White House to Announce Cyber Czar This Week; Three Recommendations for this Person
It seems that the long wait may finally be over. It was announced today that the Obama administration will be naming the “cyber czar” later this week. As you all know, this person will serve as a senior White House official who will have broad authority to develop strategy to protect the nation’s government-run and private computer networks. This is certainly a step in the right direction — although they took a while to get some movement on this announcement.
Since we cover cyber security on an ongoing basis, and have received some very thoughtful comments from our readers, we would like to tap into this collective knowledge and come up with three recommendations to help strengthen our nation’s cyber security efforts. As such, we would like to hear from you! Please post in the comments section your top three recommendations for the new “cyber czar,” and we will pull these together into an official letter for this person.
We welcome any and all ideas. Surely, this person could benefit from the collective wisdom of our readers, and as many of us agree, there is only room for improvement when it comes to national cyber security.

From Linked-In:
Well I’m really new at this, but I used to install residential cable, phone and internet at one of our largest local cable providers where I live. One thing I’ve always wondered is: Why is no one watching the hard line? Hackers are really inventive people, and it would not be hard to place a listening device near a node and just let it sit there. I would also ask them for more strict regulations on where you can print a MAC address. We used to see all the modem’s necessary information on the outside of the box. Anyone who worked there could write it down after the install, go home, and then hack that modem with the right tools. More surveillance of hacker forums. Socially intrude on those sites to gather information and make contacts in order to get a heads up on where they are thinking, what new tools they’re using, etc. But I could be completely wrong, and I’m just basing my response on what I saw in the field. Guys used to hack stuff all the time. I know that you can secure servers and whatnot, but once it’s on the hard line it’s free game. I could go on, but I’ll stop here.
Thanks for making such a great forum!
Three Recommendations:
1. My best advice to whomever takes this job: get control or at the least very significant control over the various departments’ and agencies’ budgets and policies. Otherwise, you will have little effect on cyber security. Government leaders, especially POTUS’, have a tendency to want to appoint czars or White House “councils” but fail to give them any actual ability to affect policy. Money is everything in DC. If you can’t control the budgets, or at least influence them, you can advocate all of the policies you want and the heads of the departments and agencies can ignore you unless or until the President instructs them to take specific action.
2. So assuming you do take this job (and you either ignore or indeed do get that budgetary influence) the next step is to go to (and I mean literally “go to”) the private sector – Verizon, Qwest, Bell, Comcast, et al – those who have the infrastructure, wires, fiber and networks – and get their input. Listen to them. Don’t just have a meeting. Really listen. Keep your mouth shut for the first few meetings and do nothing but listen. Then go back to your office and internalize what they said. Analyze what they said. Determine what you can do to help them where they want help; and, figure out what you can do where they don’t want help but need it. Please don’t have these meetings in DC and please don’t have some photo-op and bring the media in. Go outside the Beltway, close the doors, and listen.
3. Go to every department and agency that has cyber security responsibility and repeat all of the above.
3.1 (I’m limited to three so here’s a good government way around that limitation). Find and recruit some reformed hackers and put them on your staff.
3.2 Once you understand what needs to be done, start building your coalitions – your Boss (POTUS), the Hill, the private sector. And then lower your expectations! But keep moving forward.
Good luck.
I used to think that government oversight was the answer, not so much anymore. Before assigning a Czar (failed concept by the way) identify the problem(s) and bucket them: policy, laws/regulations, or lack of communication. I dare say that a CEO of a private company would not allow for every group in his/her company to do their own thing, which seems to be what is allowed in the taxpayers’ company. The company would fail. Probably there are a lot of things wrong; let’s at least know what we are fixing before we fix it.
There are three items the cyber coordinator should focus on:
1. Focus on market incentives. There should not only be incentives for protecting customer data (we’ve beat that dead horse long enough), but also incentives for software manufacturers to end their long-standing practice of unrestrained vulnerability dumping onto downstream market participants. Incentivize the creation of secure software through a software assurance labeling regime similar to other labeling regimes such as auto-safety, fuel-efficiency, energy-efficiency, etc. If the market cannot “see” security, the market cannot effectively price or supply security.
