Ron Ross is a senior computer scientist and information security researcher at the National Institute of Standards and Technology (NIST) -- an organization that plays a key role in federal cybersecurity strategy. By staying ahead of cyberthreats and knowing their unique vulnerabilities, however, both the federal government and private organizations can take vital steps to protect online information, Ross said.
In this four-part SearchCompliance webcast, Ross joins Theresa M. Grafenstine, inspector general of the U.S. House of Representatives, to explain how cybersecurity controls can help protect data in both the public and private sector. Here in part two (as in part one) they discuss federal cybersecurity strategy and how organizations and individuals can address cyberthreats.
Theresa Grafenstine: Can you give us sort of an overview of what the federal cybersecurity strategy is?
Ron Ross: If you listen and read the newspapers and you look at all the headlines, you might think that the federal cybersecurity strategy is all about continuous monitoring. Certainly, over the last four or five years, we have reengineered all of our NIST standards and guidelines to be what I call more "real time" so we can continuously monitor the infrastructure and have a better understanding of what our situational awareness is with regard to cybersecurity. That's really an important part of our long-term cybersecurity strategy.
In addition to the ability to monitor on an ongoing basis, there's a front part of the strategy that doesn't get a lot of headlines but is very, very critical and important to our long-term success. I call that the "build it right" part of the strategy. If you look at the Defense Science Board report that came out earlier this year, they talk about different types of threats that we're up against today. There are known vulnerabilities that we have to deal with every day. That's the good housekeeping things we do to make sure we address those known vulnerabilities.
But there are also what we call zero-day exploits, where the adversaries find unknown vulnerabilities and exploit them. Then there's a third class of threats that even goes beyond the unknown vulnerabilities or the zero-days, and that's where the adversary actually creates vulnerabilities within your infrastructure so that they then exploit them in the future.
The "build-it-right" part addresses those things in the zero-day attacks and also those advanced types of threats. We want to make our systems more resilient, which means building stronger components and better engineering techniques as we put those components together. We really increase the strength of mechanisms in the underlying IT infrastructure so we can actually repel these cyberattacks. When attacks do get through, we want to have the ability to absorb that attack, confine that attack to a certain place in the system, then deal with it in a more localized manner instead of having the entire system go down to that one exploit.
Grafenstine: I've heard you talk in the past about the integrated project-team concept. Can you talk a little bit about that?
Ross: I've had a lot of opportunities to tour almost every part of our federal government. I've made many trips to NASA [the National Aeronautics and Space Administration]. I observed that the folks at NASA have been building complex systems for probably five decades now. They understand how to build complex systems, and they do a really, really good job at doing that.
The way they do it is something called the integrated project team. If you remember the pre-launch phase of any of the shuttle missions, or even going back to the Apollo, Gemini or Mercury missions, they have a point in the launch where there's a big table of people, with all the stakeholders around the table. They go around to every stakeholder and they get a thumbs up or a thumbs down. When they have all thumbs up that's when the launch happens. Everybody has a stake in the launch, and everybody has a seat at the table.
If we're going to be successful long term in the cybersecurity realm, we have to give our cybersecurity folks a seat at the table. All of our security work can't be done in isolation. In other words, most of our security folks now are sitting in a separate office down the hall. We've got to bring them into the integrated project team. This means putting them, embedding them, in other organizational activities like enterprise architecture or the system development lifecycle process, or having them work with the acquisition folks or the systems engineering team.
These are all processes that have been well defined for many, many years. We need to get those security folks into that discussion so we can understand the dialog, the language, of those other traditional processes, and then they can understand more about security, so we work together to build stronger solutions.
The new approach that comes out of this integrated project-team concept is we want to work directly with mission and business owners because that's the real reason why we do cybersecurity. We want to protect the mission and the business operations at all costs, and that's why cybersecurity is part of the process. All the stakeholders come to the table, and we have to be prepared to have our security requirements go through the same kind of tradeoff analyses as every other type of requirement.
In certain situations, it may turn out that all the security controls are not implemented. There may be risk-based decisions made by the program manager or the mission owner. But at the end of the day, we pick the right [cybersecurity] controls to protect our mission or our business operations. That kind of trade-off analysis should be very comfortable for us as security professionals, but it's a very different attitude than coming in with our wheelbarrow full of stuff at the end of the process and saying, "Hey you've got to do all of this or the sky's falling." Well, you know, the sky's been falling. It was falling yesterday. The sky's falling today, and it's going to be falling tomorrow. We've got to get on with the business of getting our folks into the process so we can work together to get better solutions.
Grafenstine: I think that's an excellent point, because in the past maybe as security professionals we were a little too purist and hardcore where we thought we had to do all or nothing. I think that it's really good to have that conversation with the business owners. It helps you understand that sometimes it's OK to assume residual risk.
Ross: You know, that's a great point. I had the pleasure of speaking in San Francisco a while back, and at that same conference there were three CSOs [chief security officers] that spoke after I did. One was from Intel, one was from Netflix and one was from ADT. Each one of these CSOs had the same message: They all do cybersecurity, and those three companies are very large and successful.
In the case of Netflix, they're not just delivering the DVDs by mail now -- they're delivering intellectual property. They're streaming these new miniseries right down to the customer. They have to protect their IP, their intellectual property. They're doing cybersecurity to actually protect their business case. It's a much different way of looking at the problem. It's more of a positive aspect of cybersecurity in helping the business move forward as opposed to being a drag on the business and looking at it as just a compliance exercise or something we have to do because of policies or legislation. It's really, to me, an empowering way of looking at this problem. It talks to a new generation of people out there who are doing the right thing for the right reasons.
