Archive for June, 2009

“First Do No Harm”; e-Health Vulnerability Update

Tuesday, June 30th, 2009

Recently the Institute analyzed the ramifications of IT vulnerabilities for the push towards e-Health. Our analysis focused to an extent on the recent hack of a Virginia State prescription drug database.  This week Virginia State officials testifying before State legislators said that they are now receiving reports that doctors are hesitant to prescribe more potent painkillers to patients because of the hack and the vulnerabilities inherent in the database.

The Associated Press reports:

A House panel learned that powerful drugs such as Oxycontin, Valium, Vicodin and Ritalin are being withheld because pharmacists can’t check with the prescription drug database that still allows limited access.

This is precisely the sort of real world health impact from cyber shortcomings that the Institute’s analysis discussed.

If hackers can continue to access vital health records almost at will, then they will have the ability to steal records, alter information, or simply deny access.  Or, as has happened in the energy sector, they could simply use the power to take these systems offline to extort untold sums of money.  As bad as compromising a prescription drug database may be, imagine if the database that was taken down held the real-time medication data for a patient arriving at an emergency room in extreme distress.  How much could you be compelled to pay if a hacker had your life in the balance?  Or the lives of hundreds of thousands of patients?

For these reasons the Institute continues to advocate that the first step in building an e-Health system has to be the development of an essentially hack-proof digital infrastructure that has security designed in from the start—not yet another bolt-on system of firewalls and forensics that is inherently insecure.  Such a secure infrastructure must utilize only technologies that are tested by third-party experts—preferably the NSA and NIST—against established, national standards.  Such testing must include extensive penetration testing, even with the source code.  And only technologies that can meet these requirements should be part of the national e-Health infrastructure.

In sum, the mantra for e-Health must begin with the Hippocratic Oath’s promise to “First do no harm.”  An insecure e-Health system cannot live up to that oath.

SINET Conference Observations

Friday, June 26th, 2009

Yesterday the Institute attended the first meeting in Washington, DC of the Security Innovation Network. 

The meeting began with a keynote address by former Director of National Intelligence, Vice Admiral (ret.) Michael McConnell.  VADM McConnell’s remarks were impressive.  The Admiral noted that from a cybersecurity standpoint, “The United States is the most vulnerable nation in the world.”  He also noted that after becoming the DNI, he told President Bush that if the 9/11 terrorists had hacked a major bank and taken it down, the impact would have been significantly greater than even the heinous attacks of 9/11.  McConnell noted that Bush turned to then-Treasury Secretary Paulson and asked if he concurred.  The Admiral noted that for a brief moment he was on edge, hoping his Cabinet colleague shared his perspective.  A moment later, Paulson strongly concurred with his assessment.  President Bush in response noted that IT is our nation’s competitive advantage for the future—a point that the Institute has regularly stressed—and that the United States needs to defend our IT and that advantage.  This exchange began the ramp-up in cybersecurity efforts during the Bush Administration.

The Admiral stressed that it was relatively easy to make the case for cybersecurity during the 2008 election cycle, as both candidates in the last presidential race had their IT systems hacked and information stolen by foreign parties.

With respect to the current glide path of cybersecurity, the Admiral stressed the strength of the Obama administration’s commitment to improve our cybersecurity, emphasizing the budgetary commitment, the 60 Day Review and follow-on efforts.  However, he did emphasize one point that deserves much greater attention.  Admiral McConnell noted that the $17 billion presently targeted at IT and security enhancements would secure .mil and begin to secure .gov, but that 98 percent of the challenge is .com.  This is a sobering note and points to the real challenge ahead.  In terms of how we will meet this challenge, the Admiral said he expects it will require a combination of collaboration, coordination and positive incentives together with new standards and mandates—this too has long been the view of the Institute.

What stands out most from VADM McConnell’s presentation is that at the highest levels of the intel and defense world the perception of the cyber threat is vastly higher—and more accurate—than across the remainder of the tech world, the corporate world and the public writ large.  The typical CEO these days is simply not focused on a cyber-armageddon, even if his or her company could be caught in the mix.  The average man on the street is much more worried about the economic crisis, another 9/11 terrorist attack, or a North Korean nuclear attack than about a digital Pearl Harbor.  However, at the senior-most ranks, our leaders are very much worried about a digital attack.

