[Infowarrior] - Jeff Moss on cybersecurity, government's role
Richard Forno
rforno at infowarrior.org
Sat Oct 17 15:05:52 UTC 2009
Q&A: Defcon's Jeff Moss on cybersecurity, government's role
by Elinor Mills
http://news.cnet.com/8301-27080_3-10376447-245.html
As a hacker and organizer of Defcon, an event at which computer
security vulnerabilities and exploits are routinely unveiled, Jeff
Moss seemed an unusual choice when he was named to the Homeland
Security Advisory Council in June.
But his background and lack of government experience bring a fresh,
outsider's perspective to a public sector plagued by a fast-changing
threat landscape, perpetual turf wars, and bureaucratic inertia.
With National Cyber Security Awareness Month under way, CNET News
discussed with Moss his new role, his thoughts on the national ID card
debate, and how the government wants to use social media sites for
public emergency alerts. This edited interview is the first of two
parts. Part two will run on Monday.
Q: So, how's it going on the Homeland Security Advisory Council?
Moss: It's going pretty well, it's pretty exciting actually. Recently
we did a recommendation, I'm sure you read about it, the homeland
security color codes. There are the five color codes. Normally the
country is on like yellow or orange. I think we've only been to red
once. But we've never been to the two lowest, blue and green. So the
system was up for review. It turns out that the color codes work
really well for industry and government. They have procedures in
place. They do things automatically when the color codes are changed.
It is actually successful for them but for the third group that uses
them, civilians, it actually doesn't work well at all.
Right. We don't understand it. We're like, what does it mean? Is it
real?
Moss: How does it give us any actionable information? How should we
change our behavior based on it? That's what came out of the report
was that it's very hard for civilians to do anything with it and it
causes confusion, and it's the No. 1 source of ridicule. The system
needs to stay because it's valuable for the other two groups, but it
needs to change was the conclusion of the report. So they had a couple
of recommendations and one was to just get rid of the two lowest
colors because honestly we've never been at them; make the new normal
orange. Three levels is probably more realistic than having five. The
U.K. doesn't have five either, I think they have three.
The other big thing was if something is happening in New York, you
don't need to raise it for the whole country, so make them more
applicable for a geographic location. Localize it more. And then some
other recommendations I thought were reasonable were make it a default
where the level is automatically lowered if nothing affirmative
happens. So the onus is on the officials to constantly justify why it
needs to stay at a higher level. They had some other really
commonsensical recommendations. You should tell people without revealing any
sensitive security information or sources why did it get raised? Why
did it get lowered? Is the threat over or is this an ongoing threat
that we just now think is less important?
They want to make it all much more transparent to the public. So if they
say we intercepted these people trying to board a plane with these
liquids so we're going to go to a higher level around
airports...something like that, instead of a blanket generalization
that's applied to the whole country without explaining when the threat
goes away or is mitigated. I know some members of Congress agreed with
the report and it was generally really well received. Now the Advisory
Council, we all unanimously agreed with it, and now it's off to the
secretary (of Homeland Security). I was expecting a lot more
bureaucrat-ese but that report I couldn't find anything to nitpick
with because it makes a lot of sense.
Two (reports) before that we were dealing with the Real ID versus Pass
ID debate. (The Bush administration was) trying to create basically a
national identity card and when that didn't happen they created this
Real ID standard that would cause all the states to have standardized
features on their driver's licenses. That's different from an enhanced
driver's license which is used in place of your passport when crossing
into Canada or Mexico.
You need biometrics (and to) verify the information through two other
approved sources. It's an attempt by the feds to make sure
information getting into the DMVs is actually valid and there's a
paper trail there and the information from one state can be easily
shared with another state. It seemed fairly reasonable. But then you
started looking at some of the provisions and it turns into another
one of these giant unfunded mandates from the feds. A lot of the civil
libertarians got up in arms over it and I'm not really pleased either.
States started to rebel.
The DHS was saying if you don't have one of these driver's licenses
that is approved you're not going to be able to fly. So these
governors got together and came up with an alternative plan called
Pass ID. It removed it from being a state unfunded mandate, reduced
the database requirements, reduced some of the ID requirements, made
it much more feasible and reasonable, phased in on not such an
immediate time table, didn't seem to have Big Brother issues. DHS is
not going to want to go to war with these states. I think there's a
realization you have to come to some compromise and Pass ID seems like
a good compromise, but now you've got to convince Congress.
Have you done much with cybersecurity?
