Miller goes on to report that OMB will require “agencies launch a series of cloud computing pilots across the government in 2010 using the E-Government Fund.” In 2013, Miller reports, agencies must provide OMB “a complete alternatives analysis for mixed life cycle projects where agencies are spending new money-known as development, modernization and enhancement-and steady state or operations and maintenance funding for how they could move to cloud computing.”

Miller quotes a former government official as saying, “They are not saying use it, but are pushing us to look at it and do an analysis of alternatives and make a decision based on our business needs. They are pushing us to look at it, yet giving us the ability to decide whether it makes sense.”

How well does your organization understand cloud computing? How will security be handled? What can you do to prepare? During this time of tight budgets, maybe you do not have the funds and/or time to attend conferences and training events. Fortunately, presentations are being posted regularly to the web, allowing you to keep informed on technological challenges. For example, the ZISC Workshop on Security in Virtualized Environments and Cloud Computing, held September 10-11th in Zurich, recently posted all their presentations:

Following NIST’s involvement in an area like cloud computing can help you judge the direction the government is heading. Tim Grance presented at the 5th Annual IT Security Automation Conference and Expo Presentations and the presentations have been made available. Grance presented on the Security Content Automation Protocol (SCAP) (see my previous post “Standardization and Interoperability in Security” for additional information on SCAP). A cloud computing track consisting only of slides (no video) was also posted. If lack of video does not concern you, the following conferences have posted slides on cloud security:

• CCSW 2009: The ACM Cloud Computing Security Workshop, held November 13th, 2009 in Chicago.
• Digital Government Institute’s Cloud Computing 2010: Focus on Operational Efficiency and Security, held December 9, 2009.
• Cloud Interoperability Roadmaps Session held in Long Beach, CA on December 10, 2009.

If you prefer to listen and do not need to see slides, Tim Grance can be heard on Dana Gardner’s BriefingsDirect podcast, “Panel Discussion: Is Cloud Computing More or Less Secure than On-Premises IT?.” The discussion includes a panel of all stars from the cloud security community, including Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems and founding member of the Cloud Security Alliance (CSA); Doug Howard, chief strategy officer of Perimeter eSecurity and president of USA.NET; Christofer Hoff, technical adviser at CSA and director of Cloud and Virtualization Solutions at Cisco Systems; and Dr. Richard Reiner, CEO of Enomaly. The podcast was recorded at the Open Group’s 23rd Enterprise Architecture Practitioners Conference in Toronto on July 20-22, 1009, along with:

• Jericho Forum Aims to Guide Enterprises Through Risk Mitigation Landscape for Cloud Adoption where Dana interviews Steve Whitlock, a member of the Jericho Board of Management.
• Cloud and Security Join Boundaryless Information as Top-of-Mind Issues for The Open Group where Dana talked with Allen Brown, president and CEO of The Open Group.
• XDAS Standard Aims to Empower IT Audit Trails from Across Complex Events where Dana talks with Ian Dobson, director of the Security Forum for The Open Group, as well as Joël Winteregg, CEO and co-founder of NetGuardians. XDAS is an open-source standard that is hopefully going to help in compliance and regulatory issues and in the automation of heterogeneous environments.
• New Era Enterprise Architects Need Sweeping Skills to Straddle the IT-Business Alignment Chasm where Dana is joined by James de Raeve, vice president of certification at The Open Group; Len Fehskens, vice president, Skills and Capabilities at The Open Group; David Foote, CEO and co-founder, as well as chief research officer, at Foote Partners, and Jason Uppal, chief architect at QRS.
• Cloud Pushes Enterprise Architects’ Scope Beyond IT into Business Process Optimization Role where Dana is joined by Tim Westbrock, managing director of EAdirections; Sandy Kemsley, an independent IT analyst and architect; and John Gotze, international president for the Association of Enterprise Architects.

