Melissa Hathaway Interview

President Obama has tasked Melissa Hathaway with conducting a 60-day review of the nation’s cybersecurity policies.

Hathaway has been working as a cybercoordination executive for the Office of the Director of National Intelligence. She chaired a multiagency group called the National Cyber Study Group that was instrumental in developing the Comprehensive National Cyber Security Initiative, which was approved by former President George W. Bush early last year. Since then, she has been in charge of coordinating and monitoring the CNCI’s implementation.

Although, honestly, the best thing to read to get an idea of how she thinks is this interview from IEEE Security & Privacy:

In the technology field, concern to be first to market often does trump the need for security to be built in up front. Most of the nation’s infrastructure is owned, operated, and developed by the commercial sector. We depend on this sector to address the nation’s broader needs, so we’ll need a new information-sharing environment. Private-sector risk models aren’t congruent with the needs for national security. We need to think about a way to do business that meets both sets of needs. The proposed revisions to Federal Information Security Management Act [FISMA] legislation will raise awareness of vulnerabilities within broader-based commercial systems.

Increasingly, we see industry jointly addressing these vulnerabilities, such as with the Industry Consortium for Advancement of Security on the Internet to share common vulnerabilities and response mechanisms. In addition, there’s the Software Assurance Forum for Excellence in Code, an alliance of vendors who seek to improve software security. Industry is beginning to understand that [it has a] shared risk and shared responsibilities and sees the advantage of coordinating and collaborating up front during the development stage, so that we can start to address vulnerabilities from day one. We also need to look for niche partnerships to enhance product development and build trust into components. We need to understand when and how we introduce risk into the system and ask ourselves whether that risk is something we can live with.

The government is using its purchasing power to influence the market toward better security. We’re already seeing results with the Federal Desktop Core Configuration [FDCC] initiative, a mandated security configuration for federal computers set by the OMB. The Department of Commerce is working with several IT vendors on standardizing security settings for a wide variety of IT products and environments. Because a broad population of the government is using Windows XP and Vista, the FDCC imitative worked with Microsoft and others to determine security needs up front.

Tags: business of security, computer security, economics of security, interviews, laws, national security policy, security policies

Posted on February 24, 2009 at 12:36 PM • 25 Comments

Comments

Randall • February 24, 2009 2:42 PM

If I could her send one message, it’d be that insecure public systems are a much bigger threat than secure communication.

Intelligence should be more targeted and likely less SIGINT-focused than it is. (See anything written by James Bamford recently.) Shutting off one of the giant contracts to listen in on targeted Americans’ international phone calls would probably free up enough cash to do real work towards hardening Internet infrastructure — DNS security, anyone? — bulletproofing SCADA systems, and so forth. And plenty of funds could be left over for targeted intelligence work that would be more useful than this dragnet stuff.

Big changes like that might be above her pay grade. But there’s a real tradeoff between allowing lawful intercept on the one hand and securing critical parts of the Internet on the other — crypto isn’t all of security, but it’s a necessary piece. And we can’t have both perfect intercept and the strongest security possible; when Capstone tried to achieve that, it failed and slowed down the deployment of strong crypto.

Given the crypto vs. intercept tradeoff, it’s much more important to deploy the best tools we’ve got than to give NSA’s intercept people (or law enforcement) everything they want.

Jeroen • February 24, 2009 3:05 PM

the best thing to read to get an idea of
how she thinks

You mean other than “fluffy”?

Roy • February 24, 2009 3:47 PM

So the thrust of her policy will be to work with the least secure OS because it is the most popular?

Security is not a popularity contest.

Glaring for its absence is any expression for the need for open sourcing.

RH • February 24, 2009 4:47 PM

I wonder if Bruce left the last sentence in just to see who would RTFA. I didn’t, but it looked like perfect bait for any windows haters!

At least she’s not claiming the goal is 0 risk. I hate those people

Tangerine Blue • February 24, 2009 5:23 PM

She sounds pretty reasonable to me. No pie-in-the-sky, no Big Brother, no terrorists or child pornographers.