Moss: It is cybersecurity month, you know. One thing I wanted to point
out, there's this realization that they want to enhance the alerting
system and embrace the Web 2.0 technologies. It goes back to this
theme I keep hearing from people there that they need to fully engage
in the cyber area with distributing information. They want to be more
transparent and they want to communicate information faster to broader
audiences in different ways. The hangup seems to be, what are the best
ways to do it? Let's say there's another (Hurricane) Katrina, a huge
weather alert or a terrorist attack and you want to get the
information out to everybody. Right now the only way to do that is to
activate the whole emergency broadcast system or the emergency action
system and have everybody's radio tell you, which they didn't even use
during the World Trade Center attacks.
Why not?
Moss: I don't know. I was so frustrated. I have one of those emergency
weather radios because we get a lot of storms (in Seattle) and my
radio is constantly going off telling me about specific storms. It
doesn't go off when there's a terrorist attacking my country. I just
turned it off and threw it away. It's useless. So what if you could
have a feed coming from DHS and other government agencies, say, to
Twitter or Facebook or MySpace or whatever? And you subscribe to that
channel or that feed, end users would know it's still the official
word, it hasn't been modified or changed. There has to be some
official ways of distributing this alert information in many different
ways.
Cell phones have this broadcast mode where it's possible for a cell
tower to send a broadcast message out to everyone on the cell tower.
They're wondering is there a way you could use these broadcast
features to send out localized announcements? A university saying
there's a school shooter on campus everybody leave. How do you
communicate security sensitive information in a localized way? I think
the technology group at DHS is spending a lot of time thinking about
that. It was nice to see an acknowledgment in the report that we need
to engage in social media or other media forms to communicate more
than just on television or when someone gets up at the White House and
makes an announcement.
Now we're into Cyber Security Awareness Month and DHS got authority to
hire up to 1,000 employees in the next three years in the
cybersecurity area, everybody from analysts to secretaries to reverse
engineers and network architects. I'm sure you saw the articles about
are there even 1,000 skilled people available.
What's your take on all that?
Moss: I don't think there are. It's great when agencies and groups
come up with these really grand statements, that's what you're
shooting for. You'd love to have 100 of the best, but Cyber Command
wants 100 of the best and Air Force 10th Wing wants 100 of the best
(and Microsoft and IBM want 100 of the best). At some point there's
just not enough people left. But they say when you work for government
you're not really working for the money. People tend to do it for
different reasons. You either do it because you're patriotic or you do
it because you get to play with some really cool stuff that wouldn't
ever be possible in the civilian world. And I think they're trying to
address the third thing, which is pay.
The 60-day review released earlier this year concluded that the
government is not prepared to respond adequately in the event of a
cyberattack. Is it just a matter of having enough staff and having
more trained staff?
Moss: Well it's that and a lot of it is bureaucratic fiefdoms. Who's
in charge of what? Cyber attacks just have never happened. That's why
everyone paid so much attention to Estonia when they were being
attacked. What's the best way to organize yourself to respond to one
of these things? And nobody really knows, I don't think, what agency
calls what other agency and who responds in what order. They've been
gaming it for a while, but until it actually happens a few times I
think it's all new. I've recently heard that there was the competition
sort of between not so much DHS, it was Air Force and NSA over the
Cyber Command and NSA won that so that big cyber turf war is over and
dying down. Now the energy is being put into actually building that
command and figuring it out.
Sort of the same thing is going on with DHS. Who is actually going to
be in charge of defending domestic government space? And they referred
to it as the "Defend .gov Initiative." Who defends .gov? It's going to
be the DHS and how do they do that and what does it mean? Because DHS,
if they have this mission but they don't have the budget for it, can
they really go to the Department of Agriculture, for example, and
order them to change their systems but not really give them the
resources or the budget to do it? It's not clear how much one agency
will be able to go and dictate to another agency because everybody is
just fantastically protective of their fiefdoms.
It does seem like there has been some turf war, some struggle for the
cyber security position or role.
Moss: And there are some competing ideas. The current idea is you have
these, in DHS lingo it's called TICs, Trusted Internet Connections.
It's sort of what the military did...where let's say you were on a
military base somewhere and you wanted to go search Google, your
connection would leave the military network and go off to the civilian
network. And there were hundreds and hundreds of thousands of these
connection points between the two networks and the DOD (Department of
Defense) realized there were just too many to watch and they needed to
have a plan to reduce the number between the two networks. So they
have this multiyear strategy to reduce the number, and I don't know
what the end number is.
