One CEO’s Not So Rosy Take on the Cyberspace Policy Review

June 2, 2009

The President’s Cyberspace Policy Review was issued on Friday, and I suppose I should get in the long line of CEOs from the IT security market and commend the study as “groundbreaking” or “impactful” or “a giant leap forward”.  I do believe the study was a first, albeit small, step in the right direction.  Defining the depth of the problem, calling for cooperation with the private sector, and creating a position responsible for the nation’s cyber security are all positive steps to be sure.  But after reading the report again I find myself very disappointed by what was released, as I saw very little in the report that showed tangible, immediate steps forward.

I therefore have to step out of that line and join the very small group that is not patting the back of the government for a job well done.  I have picked up on some indirect dissent in the market with some writers using terms like “…so far…” until they see more meat on the bones.   John Pescatore, the respected Gartner Analyst on IT security notes in his blog post on the subject that the review “recommends response over prevention” and adds that it is “basically a strategy for investing in more forest fire lookout towers vs reducing the likelihood and impact of wildfires”.    

As the CEO of a small IT Security company, perhaps my direct interaction with our customers and prospects provides me a better glimpse of what is going on in the real world in a less sanitized, more firsthand way than most.  Specifically I have seen the results of attempts to implement security policy in the federal space without well-defined enforcement.  In Triumfant’s role as a certified NIST SCAP vendor for FDCC Compliance, I have seen large agencies that not only do not adhere to FDCC Compliance mandates; they do not appear to have a plan in place to begin the process in the near term.  Numerous stories chronicle how agencies continue to miss the OMB deadlines, which I attribute to the fact that there is no enforcement or consequence of non-compliance.  I see organizations that have liberal personal use policies that allow their employees to fill endpoint machines that handle sensitive data with games and music sharing applications that have known vulnerabilities.  These vulnerabilities have already been traced as the source of the compromise of sensitive information about the President’s own helicopter and the nation’s most advanced strike fighter (which apparently has not yet been resolved).

I also found the Sputnik reference in the document to be quite disarming.  Lyndon Johnson’s declaration that he did not want to go to sleep by the light of a Russian Moon was against a threat that would take at least a decade to progress past the simplicity of the Sputnik launch and America was already well on its way toward launching its own satellite.  The Sputnik analogy disintegrates when you consider that it is generally accepted that cyber criminals from foreign lands have already infiltrated the power grid and other critical elements of the country’s infrastructure.  We are not ten years from losing command and control – the evidence shows that we already have.  The time to ramp up science and mathematical skills has already been ceded.  Real action is required, and those actions must have enforcement teeth to succeed.  More years of analysis and broad suggestions will only put us further behind.

I am also concerned that the White House is not looking past the larger companies in IT security for guidance on the way forward.  I have said it before – the solutions for many of the problems we face will not be found in the center of the exhibit hall at RSA, yet those were the companies visible at the announcement.  To be clear, I am in no way implying that these companies are in any way corrupt or lack a commitment to the United States.  But when change is a necessity, it is best not to look toward those who stand to benefit most from more of the same as agents of change.  It is obvious that many of the changes needed to take significant steps forward will potentially upset the status quo and may therefore be disruptive to the established revenue streams that these companies enjoy.

One does not have to look far for an example.  General Motors filed for bankruptcy protection yesterday on the heels of the earlier bankruptcy filings for Chrysler.  It was not that long ago that the government looked to GM and the other auto manufacturers for solutions to fossil fuel consumption.  But there was little incentive for these companies to innovate and upset the profitable ecosystem that they enjoyed, and they ceded that role to global automakers whose ultimate success has been a significant contributing factor to the demise of GM and the others.  I would also add that these automakers did not step up to fuel efficiency until the government added enforcement in the form of stiff corporate penalties if aggregate MPG ratings did not reach certain thresholds – again showing the need for teeth to drive progress. 

I have some other concerns about the review.  Why was the announcement pushed to a Friday of a short holiday week?  That hardly gives the impression that this is front and center in the administration’s priorities.  Why is the Cyber Czar position a less prominent position than promised during the campaign and less than those in the White House were hoping for?  When I combine these subtle signals with the lack of hard and tangible detail in the review, I am not feeling a sense of urgency, nor am I confident that we will move from rhetoric to action in the near term.

The evidence is all around us – the time for conversation is well past.  If this report is followed by tangible and concrete actions that result in real changes that have a sense of urgency and a structure of rigid enforcement with real consequences for noncompliance, then I will be the first to applaud.  But right now you can mark me down as underwhelmed and unimpressed by this first step.


Triumfant Added to Army IA Approved Product List

April 6, 2009

Today we are announcing that we have been added to the U.S. Army’s Information Assurance Approved Products List (AIA-APL), fresh on the heels of our announcement of our EAL2+ certification.  We are excited about these certifications because they say a lot about the quality, stability and capabilities of our product.  The tests performed by the DoD labs at Ft. Huachuca, Arizona are rigorous.  We are pleased to have passed successfully.

These are especially important for Triumfant because they reinforce the interest and support we have gotten from the DoD and intelligence communities.  The DoD organizations are drawn to our ability to ensure that endpoint computers meet standard policies and controls on a daily basis.  They like knowing that we can detect problems and remediate these problems automatically, with the practical result of having every machine audit ready at the start of every day.   We have successfully demonstrated the ability to build a body of policies that capture the Army Golden Master and successfully enforce those policies.  We are removing unauthorized software from IMCEN at the Pentagon and they tell us that we save them $8 per computer per month.

For the intelligence community, they are drawn to our ability to detect malicious software without the need for prior knowledge of the attack or a signature.   Why?  Because they spend their days knowing that nearly every attack they see will be new and will never have a signature.  So beyond detection, they love the granular change detection that provides a wealth of knowledge to their incident response teams so they can decompose every attack.  They also like the way this granular change detection allows them to spot the work of maliciously intended insiders, because unless someone finds a way to change a machine without changing registry values and the other most basic elements of a machine, Triumfant will detect those changes.

For an emerging company like Triumfant, these certifications mean that the DoD and Intelligence organizations can feel a lot more sure about making a bet on Triumfant.   They already see the value of what we do.  These certifications allow them to be confident that we can stand up to their requirements and deliver against that promise of value.


FDCC Compliance – What is the “Or Else”?

March 19, 2009

We are fast approaching another “line in the sand” date for FDCC Compliance, but there is much to be done before we reach a state of mass adoption.  On March 31, agencies are required to submit to NIST and OMB a technical report about the status of their implementations. But like many other deadlines in the FDCC timeline, this will pass with a large number of agencies either in progress or still squarely at the starting line with their FDCC initiatives.

The problem is certainly not a technical one, as there are many validated tools that can help with the process. Triumfant was one of the first vendors to be a NIST SCAP validated FDCC scanning tool, and we remain one of a very few tools that can deliver automated misconfiguration remediation according to NIST. Enforcing the FDCC policies is a relatively simple task for our solution, as these policies touch a very small percentage of the 200K+ attributes that we scan on a daily basis. The policies are not inherently complex nor do the policies pose a significant technical challenge to enforce. In fact, they represent common endpoint security policies that we often see in security configuration management.

But there is something lacking that seems a bit more obvious to me – the “or else”. As a father of two teenage boys, I can assure you that I have a firm grasp of the “or else” component of successful policy enforcement.  So just what is the “or else” for those agencies that miss the deadline? The answer, or lack thereof, may be the real reason why many agencies will wave politely from the sideline as another deadline passes them by.