This disconnect is a real issue.  It is a major barrier to enhanced cybersecurity across our critical infrastructure. Someone—be it the President, the cyber czar, or a corporate leader—needs to stand up and shake people up until they get it.  The Institute looks forward to helping in that effort.

A number of the other speakers after McConnell also made critical points.  While the list of prescient observations is too long for a detailed run down, allow me to highlight a few:

Jerry Archer, the CISO of Intuit, stressed that cyber threats have evolved markedly over the last few years, as hackers have become increasingly sophisticated and professional.  Archer said that he has not seen a vanity, or amateur, hacker in the last two years.  Every hacker he faces now is a professional.  He also said that hack attacks have grown by 1,500 percent over the last two years.

He also noted that cyber-crime now exceeds drug crime on a dollar-for-dollar basis.  Paraphrasing Archer, why risk running drugs when you can hack millions of dollars while sitting in a cyber café in Somalia with no risk of getting caught?  Along these lines he noted that the Russian hacker who stole millions had not only gotten a mere slap on the wrist, but was subsequently elected mayor of his town.

Archer stressed the need for IT platforms with security built-in not grafted on as an afterthought.  This is another core view of the Institute—that we need inherently secure technologies. 

Finally, Archer focused on a key point that the Institute will take up again in the coming days: the business case for cybersecurity.  He noted that in the corporate environment today money isn’t limitless, so cybersecurity improvements need to be justifiable, in other words produce ROI.  Along these lines he said we need impactful innovation in cybersecurity to produce inherently secure technologies that achieve real security, or ROI.

Steve Elefant, who is now leading the end-to-end encryption program for Heartland Payment Systems, provided a number of interesting observations from the perspective of the company that recently suffered perhaps the largest hack ever. 

Most importantly, Elefant explained that Heartland’s CISO had never been turned down for a security technology, and yet the company was still hacked.  This sums up the state of cybersecurity today in a single line.  The technologies we all rely upon are inherently insecure.  Companies can spend vast sums of money and be all but as vulnerable as the next guy who spends a mere fraction.  This creates perverse disincentives for cybersecurity investments—as well as innovation.  It also clearly shows the need for a leap-frogging technology.  We need to go from inherently insecure technologies, with security added on after the fact—like a digital Maginot Line—to inherently secure technologies that begin from security.

Elefant also echoed the changing nature of the hacker threat, stressing that Heartland was hacked by a criminal group. 

He also stressed the need for greater exchange and coordination between the public and private sectors.  He noted that the breach of Heartland could have been headed off: law enforcement knew of the form of attack from breaches prior to Heartland’s; however, that information was not shared more widely.

Finally, let me heartily endorse and align the Institute with the efforts of SINET, as it is known.  SINET is focused on “increas[ing] collaboration between the United States public and private sectors with the mutual objective of accelerating innovation in security technology, practices and implementation.”  In short, SINET seeks to bridge the gap between Silicon Valley and its sister valleys, allies, hubs, triangles, routes and corridors and the Beltway, meaning the prime government-industrial complex (to include major systems integrators, tech contractors and the like).  SINET is run by Robert Rodriguez, a retired US Secret Service cybersecurity leader, who is a strong advocate for cybersecurity innovation and the scores of emerging companies in this space.  Anyone in this space should consider becoming a SINET member.


PCI Security; Associated Press Investigation

Friday, June 26th, 2009

Last week an Associated Press investigation revealed that the companies that handle your credit card data, including banks and major retail outlets, are not as secure with your information as they could be.

Scores of retailers and payment processors have disclosed data breaches in the past few years.  This year Heartland Payment Systems suffered perhaps the largest data breach ever—hundreds of millions of transaction records were compromised, and millions of people had their account information stolen.  The hack that hit Heartland also compromised perhaps 300 other companies—only the others never disclosed the problem.

As with Heartland, even companies with the industry’s top computer security rating, known as Payment Card Industry (PCI) compliance, have been the victims of major breaches.

