And they’re understanding that these malevolent hacker tools are used to steal terabytes of data from government networks, hijack vast armies of innocent computers for nefarious purposes such as “denial of service attacks” against unprotected websites, steal identities and commit card fraud,  and sabotage computerized process control systems that generate and distribute our electricity, purify our water, manufacture chemicals and pharmaceuticals and cool massive computer rooms where billions of dollars a day in financial transactions are processed.   Citizens from soccer moms to CEO’s are recognizing the alarming vulnerability of our information infrastructure, which has become a foundation for our nation’s economic and homeland security – for how we live, work and play.

But how do we really focus on addressing a security problem whose perpetrators and methods are as distributed and numerous as the networks and internet links on which we rely so heavily?  Billions of connected devices around the world enable communications that traverse often anonymously over a crazy-far-flung web of networks.  This in turn allows untraceable attack and subterfuge against individuals and institutions.  Policing this anarchy of the commons called the Internet presents governments, businesses and consumers with dilemmas between security and privacy, freedom and control, cost and convenience.

The Bush Administration recognized the complexity and cross-cutting nature of this problem when it created the Comprehensive National Cybersecurity Initiative (CNCI) in January 2008  The CNCI involves coordinated government action to monitor and protect Federal networks, fund and coordinate R&D and training, develop a deterrence strategy, engage the private sector to protect their part of cyberspace, enhance counterintelligence, and more.  It is intended to make the cost and risks associated with cyber crime prohibitive to our domestic and foreign adversaries.  It is indeed only a start, but a strong start at holistically addressing the challenge.

The Obama Administration, rightly not wanting to let that momentum flag, has finally released its much-overhyped “60 day review”.  As has become cyclical theater in Washington, however, the 60-day review is the predictable political expression of a new team coming in with the artifice that history starts today and everything that happened before actually didn’t.  Any number of “60-day reviews” have been conducted since the first debates to devise a “National Strategy to Secure Cyberspace”, which was released by the White House with industry support in early 2003.   At that time, the Department of Homeland Security, through its National Cyber Security Division, began the long and difficult process of building the partnerships necessary to forge a collective security framework across Federal, state and private sector networks.  It’s just that very few in the press, the Congress, the private sector, or the general public paid enough attention to take the threat seriously. 

The question of “who is in charge” misses the point of governance in a Federal structure.  The pertinent question is how multiple power centers with differing and legitimate mission equities can be coordinated effectively as a team.   There is no White House czar or single Federal agency that will ever have true declarative authority and power over the many departments and agencies in the government.  The bureaucratic slow-roll is a fact of political life in Washington.  This is poly-sci 101.

As we filter all the noise around the 60-day review, there are two demonstrations of leadership that we should demand.  First, the only new message this 60-day review can and should deliver is that the White House cyber czar will clearly define the authorities of the various agencies responsible for cyber security, deconflict their turf battles, coordinate their activities, and hold them accountable, with the budget hammer, to do their jobs without micromanaging them.  And then the White House needs to work with Congress to support the strategy with sufficient funding.   Indeed, a Congress that was asleep at the switch on cyber security the past 5 years is now finally taking notice.   Therein lies an opportunity for a second demonstration of leadership that we should expect of Congress.

The Congress as we all know takes its oversight role seriously, but in the process overlooks its own accountability.  Congress is quick with importunate demands that the Administration develop a “comprehensive policy” and a “sense of urgency” and “real leadership”, but when it comes to legislative discipline among the un- and under-informed Members seeking to stamp their own “leadership” on a hot new issue, it’s the Wild West.  Now we see a bill putting cybersecurity in the hands of the Commerce Department, and another regulating the electric grid, and the next one likely competing with both of those and other committees for jurisdiction.  Talk to any Congressional committee staffer involved in the cyber security issue and they most certainly will have opinions about “who is in charge” on Capitol Hill.  Is it the Homeland Security Committee?  Armed Services?  Intelligence?  Commerce?  Government Reform?  Judiciary?  Financial Services and Banking?  This infighting on Capitol Hill encourages the same turf battles among the agencies they oversee and provides them top-cover.

