Hart Rossman

Hart Rossman is Vice President and Chief Technology Officer for Cyber Programs at SAIC. He is a Senior Research Fellow with the Supply Chain Management Center within the RH Smith School of Business at the University of Maryland in the area of Cyber Supply Chain Assurance. Concurrently, Mr. Rossman is a faculty member with the Institute for Applied Network Security, represents SAIC’s Incident Response Team in FIRST, and is a founding member of the Corporate Executive Programme. He is on the Editorial Board for "IT Professional" magazine, a publication of the IEEE, and co-author of its new “Insecure IT” column. Mr. Rossman co-authored NIST SP 800-64rev2, “Security Considerations in the System Development Life Cycle.” He has earned the CISSP and CSSLP, received his B.A. in Communication from the University of Maryland, College Park, and received his MBA from the University of Maryland, Robert H. Smith School of Business.


Posts by Hart Rossman

September 29, 2009

SAIC's Science To Solutions Magazine Features Cyber Security Articles

I thought you might be interested to know that the current issue of SAIC's Science To Solutions Magazine is featuring four articles on cyber security!

Specifically:

Volume 2, Number 2

In this issue of Science to Solutions Magazine we look at cybersecurity, specifically at the top five concerns of our own cyber guru Bob Giesler. Find out what keeps Bob and other cyber experts awake at night, and take a look at a joint effort between SAIC and the Supply Chain Management Center at the University of Maryland's Robert H. Smith School of Business to improve the cybersecurity of today's global supply chains. Our guest columnist, SAIC's own Chief Information Officer Charles Beard, shows how SAIC does cybersecurity.

Five Issues in Cyber That Cause Sleepless Nights

For Bob Giesler, corporate executive agent for SAIC's cyber programs, there are five main areas that keep him up at night, and they cut across all of the company's business lines.

SAIC and the University of Maryland Envision a Cyber Supply Chain Risk Assurance Reference Model

The flow of goods and services around the world, from their origin to their completion — the global supply chain — has become inextricably intertwined with the global cyber infrastructure.

The Key to Quantum Security or a Quantum Shift in Securing Data

Public Key Infrastructure (PKI) is the best-known and most trusted way of protecting information.

SAIC CIO Charles Beard: Three Steps to Cybersecurity

Cybersecurity is a problem that results from criminal activity that could arise from anywhere in the world.

If you have any feedback regarding the articles, I encourage you to comment on the blog!

September 22, 2009

Insights from the Gov 2.0 Summit

Today's guest post is from Lauren Pinson. Lauren is a policy analyst and deputy program manager for SAIC, leading a team of onsite analysts in organization and management activities for a client in the DoD.

Hart Rossman posted several items about the Gov 2.0 Summit held September 9-10, and the implications for cybersecurity.  Building on Hart’s posts, I wanted to discuss how the Gov 2.0 Summit offered insights into how the security community can embrace Gov 2.0.

Many thought leaders in the field were at the Gov 2.0 Summit, including U.S. Chief Technology Officer Aneesh Chopra, U.S. Chief Information Officer Vivek Kundra, Army Generals Sorenson and Justice, DoD Public Affairs Principal Deputy Price Floyd, and representatives from the Sunlight Foundation, Government Services Administration (GSA), Department of Homeland Security, White House, Google, ESRI, Facebook, Twitter, Department of Energy, and many more.  The variety of subject matter seemed aimed to please everyone, but conference organizers insist that was the point.  In writing this post, the problem was focusing on what matters to the security professional.  There were several overall themes which permeated the Summit, and which also apply to the security field trying to balance openness and transparency with operational security (OPSEC).  These themes, which were repeated over and over at the conference, were transparency, participation, and collaboration.