Credit card companies and the payment processors who work with them are left by the government to develop their own industry security rules.  These PCI standards require that stores which initiate credit card transactions use antivirus software and have firewalls installed.  However, hacker simulations are run just once a year, and these businesses are allowed to define the scope of the tests and run the tests themselves.  As Ariel Silverstone, the CISO of Temple University, has aptly said, “Who can fail an audit when one of its tenets is that the audited organization gets to define its scope?”  Those merchants who decide to hire outside security auditors to check for compliance frequently carry this out the cheapest way possible.  It is no surprise that the AP describes these rules as “cursory at best and meaningless at worst.”

Moreover, some companies that handle your sensitive financial information aren’t even PCI compliant.  They are forced to pay fines but are left free to process your credit and debit card payments.

Suffice to say, your credit and debit information is at serious risk.

What is surprising is that there has been little effort until of late to do something about this serious problem.  The lack of network security has been the dirty little secret of the processor industry.  The payment industry is built on efficiency, and the industry has feared that adding security would slow the process down.  With the entire payments industry worried about speed, and all being equally insecure, it was better not to talk about this problem at all.  Surprisingly, the credit card providers have not been pushing for greater security.  Instead they have been content to operate across inherently insecure networks notwithstanding the billions of dollars at risk.  Breaches and the frauds that follow have been chalked up to the cost of doing business.  Besides, these companies don’t have to go through the hassle an individual consumer endures when his or her financial data has been compromised.

Tougher compliance standards, PCI or other, are needed.  Financial systems, including payment IT systems, should deploy only the best available technologies end-to-end.  Merchants’ computer networks must be secure in handling sensitive financial information.  Processors need to ensure that even if a retailer is hacked, the critical private financial data on their systems is protected.  Consumers should be immediately informed of the possibility that their information has been compromised.  The list of necessary improvements is long and substantial.

The Cyber Security Institute’s Talking Points from President Obama’s Cyberspace Policy Review 6-2-09

Monday, June 8th, 2009

President Obama released his new Cyberspace Policy Review this Friday, May 29th, which outlined his plan to improve America’s Internet and computer security. The review is the result of a 60-day, “clean-slate” evaluation headed by an interagency group. The key components of the review include:

  • Leadership: The President will appoint a new cyber security policy official, or “coordinator.”  This official will work across the federal government coordinating efforts in policy and technology, build agendas and help ensure the necessary budget is met to accomplish the President’s goals.
    Review: “Leadership should be elevated and strongly anchored in the White House to provide direction, coordinate action and achieve results.”
    Comment:
    -Cyber security requires a leader.  President Obama’s creation of a cyber security coordinator is a step in the right direction, but the job description lacks specifics such as: How much authority and power will the coordinator have?  Who will be appointed, and what will be the prerequisites for appointment?
    -The cyber coordinator must have the support of Congress—in both parties and in both houses—to ensure a large enough budget to accomplish significant goals.
    -To be effective, the coordinator must be publicly appealing and be able to use the bully pulpit effectively.  Support from the public is vital, as they use the Internet most frequently and on the largest scale; cooperation from them is therefore key to increase security.
    -The president must find a candidate who has widespread support, while having extensive background knowledge and experience in cyber and national security—no small task.
  • Transparency: Officers or boards within the private, public and government sectors will be implemented to increase communication between the sectors and therefore increase trust. This enhanced level of trust will ensure greater success in efforts to strengthen security, while ensuring that privacy and civil liberties are upheld.
    Review: “The Federal government should continue the principle of “mission bridging”…sharing of expertise, knowledge and perspectives…between network defenders and the intelligence, military and law enforcement organizations.”
    Comment:
    -We all know that sharing is important, but when it comes to sharing important information, where is the limit?  For example, will this sharing bring technology providers into a pre-procurement process to identify operation requirements? Will there be requirements for sharing certain information among sectors? And if a player in the process refuses to disclose certain information, is there a penalty for keeping it confidential?
    -To what extent does real sharing implicate antitrust concerns? And if it does, how will this be addressed?
    -Additionally, sharing by the government is complicated by the classification and protection of much of the most important security information. Obtaining security clearances takes time and money and can require private individuals to disclose very private information. How will the government facilitate the sharing of information in classified areas?
  • Education: The Federal government will implement a cyber security education program that will span from kindergarten to the university level. Public awareness will be spread through the use of public service campaigns promoting responsible use of the Internet.  These campaigns will facilitate understanding of Internet security on all public, industry and government levels.
    Review: “The Federal government should expand support for key education programs and research and development to ensure the nation’s continued ability to compete in the information age economy.”
    Comment:
    -Preventative education is one of the best ways to address a problem.  The key will be in how this goal is implemented.  How will the Federal government fund cyber security education?  What sort of courses will be taught, and by what teaching methods, to ensure an impact is being made?
    -It is difficult to determine a success rate for this type of education, so money could be wasted on programs that produce delayed, weak impacts on the public.
    -Policymakers love to talk about education, but when the budget cardinals get their hands on these programs, they are almost always under-funded. Will these cyber education programs have the resources necessary to make an impact?
  • Synergy: Increased collaboration between the government and public will guarantee a more cyber-secure America. The review calls for more information sharing through forums and partnerships between agencies, the industry and the public, in order to recognize common goals and plans.
    Review: “The government should work creatively and collaboratively with the private sector to identify tailored solutions that take into account both the need to exchange information and protect public and private interests…”
    Comment:
    -The Institute supports collaboration where mutual agreements are being made that benefit each side.
    -But there must be assurance that all parties are given equal opportunity for partnerships and information sharing. Are there incentives for particular partnerships compared to others? Will certain companies, agencies or organizations be favored over others for their importance or possession of high-level information?
    -And while partnerships are very feel-good, we need to prioritize efforts so that we focus on things that can make a real impact.
  • Standards: Through “incentive-based legislation”—for example, monetary consequences for service providers— government can encourage industry leaders to demand more security. The president stressed that the “Administration will not dictate security standards for private companies.” However, the review calls for new rules, oversight and laws that require notification of incidents and sharing of information with the government by the private sector. The review also advocates for partnerships in the global IT community to formulate an international standard of cyber security.
    Review: “Another way to increase reporting is through consideration of appropriate data breach notification laws that require notification to the public and to the government, including law enforcement entities that could pursue investigations.”
    Comment:
    -The Institute strongly supports the use of incentives such as monetary “consequences” to drive the market for better cyber security.  Without such incentives the status quo will remain unchanged.
    -However, no one should believe that putting such measures into place—presumably this will require new statutory authority—will be easy. To get this done, the coordinator—and more importantly President Obama himself—will need to spend political capital and twist some arms. That said, we believe it is well worth the effort.
    -As the Administration develops these mechanisms, a range of issues will need to be addressed, including: What would be the framework for these incentives?  What kind of penalties are involved?  Will companies that have more to lose decide the incentives aren’t worth it?  Are the incentives strong enough to change market-driven behaviors?
    -The new rules, oversight and laws outlined in the review provide negative incentives to the private sector. They need to be carefully crafted to not unduly inhibit cooperation needed for security improvement.
    -Sustaining partnerships in the global IT community and finding an “international standard” of security may be problematic because of immense socio-economic, legal and cultural differences.  Countries have different views on relationships between government and the people, as well as the amount of information and news the public is allowed to view.  Any international law or standard is not only difficult to agree upon, but difficult to enforce. That said, such a standard could be a “game changer” if successful.
  • Innovation: For successful innovations, governmental, industry and public sectors must collaborate on ideas to enhance security technologies and ensure they work to their full potential for each sector. The federal government will help implement new privacy technologies such as identity management systems that build trust between all parties involved in online transactions to assure confidential information is kept safe.
    Review: “The Federal government will work with the industry to develop next-generation secure computers and networking for national security applications and tough new standards for cybersecurity and physical resilience.”
    Comment:
    -Innovation takes lots of time, money and investment.  How much is the government willing to spend/invest on developing and implementing these new technologies? How do small businesses and individuals who may be unable to pay for their own security ensure their information is safe as well? How far are we willing to go for new innovations?
    -Innovation and privacy also require a delicate balance; we must be sure individuals’ information is safe, while not making it impossible to check their bank statement online.