For more video presentations on the cloud security, awhile back I posted “CERT, CERIAS, the Academy, and Google Video: Training Online.” Two other sources include the SecurityTube and O’Reilly Webcasts. Below are a few examples of the presentations available:

• The Belgian Beer Lovers Guide to Cloud Security (Brucon 2009) Tutorial by Craig Balding at Brucon 2009: In this presentation Craig covers why talking about “cloud” is akin to walking into a Belgian bar and asking for “beer”; the common cloud architectures and their implications for you – the security dude; what the beer brewing Trappist Monks can teach us about cloud security; attacking clouds (aka getting free beer); and dealing with the hangover: cloud incident response & forensics.
• Evolution of Security (Fsecure) Tutorial by F-Secure: an animated series on the various threats out there on the Internet and also talks about their state of the art AV (self promotion) They also talk about “cloud security” and how the next generation AV will be in the cloud and not isolated.
• Cloud Security and Privacy by Tim Mather, Subra Kumaraswamy, Shahed Latif: discusses cloud computing’s SPI delivery model, and its impact on various aspects of enterprise information security (e.g., infrastructure, data, identity and access management, security management), privacy, and compliance. Security-as-a-Service and the impact of cloud computing on corporate IT is also discussed.
• Architecting Applications for the Cloud by Jorge Noa: This presentation analyzes aspects of the Amazon EC2 IaaS cloud environment that differ from a traditional data center and introduces general best practices for ensuring data privacy, storage persistence, and reliable DBMS backup.
• Cloud Computing: The Next Frontier for Open Source by Bernard Golden: discusses how the trends of open source and cloud computing reinforce one another, and why cloud computing is a significant driver of enterprise open source adoption.
• Getting Started with Amazon Web Services by Cloud Security Deep Dive by Subra Kumaraswamy, Shahed Latif, Tim Mather: will take a deep dive into cloud security issues and focus on three specific aspects: (1) data security; (2) identity management in the cloud, and; (3) governance in the cloud (in the context of managing a cloud service provider with respect to security obligations). Each of these three topics will be covered in a 30 minute segment that will include a presentation and Q&A with the audience.
• Cloudburst (Hacking 3D and Breaking Out of VMware) Blackhat 2009 by Kostya Kortchinsky: VMware products include implement a lot of functionality, and as such have a decent chance to include some bugs. CLOUDBURST is the combination of 3 of those found in the virtualized video device (more specifically the 3D code). Combined, these allow a user in a Guest to execute code on the Host. Since the virtualized device code is the same for all the branches of the products, this impacts Workstation, as well as Fusion or ESX. Immunity, Inc. will present the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1. Once exploited, Immunity will demonstrate how to establish MOSDEF between the Host and Guest.
• Virtualization: Resource Coupling and Security across the Stack by Dennis Moreau, Configuresoft: The session briefly addressed extension to the cloud and utility computing infrastructures to address how to use configuration and behavioral information to address the increased complexity of security, compliance and risk assessment in virtualized environments.

Other BruCON Security Conference (held September 18-19, 2009) videos are available at their vimeo channel. O’Reilly maintains on YouTube an O’Reilly Media Channel along with an area to sign up for future webcasts. Blackhat DC 2009 video, audio, whitepapers, and slides are also available. Content is ever changing, so keep checking the sites.

Remember that Vivek Kundra, Chief Information Officer (CIO) of the United States of America, outlined as his team’s priorities:

1. Innovation
2. Lowering the cost of Government
3. Transparency
4. Engaging Citizens
5. Ensuring a safe computing environment

In response, FedScoop! started hosting one event each quarter around these pillars. On October 14 at the Newseum, they did their first event bringing together executives in the White House and federal CIO’s, CTO’s, and decision-makers to talk about lowering the cost of government with technology. Check out the video of the Cyber Security Panel. Since one of the topics was cloud computing, FedScoop! scheduled a follow-up event. On December 9th, 2009, they hosted and posted the “Cloud Computing Shoot Out.”