She uses phrases with actual meaning like “meeting both sets [biz and gov’t] of needs”, “living with risk” , “using purchasing power to influence the market.”

Maybe she’ll reveal evilness later, but from all I see she’s knowledgable, thoughtful, and competent. Let’s wish her well.

Clive Robinson • February 24, 2009 6:16 PM

Well her statment,

“In the technology field, concern to be first to market often does trump the need for security to be built in up front.”

Is what I have been banging on about for more than ten years as have others who post to this blog so nothing new there (accept a Government weenie saying it)

She goes on to say,

“Most of the nation’s infrastructure is owned, operated, and developed by the commercial sector. We depend on this sector to address the nation’s broader needs,”

I thought yes some one has woken up in Government to the very real issues to do with the fragility of “power”, “water”, “telecomunications” infrastructure and how easily they are disrupted by low grade natural events due to “cost optomisation” / “efficiency” in the shareholder margin sense.

But no, she went on to say,

“so we’ll need a new information-sharing environment.”

And I guess that’s what in reality it will be in the end “all talk and no action”.

Then I saw this wonderfull statment,

“and build trust into components. We need to understand when and how we introduce risk into the system and ask ourselves whether that risk is something we can live with.”

And I have to ask does she actually no what she is talking about?

I agree that short term business policy should not in any way dictate the operating of “critical infrestructure” that effects “national security”.

However you need to use a bit of reality when thinking about national security of critical infrastructure.

And for all we say in reality the Internet is in no way “critical infrestructure” except for a very few business models.

It is still to new to have ingrained it’s way into society in the same way that the supply of safe drinking water, electricity, fuel, telephones etc have.

But then the Internet is hip, trendy, sexy and the play ground of the current President and his election team.

Some legislation to prevent cascade failurs and insecure command and control systems in the critical infrastructure would do a lot more for national security than playing around with “cyber-security”

But I guess I’ve been involved with risk, security and safety crtical design for so many years I’m no longer hip and trendy 8(

Kashmarek • February 24, 2009 6:54 PM

Anytime you bring commercial interests in, they have a vested interest in making money, collecting data for marketing, and glossing over their failures while not delivering a product that actually provides something of value for the expenditure. Doing it her way just gives those companies the “wall of security” to hide behind when it fails.

Len • February 24, 2009 9:22 PM

I’m with Clive here on how this administration thinks of the Internet as their playground. Those supposedly sophisticated and technical drones are a sorry lot. How else do you explain the pipe dream of nationwide broadband and how this will make the US more competitive in (fill in the reason du jour here). Never mind the last mile issue and few other little things. I often wonder if it will ever be possible to convince these people that the Internet is not infrastructure.

She definitely knows the vocabulary and how to use the buzzwords with the civil servants and the media. After reading the article I’m convinced that she is talented and bright, but I wonder how much she can accomplish in a setting that is very thin in corporate background and has a crosshair on corporations. (Can’t have those filthy capitalists making decisions).

The earlier comment about commercial interests only proves the point here. So remember when the government goes off on another “information-sharing enviroment” initiative to be very afraid. This information has no purpose other than sharing information about our lives. Yeah, I’ll take the “wall of security” behind a corporation anytime over the government. Unless of course the business get nationalized.

Rrr • February 25, 2009 2:55 AM

Just a flip-ant comment to the last sentence:

Because a broad population of the government is using Windows XP and Vista, the FDCC imitative worked with Microsoft and others to determine security needs up front.

Well, haven’t they found just the right knowledge-base for that;-)

Tim the Enchanter • February 25, 2009 3:49 AM

Off topic pedantry :

Task is not a verb

thank you.

A nonny bunny • February 25, 2009 4:05 AM

@Tim the Enchanter
“Task is not a verb”

http://dictionary.reference.com/search?q=task

–verb (used with object)
5. to subject to severe or excessive labor or exertion; put a strain upon (powers, resources, etc.).
6. to impose a task on.
7. Obsolete. to tax.