“These are not your grandfather’s wars.  We do not always know who are the good guys and who are the bad guys.” –Army CIO and Lieutenant General Sorenson

First, transparency is ensuring identity and data in the era of Government 2.0.  How do we trust identity and data online?  Ensuring trust in the network is exponentially more important for soldiers, who must have trust that the intelligence provided is credible.  Soldiers must know that the data is verifiable, and be confident to make decisions on the ground and engage the enemy.  Gen. Sorenson highlighted the ways DoD is using social networking services (SNS), including on the continent of Africa to provide communications for humanitarian operations.  In the civilian world, Ms. Judy Spencer from the GSA spoke on how it is important for the government to have an identity assurance mechanism to interact with 300 million people.  It was also announced at the conference that government websites would now be allowing you to sign in with a Yahoo, Google, or other ID.  For users of government websites, and the security community, the push for an open trust framework and “authenticated anonymity” should provide a level of assurance.

“Use social media to engage—not just push out messages.” –Defense Secretary Gates to Principal Deputy for Public Affairs, Price Floyd

Second, participation is ensuring that you are building communities of interest.  The DoD is currently conducting a review of the use of SNS, and determining how the department should balance risk.  Price Floyd spoke about the morale boost for soldiers to be connected with family and friends.  Other uses include the real time updates to counter-insurgency manuals, lessons learned, and After Action Reports.  (Although if it’s real time, is it just an action report?)  The department is responding to Secretary Gates’ missive to engage by hosting town halls like this one, relaunching the DoD web site with ways to engage DoD, and encouraging the use of social media for recruiting and interacting with the public.  Floyd is confident that the Web 2.0 policy will result in a well-balanced policy for both sides of OPSEC.  A recurring theme of the summit was the people aspect: that SNS does not hinge on the technology; it is building a community of people.

“The power of collaboration is the power to get something done.” –General Justice

The third theme for the security community is collaboration.  According to Gen. Justice, collaboration is one of the most important activities on the battlefield.  The military has always used a rigid infrastructure and hierarchy, and now in the era of Web 2.0, needs to relearn how to be flexible.  Studies have shown that 150 people is the optimal number for collaboration and working together to solve specific, well-defined problems.  This is also, not coincidentally, the size of a company command in the Army.  While DoD is at the leading edge of government in technology and Gov 2.0 principles, Floyd quipped that it would take 25 years for the government to develop Twitter, including several years just for a request for proposal (RFP).  This is why government, and the DoD, need to incorporate open source and private applications into the security environment.  At the Summit, Gen. Sorenson announced that the Army will soon launch a competition called Apps for the Army for those on the .mil domain to build new software that will help carry out the Army's mission.  Gen. Sorenson also insists we need to teach soldiers to improvise with software like they do with hardware in the field.

The Gov 2.0 Summit provided a forum for discussion on the role of security in a digital government age.  Indeed, the Office of Management and Budget will soon publish an Open Government Directive, promising the debate will continue.

Note about the conference:  The Twitter feed (online and onscreen) added an extra dimension to the conference, with helpful links and places to go for more information. Think getting the smart kids’ notes after class.  I recommend searching for #g2s or #gov20s on Twitter for more information.  You can see the compendium of tweets here.

September 04, 2009

What the Gov 2.0 Summit Means for Cybersecurity - Part 3

As I posted last week, with the rise of Web 2.0 and specifically Gov 2.0, now is a terrific time for the security community to surge ahead in innovation and create sustainable solutions for the next generation of platforms and users.  This week we’ll look into the final two points I have to share prior to the Summit.

The fourth point is that Web 2.0 has brought back a discussion of truth and identity in a way that makes them more tractable issues for the security community.  Somewhere along the way we got lost in absolutes: it must be secure, your identity must be fully attributable, trust must be implicit/explicit and 100 percent guaranteed.  And yet, there has never been a completely impenetrable system. Identity is contextual, it changes over time, and past performance is not indicative of future results.  The same can be said of trust and trust networks/relationships.  Web 2.0 practice and principle gives us new insight into how you can scale big systems and manage security and identity in a way that doesn’t require absolutes or static interpretations of assurance requirements.  It also provides new mechanisms to deal with the community’s perception of privacy and security in a way that both raises the bar AND informs security practitioners, productively and in real time, of the risk tolerance of both the user community and the system owner.