FederalNewsRadio has posted a three part video series on secure cloud computing. The panelists include Jim Flyzik, President of the Flyzik Group; Henry Sienkiewicz, Technical Program Director, Computer Services, Defense Information Systems Agency; Ronald Bechtold, Army Architecture Integration Center at Headquarters, Department of the Army, Chief Information Office/G6; Curt Aubley, Chief Technology Officer CTO Operations & Next Generation Solutions, Lockheed Martin Information Systems & Global Services; Dale Wickizer, Chief Technology Officer-Public Sector, NetApp, Inc.; and Aileen Black, Vice President of Public Sector VMware Inc.

CNET’s editor of Webware, Rafe Needleman and senir writer Stephen Shankland talked with Christofer Hoff on the Reporters’ Roundtable podcast about the “Dangers of Cloud Computing.” Chris also presented at Microsoft’s BlueHat, “Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure.” Any presentation with such a great title must be watched. There is a short interview with Chris from Bluehat.

One of my favorite stories of Abraham Lincoln involved the McCormick-Manny case of 1855 where Lincoln was one of Manny’s lawyers. Lincoln basically was pushed aside and humiliated. After the trial, he told Ralph Emerson, a young lawyer who was present at the trial, “I am going home. I am going home to study law.” Emerson asked, “Mr. Lincoln, you stand at the head of the bar in Illinois now! What are you talking about?” Lincoln replied, “Ah, yes, I do occupy a good position there, and I think that I can get along with the way things are done there now. But these college-trained men, who have devoted their whole lives to study, are coming West, don’t you see? And they study their cases as we never do. They have got as far as Cincinnati now. They will soon be in Illinois.” Emerson stated Lincoln turned to him, his countenance suddenly assuming that look of strong determination which those who knew him best sometimes saw upon his face, and said, “I am going home to study law! I am as good as any of them, and when they get out to Illinois, I will be ready for them.”

Change is coming. If you try just to get along, the future will overwhelm you. While we do not live in a world of unlimited funds for conferences and training, people are sharing a wealth of information. Take advantage of it and get ready for whatever might be heading your way.

Gregory C. Wilshusen, Director, Information Security Issues at GAO offered a different interpretation, when he stated, “Despite the progress reported by agencies, they continue to confront longstanding information security control deficiencies that limit the effectiveness of their efforts in protecting the confidentiality, integrity and availability of their information and information systems.” GAO has released a report, “Information Security: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies.” Quoting from the report, a few statistics of particular interest:

• Data from the National Vulnerability Database, the U.S. government repository of standards-based vulnerability management data, showed that, as of February 6, 2008, there were about 29,000 security vulnerabilities or software defects that can be directly used by a hacker to gain access to a system or network. On average, close to 17 new vulnerabilities are added each day. Furthermore, the database revealed that more than 13,000 products contained security vulnerabilities.
• The percentage of certified and accredited systems government wide reportedly increased from 88 percent to 92 percent. Gains were also reported in testing of security controls – from 88 percent of systems to 95 percent of systems – and for contingency plan testing – from 77 percent to 86 percent.
• In their fiscal year 2007 performance and accountability reports, 20 of 24 major agencies indicated that inadequate information security controls were either a significant deficiency or a material weakness.
• Our analysis determined that 19 of 24 major federal agencies had not fully implemented agency-wide information security programs.
• The number of incidents reported by federal agencies to US-CERT has increased dramatically over the past 3 years, increasing from 3,634 incidents reported in fiscal year 2005 to 13,029 incidents in fiscal year 2007, (about a 259 percent increase).

Niels Provos, Google’s Anti-Malware Team, cited a recent paper by researchers at Google. The paper revealed that more than 1.3% of Google search results now contain at least one malware-serving website – a number that has quadrupled in the past nine months. The graph shows the increase ratio of search results containing a URL labeled as harmful:

In government, while the percentage of certified and accredited systems is increasing, a much greater increase occurs in the number of reported incidents. OMB found a 60 percent rise in the number of reported incidents from 2006 to 2007. Evans attributed the increase in large part to improved reporting. Tim Bennett, president of the Cyber Security Industry Alliance, has a different opinion. Bennett feels the increases are real and blames the increase on a shift from attacks by lone hackers to those launched by organized crime and state-sponsored organizations.