If you’re gonna be pedantic, at least be right 😛

A nonny bunny • February 25, 2009 5:21 AM

@Len
“I often wonder if it will ever be possible to convince these people that the Internet is not infrastructure.”

It’s not? Could you (or someone else) elaborate on why it isn’t?

BF Skinner • February 25, 2009 6:19 AM

@Clive – the Internet is in no way “critical infrestructure”

I disagree. It may or may not be primarily critical communication infrastructure… Depending how you want to define monetary loss. Say every fiber cable into the US was blown at the same time. Inconvient for most, traffic would slow way down as satellites and radio links tried to shift the traffic…but even slow would be deadly for finance types and, interesting downstream affect, a loss of comms in the Mid East and S. Central Asia (where for some reason all their traffic comes through the US before go back out to those areas). Not all of the downstream affects are known.

Even if you discount the monetary loss, there is a dependency relationship….more and more critical infrastracture is being managed by SCADA piped over…the internet. A denial of offshore communications might affect those companies that now manage our critical infrastructure from offshore. A compromise, even suspected, of scada networks could give attackers the choice to decieve or exploit the monitoring systems. This would make us unable to trust large distributed systems like power distribution.

BF Skinner • February 25, 2009 6:21 AM

Side note:

Ms.Hathaway has a lot of admirers. Guys at SANS and in the beaucracy i’ve spoken call her the most capable SES in the administration.
That’s not faint praise.

old guy • February 25, 2009 10:29 AM

She gives hope to holders of Bachelor degrees only. She must really bring something special to the table.

It will be interesting to watch how this all fits in with CSIS recommendations to the 44th presidency. I was surprised to see that social networking was recommended as an information-sharing tool even though it introduced more risk in that report. That makes the Internet even more critical to processes.

Davi Ottenheimer • February 25, 2009 11:04 AM

This reminds me of the Colbert Report “Better Know a District”.

http://en.wikipedia.org/wiki/Better_Know_a_District

Can we get that started for “cyber” executives?

Matt from CT • February 25, 2009 12:10 PM

And for all we say in reality the >Internet is in no way “critical
infrestructure” except for a very few
business models.

I disagree.

For me, it’s no less critical then the others. Then again I have a woodstove and springs on my property — worse case scenario, I can use an ax and a bucket to keep myself warm and toilets flushed.

All but one of my bills is paid on line, most of those companies don’t even send a physical bill.

Take away online bill paying, they don’t have the physical infrastructure in place to handle customer service calls and lock box capacity to process checks.

Min Headroom • February 25, 2009 12:46 PM

When you get to that level, especially in U.S. government, success has more to do with leadership and administrative abilities than with expertise in a subject area.

BF Skinner • February 25, 2009 4:42 PM

@Min Head

Leaders and administrators are a necessary part of the system. Their abilities aren’t to know what we know at our level. But to know it at a sufficient depth and breadth to make good policy.

JimFive • February 26, 2009 3:28 PM

@Len
“The internet” may not be infrastructure, but all those wires that it runs over certainly are.

@Clive “The internet is not critical infrastructure”

The infrastructure that the internet uses is the same infrastructure that telephones use. Seems pretty critical to me.

JimFive

Clive Robinson • February 26, 2009 6:11 PM

@ JimFive,

“The infrastructure that the internet uses is the same infrastructure that telephones use. Seems pretty critical to me.”

It would appear that my statment has confused a number of people.

Lets see if I can clarify it a bit,

The Internet requires the communications infrestructure to function, but the communications infrestructure does not need the Internet to function (don’t confuse the cart and the horse).

Ask yourself which is the critical infrestructure, the person in the car or the road it is on?

The Internet is the traffic (car) on the low level data networks (road) along with voice and other data. The user data such as images and email etc are the passenger in the car.

As I noted in my post,

‘…very real issues to do with the fragility of “power”, “water”, “telecomunications” infrastructure and how easily they are disrupted…’

It is clear I did consider the telecommunications (road) infrastructure to be critical.

But the Internet (car) not.

