Still no substantive change in cybersecurity policies, processes

Bush cyber chief praises Obama administration for greater focus on security issues, but says approach is largely a continuation of existing programs and activities.

Amit Yoran, director of the Homeland Security Department's National Cyber Security Division from September 2003 to October 2004, is one of a growing number of security experts who left the job of federal cybersecurity chief rather quickly. Some observers speculated that he experienced the same frustrations as his predecessors, Richard Clarke and Howard Schmidt, both of whom emphasized the need to elevate cybersecurity as a national priority. But Yoran provided little explanation for his resignation in a 2004 interview with The Washington Post: "I filled my obligation and accomplished the core requirement," he said at the time.

Yoran now serves as chief executive officer of security firm NetWitness. He credited the Obama administration for placing a discernible focus on cybersecurity, a focus that he conceded was absent during the previous administration.

Yoran spoke on Tuesday with Nextgov about the federal government's approach to cybersecurity, and what changes are necessary to better combat threats to the nation's computer networks.

Nextgov: You've been out of federal government for some time now. How's life in the commercial world?

Yoran: I'm less constrained by politics and the bureaucratic process. Ultimately I feel a much greater ability to contribute from the outside in a more tactical, but effective way. We have a very counterintuitive sales model [at NetWitness]. While we know a lot of the chief security officers and senior level officials, that's not who we sell to; we go to the technical teams. If the leadership listens to them, we see a good opportunity.

Nextgov: How has the handling of cybersecurity in federal government changed under the Obama administration?

Yoran: Thematically, there has not been a substantive change, yet, but President Obama clearly made strong statements about cyber [security] and seems interested in engaging in a meaningful way. That's encouraging, and not something that happened under the previous administration. There's also a stronger emphasis from the Obama administration on transparency, and ensuring more rigorous processes around privacy and civil liberties, which is also encouraging.

That said, we still haven't seen a presidential appointment of the cyber coordinator position, and we've seen in large part a continuation of existing programs and activities, without any strong shift from what the previous administration was doing.

Nextgov: There's of course lots of talk about the cyber coordinator. Practically speaking, what kind of impact will this individual have?

Yoran: To a large extent, the coordinator doesn't affect the near-term or tactical programs. But you need someone at the White House that can coordinate across agencies and departments to make sure government is leveraging efficiencies, and not duplicating effort or generating conflict. In order to evolve the strategy there needs to be White House leverage; otherwise we'll suffer from bureaucratic inertia.

Nextgov: Some question whether the position will hold the kind of influence needed to have a real impact.

Yoran: I'm not convinced the position won't be as influential or empowered as is necessary. The president has said this individual is going to meet with him on a regular basis. That proximity means a lot in Washington. Are they getting the right people interested? I'm not even convinced who the right person would be. You hear a lot that the person needs to be from private sector, and while I agree that much success and failure will be dictated by his ability to work with the private sector, there's a lot more to be said for the ability to work within the Washington processes -- being able to move those levers.

Nextgov: What are the biggest mistakes that the federal government is making in terms of combating cyber threats?

Yoran: The prevalent mindset is that if you have classified programs, you need classified products developed specifically for use [by federal agencies]. But my guess is that government requirements are maybe two-tenths of a percent different than those for financial institutions, utility companies and other private sector companies. Apply the same requirements through [commercial off-the-shelf software] that's customized to address your own need.

The government to a large extent understands that cyber activities are thriving, and all nations have offensive cyber capabilities as part of their national security fabric. But government should also understand that the technologies they've relied on for the last 10 years -- firewalls, intrusion detection -- don't provide the insight needed in order to combat advanced threats.

Many people are still of the naive belief that their firewalls are keeping them safe, their systems aren't already compromised, and data isn't exfiltrating out. The challenge for government is realizing that the enemy is already within. Once they come to grips with that, they can deal with it more effectively.

Nextgov: DHS has maintained primary responsibility over cybersecurity, at least for civilian agencies and coordination with the private sector. Is that the appropriate strategy, and if so, what needs to change to make it work?

Yoran: There's reluctance to place cybersecurity responsibility at DHS, given the track record of performance, and broader DHS challenges that can impact a struggling cyber program. That said, I don't know that you can responsibly place cybersecurity elsewhere, at least for the federal civilian infrastructure.

There are all sorts of seemingly nuanced, but very significant impacts of operating in the kind of closed and classified fashion found in the intelligence community -- not the least of which is an inability to work with the operators of networks. If you see threatening activity, do you notify someone or protect your sources or processes? If you do tell the network operators about the threat and the information is classified, are they [automatically granted] the necessary clearances? If so, does that level of classification restrict their ability to use the data? There's a cascading ripple effect of having the situation maintained by an intelligence agency.

Nextgov: The 2002 Federal Information Security Management Act has been widely criticized for not adequately addressing risk. Last week, the Office of Management and Budget released some proposed performance metrics to give the legislation greater impact. Is that a step in the right direction?

Yoran: The previous iteration of FISMA was probably as damaging as beneficial, in that many [agencies] focused on compliance versus their operational requirements. [Incorporating metrics] would be an improvement, but agencies still need to buy products and adopt processes that help deal with the advanced threat, so that the byproduct answers your compliance needs, not the other way around.

Agencies need to think about risk in a different way. What are your critical processes? What is core to your mission? Where does important data reside, and how do you allow those systems to operate in an environment where parts of the infrastructure are compromised? The intelligence community is not going to protect you, [but] organizations need to look at those advanced methods being used and apply them to their own protection strategies.