Adam Dodge took a look at the information security breaches that occurred in 2007 at colleges and universities around the world, as reported in the news. Dodge released his results in the report “The Educational Security Incidents (ESI) Year in Review – 2007.” The report found a 67.5% increase in the number of reported incidents over 2006. This increase is in line with what the government agencies experienced.

Chris Walsh provides some interesting insight by comparing the number of reported breaches in the US and Great Britain. In the posting “Reporting on Data Breaches: US and Great Britain.” Walsh shows that both countries have seen a dramatic increase in reported breaches:

The US-CERT annual report for fiscal year 2007 reported the following number of incidents that were reported to DHS incident response center:

Alan Paller, director of research at SANS Institute, explains that the increase in both certified and accredited systems and reported data breaches has occurred because “the government has made progress in writing reports.” Paller goes on to state that the government has made, ”no progress in improving the security that matters – keeping the wrong people out.” Michael Smith (aka rybolov), manager in the Audit and Enterprise Risk Services organization of Deloitte & Touche LLP, writes in his posting titled, “Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive:”

GAO used exactly what was reported to OMB but came up with different conclusions. Some of that is to be expected, it’s the same doers v/s the auditors conflict that’s been going on since the beginning of time, but wow, there is a huge disparity here that we need to account for.

Rybolov goes on to offer one possible explanation for the disparity:

Now as far as the contradicting reports, let’s do a hasty analysis of the current political situation in DC, shall we? The Executive Branch is controlled by the Republicans (and has been for 7 years), the Legislative Branch is controlled by the Democrats (for only a year), and oh yeah, it’s an election year. You would expect the Congress-owned GAO to sing songs of woe and the President-controlled OMB to sing songs of praise.

Even if rybolov is correct, and there is an element of politics in government operations, the perceived risk has grown large enough that all sides see the wisdom of taking action. As the old expression goes, it has come time for the government to put up or shut up. The government has responded by “putting up” in terms of money. Jason Miller, from Washington Technology, reports in his article, “‘09 budget request has IT spending on the rise” that in the White House’s request, agency IT spending would be $70.9 billion, up from a 2008 request of $66.4 billion. That would be a 6.3 percent increase. Congress appropriated $68 billion for 2008, which makes for a 3.8 percent change when comparing actual to requested dollars. IT security is a major piece of the proposed spending increases for agencies. Information security requests have increased 73 percent since 2004. In the 2009 request, security account for 10.3 percent of the overall $71 billion funding.

How will the money be spent? There are no easy answers. Still, it is good that Senator Tom Coburn, Karen Evans, Gregory C. Wilshusen, and others are debating how the government should do its business, while agreeing the business of security must be done.

I do not normally do news summaries, but I was sent an interesting article concerning the Trusted Internet Connections (TIC) initiative. Curious, I started to pull up other news items and found that the Office of Management and Budget (OMB) has been very active lately. First there is the OMB memo from Clay Johnson III. If you have not heard the name before, he is reported to be one of President Bush’s closest friend. His job is not an easy one. He has been tasked with reforming the government in order to make it more effective and efficient. The bottom line is that his words, and memos, are to be taken very seriously. With folks in government, it is wise to read exactly what is stated. With that in mind, here is the complete memo:

M-08-05
MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES
FROM: Clay Johnson III
SUBJECT: Implementation of Trusted Internet Connections (TIC)

I am announcing the Trusted Internet Connections (TIC) initiative to optimize our individual network services into a common solution for the federal government. This common solution facilitates the reduction of our external connections, including our Internet points of presence, to a target of fifty.

Additionally, the role of the US-CERT will be enhanced to improve our response capabilities. Each agency will be required to develop a comprehensive plan of action and milestones (POA&M) with a target completion date of June 2008. Initial agency POA&Ms must be sent to the Department of Homeland Security’s (DHS’s) National Cyber Security Division (NCSD) by January 8, 2008, for review and agreement with OMB, DHS, and the agency.