Fifth, we need to start making real security data available and using it to make better decisions and better systems.  We’ve got a terrific start with consensus models like the CVE, CVSS, CWE, and others.  What’s needed now is for system security designers and developers to make the leap beyond trying to build the next great security application and focus on building the next truly amazing security platform: systems that can adapt to planetary-scale requirements and are valued by those outside the security community not just as enablers, but as capability multipliers.  We need the Facebook, Google, or Twitter equivalents for the security community, systems that leverage the practice and principle of Web 2.0 in the service of Gov 2.0.  After all, keeping all the “security-relevant” data to ourselves decreases its value almost instantly, while putting data in motion creates value and improves the risk environment for everyone.

With just these five points, you see that the role of the security practitioner is likely to radically change in the coming years.  With more security being built in and not bolted on (and legacy systems protected by the infrastructure on which they reside), a more capable developer community, active worldwide government involvement, and opportunities to gain new insight into risk tolerance and practices that work (science, not applications), we really need to ask ourselves how we can capitalize on these tip-of-the-iceberg trends to further tip the scales in favor of the good guys.

I think having the security community embrace Web 2.0 and Gov 2.0 is what is sorely needed both to give the security community its mojo back AND start delivering on its promise to enable people and organizations to thrive in cyberspace safely.

Your thoughts and comments are welcome.

August 25, 2009

What the Gov 2.0 Summit Means for Cybersecurity - Part 2

As I posted last week, with the rise of Web 2.0 and specifically Gov 2.0, now is a terrific time for the security community to surge ahead in innovation and create sustainable solutions for the next generation of platforms and users. Five points come to mind that make me think the role of the security practitioner is likely to radically change in the coming years.

The first is that we’re finally starting to get the message out that security awareness training for end users is helpful, but what we really need is robust security training for system architects and software developers. Sure, we’ll still have some boneheads and self-taught developers who write vulnerable code, but on the whole code will become better. Initiatives like the CSSLP, the DHS Software Assurance Forum, the Microsoft SDL, and the BSIMM are just a few of the campaigns out there carrying this message to the masses.

The second is that security is being driven into the infrastructure and being owned and sold by the major infrastructure players.  This in many ways obviates the need for a complete redevelopment of core products (OS, routers, etc.) and gets the solutions as close to baked in as possible in an after-market environment for legacy infrastructure, while ensuring forward integration for new products and solutions.  What it also means is that we’ll soon be in a position to actually stop badness at the source rather than at your front door.  Most of the badness has to traverse several networks and computers before it even gets to you, all of it infrastructure and generally not user-land systems. It should never reach you in the first place, and in the future it likely won’t.  This should be accentuated by cloud offerings in the here and now.

Third, governments worldwide are taking notice and view cyberspace as the next decisive domain for conflict resolution. Think missions like citizen services, economics, diplomacy, and warfare.  This will necessarily force changes in the domain as a whole and the security market specifically.  It’s already causing us to rethink issues around the role of privacy, security, anonymity, identity, news and reporting, and control (to name a few), with recent headlines bringing these issues to the forefront of the populace: think Iran/Twitter/State Dept., China/Firewall/Filter, and the CNN/TMZ/Twitter/Bing/Google memes, to name a few just in the last few weeks.

I’ll share my final two points on this next week.

August 20, 2009

What the Gov 2.0 Summit Means for Cybersecurity

I’m very much looking forward to attending the upcoming Gov 2.0 Summit.  The summit’s origins and purpose are as follows.

“Over the past fifteen years, the rise of the World Wide Web has resulted in remarkable new possibilities and business models reshaping our culture and our economy. Now the time has come to reshape government. With the proliferation of issues and a scarcity of resources to address them all, leaders inside and outside government are turning to the principles of participation, collaboration, transparency, and efficiency to address the challenges facing our country and the world. This is the agenda of the Gov 2.0 Summit.”

The agenda of the Gov 2.0 Summit and the number of technology and policy luminaries lining up to participate is really encouraging.  And so I’ve been thinking, how does the security community play into this?  How might we adapt to support the movement and leverage its best practices and principles to improve the risk environment for everyone?

