Tom Kemp's Centrify Blog

The President's Cyberspace Security Review and Some Thoughts on Innovation in the Security Industry

Wednesday, June 3, 2009

It was definitely encouraging to see, based on last Friday's announcement, that Cyberspace Security is becoming a national security priority. President Obama on Friday presented the recommendations of a 60-day cyber security review panel and will likely appoint a Cyberspace Security "Czar" in the next few days. I thought the tagline of the Cyberspace Policy Review did a good job of nailing what needs to be done: "Assuring a Trusted and Resilient Information and Communications Infrastructure." Below are some of my thoughts and observations on the Obama Cyberspace Policy Review; my more provocative thoughts, on the need for innovation in the security industry, are at the end of this post.

First of all, drawing attention to security and having a person coordinating this within the federal government could not come soon enough. The Wall Street Journal reported that

"The moves come amid growing evidence that sophisticated overseas hackers are waging a widening assault on important U.S. networks. The Defense Department detected 360 million attempts to penetrate its networks last year, up from six million in 2006. The Pentagon alone has spent $100 million in the past six months repairing damage from cyberattacks.

U.S. officials acknowledge that the hackers, believed to be mainly from Russia and China, are having some success. The Wall Street Journal reported this spring that cyberspies breached both the nation's electricity grid and the Pentagon's biggest weapons program, the $300 billion Joint Strike Fighters."

And CNN reported that

"The Department of Homeland Security reports the number of cyber attacks on government and private networks increased from 4,095 in 2005 to 72,065 in 2008.

This month, a Transportation Department audit -- carried out after hackers got into a support system containing personnel records -- indicated the nation's air-traffic control system could be at risk."

Part of the problem is that the Federal government is not keeping up with the security laws it must abide by (e.g. the Federal Information Security Management Act, FISMA):

"In their fiscal year 2008 performance and accountability reports, 20 of 24 major agencies noted that the information system controls over their financial systems and information were either a material weakness or a significant deficiency," said Gregory Wilshusen, director for information security issues at the GAO, testifying before the House of Representatives Subcommittee on Government Management, Organization, and Procurement.

"Over the last several years, most agencies have not implemented controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information," he added. He blamed the deficiency directly on a lack of agency-wide information security programs as required by FISMA, Federal legislation that mandated Federal information security programs. "Six years after FISMA was enacted, we continue to report that poor information security is a widespread problem with potentially devastating consequences."

Agencies had failed on various levels, said Wilshusen, citing tasks that read like a basic security checklist. Authorizing users, implementing principles of least privilege, establishing boundary protection mechanisms, encrypting data, and logging security-related events were areas where agencies had failed."

Now, granted, Congress is looking to reform FISMA, but it appears from the article above that the basic blocking and tackling just needs to be done. [Note to Federal agencies and shameless plug: Centrify does a great job of addressing the areas of authorizing users, implementing principles of least privilege, establishing boundary protection mechanisms, etc.; check out this whitepaper and webinar on how to leverage Active Directory to meet FISMA requirements.]

But let's also be candid here: improving Cyberspace Security is not, and should not be, just about what the Federal government needs to do better. The private sector needs to share the responsibility. As the Review notes on page 27 of the PDF:

"The Federal government has the responsibility to protect and defend the country, and all levels of government have the responsibility to ensure the safety and well-being of their citizens. The private sector, however, designs, builds, owns, and operates most of the network infrastructures that support government and private users alike. Industry and governments share the responsibility for the security and reliability of the infrastructure and the transactions that take place on it and should work closely together to address these interdependencies. There are various approaches the Federal government could take to address these challenges, some of which may require changes in law and policy."

In fact, breaches occurring in the private sector are just as worrisome as the breaches that happened in the Federal government, as the Review noted on page 12 of the PDF:

"In November 2008, the compromised payment processors of an international bank permitted fraudulent transactions at more than 130 automated teller machines in 49 cities within a 30-minute period, according to press reports. In another case reported by the media, a U.S. retailer in 2007 experienced data breaches and loss of personally identifiable information that compromised 45 million credit and debit cards."

Another observation I have about the Review is that identity management was specifically called out. The Review said that "We cannot improve cybersecurity without improving authentication, and identity management is not just about authenticating people. Authentication mechanisms also can help ensure that online transactions only involve trustworthy data, hardware, and software for networks and devices." Being CEO of an identity management vendor, I say hear, hear to that!

My final observation and comment has to do with innovation vis-à-vis Cyberspace security. The last chapter of the Review is about encouraging innovation and how critical innovation is to addressing our needs in this area. The Review notes on page 41 of the PDF:

"The United States should harness the full benefits of innovation to address cybersecurity concerns. Many technical and network management solutions that would greatly enhance security already exist in the market place but are not always used because of cost or complexity. In addition, existing solutions can only do so much given the underlying design of the Internet architecture. In the long run, openness and innovation will help create a stronger infrastructure with transparency and accountability."

Hard to argue with that, but I actually think we currently have a situation where we face the greatest threat vis-à-vis security at the same time that the least amount of innovation in security is occurring. Here's why I think that:

According to Dow Jones VentureSource, investments in new ventures are the lowest in 11 years. VC funding has dropped 50% in one year, as has investing in IT companies. This means that fewer and fewer security software companies are being funded to do a lot of the required innovation. Sayeth Dow Jones: "IT Industry Walloped: Investment, Deals at 90s Levels." I would argue that security software investing had tailed off even before the economic downturn, given VCs' focus in the last few years on Web 2.0 and cleantech companies, the lack of IPOs in security, and the view that this sector was overinvested in the early 2000s (e.g. see this article on another NAC bankruptcy).

At the same time, the larger security vendors are cutting back on investments given the economy and the need to focus on maintaining existing products. I think this blog post by Bruce Cleveland does a nice job of articulating the "innovation stagnation" that is occurring in larger companies today:

"Ironically, one of the problems that plague large software companies is their ability to innovate and bring new products to market tends to be inversely related to their success and growth. That is, the bigger they get the less innovative they become. There are two primary reasons for this perplexing phenomenon.

The first is that existing customers place increasingly significant demands upon the company's product resources to provide bug fixes and deliver enhancements to current product lines. Over time, maintenance and product revenues from existing customers dwarf new customer revenue so companies must invest the majority of their resources to secure these revenue sources, leaving few resources for new product initiatives.

Second, the public markets expect companies to generate increasingly better operating results - improved revenues and margins each and every quarter. Investing in new product initiatives results in little short term revenue increases. The problem is compounded by the fact these new product investments immediately impact the expense side of a public company's balance sheet. This can lead to poor margins and a depressed stock price which in turn can jeopardize a senior management team's employment tenure with the company."

At Centrify we believe we are innovating in the security space, more so than we see from other vendors, with some new products that will be coming out later this year. But Centrify, like any other security vendor, can only offer a few drops in the bucket compared to the wide range of cybersecurity threats our nation faces today. Hopefully this initiative by President Obama can help stir up the additional innovation that is needed to address our nation's and the world's needs.