To discuss this initiative further, we are planning a government-wide meeting on Friday, November 30, 2007. I have asked Karen Evans, Administrator of the Office of Electronic Government and Information Technology and Robert Jamison, Deputy Under Secretary for National Protection & Programs Directorate, DHS, to ensure adequate collaboration among the various interested parties such as the Chief Information Officers and Chief Acquisition Officers.

Karen will be sending out the details for the government-wide meeting, including the agenda, to your Chief Information Officers and I will be inviting the President’s Management Council to attend the meeting as well.

With the work completed to date in the Lines of Business (LOB) initiatives for Information Systems Security and IT Infrastructure, the General Services Administration (GSA) award of the NETWORX contract for telecommunications service, and your current initiative to implement the secure desktop configurations (i.e. Federal Desktop Core Configuration – FDCC), we are presented with a unique opportunity to optimize our network delivery capabilities. I ask for you to devote people from your agency to work on the development and implementation of TIC throughout the federal government.

Information assurance and cyber security are important priorities and a responsibility shared by all officials. If you have any questions, please contact Karen Evans at 202-395-1181.

The Federal Computing Weekly (FWC) site is reporting an interesting move on OMB’s part in an article titled, “OMB to Limit Number of Internet Connection for Agencies” by Jason Miller. Normally I do not copy complete articles, but this article has major implications, so please bear with me:

The Office of Management and Budget wants to reduce the number of Internet connections across government to 50 by June. Under a new Trusted Internet Connections initiative, which OMB will kick off with a government wide meeting Nov. 30, agencies will have to develop a plan of action and milestones by Jan. 8 on how they will reduce the number of Internet connections.

Clay Johnson, OMB’s deputy director for management, announced the new program Nov. 20 in a memo to agency leaders. He wrote that the Trusted Internet Connections initiative will “optimize our individual network services into a common solution for the federal government.”

Johnson said with the progress made under the Security Line of Business initiative, the General Services Administration’s award of the Networx telecommunications contract and the Federal Desktop Core Configuration
implementation project, agencies have a unique opportunity to improve their network delivery capabilities.

The memo also will require agencies to use the Homeland Security Department’s U.S. Computer Emergency Response Team Einstein program to improve their response capabilities. The White House requested an additional $115 million Nov. 6 to expand the Einstein program under the DHS fiscal 2007 appropriations bill.

“This is an essential step because the Federal Information Security Management Act-based defenses have failed to stop the attackers from getting inside agencies,” said Alan Paller, director of research at the SANS Institute. “Once they are inside, only very sophisticated monitoring can hope to find the infections.”

Warren Suss, president at Suss Consulting, said he is not sure if the new initiative is what agencies need right now. “OMB must be careful with the new initiative to avoid layering yet one more mandate on agencies who are working hard to address a very real security threat,” Suss said. “Centralization is not necessarily the answer because agencies have needs for redundancy for the Internet and can have unique requirements. To limit the number of Internet connections to a target of 50 could be an overreaction to the cybersecurity problem and it has potential to create more problems than it solves.”

He added that agencies have network design and architecture challenges that could be limited under this program.

Agencies already are trying to meet the June deadline to implement IPv6 on their networks’ backbone. OMB officials also have touted IPv6 has a way to improve agencies’ defenses against cyberattacks.

“Agencies at some point need to take responsibility for security and the management of their technology,” Suss said. “There are very serious threats out there and I don’t mean to minimize them, but forcing yet another constraint on the solution may do more harm than good.”

On November 13th, Exec. Order 13450 “Improving Government Program Performance” was passed. The order requires federal agency heads to set clear annual goals, devise specific plans for achieving those goals, and designate performance improvement officers (PIOs) to assess progress, use performance data in budget requests and set up Web sites that describe “the successes, shortfalls and challenges of each program” and efforts to improve them. The order directs agencies to appoint a PIO who will coordinate “sufficiently aggressive” goals and plans for programs. It also requires that PIOs be a member of the Senior Executive Service or equivalent service. It requires the creation of a Performance Improvement Council (PIC) to consist exclusively of the OMB Deputy Director for Management (Clay Johnson III), serving as Chair, and:

• such agency Performance Improvement Officers, as determined by the Chair; and
• such other full-time or permanent part-time employees of an agency, as determined by the Chair with the concurrence of the head of the agency concerned.