Grafenstine: I think the ultimate goal is full integration of business strategy driving IT strategy, and them complementing each other. To get back to one of your earlier points, we were talking about complexity and how complexity is sort of the enemy of security because it's just harder to get your arms around things.
Ross: Complexity is the ground zero for all of our problems today. I talked about why we have this problem. I go back to the days of the mainframe computer -- that's about 40 or 50 years ago, when it consumed the vast majority of your budget. Now we're at the point in our IT revolution where these components are getting very inexpensive and very powerful. We've purchased a lot of IT, and we haven't managed the architecture of how all these components get put together.
One of the first things we have to do is be able to manage this complexity. That's why I talked about cloud computing and things like enterprise architecture. The fundamental tenets of those concepts are you consolidate, optimize and standardize. When you go to cloud, for example, you can pick your favorite cloud model. There's a big debate whether public cloud or private cloud is a better solution. The common theme is [that] in the cloud -- and enterprise architecture for that matter -- you don't have to own everything. It's kind of an on-demand service, whether it's Platform as a Service or infrastructure or software. You don't have to own everything. Therefore, there's not a bunch of IT sitting around idle all the time not being used. Somebody else gets to manage the security aspects of those cloud operations.
When you do that, you can reduce your IT costs by anywhere from 5% to 40%, which is not insignificant in today's tight budget world that all of us are facing, whether you're on the public- or private-sector side. When you get that dramatic savings, you can also provide more efficient services for your customers and better cybersecurity. The money you save in that basic infrastructure can be reinvested in better cybersecurity.
You'll get a simpler solution, and you get an opportunity for our cyberfolks to really do what they do best to defend whatever components and systems that we do deploy. That, to me, is something we can attack today without needing any more money. We're not going to get a lot of increased budget. Therefore, we can take this bull by the horns, so to speak, and start some of these [cybersecurity controls] right away.
Grafenstine: It seems that in our society, our digital footprint is getting bigger and bigger, whether it's through social networking, Facebook, LinkedIn, Twitter -- all these different things. It just seems like our own personal digital footprint is getting larger, as well as our organization's digital footprint. Can you talk a little bit about that and what challenges that presents?
Ross: We're in this great revolution of information technology. It's changing the way we do business. In fact, we're actually going from a paper-based world to a fully digital world. We now have to figure out how all this stuff works in the fully digital world. Your digital footprint is something you can't avoid. Any time you buy a smartphone or a tablet, or you come to work and use a laptop computer, everything you do that touches that computer system, everything that goes in as part of that network and all this vast, ubiquitous connectivity that we have -- that all leaves a footprint. When you do home banking, any types of transactions that you're doing, that footprint is there.
Our job as security professionals is not to say no. Our job is to tell our senior leaders or our CEOs what are the risks and the rewards that come with bringing this new technology into the organization. Certainly, there are compelling arguments for some of the mobile technologies that we're seeing now. It's making us more productive, and there are so many things that change the way we do business based on the new technology. We're reengineering the missions and business processes to take advantage of this great technology.
But at the same time, we have to have our eyes wide open and say, "If we're using new technologies like mobile devices, what kind of cybersecurity controls should we expect on those devices that we normally deploy on our laptops or our workstations?" Just because you have a smaller form factor in these devices, you still have vast capability of moving information from these endpoints on these small devices straight to the heart of corporate networks. It's a legitimate discussion to have with our CIOs, CSOs and CFOs as to what the technology can provide to us to benefit the organization. Also, [we control] what kind of risks we're going to have, depending on how many controls we deploy on these devices, what's affordable, and what's going to give us that risk tolerance we need to actually be more effective. That's kind of what the digital footprint discussion is all about.
Grafenstine: It's just sort of another moving part that we have to keep track of because, again, it gets into that whole balancing out through the societal values as we're moving into the very sort of open society where everybody wants to share everything. Yet as security professionals, we want to be as tightly controlled with our information as possible. It just adds another layer of complexity and something we have to consider in our overall strategy.
Can you talk a little bit about why having your arms around enterprise architecture is so important to overall security strategy and about some of the challenges in that area?
Ross: I was first exposed to enterprise architecture by my friend Scott Bernard, who now is the president's chief architect at the White House. He was at the Federal Railroad Administration at the time. We had a conversation about five or six years ago, and he at that time convinced me that enterprise architecture was actually critical to the long-term success of cybersecurity.
The idea is that this all gets back to that complexity issue. This is really a computer science and a physics issue with regard to cybersecurity. Enterprise architecture talks to all of the components that you end up deploying. There's this ability through good enterprise architecture techniques, whether it's through the segments or the solution architectures or all of the reference models that are provided by the federal enterprise architecture, to do your operations in a much more efficient way.
Enterprise architecture is used to manage and promote that consolidation, optimization and standardization. We don't have to have every federal agency doing payroll and accounting operations. We have certain agencies that now have been selected to do that particular function, and they do it well. We can eliminate a lot of duplication that is both unnecessary and not cost-effective. But it also expands that IT footprint. That thing we talked about earlier, that complexity, keeps growing.
Architecture, to me, is absolutely at the epicenter of our long-term security success. I've said that I don't think we can be successful long term in the cybersecurity area unless we are fully integrated into the enterprise architecture. Security architecture is our roadmap on how to deploy and where to deploy. Without a good start at the top with the enterprise architecture, we really can't build good security architecture as well.
Please visit SearchCompliance.com to view the next segment in this webcast on cyber threats and how the U.S. government is addressing top cybersecurity challenges.