2. Make cyber security a public safety issue. Cyber security should be less a law-and-order problem and more a public safety issue. It is tempting and comforting to think that law enforcement (or even the military) can address malicious behavior on the Internet. It can to a degree, but not nearly to the level sufficient enough to disincentivize cyber criminals on a broad scale. Software “runs” our lives. As such, software must be suitable to the task and not endanger citizens through insufficient security design and implementation. A public-safety perspective allows us to focus on incentivizing the few thousand software executives we know by name to make better software rather than on disincentivizing the untold numbers of anonymous attackers located around the globe.
3. Be wary of unintended consequences. As bad as our national cybersecurity might be to date, it can actually get a lot worse if we are not careful. The Payment Card Industry (PCI) standard is but one example of worsening cybersecurity. Prescriptive mandates such as these create an incentive to “race to the bottom” where organizations seek the quickest, least expensive method of becoming compliant. Compliance does not equal security. In other words, prescriptive mandates create the unintended consequences of actually worsening security by nature of the incentive to cut corners and costs. Prescriptive mandates do not allow the market to aspire to higher security, only burden it further with complexity and expense. The new cyber coordinator should focus on results and desired outcomes rather than on specific controls, rules, or mandates which are all lagging indicators of risk. Focus on results and outcomes and let the market figure out the best way to achieve them.
First I’d like to say that there are some REALLY good recommendations above. As I now have the opportunity to add to them (vice repeat them) I’ll relay some additional thoughts/recommendations.
1. Start with the following paradigm: There is NO such thing as complete Cyber Security! What I mean here is that you can’t just slap on some security, or even bake it in from the beginning and be secure forever. This is an arms race. No, it’s an arms race in the wild wild west. Not only are our adversaries getting very good, very quickly, they are doing so relatively unfettered by international law, attribution, or proactive methodologies. So, no matter how secure you are today, you’re likely to be very vulnerable tomorrow.
2. Employ a concept known to some as Mission Assured Networking, whereby we must identify, track, and secure the heck out of our nation’s trade secrets as well as our sensitive and critical information (data), the information systems upon which the data resides, and the infrastructure necessary to support those systems. This will likely require Cyber Security public safety standards akin to those previously mentioned. It also requires the ability to determine how the information/data mentioned above enters into the Cyberspace Domain, how it’s processed within the domain, as well as what business/mission processes it is directly supporting and how it supports them. Thus the “Mission” part of Mission Assured Networking. Once you can track your sensitive/critical information and trade secrets, you can learn an awful lot about how your networks are put together in the physical, logical, and social (mission) domains. These domains must then be combined in a layered fashion to provide true situational awareness of our own Cyber infrastructure and personnel as well as the adversary’s actions both on and off our networks.
3. Work within the first paradigm (no such thing as complete Cyber Security) to develop mechanisms for securing, and proactively updating the security for, the nation’s critical infrastructure. This, by the way, may very well require completely new architectures costing Billions of dollars. Yep, that’s “Billions” with a B! The reality, however, is that this initial spend will very likely provide a return on the taxpayer investment 10 fold greater than working to improve the antiquated, obsolete infrastructure in place today. It will also likely cost far less in the long run. The proactive part comes in relative to the Observe Orient Decide and Act (OODA) loop of the adversary. Specifically, if we know that a given defensive mechanism takes x hours to circumvent, then we must require proactive defensive changes to these mechanisms at the rate of x-1 hours (or some approximation) for our critical infrastructure.
Take passwords for example. Once upon a time, a five (5) letter password would keep your data safe from password crackers for years. Now a similar password can be cracked in seconds. However, 15 character passwords using letters, numbers, and special characters take much longer to crack. BUT, they can still be cracked sooner or later. So, we must refresh these passwords in a shorter time than they can be cracked for critical systems. Another example would be the time it takes an experienced hacker to gain root-level access to a system. If this is a known value, then why not use a virtual OS which is refreshed (read: throw it out and start with a new one) within the amount of time it takes the attacker to gain access? There are many more methodologies/examples we could discuss, but I don’t think anyone is interested in the minutiae at this level.
Personally, I’m pulling for Melissa Hathaway. She’s tough enough to get the job done!