Robert D. Behn, a performance-management expert who teaches at Harvard’s Kennedy School of Government, points out “You never know from an executive order. They can do something or not do something. Who knows?” For additional analysis, Stephen Barr, columnist for the Washington Post wrote a very interesting article titled “From Bush, an Order for Agencies to Track Progress.”

Just to emphasize these numbers. The Bush administration is seeking $154 million in new cyber security spending as part of the the $436 million package to increase Homeland Security and Justice departments new cybersecurity and counterterrorism programs. Additional numbers from the President’s 2008 DHS budget is available off the OMB site, though the document lacks any real details. Jonah Czerwinski over on Homeland Security Watch filed the report, “New White House Cybersecurity Initiative Underway.” Homeland Security Watch is an interesting site featuring “breaking news, rigorous analysis, and informed commentary on the critical issues in homeland security today.” I have mentioned the site before in my posting, “Security Data Visualization” while discussing “The National Strategy for Homeland Security“.

The administration has also asked for $115 million to enhance DHS’ ability to deploy the Einstein program through the U.S. Computer Emergency Readiness Team. In case you are unaware of the Einstein program, Federal Computing Weekly provides a description:

Einstein monitors about 13 participating agencies’ network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting traffic information summaries at agency gateways, Einstein gives US-CERT analysts and participating agencies a big-picture view of bad activity on federal networks.

Alan Paller, Director of Research for the SANS Institute, is quoted as saying, “They know monitoring works and they want more monitoring. The money will be used to get out more monitoring more quickly and do more analysis of the data. That is useful and necessary because what they discovered is the federal perimeter is broken. One of few ways to find bad guys in [the] perimeter is a more intent analysis of traffic coming out of the computers.”

To put these numbers in perspective, the American Association for the Advancement of Science (AAAS) provides some interesting budget numbers. As of FY 2007, the overall federal investment in research and development (R&D) was nearly $137 billion. The funding levels actually appropriated to federal IT R&D is at $3.0 billion. That funding is controlled through multi-agency enterprise called the Networking and Information Technology Research and Development (NITRD) program, which is coordinated by the Interagency Working Group (IWG) on Information Technology Research and Development of the National Science and Technology Council (NSTC). NITRD is the successor of the High Performance Computing and Communications Program established in 1991. NITRD program would increase 0.4 percent in the President’s FY 2008 request.

NITRD agencies coordinate research in eight Program Component Areas (PCAs):

• High End Computing Infrastructure and Applications
• High End Computing Research and Development
• Human Computer Interaction and Information Management
• Large Scale Networking; Software Design and Productivity
• High Confidence Software and Systems
• Social, Economic, and Workforce Implications of IT
• Software Design and Productivity
• Cyber Security and Information Assurance.

The 2008 budget broken down by PCA is available off the NITRD site. The National Science Foundation (NSF) is the lead agency in NITRD. The NSF and the National Security Agency (NSA) are the only agencies that are looking at significant increases to their computing research efforts under the President’s 2008 plan.

Since the NSF is the lead agency, it is important to try and understand the agency’s vision for cyber security. In November 2003, the Computing Research Association (CRA) convened an invitation only workshop on the “Grand Challenges” in digital security the National Science Foundation should concentrate a decade of funding on. The results were four grand challenges:

• No further large scale epidemics
• Enable Trusted Systems for Important Societal Applications
• Develop Accurate Risk Analysis for Cybersecurity
• Secure the Ubiquitous Computing Environments of the Future

While 2003 might be ages ago in computing time, the four grand challenges are at work today. Back in September, Siobhan Gorman from the Baltimore Sun reported in the article “NSA to defend against hackers” that the NSA was going to “helping protect government and private communications networks from cyberattacks and infiltration by terrorists and hackers.” The article went on to state:

The plan calls for the NSA to work with the Department of Homeland Security and other federal agencies to monitor such networks to prevent unauthorized intrusion, according to those with knowledge of what is known internally as the “Cyber Initiative.” Details of the project are highly classified.