Some might say that the principles of Gov 2.0 and “government as a platform” are ideologically opposed to the aims of the security community. I’m not sure that is entirely accurate, and I’d like to take a minute to share a few thoughts I have on the role of the security community during this time of opportunity. You can be more secure by being more open; in fact, it is an imperative.

Let’s start by taking a broad-brush look back in history. A few decades ago the cybersecurity community was engulfed in innovation.  As we all wrestled with understanding the implications of computer technology (first single user and disconnected, then multiuser and networked) the security community thrived.  Everything was in flux and there were no checklists or best practices. Bold advances were made in cryptography and trust models; risk management meant taking calculated risks and capitalizing on successes while learning from failures (some deliberate and some accidental); and we saw the birth of a variety of security products that were innovative and appropriate for their time, like firewalls, intrusion detection systems, multilevel security operating systems and guards, and virtual private networks.  With the rise of Web 2.0 and specifically Gov 2.0, now is a terrific time for the security community to surge ahead in innovation and create sustainable solutions for the next generation of platforms and users.

I think there are a couple of trends in the market that are already driving security in the right direction, which in some cases, surprisingly, means out of the hands of the traditional security community.  To raise the bar for security and create an environment that is safe for every netizen we need systemic changes that create an ecosystem of intolerance of threat, not just point solutions linked together in layers of defense.  Whatever point solutions are still required need to be netcentric platforms that epitomize Web 2.0/Gov 2.0 practice and principle, not simply more robust enterprise apps or network appliances.

I’ll provide more on these over the next few weeks as the Gov 2.0 Summit draws closer.

June 22, 2009

Phase 1 Complete - Exploratory Research in Cyber Supply Chain Assurance

As I’ve mentioned in earlier posts, one of the many cybersecurity-oriented research projects we’ve been working on is a collaboration with the University of Maryland R.H. Smith School of Business in the area of cyber supply chain assurance.

After a bit over 6 months of work and a couple months writing and revising the report, I’m happy to say that a white paper documenting our first effort to build a cyber supply chain assurance reference model was released last Monday.

Here is a snippet from the press release:

The Cyber Supply Chain Assurance Reference Model not only defines key actors, processes, and vulnerabilities, but also identifies strategic interdependencies at each node of the international production/sustainment chain. Among the paper's key findings are:

  • A fully integrated cyber supply chain requires the coordination of what researchers describe as "defense in depth," the process of securing/hardening core systems and their constituent parts during the build and deploy phases of the lifecycle; and "defense in breadth," the process of securing the global web of actors who use and maintain a system, including customers, system integrators and suppliers.
  • There is a lack of visibility and coherence across the cyber supply chain which prevents effective orchestration and synchronization.
  • There is a clear need for structured incentives and relationship drivers which facilitate management of shared risk.
  • Lack of communication between the cyber and physical supply chain domains is constraining advancement. Most organizations mistakenly view themselves as the terminus in the cyber supply chain and do not recognize the need for accountability within all internal function areas, as well as among all suppliers, customers and partners.

Completing this first stage in our research required a lot of time and attention from the security and supply chain community.  I’d like to take a moment to recognize those organizations who have given us permission to publicly acknowledge their participation: the National Security Agency, the Department of Homeland Security, the National Institute of Standards and Technology, the Department of State, Pfizer, Veracode, EMC, KRvW Associates, Juniper Networks, and the Institute for Applied Network Security.  I would also like to thank all those individuals and organizations who dedicated time and effort to this project but wish to remain anonymous.  All of your hard work contributed to the success of this project!

The two things I’ve enjoyed most about working on the first phase of this project were meeting so many passionate and intellectually engaging people who have a genuine concern for the integrity of our global IT supply chains and having had the opportunity to work with two wonderful academics, Dr. Boyson and Dr. Corsi, who guided my introduction to and understanding of supply chain risk management and have been a real pleasure to work with!

Now that Phase 1 is complete, we’re putting the finishing touches on our plans for Phase 2. The second phase of our work is scheduled to begin later this summer and will focus on field work with several organizations to validate the reference model and develop data collection tools. We’ll work towards improving the alignment between security operations and supply chain risk management with the goal of a more highly assured cyber supply chain.  If you think your organization might be interested in participating, please leave a note in the comments or drop me a line at rossmanh <at> saic <dot> com.