What is clear is that dealing with cyber security comprehensively and effectively requires that Congress take a disciplined approach to identifying the potential government, regulatory and market-based drivers for achieving a more secure national information infrastructure and agreeing on where Congress can fill the gaps.  Cyber security is a cross cutting issue demanding a policy review of technical standards, privacy policy, intelligence and surveillance, military doctrine and operations,  corporate governance, auditing and liability, education and training, science and technology, telecommunications policy, financial services regulation, foreign affairs, government procurement, and insurance and tax policy as market incentives.  This isn’t to say that legislation is needed in all of these areas, but that Congress owes the American public a sober review of where that branch of government can truly add value rather than platitudes, and embark on an omnibus legislative effort that ensures the committees are coordinating, not freelancing, and that cyber security is being addressed holistically.

It can be done; Congress would show unity of purpose and effectiveness of outcome, and align resources and policy with the Obama Administration’s implementation of the Comprehensive National Cybersecurity Initiative.

“We just discovered a data breach.  Millions of customer credit cards could be compromised.  Who’s responsible for this?”

“The CISO should have been on top of it.”

CISO:  “We had only some of the security technology we needed.  CFO didn’t clear the budget for it.  Besides, the compliance officer didn’t put the training and performance measures in place.”

Compliance officer:  “I didn’t have budget either, and business ops said all these security procedures were cutting into efficiencies; marketing hated the sluggish look and feel of our online business when it was smothered with security; and the general counsel said risk of litigation is low because we won’t be held liable for being victimized by a crime if we get breached.”

General counsel:   “The CEO and CFO asked my advice for managing risk with a premium on cost reduction.  A security breach was just not seen as a high risk, and the cost of buying security was much higher than the potential risk for loss.”

Sure.  Obviously this is an over-simplified conversation, but this is still the gist of what’s happening in businesses across the country, and what CISO’s are rightly complaining about a lack of responsibility across the organization.

According to the Poneman Institute, 43 companies that suffered a data breach in 2008 paid an average of $6.6 million to rebuild their brand image and retain customers.  And the average number of consumer records exposed to breach was about 33,000.  The common denominator here seems to be the CFO, who is pressured by cost reduction considerations as a key measure of providing value to the company and the lack of a standard methodology for evaluating financial risk from cyber insecurity.

Now who’s responsible for this?

The American National Standards Institute and the Internet Security Alliance teamed up in a report released last fall that throws it over to the CFO to answer that question – by asking the right questions to the responsible people in the organization.  In the “Financial Impact of Cyber Risk:  50 Questions Every CFO Should Ask”,  CFO’s are reminded that the financial stability of a company depends on many factors pegged to risk, and that many stakeholders within the company have a role to play in managing that risk.    The same is true for cyber security.  The report notes that “corporations have often failed to properly account for the financial downside resulting from the risks of cyber systems.”  Part of the reason, the report notes, is that while there are numerous models for assessing the technical elements of cyber risk, there is little in the way of classic financial risk management principles and tools that can be applied to cyber risk. 

The report then goes through the key questions that must be asked of key stakeholders within the company in the conduct of a proper risk assessment.  These include key questions for the legal counsel, for the compliance officer, for the business operations and technical teams, for the external communications and crisis management teams, and for the risk manager for corporate insurance.  Depending on the company’s business model, additional senior executives may need to be engaged to answer similar questions, whether they are in investor relations or channel partnerships and strategic alliances.  Each one of these individuals within a company needs to assess security risk – and the consequences of an incident – from their unique but interdependent business functions.

This is an important and easy read for any C-suite executive to begin to think strategically about the shared responsibility of information security across the enterprise, and I strongly recommend it.

But there is another risk management taking place – and not – at this year’s Super Bowl.  Next Sunday, NBC will charge companies $100,000 per second, or $3 million for one 30-second commercial.  With close to 100 million people watching this most American of spectacles, it goes without question that these ads will reach a lot of eyeballs.  But how many of those eyeballs will buy the product they’re looking at?  How powerful is the power of suggestion against an equally powerful recession?  What risk management formula are advertisers and their willing CFO’s using to conclude, as Annheuser Busch has (http://money.cnn.com/2009/01/09/news/companies/superbowl_ads/ ) that what appears to add up to $27 million spent on four-and-a-half minutes of advertising, will see an equal or greater return on beer sales by virtue of those ads? 

Now, I am sure I am missing the greater point of advertising – branding, visibility, and certainly some returns.  But there seems to be little risk aversion at the prospect of spending  vast sums on advertising whose returns and effectiveness are difficult at best to measure.