The NSA appears to be working towards “Secure the Ubiquitous Computing Environments of the Future” challenge in relation to the network. Concerning securing the systems, and the “Enable Trusted Systems for Important Societal Applications challenge,” OMB this week told agencies that use Microsoft Windows XP or Vista to begin using the government’s approved secure desktop configuration by February 2008. OMB hinted that the Windows operating system was only the beginning of a more extensive program. Once more, quoting Alan Paller, “Vendors who compete with Microsoft saw the White House announcement as a threat. OMB was not standardizing on Microsoft and said they would talk to others to ensure their products are secure, too.” Paller said that once NSA gives its blessing to a vendor’s product, it would make sense for non-Defense Department and intelligence agencies to follow NSA’s lead. Exec. Order 13450, appears to be moving towards addressing the challenge to “Develop Accurate Risk Analysis for Cybersecurity.”

Michael Posner from the GovernmentExecutive.com site in an article titled, “America already is in a cyber war, analyst says” states “currently there are 1,300 avenues in all federal agencies for possible cyber terrorists.” The Trusted Internet Connections initiative plans to reduce the number of “trusted” Internet connections to below 50 across government. The article quotes Andrew Palowitch, a former CIA official, during a talk to a Georgetown University’s Center for Peace and Security Studies, as saying that the United States is in the midst of an active cyber war and is now implementing still-secret security plans for protection. Palowitch might be referring to the “2006 National Military Strategy for Cyberspace Operations” classified document, which is reported to be the blueprint for the military defining both defensive and offensive measures. Maybe in that document I could finally find out what the “1,300 avenues in all federal agencies for possible cyber terrorists” and “reducing below 50 the trusted Internet connections” is suppose to mean.

To help us understand the reduction of trusted Internet connections, Karen Evans, OMB’s administrator for e-government and information technology, explains, “The reduction of access points to trusted Internet connections will improve our situational awareness and allow us to address potential threats in an expedited and efficient manner. While we optimize and improve our security, it is also our goal to minimize overall operating costs for services through economies of scale.” A follow up post in FWC by Jason Miller titled “OMB directs agencies to close off most Internet links” sites Roger Baker, former chief information officer at the Commerce Department who is now chief executive officer at Dataline, as pointing out that having a limited number of Internet connections will mean that agencies must become shared-service providers for field offices outside of headquarters, which will add an unwanted level of complexity. “It will be hard to agencies to agree on a standard security policy for connections,” Baker said. “What they need to do is set that security policy across government and then audit every organization to ensure they are abiding by it.” Baker added that the key to solving many federal IT security challenges will depend on how well agencies have architected their Internet connections. Several letters to FWC editor, to quote FWC, “warned about unintended consequences of OMB’s initiative. Both teleworkers (‘Closing Internet links will lead to more unauthorized telecommuting‘) and satellite offices (‘Closing Internet links will hurt satellite offices‘) would suffer, several readers said. Another suggested that the policy could hamstring some research and development efforts (‘Closing off Internet links will hurt R&D‘).”

In September, as part of an expanding mission to prepare for war in cyberspace, the US Air Force established a provisional Cyber Command. According to Major General Charles Ickes, it is expected that the provisional command will, within a year, create the the full Air Force Cyber Command with the mission to “train and equip forces to conduct sustained global operations in and through cyberspace, fully integrated with air and space operations.” Air Force officials report as many as 40,000 Air Force personnel are assigned to cyber-tasks. It is reported that those officials envision an emerging breed of warrior who fights with a computer and keyboard. Dr. Lani Kass, special assistant to Gen. T. Michael Moseley, Air Force chief of staff, told a recent seminar that this new breed of warrior is expected to be as formidable as soldiers with guns. She goes on to say, in relation to developing an offensive cyber capacity, that the Air Force needs “not a bunch of geeks, I want a bunch of trained killers who understand that non-kinetic does not mean non-lethal.” While she has a point, I cannot let that statement go without comment. I would recommend Dr. Lani Kass read Rob Goffee and Gareth Jones article titled, “Leading Clever People.” Better yet, read my posting discussing managing clever people titled, “Herding Cats.” It contains many good sources that can help the Air Force effectively manage the Cyber Command personnel. Otherwise, I fear the Air Force will always be reliant on purchasing, and not developing, solution from geeks who do not carry guns.

