Lessons From A Software Revolution
There are a lot of bad stories out there about government failure when it comes to cybersecurity. They certainly serve a purpose, and in many respects, they note the truthful fact that the U.S. has largely failed in its attempt to secure its computing infrastructure. But there also are good stories floating around. The one I'm going to tell shows how the U.S. Air Force stepped up to the plate long ago, even before the Navy, which I've praised in earlier posts.
There are a lot of bad stories out there about government failure when it comes to cybersecurity. They certainly serve a purpose, and in many respects, they note the truthful fact that the U.S. has largely failed in its attempt to secure its computing infrastructure. But there also are good stories floating around. The one I'm going to tell shows how the U.S. Air Force stepped up to the plate long ago, even before the Navy, which I've praised in earlier posts.
In 2002, U.S. Air Force CIO John Gilligan discovered that the Air Force was spending more to clean up flaws in Microsoft software, and clean up after attacks enabled by those flaws, than they were spending to buy the software in the first place. With the help of Tony Sager at NSA, they found that 85 percent of the attacks that penetrated military and civilian Windows systems at that time were enabled by configurations and patching problems. Secure configurations could eliminate nearly all those problems, and if the software could be delivered out of the box that way, it would save a lot of money.
Under Gilligan's guidance, Air Force technology buyers sought help from Microsoft to make the systems they bought with Windows much harder to penetrate. The idea was that Microsoft would deliver the software with the NSA/Air Force secure configuration pre-installed. The Microsoft government affairs staff in Washington told my colleague Alan Paller that the request intruded on their corporate prerogatives and that the government shouldn't be telling industry how to make systems secure. They fought hard against Gilligan's initiative. They won, and for nearly three years, millions of dollars were wasted because of insecure configurations. Then Gilligan met with Microsoft CEO Steve Ballmer, who immediately saw how an agreement could help both the company and the nation. The three years of delay, it turned out, hurt not just the Air Force, but it also hurt Microsoft because it had been known for its insecure software, and UNIX gained market share. Gilligan tasked NSA and Air Force experts with determining a safe configuration of Microsoft Windows that would withstand attacks by NSA's red teams and still effectively operate Air Force applications. When complete, Gilligan negotiated a contract with Microsoft, in which the company would empower HP, Dell and other PC vendors to deliver the secure software directly to the Air Force. The agreement also ensured all new security patches were fully tested by Microsoft on the Air Force secure configuration before the patches were released. Now this is where the story really gets fun.
Today more than 550,000 Air Force computers run on the secure desktop. The net effect, according to Gilligan's successor, is $100 million saved each year in patch testing and administration costs because they didn't have to spend all that time configuring, testing and patching multiple configurations. Additionally, patch delays were cut from 57 days to 72 hours, with help desk calls cut in half. The special configuration used by the Air Force also protects it from most infections carried by the Advanced Persistent Threat, an attack gaining traction around the Beltway because it has infected so many federal computers. The bottom line has been huge savings with huge overall improvement and user satisfaction. Strangely, despite the Air Force's success, it has not been replicated in other agencies. This is where congressional oversight might help, and if things go right, any legislation signed into law will include language that bakes security into software and hardware for government machines. We'll just have to wait and see if it comes to fruition.