[Infowarrior] - Interview with DHS cybersecurity chief

Richard Forno rforno at infowarrior.org
Sat Apr 26 00:19:53 UTC 2008


Original URL: http://www.theregister.co.uk/2008/04/25/greg_garcia_interview/
Securing cyberspace against war, terror and red tape
By Dan Goodin in San Francisco
Published Friday 25th April 2008 12:02 GMT

Interview: In September 2006, the US Secretary of Homeland Security appointed
Greg Garcia assistant secretary for cybersecurity and telecommunications.
With oversight for the National Cyber Security Division, the Office of
Emergency Communications and the National Communications System, he is the
federal government's point man for securing the nation's internet and
telecommunications systems against attacks from terrorists or countries
that may target the US.

The Register sat down with him during the RSA security conference and a
couple of things quickly became clear: One, he'd much prefer to see free
market forces secure cyberspace than rely on the long arm of the government;
and two, like the president he serves, he believes the execution of his
duties is pretty much flawless.

El Reg: It's been about 18 months since you've been on the job. That's a
nice number for report cards, or to check in and see how you're doing. In
your judgment, what are your biggest accomplishments and what's the biggest
failure or thing that you would have liked to accomplish that you haven't?

I think the biggest accomplishments so far are just the level of visibility
that cyber security has taken on, not just in the DHS but across the
government. I think the cyber initiative is the evidence of that. Leading up
to that we had a number of very compelling accomplishments, the biggest of
which was in May of last year we released the 17 sector specific plans
(http://www.dhs.gov/xprevprot/programs/gc_1179866197607.shtm) as part of the
national infrastructure protection plan.

This is where each of the critical sectors got together with their agency
counterparts in the federal government, sat down side by side, two pens and
a piece of paper and mapped out what commitments we are going to make
collectively to do the national vulnerability assessment that's necessary
across our networks and take the steps to mitigate them. That was a true
illustration of the partnership model at work and that it's working. There
were trust relationships built around that.

I think over the past 18 months I would look back and say the level of
engagement of this partnership between the private sector and the public
sector is I think a tremendous accomplishment.

Is there anything that you were hoping you would have accomplished by now
that has not happened?

I think this is an evolutionary process. My only regret is that this
administration is coming to a close and that the national strategy that we
need to pursue is one that's going to take years to really mature to
where it needs to be, and as I'm a political I don't expect I'm going to be
around much into the next administration. But I'm looking to our private
sector partners and career civil servants across the government and in DHS
to keep that going.

There is growing evidence that [China is] actively engaged not only in
attacking infrastructure belonging to private companies but also
infrastructure that belongs to the federal government. I believe that Oak
Ridge [National] Labs
(http://www.channelregister.co.uk/2007/12/07/national_labs_breached/) is one
possibility. Do you believe that there are attacks coming from China that
are state sponsored?

There are attacks coming from everywhere as you know, and there are botnet
attacks that you can see coming from a country but that doesn't mean that's
where the actual attacker is seated and that botnet computer could be
hijacked from a completely different country.

That said, there are some things we don't talk about in this forum about
nation states or otherwise, but from a DHS perspective what we're
particularly interested in is how do we protect our systems from those
attacks no matter where they're coming from. Because yes, they could come
from nation states, they could come from hacker groups, they could come from
hacktivists with political motives, they could come from organized cyber
crime groups from different countries. So my objective is to ensure we've
got the protective systems in place and the technology in place and the
coordinated response to attacks.

If DHS were to learn that a particular attack was state-sponsored by the
Chinese government, you knew for certain, would it be considered an act of
war and responded to accordingly?

That's a good question and we are now in a cyber age where our traditional
thinking about acts of war are changed. This is something that we are
thinking about across the federal government in terms of more strategic
thinking about how to deal with that question, because it's a very complex
one and it's one that engages numerous players from the State Department to
the Defense Department to many others across the federal government. This is
part of our national strategy how we deal with that question.

You mentioned the important thing being protecting ourselves against an
attack wherever it may come from and whoever may be behind it. Are offensive
cyber attacks, sort of counter DDoSes, counter unleashing of malware - are
those things included in the way DHS should go about protecting the country?

Our mission is protective, so we're protecting the homeland, we're
protecting our networks. You've seen articles recently where the Air Force
cyber command is talking about stepping up its offensive capabilities. DOD
is really the most active in that area, but DHS we're protective.

If you see a botnet attacking important infrastructure, is taking that
botnet out or attacking it one way of protecting ourselves?

There are some things we don't want to talk about in open forums, but we do
partner with various agencies across the government who have different
equities in cyber security, different activities in cyber security and we
work together to help each other, particularly making sure that DHS knows
what's coming into federal networks so we can take protective actions.

There's been some discussion about how to deal with radical jihadi groups
that are online and websites that perhaps are spreading jihadi propaganda.
One idea is shut them down and another idea is don't shut them down [but
rather] study them, monitor them. Shutting them down only drives them
underground and then you don't know what the enemy is thinking or doing.
Where do you stand on that?

DHS's mission is about protecting our networks. We're not engaged in
shutting down other networks. That's the purview of other agencies.

Does DHS consider the monitoring of groups like that part of its purview, in
gathering intelligence and knowing if people are thinking about attacking or
doing other things like that?

