The best security strategy: Low expectations

Members of a panel of security experts today painted a gloomy picture of the cybersecurity landscape, in which rapidly evolving threats and conditions ensure that even the best solutions are likely to remain piecemeal and temporary.

Security efforts should focus on assessing and managing risk to information, members of the panel of industry and government officials said, and baseline security requirements mandated by government cannot be expected provide adequate security across the board.

“We should go in with our eyes open to the reality that if somebody wants the information, no matter what the baseline, they will get it,” said Wayne Fullerton, solutions and operations director for Cisco Systems Inc.’s U.S. federal organization.

Levels of security need to be assigned to a given piece of information based on its value to the owner and to those who could steal it. After the cost of stealing information drops below its perceived value, “if people really want it, they will get it,” Fullerton said.

And although no one level or policy is practical for securing all data, no one architecture is advisable either, said Bill Vass, president and COO of Sun Microsystems Federal.

“We don’t want to have one consistent architecture everywhere,” Vass said. That would only create a common set of risks.

The panel was presented by the Secure Enterprise Network Consortium, which includes Cisco, Sun Microsystems, CA and Accenture, as well as the Energy Department’s Los Alamos National Laboratory.

Rep. Jeff Miller (R-Fla.), ranking member of the House Armed Services subcommittee on Terrorism and Unconventional Threats and Capabilities, expressed concerns about the threat of cyber warfare in his opening remarks to the panel. Miller represents the panhandle of Florida that includes the Pensacola Naval Air Station and Eglin Air Force Base.

“We are in a cyber war, whether you want to call it a war or not,” he said, citing the millions of daily attacks against Defense Department IT systems. It is difficult to determine the sources and motives for these attacks, but he also cited instances of online attacks against Estonia in 2007 and Georgia last year as illustrations of the “ability to combine cyber attacks with a military objective.”

Miller said DOD must work closely with industry to ensure that national defense IT systems are not compromised at their outset by backdoors and other compromises that could be installed by offshore developers and manufacturers.

Terry Wallace, principal associate director for science, technology and engineering at Los Alamos, said the lab assumes that its systems are compromise, and that its security is imperfect.

“There will always be information loss,” Wallace said, and all systems are contaminated, although how and to what extent is unknown. With these assumptions, Los Alamos must strike a balance between the need to protect information and to enable collaboration on scientific research that is the lab’s stock in trade.

“There isn’t an answer today,” he said. “Our biggest challenge is that we have a lagging response. We’re almost always mitigating something that is no longer a security concern,” taking resources away from the job of anticipating threats.

Another problem that does not seem to be anywhere near a solution is figuring out who is in charge of the government’s IT security. This is a question that frustrates both the government and private sector.

“For us in industry, it looks like a phone book” when trying to determine whom to contact on a given subject, one member of the audience said.

Miller had little comfort to offer on that question. Although a central point of contact would be convenient, he warned that responsibility needs to be distributed so that differing needs of each installation can be addressed.

Jerry Briggs, managing director of Accenture’s federal business, said that rather than a single overseer for IT security in government, what is needed is better cooperation between the executive branch, Congress and industry.