Cyber Secure Institute Statement on President Obama’s Cyber Security Announcements

May 30th, 2009

Contact: Rob Housman
202-486-5874; 202-289-7999
rhousman@cybersecureinstitute.org

CYBER SECURE INSTITUTE STATEMENT ON PRESIDENT OBAMA’S
CYBER SECURITY ANNOUNCEMENTS

INSTITUTE’S EXECUTIVE DIRECTOR—FORMER WHITE HOUSE CZAR OFFICIAL—AVAILABLE FOR COMMENT ON ANNOUNCEMENT

WASHINGTON, DC, MAY 29, 2009—Today, Rob Housman, the Executive Director of the Cyber Secure Institute, made the following comments concerning President Obama’s announcements on cybersecurity.

Housman said, “The President today demonstrated an unprecedented level of commitment to the nation’s cyber security.  Most importantly, the President stressed that the status quo, the unending hack and patch, is no longer acceptable.  That single understanding, that single statement, is vital to achieving real cybersecurity.  The Institute strongly supports the President’s view that a new approach is necessary.”

Housman went on to say, “As the President himself noted, so much of his agenda for the nation’s progress—from e-Health to a smart energy grid—is premised on advanced information technologies. Effective cybersecurity is critical to the President’s ability to make progress in all these areas. However, too many of our systems today are inherently insecure—we simply cannot rely on them if we are to make these leaps ahead. We must require that critical cybersecurity systems be highly resilient and fully secure. While the President stressed that the government won’t dictate security requirements to industry, at the end of the day, the government will need to use a variety of tools—from incentives to requirements—to drive change or else the status quo will remain.”

Housman, who served as Assistant Director for Strategic Planning in the White House Drug Czar’s Office under President Clinton, also noted, “Having served in a White House Czar Office, it is my view that the cross-cutting nature of cyber security requires a White House czar to coordinate efforts across the government and with the private sector.  As the President emphasized, to date no one is in charge, and that all but guarantees inadequacy of response.  The President has taken a major step to change that.”

He went on to say, “However, the key will be just how ‘in charge’ this new czar will be. Will the Cyber Czar have direct access?  Will the Czar have a high enough profile to command the bully pulpit? Will the Czar have unfettered access to the bully pulpit? Will the office have adequate staff and budget?  Beyond developing a strategy what sorts of real powers and authorities will he or she have?  Or will the Czar be limited to the power of persuasion?  One reason the Drug Czar office had an impact was it had broad budget review power over the federal agencies.  Will the Cyber Czar have that sort of power?”

#    #    #

Cyber Secure Institute Issues Analysis of Virginia Health Database Hack and UC-Berkeley Hack and the Inherent Risk in e-Health

May 26th, 2009

Have you ever told your doctor something private that you wouldn’t want your family, friends and neighbors or even a tabloid paper to know?

Have you ever received a medical test result that you wouldn’t want shared with your employer? Your spouse or children?

What would you do if someone threatened to make public all your healthcare information—your medications, diseases, operations, doctors names and types, everything—unless you paid them a huge sum of money?

Recent attacks demonstrate that your most private healthcare information is seriously at risk.  And, absent major changes, the risks will grow exponentially.

Last month, hackers attempted to extort $10 million after breaking into a Virginia State web site used by pharmacists to track prescription drug abuse. The records of more than 8 million patients were deleted and a ransom note was put on the Virginia Prescription Monitoring Program’s homepage, demanding $10 million in exchange for the return of the records.

The ransom note claims that the information was stolen and encrypted. A popular website published the ransom note that replaced the program’s homepage, which read:

“I have your (expletive)! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.”

The Director of Virginia’s Department of Health Profession has confirmed that state and federal criminal investigations are underway.

At almost the same time, The University of California at Berkeley disclosed that hackers had broken into their health-services database. The University began sending out notification letters to current and former students. The hackers had access to, and may have taken, health insurance information and medical information. The breach in the server took place from October 9th, 2008 until April 9th this year, when administrators discovered messages left behind by foreign hackers.

These are not the first instances where cybercriminals have stolen the private health care information of Americans. Last December, Lawanda Jackson pleaded guilty to violating federal privacy laws by selling private medical data from celebrities, including Britney Spears, Farrah Fawcett and Maria Shriver (wife of California Governor Arnold Schwarzenegger), to the National Enquirer tabloid. Last October, cybercriminals attacked Express Scripts, one of America’s largest processors of pharmacy prescriptions, threatening to release personal information of millions of Americans unless their demands were met. There is an ongoing investigation into the Express Scripts incident.

These recent attacks provide cause for real concern among cybersecurity experts and healthcare professionals alike. Inadequate cybersecurity systems put our most personal data at risk.

What is more disturbing is that the problem is likely to get exponentially worse—unless drastic changes are made.  President Obama’s healthcare plan is heavily focused on the use of electronic health records to help modernize our nation’s health care system. The recent stimulus package provides $19 billion for the next two years for the use of health information technology and President Obama has pledged an additional $50 billion total over the next five years.  The benefits of “e-Health” are substantial and this is a policy direction our nation should be taking.

However, absent vastly more effective cybersecurity measures, the implementation of e-Health will significantly increase the risks for all Americans. Putting more and more highly personal healthcare information on insecure networks is, in effect, a stimulus package—for cybercriminals.

The prospect of having your personal health history made public is frightening. A stolen credit card can be replaced and most if not all of the unauthorized charges removed. But an individual can be embarrassed, blackmailed, fired, or lose their insurance. “Farrah’s Story,” the television documentary that shows actress Farrah Fawcett’s struggle with cancer, is an enormously cautionary tale in this respect. In the midst of struggling with a deadly form of cancer, Fawcett faced a series of tabloid news stories about her condition. On her own she traced the leaks back to the UCLA Medical Center, where she was receiving treatment. After Fawcett confronted UCLA, an investigation revealed that Lawanda Jackson, a hospital administrative worker, was providing the National Enquirer with private information in exchange for thousands of dollars in payments. Jackson had used her administrative password to access the information. Along with Fawcett’s files, she had pried into the records of at least 60 other individuals.

Obviously, the risks here are greatest to public figures, like celebrities, stars and pro athletes. However, consider what might happen if a hacker gained access to the records of the president, vice president or a Cabinet member. Likewise, a hacker could create enormous market problems by releasing the records of a corporate leader. We have all seen the impact of the uncertainties surrounding Steve Jobs’ health. What if a hacker released data showing that Bill Gates was on death’s door, or that Ben Bernanke was suffering from dementia, or that Eric Schmidt might have Alzheimer’s? (Note in advance: we have no information to suggest that any of these conditions may be the case.)

Moreover, e-Health data vulnerabilities literally could cost lives:

  • Imagine what happens if critical data isn’t available to an emergency room doctor treating a patient because a criminal has taken the e-Health system down just like the hackers took the Virginia records down.
  • Imagine what happens if information about an allergy is deleted, or a blood type is changed. (The typical victim won’t receive a monthly statement to check.)

Fortunately, new technologies offer us the ability to implement e-Health securely. These technologies are NIAP-NSA certified against the most sophisticated threats. The NSA-NIAP system utilizes Evaluation Assurance Levels in conjunction with the Common Criteria security profiles to grade both the security of systems and indicate the level of confidence in that grade. These levels range from EAL1 (minimal security) to EAL7 (highly secure). However, most of the IT systems that our healthcare system now relies on have been certified only up to EAL4+, and only against inadvertent, nonhostile and unsophisticated attacks. The best systems today, such as the Integrity Global Security operating platform and the Tenix Interactive Link Device, are certified at EAL6 and above against even the most sophisticated attacks, including by insiders with the source code. These systems can make e-Health secure.

However, these systems are not yet deployed within healthcare, notwithstanding HIPAA’s information security requirements.  So, while we could all be secure in our healthcare data, instead we find millions of people have just had their most personal information compromised.

Any e-Health system, whether at the national level or the single corporation level, must be built solely upon the best available, most secure technologies. Such technologies must be certified by the government—read the NSA-NIAP—against protection profiles that specifically address hostile, intentional and sophisticated attacks, and at confidence levels of no less than 6. Such technologies exist; there is no reason they should not be required for information as sensitive as the private health care information of Americans.

Moreover, such protections must extend to every device that is capable of accessing such data. A November 2008 study of mobile device (e.g., laptops and PDAs) use by over 1,000 healthcare professionals found that 93 percent of the devices were at risk. The study found that 49 percent of the healthcare professionals surveyed downloaded sensitive patient data on their devices. The study further found that over 71 percent of respondents protected their devices and sensitive data with just a single password. Additionally, at least 13 percent of these healthcare professionals had lost one or more devices containing such sensitive information. Moreover, with the shift to e-Health we can expect that such data will increasingly be pushed out to healthcare professionals via laptops, netbooks and smart devices. In fact, the ability to quickly put data literally in the hands of physicians is one of the key benefits of an e-Health infrastructure. However, protecting the core of the e-Health system will be of marginal value if this data is vulnerable on all these devices.

Beyond the technological, any move to e-Health must be accompanied by a range of protections to ensure the privacy of data and the protection of individuals and families, which might include:

  • A national e-Health data integrity oversight office charged with ensuring healthcare IT systems are sufficiently secure and are utilizing best available protections and investigating allegations of data breaches or data misuse.
  • Statutory protections making clear that victims of health data breaches can recover for all damages of e-Health violations, including loss of employment, loss of insurance, harm to reputation, and other similar harms.
  • A trust fund, which could be paid for through healthcare corporation user fees, that would be available to make whole victims of e-Health data breaches.
  • A monitoring and reporting system that requires, under penalty of law, that any breach of health data be reported both to the appropriate federal, state and local authorities and to any potentially impacted individuals.
  • Statutory protections against insurers using unauthorized data to suspend, terminate, raise premiums or otherwise impose negative terms or conditions on a person who has suffered a breach of their medical data.
  • Statutory protections against employers using unauthorized data to suspend, terminate or otherwise impose negative terms or conditions on a person who has suffered a breach of their medical data.
  • Enhanced, granular and highly specific patient consent protections.
  • Statutory limitations and/or protections on the use of e-Health data for associated research purposes, including specific protections to prevent access to services from being conditioned on acquiescence to the use of data for research purposes.
  • Statutory limitations and/or protections on the use of e-Health data for commercial purposes, including specific protections to prevent access to services from being conditioned on acquiescence to the use of data for commercial purposes.
  • Procedures to enable individuals to both access their data and to compel the removal of inaccurate or extraneous information from their e-records in an expeditious fashion and without the need for costly legal or administrative assistance.
  • Background check and clearance procedures for those individuals who have administrator-level access to e-Health data.
  • Statutory requirements that any e-Health participating entity have in place policies and procedures to govern the use of its systems; the use of any and all e-Health data held or accessed; procedures in the event of a breach; disciplinary and other remedial actions in the event of the intentional or unintentional violation of such procedures; and the establishment and authorities of an internal e-Health patient/consumer ombudsman.
  • Statutory requirements that no e-Health data may be shared or otherwise provided to any entity that does not meet the requisite best available technology requirement and all other applicable policy and procedural requirements.

Before we implement an e-Health record system, the Administration and the Congress need to promulgate baseline standards that require such systems be built upon the right individual protections and utilizing only the most secure available technologies.

The privacy, personal information and lives of millions of Americans depend on it.

Cyber Secure Institute on the Conficker Controversy

April 20th, 2009

Recently WTOP, Washington, DC’s newsradio station, aired an interview with a cybersecurity expert from a major systems integrator who said that the failure of the Conficker worm to result in some form of major cyber assault or disaster showed that our IT systems were more secure, more resilient than people tend to think.  This conclusion is wildly off base and patently flawed.  In short, just because the other guy in a fight doesn’t pull the trigger when he’s got the gun to your head, doesn’t mean you won the fight.

Since October of 2008, the Conficker worm has been the subject of a great deal of attention and debate. To date, the Conficker worm has infected countless computers—estimates range wildly from 200,000 to more than 10 million. And it has demonstrated the ability both to end-run security measures and to establish communications with controlled computers despite major efforts. It has also consumed an extraordinary amount of time and energy by CIOs and cybersecurity experts from around the world.

However, because there was no major Conficker-created problem on April 1st when hijacked computers went online and began communicating with controller domains, numerous commentators are now downplaying the significance of the worm.  This view is misguided.

In order to properly gauge the importance of the Conficker problem, the threat and the facts must be considered in their totality.  Whether or not Conficker ultimately turns out to be a sales tool for bogus Ukrainian security software or something much more destructive, the simple fact is that the Conficker worm has infected perhaps ten million computers around the world.  The worm has evolved, circumventing cybersecurity software.

As a result, if anything, Conficker has demonstrated the inadequacy of today’s cybersecurity, in particular the reliance upon cybersecurity add-ons like firewalls, anti-virus programs, and the like.

Additionally, it is wrong to suggest that the worm has not had a negative impact. Conficker has begun executing harmful instructions on the computers that it has infiltrated. For example, although shut down in early March, the worm has had its self-propagating routines reinstated—this makes for easier sharing among its generated P2P network. Additionally, the worm received instructions to secretly install copies of the Waledac spamming worm, which has caused computers to be overwhelmed with fake anti-virus software. This software claims to have done a scan of the infected computer and prompts the user to pay money for the removal tool, but in reality, if the user complies, he has just paid money to have his computer even further infected. While not catastrophic, these impacts are real.

Any analysis of the true impact of Conficker must also factor in the (wasted) time, resources, and energies of the cyber-community, governments, companies and individuals. Extrapolating out from studies on the average cost of similar past attacks, the total economic cost of this worm (including the cost of efforts to combat the worm and the cost of purchasing counter-measure software) could be as high as $9.1 billion. Even using the single, outlying data source that suggests a much more limited scope of infection (<200,000)—vastly less than all other sources suggest—the cost of this virus is still roughly $200 million. It should, however, be emphasized that these estimates do not factor in opportunity costs—just what could have been achieved if the expertise, time, energy and resources that have been devoted to combating this virus had been devoted to more productive efforts.

Moreover, it is too soon to say for certain what is next with Conficker itself.  The worm remains active.   There is no way to know if the actors behind the worm have played out their full hand.  It is way too soon to declare victory.

And, it is likely that this is not the last we will see of worms like this one.  In all likelihood the next virus that deploys similar capabilities will not be nearly as benign.  While the worst case scenario has not yet materialized with this worm, it opens a Pandora’s box of new risks.  To suggest that we are somehow secure against these risks, just because Conficker hasn’t yet inflicted the damage it could, is nonsensical.

Finally, the most confounding aspect of the Conficker worm threat is that this entire problem, along with almost all other similar threats, can now be avoided if we start to deploy inherently more secure technologies. At least two technologies, the Integrity Global Security operating platform and the Tenix Interactive Link Device, have been certified by the National Information Assurance Partnership and the NSA against the most sophisticated threats. These new technologies are capable of protecting systems, isolating critical data and eliminating viruses and worms from computers at the click of a mouse. The widespread deployment of inherently secure cyber-technologies, which are certified to the highest levels of robustness, would reduce the risks of viruses like Conficker to basically zero, which, over even the near- to mid-term, would more than pay for the cost to deploy these new technologies. Over the long term the savings here, in time, energy and opportunity costs, would clearly be in the hundreds of billions.

Letter to Yvette Clarke

March 13th, 2009

March 10, 2009

The Honorable Yvette D. Clarke
Chair
Subcommittee on Emerging Threats, Cybersecurity, Science and Technology,
    Committee on Homeland Security
United States House of Representatives
1029 Longworth House Office Building
Washington, DC 20515-3211

Dear Chairwoman Clarke,

On behalf of the Cyber Secure Institute, I write to offer you the Institute’s unqualified support for your position that new standards and incentives are vital to making our nation cyber secure. To this end, we respectfully ask you to introduce legislation that would provide baseline, performance- and evidence-based, objective standards for cybersecurity for both government and private sector critical infrastructure information technology (IT) systems.

The Cyber Secure Institute

The Cyber Secure Institute is an analysis and advocacy group dedicated to serving as the voice for effective cyber security. We were founded because our nation’s critical networks are inherently vulnerable. Our singular purpose is to help drive the development and deployment of next generation, inherently secure IT systems. Our name says a lot about our goal. We view “cyber secure” as an end-state goal, the state of being secure in the digital world; in contrast we see cybersecurity as the current reactive process of seeking to patch known flaws in inherently insecure IT systems.

Background

As you are well aware, our nation’s critical IT systems remain unacceptably at risk. Recent examples show that virtually no systems are adequately secure:

  • A 2008 Center for Strategic International Studies (CSIS) report revealed that the departments of State, Defense, Homeland Security, and Commerce have all been compromised by attacks from foreign entities.
  • The networks at the Pentagon alone are probed thousands of times each day.
  • Last November, Chinese hackers penetrated the White House network multiple times, and were able to acquire emails between government officials.

Our critical infrastructure is also at risk:

  • In December 2006, TJX Co., which operates Marshalls, TJ Maxx and other retail companies, experienced a serious attack on its computer networks. Hackers breached the company’s networks, putting at risk over 45 million credit and debit card numbers.
  • On January 20th, Inauguration Day, Heartland Payment Systems Inc., a credit card processing company, announced that it had experienced a large data breach. While Heartland did not reveal how many records have been breached, industry experts have estimated that up to 100 million credit card numbers could have been compromised, making it potentially the largest known data breach in history.
  • Last year the Department of Homeland Security released previously classified video showing that a cyber attack could physically destroy an industrial electrical power generator.
  • Each year cyber attacks cost the U.S. economy $2.6 billion.

In our view this is a direct and predictable result of the last administration’s laissez-faire approach to cybersecurity.

The most revealing evidence for this can be found in a recent communication to the newly appointed Secretary of Homeland Security, the Honorable Janet Napolitano, from the leadership of the National Cybersecurity Center (NCSC). Denied resources and devoid of real authorities, the NCSC’s leadership described its major accomplishments as including: the completion of a CONOP and implementation plan; development of a working group; development of an economic model for cybersecurity; introducing concepts of game theory; creating a vision for a new National Cyber Center; contributing to the national thinking on this issue; and presenting to 10,000 people at 40 events.

What is startling is that there is not a single mention of a significant improvement in the actual cybersecurity of the nation. That is because the gains in cybersecurity to date have been marginal at best. At a time when we require bold action, we instead find ourselves caught up in a Sisyphean struggle – the endless cycle of hack and patch trying to fix legacy systems that are, at best, inherently insecure.

This must change, and, as you rightly noted, change will not come on its own, unprompted. To be blunt, we have tried the laissez-faire approach to cyber security and it has gotten us only so far; it is now time to drive technological progress.

In order for our nation to become “Cyber Secure,” the Congress and the Executive will need to drive change. We share your view that a combination of regulation and incentives are needed to overcome the inertia of the status quo.

It is the Institute’s view that to be effective such legislation needs to be based upon objective, performance- and evidence-based standards. The beginnings of and necessary technological capacities for such a framework are already in place within the certification program carried out by the National Security Agency (NSA) and the National Information Assurance Partnership (NIAP) (a joint program of the NSA and the National Institute for Standards).

THE NSA-NIAP CERTIFICATION SYSTEM

The federal government, namely the NSA-NIAP, issues security certifications for the IT technologies used across our economy and digital-lives. The NSA-NIAP certification scheme is based on the Common Criteria Evaluation and Validation Scheme (CCEVS), which provides a framework of protection profiles recognized by nations around the world, against which technologies are measured. Certifications are awarded on the basis of independent evaluations of a technology’s performance against the specific protection profile. At the higher certification levels this evaluation process includes extensive penetration testing, including using source code and design manuals as guides to find the most potentially vulnerable areas of the system.

The NSA-NIAP/CCEVS system is the only government-recognized, objective cybersecurity certification system in existence.

However, the system is not mandatory and is under-utilized—its potential benefits are squandered. There are no baseline cybersecurity standards—neither NIAP/CCEVS nor any other standards—for federal civilian agencies (e.g., the Department of State, the Department of Energy, the Department of Health and Human Services), nonfederal government agencies (e.g., State-level counter-terrorism offices, State-level Departments of Health, Emergency Management, Public Safety, Homeland Security), or the private sector. The Department of Defense (DoD) mandates the use of NIAP/CCEVS evaluated technologies on all DoD networks. However, even within DoD, there are no baseline or minimum NIAP/CCEVS standards.

As a result, many of the IT systems widely in use today have never been independently evaluated against their marketing claims, let alone against objective, evidence- and performance-based measures. Companies are free to make all sorts of security claims—ranging from mere puffery to clearly deceptive advertising. Even the most sophisticated buyers have little way to actually evaluate every such claim in the marketplace in advance of a purchasing decision.

Further, all widely deployed, currently certified technologies are certified against protection profiles that safeguard against only inadvertent and non-hostile attacks. In other words, even the certified systems are actually certified—in the negative—as being incapable of defeating the sorts of sophisticated hostile attacks that our nation faces every day.

Moreover, these certified systems are only certified at low confidence levels against the most minimal protection profiles. The NSA-NIAP system utilizes Evaluation Assurance Levels in conjunction with the Common Criteria security profiles to grade both the security of systems and indicate the level of confidence in that grade. These levels range from EAL1 (minimal security) to EAL7 (highly secure). Most systems we rely on today have been certified only up to EAL4+. This includes virtually all the systems across both the federal government (e.g., the White House, the Congress, the Department of Defense) and our most critical infrastructure (e.g., nuclear plants, power grids, water systems, healthcare systems, banking and finance systems).

The reliance on low-level certified technologies is also particularly troubling because at such levels even the NSA-NIAP program does not require penetration testing.

Putting all this in context, virtually all our vital systems today are certified to only a modest level of confidence (4 out of 7) that they can withstand only non-hostile, inadvertent attacks.

Unfortunately, the cyber-adversaries we face today are anything but inadvertent or non-hostile. Our nation is under constant cyber-attack by domestic and foreign adversaries, ranging from elite hacking units of the Chinese Army to the Russian Mafia to al Qaeda to cybercriminals. Our nation’s critical networks will continue to remain at risk if steps are not taken to secure them.

New technologies are available that meet the most secure protection profiles (“high robustness”) at EAL6 and EAL7 certification confidence levels. These inherently secure technologies offer the nation the ability to significantly reduce our cyber vulnerabilities.

Request for Legislation

To this end, we would respectfully ask that in your leadership role as the Chair of the Emerging Threats, Cybersecurity, Science and Technology Subcommittee, you consider advancing legislation that would put in place baseline cybersecurity performance standards to drive the adoption of inherently secure technologies.

Such legislation could and should be:

  • Based on the NIAP-NSA certification program, which offers an objective technology and performance-based evaluation process.
  • Mandatory for both government and private sector critical infrastructure IT systems.
  • Phased-in, but within an expedited timeframe that recognizes the serious present-day threats to our nation.
  • Action forcing, driving the adoption of next generation technologies.
  • Comprehensive and strong, including, for example, oversight provisions to ensure such standards, once promulgated, are actually implemented.
  • Accompanied by both transition and technical assistance.

The Institute recommends that rather than re-inventing the proverbial wheel, any such cyber baseline legislation should task NSA-NIAP to work, in conjunction with the Department of Homeland Security and other relevant federal agencies, to develop such standards.

We further recommend that the legislation also take steps to address ways to improve the current NSA-NIAP certification program, including:

  • Provide grant monies for small businesses with promising technologies to offset the costs of certification.
  • Put in place a mentor-protégé program to assist small businesses going through the certification program for the first time.
  • Reduce the certification (or more accurately re-certification) requirements for simple updates to an already certified technology—an improvement the NSA is already working towards.
  • Increase the program’s funding and capacities to enable it to meet the new demand such standards will create for certifications, reduce the overall time required for certification decisions to be made, and enhance the consistency of the testing processes.
  • Provide incentives to highest-level certified IT providers and, in turn, to those companies that rely on highest-level certified technologies for their IT systems; such incentives might range from caps on liability (akin to those under the SAFETY Act) to preferential tax treatment.
  • Create an outreach program to assist the private sector in understanding the importance of the certification regime and how it can help their individual enterprises.

We also share your view that such a regulatory program should be accompanied by targeted incentives to help the private sector offset the costs of deploying new, inherently secure technologies. We would stress that any such incentives must be tailored to meet the goal of driving technological change and a new cyber secure end state. They should not be available to offset just any new IT security spending—helping companies deploy more patches will not change our nation’s level of security. Rather, such incentives should be available solely for the deployment of high-level certified, inherently secure technologies.

The benefits of this approach are substantial. Most importantly, baseline evidence- and performance-based requirements will ensure a high degree of security for all the nation’s critical IT systems.

Such an approach will also increase next generation R&D and innovation. To the extent that standards and incentives are put in place to drive government and industry to adopt certified, inherently secure technologies, more IT providers will endeavor to develop new, better technologies that can meet these standards—rather than working on the next patch or modestly better firewall. Over the mid-term this approach will provide the government and private sector more and better options for real cybersecurity.

Additionally, this framework will encourage IT providers to submit their technologies for testing and certification. Outside expert testing will help improve the quality of products introduced to the marketplace. Such testing will help weed inferior and insecure products out before they can be marketed, widely adopted and their flaws seized upon by criminals, terrorists, and our nation’s adversaries. Certified products will be proven inherently secure.

Increased testing and certification will also greatly reduce the “cyber snake-oil factor” that undermines the effective functioning of the cybersecurity market. Objective measures of security performance will provide the government and the private sector the ability to cut through the current morass of deliberately confusing, and often over-hyped marketing claims. A robust certification system that replaces claims with performance standards will allow the individuals charged with protecting vital systems the ability to identify and buy certified, best-in-class systems.

The overall effect of such an approach will be to empower America for a new era of innovation. The Institute recently opined that the greatest impediment to American innovation—our nation’s core comparative advantage—and economic progress is IT insecurity. The promise of next generation technologies to improve our lives and increase efficiency and productivity is immense. We stand on the verge of genetic cures for diseases, the ability to predict and prevent illnesses, smart power grids, and machines that can react to our thoughts and needs through brain interfaces—the list is long. However, the adoption of such technologies is seriously undermined by inherent technological insecurities. People will not trust their personal data—let alone their very lives—to IT systems that they cannot fully trust. Nor can we trust a smart grid to power our nation if that grid can be hacked and shut down by our enemies. Driving security will empower innovation and foster progress.

#            #            #

Chairwoman Clarke, we welcome your leadership of this vital Subcommittee, and we are excited at the prospect of working with you to make our nation truly cyber secure.

We would welcome the opportunity to meet with you to discuss these issues. Please feel free to have your staff contact me at (202) 289-3666 or via email at rhousman@cybersecureinstitute.org.

Sincerely,

Rob Housman
Executive Director

Insecurity is Destroying Innovation

March 5th, 2009

Imagine a day when you no longer need to carry money with you—everything you need to buy groceries, make investments, pay your gas bill, apply for a mortgage, move money around the world, put cash into your child’s college account, all of it is contained on a microchip embedded in your next generation communications device.

Imagine a day when all your vital information is on the same device and instantly at the finger tips of the emergency room doctor in whose hands your life hangs in the balance after a bad car accident—your blood type, your prior bad experiences with anesthesia, your allergies, your cardiac history, and even your living will.

Imagine a day when that same device can suggest a new restaurant based on your prior history (determined by your past searches and purchases, or even by the shows you watch, the movies you rent and the books) and that of your friends (as determined by your most frequent contacts from the same device’s memory), which is located just a block from your current location (as pinpointed by an embedded GPS chip).

Imagine a day when you come up with a new proprietary supply chain innovation for your company while walking down a street in Beijing, you go online, research the innovation, ping your company’s logistics team about how it might be implemented, receive IM responses immediately, exchange data and diagrams to begin the innovation process, and make arrangements for an in process design review via a web conference (which you will participate in via your device) for later that day.

Imagine a day when you drive your car with your thoughts down a smart road that prevents your car from crashing into the car in front of you, or driving off the road, and which sets the optimal speed based on road conditions, energy efficiencies, and whether you are late for a doctor’s appointment or just taking a leisurely drive on a Sunday afternoon.

All of these things are here now or are technologically within the realm of the possible soon.
However, the two greatest obstacles to these and other advances are security and privacy (which is really another manifestation of security concerns).

In January the public learned of a data breach at Heartland Payment Systems that experts say has compromised tens of millions of credit and debit transactions.  Heartland processes roughly 100 million transactions a month for more than 250,000 companies.  Some are saying this is the largest breach ever.  The breach was caused by malicious software inserted into the payment processing network.  To make this breach truly troubling, the company has no clue how the software got onto its system or who put it there.  Heartland not only has no idea what transactions were compromised, but it can’t even tell whose accounts were breached and whose information was stolen.  As a result, basically any American could find that their accounts have been defrauded in the future.  And, just to increase the distrust factor, even though the breach occurred last year, Heartland elected to inform the public on Inauguration Day—a strategy guaranteed to draw as little attention to the information as possible.

A recent study by the world’s largest market research firm, Research and Markets, determined that, “Security concerns are the single biggest factor inhibiting consumer acceptance of mobile banking.”  Seventy-three percent of respondents feared that a hacker would be able to remotely access their accounts through a mobile-device system.  Similarly, 47 percent said that they did not sign up for available mobile banking services specifically because of security concerns.  The study surveyed a representative and random sample of 2,350 U.S. households.

The New York Times online closed out 2008 by reporting that an international team of researchers was able to use “a cluster of several hundred Sony PlayStation 3 video-game machines to exploit a basic weakness in the software system used to protect commercial transactions made via the Internet . . . The flaw would make it possible for a criminal to redirect a Web surfer to a fake bank or online merchant without being detected by the security mechanism embedded in today’s Web browsers.”  The researchers used MD5 collisions to obtain a certificate that browsers would accept as coming from a trusted certificate authority.  This security flaw exists only because a few of the entities that issue the digital certificates that secure Internet transactions have continued to rely on the outdated MD5 hash algorithm to sign them, despite repeated warnings about its vulnerabilities.  This vulnerability—or more precisely the inability of the entities that are supposed to make online transactions secure to secure their own operations—calls into question the integrity of ecommerce, especially for anything beyond consumer goods.
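The practical check that follows from the passage above is whether a certificate you are being asked to trust was signed with MD5 at all. The script below is an added example written for this post, not code from the original page or from the researchers it describes. It uses only the Python standard library: a minimal DER walker reads the signatureAlgorithm field of an X.509 Certificate and compares its OID against the (real) PKCS#1 md2/md5WithRSAEncryption identifiers. The certificates produced by make_demo_cert() are constructed placeholders that model only the outer Certificate structure; they are not real, verifiable certificates.

```python
"""Flag X.509 certificates signed with an MD-family hash (md2/md5WithRSA).

Added example for this post, not code from the original page. Standard
library only: a minimal DER walker reads Certificate.signatureAlgorithm and
compares its OID against the weak PKCS#1 signature OIDs. The certificates
built by make_demo_cert() are constructed placeholders that model only the
outer Certificate shape; they are not real, verifiable certificates.
"""

# PKCS#1 v1.5 signature-algorithm OIDs (real values); the MD-based ones are weak.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_SIG_OIDS = {
    **WEAK_SIG_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID from Certificate.signatureAlgorithm.algorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)        # tbsCertificate, skipped
    tag, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)       # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("algorithm field is not an OID")
    return _decode_oid(oid)


def is_md_signed(cert_der):
    """True when the certificate's signature uses MD2 or MD5 with RSA."""
    return signature_algorithm(cert_der) in WEAK_SIG_OIDS


# --- constructed demo data (not real certificates) -------------------------

def _tlv(tag, value):
    """DER-encode one TLV with short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    """Encode a dotted OID as DER OBJECT IDENTIFIER contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def make_demo_cert(sig_oid):
    """Build a stand-in Certificate SEQUENCE carrying the given signature OID."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                             # placeholder TBSCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + bytes(64))                             # BIT STRING, dummy signature
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        cert = make_demo_cert(oid)
        print(KNOWN_SIG_OIDS.get(oid), "->", "WEAK" if is_md_signed(cert) else "ok")
```

Against a real certificate, feed the DER bytes of each certificate in the chain to is_md_signed(); the walker only reads the outer SEQUENCE and the AlgorithmIdentifier, so it does not need to understand the rest of the structure. Note that the weakness the researchers exploited lies in the issuer’s signature, so the intermediate and root certificates matter as much as the leaf.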

A November 2008 study of mobile device (e.g., laptops and PDAs) use by over 1,000 healthcare professionals found that 93 percent of the devices were at risk.  The study found that 49 percent of the healthcare professionals surveyed downloaded sensitive patient data onto their devices.  The study further found that over 71 percent of respondents protected their devices and sensitive data with just a single password.  Additionally, at least 13 percent of these healthcare professionals had lost one or more devices containing such sensitive information.  No wonder that numerous studies find upwards of 70-80 percent of Americans are concerned about the security of their electronic medical records and their personal privacy.  A 2008 Institute of Medicine study found that almost 60 percent of Americans believe that personal medical information is not adequately protected by federal and state laws or organizational practices, despite new safeguards under the Health Insurance Portability and Accountability Act.

If people don’t trust the security of digital information the enormous gains that the digital revolution can bring will never be realized.  Smart devices have little value if smart people won’t use them.  Markets won’t move beyond online videos and books if ecommerce increasingly becomes “eswindled.”

Insecurity is the greatest impediment to innovation.

And this hurts America most of all. The United States simply cannot win in an economic race based almost exclusively on lower costs of production.  We cannot compete on that footing against other nations where wages and benefits are vastly lower, standards of living for the majority of the people are abysmal, and health care is the ultimate luxury good of the elites. Other nations are uniquely able to re-engineer and make at a lower cost the things that Americans and others around the world need.  If we run that race to the bottom we lose—win, lose or draw.

America’s competitive advantage has always been, and should always remain, our ability to innovate.  It was Henry Ford, an American, who invented mass production and brought the automobile to the masses.  The Wright brothers, flying at Kitty Hawk, North Carolina, created the first airplane.  American innovation gave rise to skyscrapers and with them the modern city.  America has brought the world four successive generations of the information age, first with the telephone, then the television, then the computer, and then the Internet (whether you agree Al Gore invented it or not).

To be successful America needs to constantly push the limits of innovation and efficiencies.  We need to be out in front of the learning curve.  We need to be highly entrepreneurial and technologically driven just to remain competitive, let alone regain some of our lead.

But American innovation can’t take consumers and companies to the next level if they don’t want to go there because they fear the security of their data, money, and personal privacy.  The innovation highway is littered with the wreckage of countless companies with amazing product ideas that have gone too far beyond the limits of consumer confidence.

However, the corporate sector is slow to see this dynamic.  Most companies are loath to invest more on cybersecurity, especially during these tough times.  Instead corporate “leaders” are quick to take shelter behind a series of rationalizations—we are secure enough (but not secure), we are as secure as our competition (which isn’t very secure either), we haven’t suffered a major cyber-attack loss (yet).

To those who preach innovation this inability to respond to looming trends looks a lot like Detroit in the late 60’s and 70’s, and again in the last few years.  Only this time the problem doesn’t threaten a single industry and its dependents; this time the threat is to the prospects for renewed American economic strength.

So, if our future is dependent upon capturing the promise of the digital revolution, and if that future is being compromised by the insecurity of our information systems, it would seem logical that we should do all we can to fix that problem so that we can succeed.

There are innumerable ways that we can seek to address this situation.

We can work to educate and cajole the private sector to understand the problem and hope that these leaders will come around and do the right thing.  This is a worthwhile effort, albeit one that may take some time.  We can also use carrots and sticks to speed this process.

Another thing we can do is to invest in the integrity of our digital infrastructure as a nation.  For years we have ignored our crumbling physical infrastructure.  Now, faced with the current financial crisis, experts and the Obama administration are calling for a massive stimulus package, with much of the money to be spent on infrastructure.  The idea is infrastructure spending will not only stimulate the economy, but also improve America’s ability to compete.  This is inherently smart thinking.

However, America’s infrastructure today is as much digital as it is physical—as much bit and byte as it is brick and mortar.  And, the future of America’s economy requires that both our physical and our digital infrastructures need to be world class.  Thankfully this is not lost on the new President-elect who has pledged to use the stimulus package to boost America’s digital economy.  The President-elect has called for major investments in broadband deployment and increasing the use of technology in education and healthcare.

However, while increasing access and reach are important, access only won’t fix our problem.  Far too many Americans who already have access to these technologies are not using them because these systems are insecure.  Innovations that could create new efficiencies and economic growth are being passed over because of security concerns.

To fix the problem we need to not just expand our information superhighways, but also make them safer, more secure and more reliable.  To achieve this a portion of those digital stimulus dollars should be spent on making our digital infrastructure inherently secure.

Even a small percentage of the stimulus package could have a significant impact if invested wisely in private sector digital critical infrastructure security.  If the total economic stimulus package reaches $1 trillion, as some suggest it will, a mere one percent devoted to cybersecurity would amount to $10 billion.  If that money were used in the form of grants requiring a 50 percent match, then the overall impact would be $20 billion in new cybersecurity spending.

There is a clear parallel with what is planned for and needed with respect to physical infrastructure.  Overwhelmingly, the problem with our physical infrastructure isn’t that we lack bridges and roads—the problem is that too much of this infrastructure is unsafe and/or unreliable.

You can’t trust an unsafe bridge with your life, nor can you trust your life to an unsafe digital superhighway.  Let’s fix both.

Cybersecurity Under the Obama Administration

January 6th, 2009

There has been a flurry of attention recently about cybersecurity under the new Obama administration.

Last month the federal CIO Council published the charter of the Information Security and Identity Management Committee, which will serve as the official forum for agencies’ data and network protection efforts.

Also in December a report by the Center for Strategic and International Studies (CSIS) called for a range of organizational changes, including putting in place a White House cybersecurity czar. The report, prepared by a blue ribbon panel of experts, is an excellent piece of analysis.

There were early indications that the Obama administration might adopt the CSIS approach. In fact, there has been some talk that one of the report’s lead authors, Paul Kurtz, might be asked to assume the czar role. Paul is an outstanding leader in the cybersecurity world and would make an excellent choice.

However, it now appears that senior Obama national security team leaders have cooled on the idea of cybersecurity being run out of the White House. The current scuttlebutt is that there will be an assistant to the president for cybersecurity, most likely positioned on the National Security Council staff. If this ultimately becomes the Obama approach, it would seem that, at least with regard to form, the handling of cybersecurity within the next administration will not differ all that much from prior administrations.

Assuming this glide path, some will criticize the Obama team for not making more significant changes to the form or structure of cybersecurity. To this end, the Institute believes that while a reorganization along the lines of the CSIS recommendations would be a major step forward, a fundamental, substantive change in approach is what is really required. In other words, as appealing as moving the deck chairs can be, a change in course is a more pressing need.

The Bush administration’s approach to cybersecurity has avoided anything that smacks of benchmarks, standards or requirements like the plague. The present administration’s refusal to actually drive cybersecurity was so pronounced that at one point its most promising cybersecurity official, Amit Yoran, abruptly resigned.

Without any impetus to drive cybersecurity, the government and industry have coalesced around the status quo: an inherently insecure digital world.

“We are more secure than ever before.” Yes, but we are still not secure.

“We are as secure as our competitors.” Yes, but that just means all of you are insecure.

The status quo will not change on its own, sua sponte. Unless something forces a change, nothing will change.

This problem is most pronounced within the private sector, which owns the vast majority of the critical infrastructure systems our society is dependent upon. There are virtually no real cybersecurity standards for the vast majority of the corporate sector—even those companies that are vital to our economy and our lives. A few statutes require some measure of cybersecurity; however, these standards are so ill defined as to be toothless. For example, Sarbanes-Oxley requires corporate leadership to certify that adequate information control systems are in place. However, there is no minimum standard for what constitutes adequacy. Similarly, the Gramm-Leach-Bliley Act’s Safeguards Rule requires financial service companies to develop programs to protect information. However, what that standard means is left largely to the companies to decide. As a result, most of our critical infrastructure is inherently insecure.

Across the federal government, there are no baseline security requirements for the vast majority of agency systems and technologies. While our classified systems are better protected, even these systems almost all run on operating systems that are inherently insecure.

The Obama administration needs to look at ways, ranging from sticks (standards and sanctions) to carrots (grants and incentives), to drive a new approach to cybersecurity.

There is a vast range of sticks that the Obama team can choose from to push better cybersecurity, ranging from more traditional command approaches (which may have limitations) to more creative frameworks. For example, almost two years ago I co-authored a paper for the Center for American Progress, which is led by John Podesta who is the head of the Obama Transition team, that called for the use of disclosure requirements under the rules of the Securities and Exchange Commission for corporate security matters. Such an approach could easily be focused on cybersecurity.

Another approach would be to provide companies that implement high-level, proven-secure technologies incentives to offset any cost. Such incentives could be in the form of tax breaks (e.g., allowing additional deductions or faster depreciation). Alternatively, the federal government could fund cyber improvements through direct grants. Such funding might be considered as part of the infrastructure stimulus package now being considered—after all, today’s economic infrastructure is as much digital as it is roads and bridges.

On a positive note there does seem to be added focus on improving private sector cybersecurity within the agencies as they prepare for their new Obama administration leaders.

Interestingly, within this mix there is a serious move afoot to shift some or all of the lead for critical infrastructure cybersecurity away from the Department of Homeland Security and over to the National Security Agency (NSA). And, a transition period is the perfect time for such a power move.

At first glance putting the NSA in charge of private sector cybersecurity may seem odd. However, upon deeper analysis this shift may have a certain appeal.

At the outset, it should be noted that making the NSA the lead on private sector cybersecurity does raise a number of legitimate concerns. These concerns are clustered around the “Big Brother” aura that many attribute to the NSA. One outgrowth of that aura is that some are concerned that if you put the NSA in charge, it will swallow up the entire policy area. As cybersecurity is a cross-cutting issue, which will require a host of actors from across government and industry to play a role, that singularity of control could prove a bad thing. Some also worry that the NSA often functions as a black hole, which seems to run counter to the openness of the Internet realm. Finally, some worry that the NSA lacks the institutional knowledge of how to deal with the commercial world and markets—however, this concern is countered by a full grasp of the NSA’s existing involvement with the private sector.

All of these are valid concerns, and if the NSA is given a larger role, they should be balanced and addressed in the new approach.

That said, there is something to be said for shaking things up. If you aren’t shaking the tree all you eat are the rotten apples off the ground.

Cybersecurity efforts are presently spread across a number of departments but are concentrated within the Department of Homeland Security (DHS). DHS has been out front in the Bush administration’s “please walk with me brother” approach to private sector cybersecurity. A shift away from DHS could send a signal to the private sector that the old way has produced inadequate results and insufficient security. Such a message could help break the inertia within the corporate ranks.

Second, the NSA is the laboring oar in the federal government’s technology security certification programs. As a result it has extensive expertise in reviewing and analyzing the real security of IT systems. The agency also has many of the world’s best penetration experts on staff. This would give the NSA a major leg up in managing a set of carrots or sticks, or both, to drive private sector cybersecurity; they would know which systems meet the mark and which fall short. These capabilities mean that a shift to the NSA could be much more than a bureaucratic reshuffling of the deck chairs.

Third, the NSA by virtue of what it is and what it does has a certain aura. This is the positive edge of the Big Brother double-edge sword. Companies have become rather comfortable dealing with DHS—gone are the days when companies just saluted like good foot soldiers when DHS called. Being “invited” into a discussion with NSA might help move the dialogue, and real security, along.

Fourth, information security and confidentiality are major concerns the private sector raises at the first mention of any federal cybersecurity program touching on their corporate data and secrets. The NSA is nothing short of masterful at keeping secrets.

Fifth, and perhaps most importantly, even within the private sector, the NSA cybersecurity experts are highly regarded. After all, they guard secrets that make the Colonel’s secret recipe or any other corporate matter pale in comparison. This cachet might enable the NSA to work more productively within the tech community.

Sixth, the NSA director also occupies a special place within the national security apparatus—a place that no DHS secretary to date, not even Gov. Ridge, has attained. Putting corporate cybersecurity, and perhaps even federal cybersecurity, into the director’s hands could elevate the issue, which, as a practical matter is vital for progress with the bureaucracy of the federal government. Bureaucrats are much less likely to tangle with someone who has a direct line to the president on his speed dial. In fact, such an elevation was the underlying goal of the CSIS proposal for a cybersecurity czar within the White House. The NSA approach might achieve that same result, albeit in a different way.

This is not to suggest that the NSA approach is the only solution. For example, a DHS approach, with the secretary armed with a strong mandate to make real change could also produce results. In fact, it seems harsh to blame DHS going forward for following the orders of the past president. An energized, empowered DHS could also drive change. At the same time, a White House cybersecurity czar of the sort envisioned by CSIS, but which seems to have fallen by the wayside, could also force progress. However, the NSA approach does have certain pluses and the mere fact that such a change might be in play suggests a level of action that has been lacking to date. And, perhaps most importantly, it seems to at least still be in the mix.

With so much action taking place it seems that there is a strong potential for real substantive progress in the cybersecurity realm. Within that context, moving away from the laissez faire approach to cybersecurity would be a major step forward for the new Obama administration, no matter how the Obama administration opts to do so.

Microsoft hacked—“Déjà vu all over again”

December 19th, 2008

As Yogi Berra once remarked, “Déjà vu all over again.”

This week Microsoft announced that hackers have found a serious security flaw in its Internet Explorer browsers. The security gap allows a hacker to take control of someone’s computer and steal the victim’s passwords—presumably they could take any other sorts of data if they wanted to by just changing what the trojan was designed to go after. Already some 10,000-plus websites have been compromised by the trojan. Of course, Microsoft went to work to quickly find a patch to the gap.

However, as the Institute has repeatedly said, this game of “hack and patch” is a losing proposition.

First, in the same moment that Microsoft was hard at work looking for a patch, the hackers were off looking for a new vulnerability. Microsoft has a lot of very smart employees, but there are vastly more equally smart, highly creative hackers, criminals and spies out there bombarding these systems. When the Russians launched coordinated cyber war against Georgia in 2008, the Georgian systems were hit with attacks from over a million computers, the largest in the 20GB to 40GB range. Given present systems, no nation can defend against an attack of that magnitude—and certainly no company can.

Second, we can only fix that which we know is broken. For every hack we find there are untold numbers of penetrations that are so skillfully done that they remain unseen, unknown. Some botnet hacks today are so sophisticated that, after they get in, they quietly close the door behind themselves—at once reducing the chance of detection and ensuring no other hacker can wrestle control away.

The Microsoft attack is especially disturbing because of the size of the flaw, the magnitude of the penetration, and the sweep of the global IT infrastructure that was compromised—and even more so the still larger reach of systems that were put at risk.

Microsoft’s technologies are so ubiquitous that any major vulnerability in its systems raises the potential for a catastrophic attack. A great percentage of our government’s critical systems are Microsoft based. The overwhelming majority of IT systems within critical infrastructure companies are Microsoft based. The list goes on and on.

The media reports are that this time the hackers were just out to steal gaming passwords. Lucky us. What if their purpose was more nefarious? What if they took banking and finance passwords and used them to pilfer billions upon billions of dollars from millions of people? Our economy is already on shaky ground; imagine how the markets would respond to a cyber crisis. Or what if they stole SCADA system data and then used that information to take down our nation’s power grids? Or what if they took down the entire air traffic control system? Or what if they wiped out the medical records of millions of patients—data doctors need to make life and death decisions?

Love or hate Microsoft, the almost total ubiquity of a single set of interconnected and interdependent IT systems—with serious security issues—is a serious threat to each of us as individuals and families and to our nation’s security.

For this reason, the Institute will continue to push for the deployment of inherently secure technologies.

LynxSecure

December 12th, 2008

Last week LynuxWorks came out with this release about LynxSecure, which got some attention in the tech press:

http://www.marketwatch.com/news/story/LynuxWorks-Announces-Immediate-Availability-LynxSecure/story.aspx?guid=%7BCBEB8EC2-A572-41F8-AC68-D44B53116EBD%7D

LynuxWorks’s release said that its LynxSecure “Technology Supports EAL-7 Evaluation, Integrates Multiple Applications at Different Security Levels on a Single Piece of Silicon and Consolidates Hardware for Security and Separation…”. The company also said, “LynxSecure supports a lightweight Application Run-Time environment that can be used for creating secure applications without an intervening OS which can be evaluated to the required assurance level up to EAL-7.”

This release—and other claims like it—is a major reason why the Cyber Secure Institute was founded. Like so many other security claims—new and improved, better, faster—this is just marketing speak.

Read the release carefully. LynuxWorks isn’t saying that its technology has been certified to a high level of security. Nor is LynuxWorks saying that its technology is secure enough to entertain membership in the Cyber Secure Institute.

This is the National Information Assurance Partnership’s list of certified products. http://www.niap-ccevs.org/cc-scheme/vpl

You won’t find an EAL 7 certification for LynxSecure on that list.

This is the National Information Assurance Partnership’s web listing of products in evaluation. http://www.niap-ccevs.org/cc-scheme/in_evaluation

You won’t even find LynxSecure listed as being under evaluation for EAL 7.

Given that LynxSecure isn’t certified and isn’t even under evaluation for EAL 7, it is important to pay close attention to precisely what LynuxWorks said. LynuxWorks said its system supports EAL 7 evaluation or could be evaluated at that level—or so they say. Allow me to paraphrase: “We haven’t been certified to a high level of security, but we say we could be evaluated to that level—take our word for it.” And, saying one could be evaluated at that level is not saying one could be certified to that level. I could be evaluated for the US Olympic track team; I wouldn’t qualify, but I could be evaluated.

In fact, there is no way that LynxSecure could receive an EAL 7. For example, EAL 7 requires certain physical security assurances that no software can meet.

The Cyber Secure Institute thinks that claims about cybersecurity ought to be subject to intense and objective scrutiny. And LynuxWorks’ claims in this release just don’t stand up.

We would encourage LynuxWorks, and any other technology provider who thinks its systems can stand up to high-level security certifications, to go and actually try to get certified. If you get certified, we look forward to working with you. Until then, let’s skip the marketing speak.

Welcome to the Cyber Secure Institute

December 4th, 2008

Our name says a lot about us and what makes us different. There are scores of entities—ranging from government agencies to industry trade associations—that are focused on cybersecurity. However, in our view, those efforts treat cyber security as being all about process.

In contrast, we are focused on a single, clearly defined end-state goal: to make our critical IT systems “Cyber Secure”™.

In our view, too much cyber security attention has been focused on patching systems that are inherently insecure. The federal government, namely the National Security Agency and the National Information Assurance Partnership (a joint program of the NSA and the National Institute of Standards and Technology), issues security certifications for the IT technologies used across our economy and digital lives. The systems in use today have only been certified to protect against inadvertent and non-hostile attacks. Unfortunately, the cyber-adversaries we face today are anything but inadvertent or non-hostile. Our nation is under constant cyber-attack by foreign enemies, ranging from elite hacking units of the Chinese Army to al Qaeda and other terrorists. Each of us faces cyber threats from sophisticated criminals, like the Russian mafia, every single day. Companies are under siege by cyber-extortionists, organized criminals, and corporate spies.

As if that isn’t troubling enough, we have only modest confidence that these technologies can withstand even inadvertent and non-hostile attacks. The certifications issued by the federal government come with an associated confidence level, which is measured on a scale of 1 (low) to 7 (high). The systems we rely on today have been certified only up to levels 4 and 5—meaning that our confidence in these systems to protect against even the most basic attacks is modest at best.

As a result, the cyber systems that we rely on to protect our nation are vulnerable. So are the systems we rely on to run our nation—from power grids to financial services. And, each of us is vulnerable individually. Your identity can be stolen. Charges can be run up on your credit cards. Your health care and other personal records can be hacked.

This places us in a constant game of whack-a-mole with the terrorists, criminals and other sophisticated adversaries—struggling to knock down the next threat that pops up, only to then face yet another threat, followed by yet more threats.

We need a new paradigm for digital security. We have to stop patching holes and start deploying fully secure systems.

The Cyber Secure Institute was formed to help drive that change.

To achieve this, we will start by raising awareness of the cyber threats faced by the nation, companies, and individuals. If we are to drive change, there needs to be awareness and pressure.

Second, we will serve as a de facto, independent “industry” standard-setting body with the goal of raising cybersecurity standards. In order to be a full member of the Cyber Secure Institute and display our badge, companies must be able to document to us that their technology has been certified by an independent entity as fully secure against hostile and sophisticated attacks, or document that they are deploying certified technologies for their IT systems. Over time, when you see our badge you can have confidence that the system you are relying on is Cyber Secure™.

Finally, we will advocate for the deployment of best available cybersecurity technologies to protect governments, critical infrastructure and individual citizens. The systems that we are dependent upon need to use only Cyber Secure™ technologies.

To drive technological change, we will advocate for a host of different mechanisms to compel critical systems to use best available, Cyber Secure™ technologies. In some cases we will base our efforts on existing standards. For example, section 404 of Sarbanes-Oxley requires publicly traded companies to have internal control measures, including over their data and IT systems. Similarly, the 1999 Gramm-Leach-Bliley Act requires financial institutions to institute safeguards to protect customer information, including in digital or cyber formats. Where these standards exist, we will use them as drivers for Cyber Secure technologies. In addition, we will also advocate for new mechanisms—disclosure regimes, insurance schemes, market-based measures, and, where appropriate, regulatory requirements—to achieve these goals.

Through these efforts we will make Cyber Secure™ the benchmark for both industry and government IT systems.

Critics will say that the goal of real cyber security as we define it is unattainable. They will argue that “There will always be hackers out there finding ways to break our safeguards.” There is an element of truth in their perspective. If cyber security continues to be viewed as an afterthought—the fence you put up after things start to go missing—then there will always be hackers looking to find ways over, under, through or around that fence. Patch one hole in your fence, and they will cut a new one. Build a taller fence, and they will buy a longer ladder.

In fact, the only way to fix this problem is through the sort of paradigm shift we advocate. Better cyber fences alone aren’t going to eliminate the threats we face. The next generation of technology needs to be inherently secure, not as an afterthought, but as a core element. If we can put a man on the Moon, harness the power of the atom and build a global information web, we can build inherently secure digital systems.