The internet is a series of network independent protocols that can run on any network (see practical implementation of ping on avian carrier network for proof of this 😉

The protocols supply a data nuetral method of carrying user data and supporting engineering order wire (EOW) data.

You could quite happily rip the Internet out and replace it with another series of data carrying protocols. At it’s lowest level it has replaced it’s self a number of times and we appear stuck for the moment at IP Version 4.

The fact that some people have started to migrate “applications over” does not make it critical as the previous methods are still available.

Only when there is no viable alternative will it be “critical”.
I hope that answers it for every one.

averros • February 27, 2009 1:11 PM

And all of this is noteworthy – why?

It’s just another pile of $$$ looted us working stiffs which will be totally wasted. It may result in more idiotic regulation, it may not. It will have no positive effect whatsoever (it never does). Move along, nothing to see here.

Karl • February 28, 2009 10:05 PM

@Clive “The internet is not critical infrastructure”
There used to be a joke among folks in the Military. “If email goes down, nothing gets done.” Nobody laughs at that one anymore.

This woman sounds great to me. It reads like she is practical enough to get good, important things done. Something I’ve been wondering about though: can a bureaucracy adequately manage network security in this age?

I think the fast-paced changes that will be required to secure our critical networks are not compatible with the way bureaucracy runs those networks today. Technology could be part of a solution, but it will require a change in the way people work with and write policy for networks, too.

People also have to start thinking of the Internet as a critical infrastructure.

Clive Robinson • March 1, 2009 3:46 AM

@ Karl,

“People also have to start thinking of the Internet as a critical infrastructure.”

I hope not.

The fragility of what is currently without doubt “critical infrastructure” and how it came to be that way is an object lesson in why the Internet should not be treated to the same methodology.

As I originaly noted above there is no protection worthy of the name in the power grid, water supply and other sources of domestic and industrial energy supply. They are extreamly fragile.

Worse to improve “shareholder value” just like the banks they have taken unacceptable risk to the point where a simple fault expected in normal operation (ie an overload trip) can ripple rapidly through the entire system taking entire geographical regions out for extended periods of time.

In general the telecoms companies are better at dealing with this than are the energy suppliers. Mainly due to Government intervention at one level or another (due in the main to politicos understanding the armed forces need to communicate reliably in adverse times).

The stupid thing is that non critical infrestructure tends not to be fragile and highly resiliant (think the supply of newspapers, booze, tabaco, sweets, fast food and fizzy drinks).

In the main this is due to the supply process being compleatly open to competition and rapid inovation at all levels.

Unfortunatly the Internet although it could easily be this way it is bogged down in the self interested behaviour of the regulated telecoms industry which is fragile and becoming increasingly more so with time.

I think that although Judge William Green had the right idea it was applied way to late and did not go ar enough.

Any way time will tell.

Patricia Thornton • February 20, 2010 3:52 PM

If it can happen to me; it can happen to you!

Working as a CPA specializing in technology for 25 years consulting in enterprise wide accounting, my office is only 70 sq feet. A small fish and not too busy these days, I started a campaign – Tents for Haiti.

Wrote a few emails to Coleman, the tent company and one to an IT guy at Coleman Technologies. I overshot my shot.

Next day, my emails were redirected out of my Inbox while I sat and watched. After a month of researching, long story short, the guy from Coleman Technologies works in their Contact Center. A core service they provide uses Cisco routers with telephony to redirect emails for Call Centers.

Wrote to a representative from Coleman Technologies that I found on You Tube about my suspect including my FBI complaint number. Their 1st reply was my suspect did not work for their company and implied as an engineering consulting firm, they would not have the capacity. Basically, they told me to go away.

After receiving my followup documentation, the company rep repy changed to “oh that guy” and ignored the reference to their core product.

No assurance that any plan in place to deal with employee abuse in an industry with powerful tools like Cisco. I do not feel safe with a company with federal contracts in Homeland Security giving no assurance of internal controls.

Who rules do these guy play under? What is my recourse? What is the value of my free speech taken away from an employee not managed properly but given the tools to hack my computer?