DHS is not an intelligence gatherer, so the effort that we have in the cyber
initiative is helping federal agencies monitor what's going in and out of
their own networks. We're not monitoring or gathering intelligence.

There has been a lot of evidence that attacks on national labs are using
very sophisticated spear phishing. Is this something that's within DHS's
purview to try to prevent, and if so what exactly are you doing?

The US CERT is the focal point for the information sharing about attacks.
Last year US CERT received 37,000 incident reports, which is about a 55 per
cent increase over FY 07, and most of those were phishing attacks just as you
described. So it's our ability to receive that information, watch what's
happening across federal networks using our Einstein intrusion detection
capabilities and correlating, seeing what the patterns are.

As to that collection of anomalous traffic across networks, we're able
to push the information back out to our federal agencies, to our
state governments and to our private sector saying this is what we're
seeing. Most recently, last fall, we were able to communicate through
notices to our partners a variety of IP addresses that they need to be
watching out for that kind of attack. This is the primary role of the US
CERT, which is to both receive information from all sources about what's
happening on our networks, analyze it, synthesize it, correlate it, and then
push it back out again in actionable formats that people can actually take
action on and say, OK got it, I'm going to plug this port and apply this patch.
That's our value add.

It was just this week that a research firm from Atlanta came out with
research about a botnet they call Kraken
(http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/); evidently
it goes under other names such as Bobax
(http://www.theregister.co.uk/2008/04/09/kraken_disagreement/). It's a
massive botnet, and it's living in many cases inside of Fortune 500
companies and presumably other places it shouldn't be. If Fortune 500
companies aren't taking steps to prevent this kind of thing, what evidence
do we have that we're really on the right track when it comes to preventing
attacks against important infrastructure?

Good question. I think a lot of companies are taking the right steps and a
lot of companies are not taking the right steps and part of my role is to
communicate the business proposition to these companies as to why they need
to take steps to protect against threats that they're not actually seeing.
And that's the challenge from a lot of the companies - they feel they need
to actually see the threat but sometimes they don't know that they're being
infiltrated.

This conference is evidence - there are what, 17,000 people here - that there
is an increasing awareness. So even though there are a lot of companies that
are responsible and doing the right thing, our networks really are only as
strong as the weakest link, and because we are so interconnected, if there
are companies that are not doing what they need to do to protect their
networks, that in turn may be jeopardizing the security of companies that
very well may be doing the right thing, and the federal government as well.

So do you use a carrot, or at some point do you use a stick?

I think it's really a combination, but a stick model, if you mean
regulatory, I would be concerned that we could, through a regulatory model,
not keep up with evolving technology, we could not keep up with evolving
threats, and that what instead we need to do is to push the marketplace to
provide market-based incentives for companies, so that in order for me as one
company to do business with you as another company, I need to be convinced
that you're doing the right thing with your networks.

If you're going to connect to me I don't want to catch your virus. I as your
customer have to demand this of you as my vendor or my service provider.
That's the model we're trying to push. The stick has to be coming from the
marketplace to the marketplace, not from the government to the
marketplace.

Do you think that some sort of digital Pearl Harbor is possible in the next
decade and if so, how likely do you think it is?

Our networks are so distributed and resilient and redundant that a massive
attack that would bring down the internet - I don't think that's possible. I
direct your attention to a report from the Business Roundtable last fall.
What they said was: We have to envision a situation where you could have
multiple coordinated attacks against different pockets of the internet
infrastructure such that it degrades confidence in the internet as our mode
of doing business.

If we lose confidence in that and we cease to want to use it, or we cease to
be able to use it, then our business continuity is at stake. So we as CEOs
have a responsibility to ensure we have business continuity. That's what
cyber security is about.

It's about the operations of my business and I as CEO have a responsibility
to my shareholders and to my board of directors to ensure that I'm paying
attention to this and am taking protective measures and investing in the
technology, investing in the people, investing in the best practices and
policies to make sure we're doing the right thing.

Talk to me a little bit about your own experience with security. Have you
ever been a victim of, or worked for the defense of, a network that was
under attack?

I as a home user do everything I am supposed to do. I keep my anti-virus up
to date and keep my firewall turned on. I have seen in the past spyware
infect my personal computer, just as everybody has. My role at DHS is to
co-ordinate all of those efforts from the operational side of my US CERT to
the preparedness side of building the culture of securing across the
country. I've not been a hacker. There are those who know how to do it, but
I'm more interested in national policy and national strategy.

Over the last year there have been dozens of reports of flash drives, hard
drives, iPods, all kinds of different devices you can buy at Best Buy or
wherever else, with spyware loaded on to them. Do you worry that it's also
possible to put on a much more nefarious software that has implications for
homeland security?

Absolutely. We are acutely aware of potential vulnerabilities across the
global supply chain. We live in a global manufacturing environment and that
is the natural order of a global business. But with that comes risks that
anywhere along the supply chain we could see vulnerabilities in products
that are manufactured abroad, whether it's hardware or software. This is
something we have put more resources into at DHS, and that is working with
the private sector to consider how we can get a handle on the global supply
chain.

Thanks very much.

Good talking with you.