But on the other end of the spectrum, the Bureau of Justice released a survey (http://www.ojp.gov/bjs/abstract/cb05.htm)  last fall of more than 3200 businesses that reported cyber attacks of various forms in 2005 resulting in a total of $867 million in losses – monetary, theft of intellectual property, system downtime, and others.  That’s an average of $270,000 per company.  Yet corporate spending on such necessities as secure networks, web and application security, IDS, IPS, and employee training still tends to take a back seat to other seemingly more pressing budget demands.  C-suite executives challenge CIO’s and CISO’s to make the “business case” for investing in something they can’t measure – losses prevented, while spending on advertising with unvalidated sales returns is a “no brainer”.

I won’t challenge that there is value to advertising, or that it helps to generate sales.  We do know this.  But when the loss of investment in sales-not-made trumps an investment in the prevention of loss of intellectual property, reputation, downtime, customer confidence, shareholder value, and in some cases, lives, then we have misplaced priorities.  There is a business case here.  That kind of risk management is the no brainer.

It’s fourth and long;  time to get the ball over the cyber security goal line.

It is by now a well known symbol of war – the Trojan Horse – in which Greek soldiers hid themselves while Trojan soldiers wheeled the horse in a victorious march back to Troy, exposing themselves within their own walls to ambush by the disgorged Greeks. Fast forwarding almost 3200 years, we now conventionally know the new meaning of the Trojan Horse as stealthy malicious software code that hides within our computers and networks, programmed to launch and execute crippling instructions that slow or crash our computers, and steal or alter the data stored or transmitted on them.

In the lexicon of cyber security, trojans are just another weapon in the hacker’s arsenal of attacks, including phishing, pharming, viruses, worms, spoofing, and man-in-the-middle attacks, among many others. But the other trojan-horse always lurking beneath the vulnerable surface of our national information infrastructure is ourselves, and hiding within that horse — the source of perhaps our most intractable vulnerability — is the threat of our own complacency.

Think of what we do on the Internet with trillions of mouse clicks every day: we buy on it, trade stocks on it, entertain on it, do our taxes on it, send sensitive blueprints over it, monitor and control electricity flow over it, and, even the blogger in chief has been known to send Twitter tweets on it. That the internet and our computer networks constitute the engine of our economy and the fabric of our daily lives is no longer in question. But only slowly have we been able to raise the level of awareness in this country about the vulnerabilities that await us every moment on our enterprise and open networks alike.

The essential realization here is that computer and data security need to become a habit, just as we have habituated ourselves to TSA lines at the airport or the complex rules of the road on our streets and highways. We know what to do; we have made it a habit. Not so, yet, with cyber security, either with the home user or with still far too many enterprise networks in the private sector and government. But we can get there.

The Obama Administration and the Department of Homeland Security have inherited one of the successful legacies of the Bush Administration, which has been anything but complacent on cyber security: a multi-year national cyber security initiative that embarks on an ambitious and resource-intensive strategy to secure our national information infrastructure – one which engages governments, businesses, academic institutions, and private citizens. They now have an early opportunity to build on that momentum and disgorge our latent complacency before it allows a catastrophic cyber attack against the most essential services on which our economic security, our homeland security, and our national security depend.

At the heart of the cyber initiative is the need to strengthen our Federal networks from attack. This program is well under way as DHS builds the Einstein intrusion detection and prevention capabilities and consolidates the number of external internet access points across the .gov domain. Proceeding apace are other parts of the strategy including R&D, developing a deterrence strategy, supply chain vulnerability mitigation, greater informational and operational collaboration across the many watch and warning centers, and private sector engagement, among other initiatives. I have confidence in the prospects for the success of these initiatives.

I also believe we need to continue putting special emphasis on five other areas that will amplify the various components of the cyber initiative. Here’s what we need to do:

1. Stick with the plan: The responsibility for securing our nation’s information infrastructure falls primarily to the private sector, which owns and operates 80-90% of the infrastructure that needs to be protected. Large businesses and trade associations have for the past 5 years partnered with the Department of Homeland Security and the National Cyber Security Division under the National Infrastructure Protection Plan to develop a risk assessment and mitigation strategy for our cyber assets and functions. See: http://www.dhs.gov/xprevprot/programs/gc_1179866197607.shtm. And now we’re assessing the security of the global supply chain to prevent vulnerabilities from being implanted in a product or software somewhere during the production or distribution process.

