George Washington University Slides on Cyber-Security

In the last post I returned as I often do to the question “How to be secure when each component of your solution is itself insecure?”. I find that most practitioners, and in particular their management, are in denial on this issue. While my first suggested step which is to practice security hygiene is useful it does not help against a determined attacker.

While I am not sure if anything short of not connecting to anyone will work all the time, two possible approaches seem promising.

First, is the concept of an OODA loop. OODA stands for Observe, Orient, Decide, Act. It was developed by a US Air Force Colonel John Boyd who has since passed away, there is a rich set of literature on the topic for those interested in reading more. My slide 19 has an illustration of how this approach works at a conceptual level.

My simple interpretation is to be able to change faster than the bad guys are able to penetrate.  It was Boyd’s contention that in modern warfare the adversary who has the faster OODA loop would generally win. With cybersecurity, as with all security, the attacker generally has an inherent advantage of motion over the defender. Thus it requires serious planning to have an architecture that is agile enough to change and adapt and still remain operational.

A second approach is to use a biological construct. For example, your body has many viruses wandering around inside it at any point in time, yet in general people are healthy and the body defends itself well against these viruses – though with some help from time to time from a doctor.

The concept of having loosely coupled systems working together, like the cells in your body do, is called being Stigmergic systems, described in my slide 20.

In the class I described ants as an example of a Stigmergic system. An ant which finds food leaves a trail that other ants then follow. While none of them ‘talk’ directly to each other, they work together indirectly. This kind of swarm intelligence is characterized by fast adaptation, living OODA loops.

Once again, this kind of capability would have to be built into systems in order to work, it would require a completely different approach to system design.

I considered each of these merely thought exercises, I do not have much personal experience with either. However, earlier today when I was working on this post, I ran across an article about a Wake Forest University professor who is working on digital ants to check networks for viruses, so perhaps Stigmergic systems are one serious way to go:

http://www.tgdaily.com/security-features/56255-digital-ants-check-networks-for-viruses

Quoting Professor Errin Fulp: “As they move about the network, they leave digital trails modeled after the scent trails ants in nature use to guide other ants. Each time a digital ant identifies some evidence, it is programmed to leave behind a stronger scent. Stronger scent trails attract more ants, producing the swarm that marks a potential computer infection.”

And anyway, who wouldn’t want to be able to use the word Stigmergic in casual conversation at a cocktail party. Of course, that would imply that a Stigmergic designer would get invited to one.

Since the classes I teach at the University of Maryland and Syracuse University are on-line distance learning, it is always a treat for me to have actual live students in the same classroom as I am to interact with. This year the exchange of information was really great, Dr. McCreight has a wonderful class. For all of these activities, I deal with what I call the “avoidance of appearing like an idiot in front of people syndrome”, which forces me to at least to scan and keep up with the literature before the class is held.

While I am one of those people who learn best by doing, being able to talk to and/or discuss with bright students is still very helpful and fun to do.

I have posted my presentation below and during the next few weeks hope to write a few columns based on the later slides, of course I have still not written my last two posts I promised on cloud computing, as as usual what I plan to do with this blog and what actually happens continues to diverge.

GWU Cybersecurity Presentation

On slide 13, I put a quote from Professor John Mueller, who is the Woody Hayes Chair of National Security Studies at Ohio State University, parenthetically a title which gives one pause for a number of reasons. I really like to read Professor Mueller’s papers not because I agree with all of them but because he is a contrarian. It is from those people who do not follow the crowd, that much can be learned.

Professor Mueller basically claims that the ability to predict what a terrorist would do is so small and the cost of protecting everywhere so high that we need to rethink our entire approach to national security. He has written a number of papers on this subject including doing mathematical analysis of the value of the lives saved or lost, which I expect makes some readers uncomfortable, but in the end makes a pretty strong case that we are throwing a lot of money down a bottomless well and not achieving very much with the investment.

I do not have enough expertise to figure out if he is right or wrong, but wanted to mention the related issue which his premise touches on which is prioritization.

The lesson from Professor Mueller is that prioritization in order to work has consequences. That is, when one decides what is a high priority and what is a low priority, then more attention and resources need to be invested in the high priority items – this is the easy part – and less attention and resources need to be invested in the low priority items – AND THIS is the actual hard part.

Interestingly to me, there is lots and lots of attention in the Government in how to create and implement performance based measurements. Doing so in the Government has difficulties not present in commercial situations in large part due to the less clear goals or at least less agreed to goals that a Government program may have. But as hard as creating a performance based approach is, in reality in the end it is the easy step. Much, much harder is acting on the results.

Taking ownership for NOT dealing with a low priority item is not a goal for most Government managers. If you do so and something goes wrong unexpectedly with the area you didn’t get to, you will own the negative results which is not so hot in our blame-first, analyze-second culture. Thus regardless of how we prioritize and how we measure performance there is a tendency to peanut-butter the investments, spreading them around so everything gets at least some attention and none, including the potentially identified high-priority items, get solved.