Possibly adding to political need for action is the US-China Economic and Security Review Commission, which was released last week. The report addressed the “scope of China’s military buildup and the extent to which it is aimed at defeating the U.S. in any conflict over Taiwan.” The report states, “China has developed capability to wage cyber-warfare and to destroy surveillance satellites overhead as part of its tactical, asymmetrical warfare arsenal.” Gen. James Cartwright, commander of the U.S. Strategic Command, told the commission, “I think that we should start to consider that regret factors associated with a cyber-attack could, in fact, be in the magnitude of a weapon of mass destruction.” The general was referring to the psychological after affects of disruption of services. China has denounced the charges and characterized the “wild accusations” as smacking of a bygone era. Wang Wenfeng from the ChinaDaily addresses the report in the article “Commission’s report full if inaccuracies.” On the heels of the report, the Times of London reported Jonathan Evans, the director-general of MI5, has sent out a confidential letter to 300 executives and security chiefs at banks, accountants and legal firms this week warning them that they were under attack from “Chinese state organisations.” Alan Paller called the MI5 warning “the most vibrant example of how the British are doing a better job of cybersecurity leadership. You cannot ask people to act unless they understand the problem. The British have consistently been willing to speak the truth.” In contrast, Paller said the United States has relied on a failed paperwork policy built around the Federal Information Security Management Act and “vapid guidance” from the National Institute of Standards and Technology. Bruce Schneir, a security consultant with BT Counterpane, said he found it significant that both Evans and Cartwright decided to identify China as a serious cyber threat. Despite reports of Chinese attacks this fall against government and military networks in the United States and U.K. as well as Australia, Germany and New Zealand, top leaders in those countries have not publicly identified China as the culprit until now. Chinese Foreign Ministry spokesman Qin Gang denied the report, saying China opposed computer hacking and that it was cooperating with British authorities. He also accused the British media of spreading inaccurate information. The Pittsburgh Tribune, in the article “Confronting Confucius“, points out that “the same day the commission’s study was published, another was released by two respected Wall Street companies. It showed in detail how half the venture funding for Chinese business and consumer services came from America, particularly seed capital for the critical information services and technology industries.”

Antivirus software company McAfee stated in its annual Virtual Criminology Report released at the end of November that 120 nations worldwide have started to develop cyberattack commands, with China well ahead of the others. Bob Brewin, of GovernmentExecutive.com, in his artcile “U.S., British officials target Chinese as source of cyberattacks” states the McAfee report also “fingers the Chinese government as the source of widespread cyberattacks. James Mulvenon, director of the Center for Intelligence Research and Analysis at the Defense Group Inc. in Washington, told McAfee that ‘the Chinese were the first to use cyberattacks for political and military goals….Whether it is as battlefield preparation or hacking networks used by the German chancellor, they are the first state actor to jump feet first into 21st century cyberwarfare technology. This is becoming a more serious and open problem.’” The report goes on to state that China is not along in its military exploitation of cyberspace. Peter Sommers, a computer security expert at the London School of Economics, said there are signs that intelligence agencies around the world are constantly probing government networks for signs of weakness, and countries he did not identify “are gearing themselves up to launch all-out online attacks.” The McAfee report predicted that over the next few years, governments will pursue “punitive action” against cyberattackers and “will … go after them, regardless of their location.”

Rightly or wrongly, the mood in Washington appears to be to do something. No matter what the motive, efforts to implement some form of the four grand challenges in trustworthy computing on a national level may be under way. This would result in some major changes in how government agencies do business. Personally, I look forward to additional details and explanations on the Trusted Internet Connections initiative. In the end, I have to agree with Robert Behn, when he said, “They can do something or not do something. Who knows?“