DHS is trying to do the same thing with the initiative to have more
traffic pass through these TICs that can then be monitored and you can
get an idea of what is going on. That spurred another debate which is,
on one hand now your eggs are in fewer baskets and you can monitor your
eggs and look for trends and do more intrusion detection but because
your eggs are in fewer baskets there are fewer baskets to attack. There
are fewer connection points to have to DOS (denial of service). I'm
not in that camp. I like the idea of having fewer connections to
monitor because the counter to having fewer things to attack is well
you buy more bandwidth. Have you heard of this Einstein system?
No.
Moss: It's the civilian government's defense. It's like their IDS
(intrusion detection system). So there's a technology road map. If you
go to a government system or leave a government system you would pass
through this Einstein system and so the idea is once you have
everything in these TICs you can start to analyze flows and look for
interesting patterns.
Can you talk a little bit about the leadership of the cybersecurity
effort. When are we going to have a new cybersecurity czar? Who might
it be? Seems like there's been a revolving door as far as the
directorships. What's going on?
Moss: Yeah. Without naming names nobody knows. And every time you have
a conversation with a different agency everybody says, well what have
you heard? What rumors have you heard? The rumor was always that in
two weeks there would be an announcement and I've heard that for the
last four or five months. And there are two theories. One I've heard
is it's just really hard now. A lot of people who were potentially
under consideration have taken themselves out or they're really hard
to vet and they keep having issues because of all the scrutiny the
czars have been getting.
And the other one (theory) is that the longer you go without a czar
the more they realize that maybe they don't need one, that what they
envisioned a czar doing, the role, is changing. Maybe now this
person is more important on a strategy level and a coordination level
and maybe this person isn't going to lay down the blueprint for what
technology to buy or what strategy to impose. I like that because I
really think it needs to be a coordinator position. They need to work
the intelligence, the military and civilians. And they need to have
good visibility with the president and the national security staff.
So it's probably more important to get the right person and explain
the position so they don't end up with one of these "all the
responsibilities and none of the authority" situations, which is what
it sounded like, (a) multiple reporting structure with little budget
and little staff and no real authority. That didn't sound like a
recipe for success.
That being said, DHS has had some turnover. Melissa Hathaway left (and
Rod Beckstrom resigned). I don't know if it's the course of normal
turnover or if it's frustration at the pace at which things are
happening or resistance to change. Rod wanted to make some changes,
everybody wanted to make some changes, and they're used to having an
impact and I think things were moving very slowly. The president
started out with a strong cybersecurity speech and then things started
to slow down. Then there was the big battle over what is the DHS going
to do? What is NSA going to do? It turned into a lot of politics.
That's from an outsider perspective.
All the people I've met at that level, (, director of the National
Cybersecurity Center at DHS, and Rand Beers, (under secretary for the
National Protection and Programs Directorate at DHS) are very
impressive. I just don't know really what's underneath the surface.
But those guys seem really on the ball. They're saying reasonable
things. They don't have crazy inflated egos or trying to throw their
weight around. So it's different from what I expected or the way it
was portrayed. It makes you want to get involved more or participate
more. It's actually been really refreshing for me.
That's good to hear. So are we set as far as the domestic
cybersecurity initiative and role and czar reporting to the White
House and not being under the auspices of the NSA?
Moss: I don't know. When you talk about what's the role of NSA with
DHS for helping protect .gov, the way you hear people talking about it
is, NSA has all this experience and they have a different structure
when it comes to compensation so they can just woo everybody because
they have much more authority for hiring. Historically, they had to
hire academics and engineers and people with specialized skills used
to higher salaries. So their hiring structure is built up around that
so it's easier for them to lure computer and software guys than say it
is (for) DHS. They generally usually win in the recruiting battles.
They've got a lot of talent over there and DHS needs some of that
talent and they need some of that expertise. So there's some sort of
working arrangement being sorted out where until DHS can get their own
talent pool sorted out, NSA will send people over. I have a feeling
it's going to be something like an internal government loaner program.
You have a unique perspective. Your background is very different from
the others on the council. Has your background as a hacker helped you
in your role advising the government and helping them think about
things from a different perspective? Is there a different perspective?
Moss: Yeah, there definitely is a different perspective but it's not
very visible yet, I don't think. We haven't had enough meetings, we
haven't had enough issues come up that are directly cyber related so I
haven't gotten a chance to really shine yet just because there are a
million ongoing things. Cyber is just one aspect. The big piece that's
missing is what are the states doing? I don't hear a lot of statewide
initiatives for cybersecurity--there are only a couple of states that
are trying to be proactive about this and I can't remember them all.
One is New York because they have to be with all the financial
networks. Washington state. Louisiana, of all places. And I can't
remember the fourth. All the attention seems to be on the federal side
but at some point the states are going to have to get involved.