The lesson from this to me is that it is as or more important to focus on getting agreement from all stakeholders, and their management, as to how to prioritize and the implications of prioritization as it is to create the measurement systems. If the implications are not agreed to up front in a public fashion, then even after performance is measured, you will still end up not acting on the results.

A few people asked me to post my presentation, but I have found that my current job as the COO at Powertek Corporation has caused me to miss many of my self-imposed deadlines for doing many things, including updating my blog.

However, has now been overcome, at least for a few moments, and here it is.

UMUC Slides 

My talk was divided into four parts:

• Context where I discussed what I call First Principals, what I feel are the underlying causes of much of the technological disruptions happening these days
• Some thoughts on security trends, after all this was a Cybersecurity Symposium
• Comments about the demand for security professionals, after all this also was a Job Fair
• Ending with some thoughts on the goals for security and some general advice

I think the slides are pretty self-explanatory though I keep hoping to turn some of them into individual blog entries.

I had two key pieces of advice.

First, I related an old joke by Steve Martin that talked about how to make a million dollars and not pay taxes. The first step was to ‘find a million dollars’. I find that many proposed solutions to security, well, actually to almost anything hard is the functional equivalent of that first step.

Second, I told them to remember that the primary mission of almost every organization they will work for is NOT security. Because of that fact, one of the primary jobs of a senior security professional is to learn how to articulate the reasons for security investments in the context of the actual mission goal. Otherwise, organizational senior management will not make the right decisions.

The webinar, moderated by Adam Ross, the Managing Editor from the SANS Institute, will focus on some of the challenges faced in creating secure Federal Systems. With the growing movement for speed-to-market and the movement to the cloud, and associated buzz words, and with the increased publicity about cyber-attacks, how we should best deal with such issues is becoming a still greater issue.

Pat and I will look at these issues in three parts.

First, we will look at the context that we now face. I find that without understanding the context of a problem, it becomes difficult to really deal with the systemic issues. Second, I will review some of the high-level goals that I would focus on, putting on my now dusty CIO hat from my Department of Transportation days. Finally, Pat will tackle real-world issues with implementation suggestions, looking at how to integrate security planning rather than dealing with it as an afterthought. He will also offer his thoughts relating to SCADA design issues (Supervisory Control and Data Acquisiton – e.g. computers managing things like the electrical grid, power plants, and so forth).

Registration details are at:

http://event.on24.com/r.htm?e=195825&s=1&k=D14C3C31F1889E77A82E235253D58190

The Government Executive website is at: http://www.govexec.com/

Powertek Corporation’s web site is at: http://www.powertekcorporation.com/

The Nuclear Regulatory Commission’s web site is at: http://www.nrc.gov

Secure SCADA – Dec 2009 a

The presentation consists of two parts.

Part I was prepared by me and talks about the economic basis associated with the impact of the Internet, wanders through a number of topics I like to kick around (‘from earth centered to sun centered to nothing centered and what that means for Enterprise Architecture’, my thought that everything is a cloud, …), and touches on what the Government is thinking about regarding security.

Part II is a subset of what Rus Records, a fellow CSC’er, prepared which provided some thoughts on the state of SCADA systems in the Chemical, Energy, and Natural Resources areas (what CSC refers to as CENR).

I hope to expand on a number of these topics in future blog entries.

My focus, as usual, will be on the strategic reasons behind the movement to SCADA. Oops, perhaps I should back up. SCADA is an abbreviation for Supervisory Control and Data Acquisition. It usually is used as a catch-all term dealing with computer controlled equipment or machinery (or plants or smart grids or, well you get the idea).

Many of these systems were controlled individually by locally provised systems and thus security, while relevant, wasn’t the most critical factor when designing such solutions. Now that many of these systems are managed over the Internet and an increasing percentage of what most would consider our/US economic critical infrastructure touches these systems, cyber issue have become a very hot topic.

So my presentation will focus on why this is happening and also touch a bit on some of the issues the Government is facing in this space. The second presenter from CSC is an industry expert in the utility, chemical and natural resource market and will provide some more detailed oversight and advice.

I adapted some of my past talks on this issue starting with my standard discussion about transaction cost economics and the internet and then push on to cloud computing.

I have started to try and generalize the concept of cloud computing and wanted to get some feedback from anyone who cared to give it regarding what I wrote up. This does NOT include the second part of the presentation which I mention above.

Dan’s SCADA Presentation

My thought is that in a sense every computer and in fact in a broader sense every aspect of an organization could be looked at as being part of a private, community, or public cloud. Your desktop could be considered a small, generally unoptimized private cloud for example.

For the purposes of this presentation, each ‘thing’ has a governance question relating to how decisions are made and a security question relating to how security is provisioned or at least who is responsible for the provisioning of it.

The purpose of this thought experiment ties back to my premise as to why cloud computing has taken off, transactional cost economics + some technological developments, and the difficulty in avoiding these implications.

The whole thing needs work but I think the direction I am heading is increasingly clear.  All feedback welcome either as comments to this post or as emails directly to me.