May 29, 2009

Tracking Innovation in Cyberspace

If you’re interested in the future of the Web and the tools available to those operating in cyberspace, the Google I/O Developer Conference, held May 27-28 at the Moscone Center in San Francisco, had some pretty interesting thoughts to share.  Tim O’Reilly presents a terrific summary of the themes in the keynote, which hinge on the upcoming HTML 5 standard.  Tim, along with MG Siegler at TechCrunch, does a thorough job of reviewing Google Wave, a 3-in-1 solution (app, platform, protocol) coming from Google that answers the question: What if email was invented today with the robustness of the modern Internet?

Aside from giving us an inkling of things to come in the browser, why is this interesting? Well, it got me thinking about the pace of technology innovation and how it impacts the public sector and their technology choices.  To me, events like Google I/O highlight the maturity of our thinking about the need for information and show off the capability complements required to operate more effectively in an information-driven medium.  A further convergence of cyberspace and meatspace.

We’ve gone from placing artifacts of ourselves online to living online. Social objects are fully integrated into our perception of value creation. Our notion of the role of the OS (virtualization? cloud?) and of its ability to effectively traverse and bind together hardware platforms is shifting (Android leaps from smartphone platform to laptop OS; OS X leaps from desktop OS to iPhone, giving users a more robust computing experience). And this is all happening at a pretty rapid rate.  Twitter & FriendFeed are just going mainstream and already we’re seeing Google Wave.  In ages past we had years and sometimes decades to formulate the social norms and expectations for tectonic shifts in technology. Privacy and security were attributes to be labored over, where perfection was not the enemy of good enough. Now it seems like we’ve got to do it all in real time.

April 16, 2009

Cinder OS: mobility with power management and security

This morning an article in NetworkWorld caught my attention about an interesting OS designed from the ground up to better handle power consumption (at the application level) and improve security for mobile devices. It’s not clear how this will compete with the existing market-dominant mobile OSs. But the lessons learned in building these features seem to translate easily to smart metering applications and may individually find their way into leading mobile OSs over time.

March 27, 2009

Cyber Supply Chain Security Workshop Reactions

Last Friday I had the opportunity to co-facilitate a workshop in the area of cyber supply chain assurance. The workshop was organized around a collaborative research effort conducted by SAIC and the Supply Chain Management Center of the Robert H. Smith School of Business, University of Maryland College Park, which sought to fuse the fields of cyber security and supply chain risk management to produce a cyber supply chain assurance reference model.

The workshop was well attended, with about 25 participants consisting of executives and practice leads from government and industry. The majority of the participants had a strong background in information assurance and enterprise risk management and varying degrees of experience with conventional supply chain risk management.  Of those with significant supply chain risk management experience, it was primarily in the acquisition/procurement and audit disciplines. Altogether, the participants were well suited to contribute feedback and provide guidance in the maturation of a cyber supply chain reference model.

The day was fast paced and pretty jam-packed with information.  One participant remarked that these were the kind of “high bandwidth” conversations he looked forward to, and that he hoped would occur more frequently in this emergent domain.  The morning consisted of a plenary session, which I emceed, that provided the workshop participants with:

  • An understanding of the motivations behind the research project
  • An overview of the project methodology
  • Insight into the demographics of the study participants
  • A crash course in conventional supply chain risk management practices and thought leaders
  • Lessons learned and observations gleaned from our literature review
  • A formal introduction to our proposed cyber supply chain assurance reference model

March 19, 2009

Building A Cyber Supply Chain Assurance Reference Model

In support of the president’s Comprehensive National Cyber Security Initiative (CNCI) and its urgent mission to protect the nation’s cyber assets, SAIC and the Supply Chain Management Center of the Robert H. Smith School of Business, University of Maryland College Park have collaboratively undertaken a research initiative to develop a Cyber Supply Chain Assurance Reference Model. Our research sought to fuse the fields of cyber security and supply chain risk management.