So let’s execute on the good work that has already been done in the public-private partnership, rather than ask the business community to abandon what they’ve done and retool their efforts simply for the mantra of “change”. This is a good – and maturing – framework, and now the task is to push this plan – and the national commitment – out to the business community all across the country. We don’t need to reinvent this process or rearrange team formation.  What we – the business community and DHS — need to do now is to market it, and execute on these plans, and get everyone across the country to take this as seriously as those forward-thinking companies, academics and state government leaders who helped develop it. And we can ensure this “viral uptake” of strong security will benefit from the multiplier effect when the large auditing and consulting firms and systems integrators build it into their offerings and business strategies for all clients. Good consulting firms will urge this of their clients and astute businesses will demand it of their consulting firms.

2. Keep hackers out of our physical infrastructure. Where cyber security meets physical security, control systems operators and their vendors need to take urgent action. Most of you saw the many CNN reruns (http://www.cnn.com/2007/US/09/26/power.at.risk/index.html) in 2007 of a simulated cyber attack on an electric generator. It shuddered and smoked http://www.youtube.com/watch?v=fJyWngDco3g to failure as its rotating machinery was reprogrammed through a simulated cyber attack to do the equivalent of putting a car transmission into reverse while driving forward at 60 miles per hour.

The ability of savvy hackers to find their way into control systems technology that manages electric generation and distribution, water purification, chemical manufacturing, and cooling systems for server farms carrying trillions of dollars in financial transactions a day should alarm us. This is not the stuff out of a Michael Crichton novel. DHS and other agencies have moved aggressively to raise awareness with utility owners and operators, as well as the companies that make digital control systems, to put a high priority on the security of those operations. DHS and other sector-supporting agencies need to redouble this effort and companies need to pay attention and secure their operations.

3. The federal government needs to tighten the way it buys security and the way it implements it. Not only does the government need to lead by example in the secure administration of its networks but it has to show it is serious about technological innovation by building better efficiencies into its procurement process. The Office of Management and Budget can help make this happen. First, it needs to vest clear authority in the Department of Homeland Security to be the audit and compliance driver for secure network and data management across the federal agencies.

Second, OMB needs to work with the National Security Agency and the National Institute of Standards and Technology to reform the common criteria program (http://www.niap-ccevs.org/) that certifies product security for purchase by the government. Every agency needs to employ this security evaluation process as part of its protective program, but the lengthy and costly process of certification causes many small and innovative companies to opt out of participating, either because they cannot afford it or their products have moved on to the next product version before the previous version even makes it though the certification process.

This is an area that is ripe for government leadership and for the Congress to help incentivize reform.

4. Don’t forget that the states are “.gov” too. State governments across the country are, like the Federal government, experiencing extraordinary budget shortfalls. However, their costs of governing could only go higher as the increase in cyber attacks affects the ability of state governments to deliver both online and offline services and manage the myriad administrative functions conducted on IT systems. The national cyber initiative can evolve to include interconnectivity between the federal government and state agencies, as stakeholders build a comprehensive situational awareness across .gov, .com, .edu, .net, etc. State CISO’s have rightly demanded assurances that the government’s leadership by example in cyber security management and incident response must include state governments. This is not a simple matter of plugging into each other’s networks, given the many legal and privacy issues that need to be sorted out, but now is the time for the new DHS administration to begin considering these questions immediately and work with the forward leaning states to prototype interconnection arrangements and get the partnership up and running on a national scale.

5. DHS needs to paint the lanes of the road. As with any new government bureaucracy, DHS – only five years into its existence – is still getting organized. This means that, as roles and responsibilities evolve, there is the risk of ambiguity. And where there is ambiguity internally, there can be confusion and mixed signals to external stakeholders. This dynamic, which is common in large Federal bureaucracies, has been no different with cyber security, which prompted complaints from the private sector of several overlapping leads for policy and implementation, including the Office of Cyber Security and Communications; the Science and Technology Directorate, the Office of Policy, and the National Cybersecurity Center. Secretary Napolitano should strive very early on to establish clear lanes of the road for cyber security management within the department to ensure efficient policy and implementation and clear points of contact for external stakeholders.

We are at an inflection point in cyber security for this country. We need to draw out the compelling work that has already been done, accelerate and expand on it, and not allow the fact that we have not yet fallen prey to a massive cyber catastrophe to deceive us into complacency.

##