The word The Wall Street Journal used in its headline was "war," which always gets people's attention. In a March 28th story headlined, "U.S. Outgunned in Hacker War," outgoing FBI Executive Assistant Director Shawn Henry was quoted as saying, with respect to the ongoing battle against cyber threats, "We're not winning." As the story made its rounds through the Web, "not winning" quickly became "losing."

Apart from distorting exactly what Henry said, focusing on the winning-or-losing aspect of his retirement comments takes away from his broader point. Andy Purdy, former director of the National Cyber Security Division of the U.S. Dept. of Homeland Security, tells ReadWriteWeb that the real point is far more fundamental than whether we're winning or losing the so-called cyberwar.

"We Can't Eliminate All Risk"

"Risk management needs to be the approach that guides our government agencies," states Purdy, currently the chief cybersecurity strategist at enterprise services provider CSC. "I think that concept of risk management needs to guide the approach to our critical infrastructure, and you see that reflected in the National Infrastructure Protection Plan that was launched back when I was at DHS. And the nation needs a risk management approach."

In 2003, Purdy served as Senior Advisor and coauthor of the DHS' National Strategy to Secure Cyberspace. Today, Purdy talks about both government and business moving away from a warfare scenario and toward something more like a maintenance operation - a way of making adjustments for losses and ensuring the integrity of data systems in the face of changing threats. "We can't eliminate all risk; we can't be just reactive, though we have to be prepared," he tells RWW.

"Some of the functions and some of the work can be outsourced. But in a risk management process, with the ongoing assessment of risk, the interaction with the business owners, and the changing dynamics in terms of the IT landscape within the larger enterprise, you can't outsource all that. There needs to be that kind of customer [focused], ongoing engagement. In larger enterprises, I think we're increasingly seeing an enterprise risk manager with very senior reporting responsibilities, who has access to the information from [resources] below - which perhaps may be outsourced - and then direct connectivity to the leading decision makers in the company, so that the risk issues can be escalated appropriately, brought to decision, and the risk can be accepted, transferred or mitigated much more quickly than in the past."

It's here that traditional reporting tools are showing signs of age, and where service providers may take a cue from how Salesforce has very rapidly revolutionized team management in the world of CRM.

Purdy introduces us to a concept he calls leveraged, managed security services, which builds on a CSC idea called "The Security Stack." Every enterprise needs global, full-time security operations centers, he argues.

These centers do not need to be dedicated - indeed, Purdy suggests they should be shared between enterprises so that sources of threat intelligence from both commercial and the public sector may be integrated. "That ability to monitor from a centralized source, [puts you] in a much better position to connect the dots and eliminate the difficulties of legacy communications processes."

Situational Awareness

It's the notion of situational awareness - the third layer of CSC's Security Stack - that distinguishes the risk management process. Though it sounds like a Pentagon euphemism, it doesn't require a military mindset. It's what Shawn Henry told a cyber defense summit in Muscat, Oman, last week - that everyday businesses need a central channel of communication that places the best intelligence in the hands of the decision maker.

"If the leadership of organizations doesn't get it, its people are not going to pay attention," an Oman news service quotes Henry as telling attendees. "If the boss doesn't think it is important, then people are not going to take it seriously. So I want to get to the organizations at the CEO level or the CIO level, at the leadership, at the executives in organizations. I want to get to corporate counsel, general counsels and organizations so that they understand what the liability is. If you can raise the situational awareness at the executive leadership of [organizations], you will get a much better response and have a much more secure organization."

"I think Shawn's one of the more experienced people ever to take that position," Purdy says, "and I think he's made tremendous progress working within the country and internationally to try to set up processes for greater cooperation with allies and others, and to make sure that they're working in a strategic, targeted way, and we're trying to learn from those activities."

Dropping the Wrong Bomb

Recently, Henry has been invoking a "bomb" analogy with respect to the situational awareness model: It's the idea that if you told the CEO there's a bomb in the basement, he'd react and evacuate the building. But if you can't describe a threat as something equally tangible and equally serious, there's a good chance he'll do nothing at all. (The analogy made an appearance during Henry's retirement speech; and bloggers who translated that speech from a foreign language back into English concluded that Henry was saying there's a bomb in the basement.)

"I hope and expect at some point that he will come out with a 'Part 2' of his discussion," remarks Purdy. "There are those who feel that, when you finish reading what he said, it feels a little hopeless and helpless, and that the necessary path forward cannot really help contribute in the long term to managing the risk more effectively. I would say that some of the efforts we've seen recently to do some things that can drain the swamp of malicious cyber activity are critically important."

One example Purdy cites is an agreement last month between ISPs and the FCC for codes of conduct and best practices in detecting threat activity that may impact customers, and in informing those customers. Those best practices include an accelerated deployment of DNSSEC (Domain Name System Security Extensions), improving the security of DNS resolution to prevent domain hijacking. "That activity is a necessary complement to the great work that law enforcement has been doing. But they have not been emphasized enough in this country... I think some of the challenges and the frustrations that Shawn talked about can be addressed by enhancing the role of ISPs and enhancing information sharing. [This] can reduce the number and seriousness of machine infections around the country - hopefully if we work internationally on it, around the world - so that we can make it harder for the bad guys to hide in the white noise of cyberspace, to make it easier to find the more sophisticated actors, and to force them, frankly, into using some of the more sophisticated tools, the zero-days, rather than using the very common exploits and botnets to launch their attacks."

Responding to the Nation's IP Crisis

Although much of the security industry in 2011 focused on the "rise of hacktivism," Purdy believes that deflected attention from a much greater problem.

"I think the major development in 2011 was a consensus among senior government officials and senior private sector officials in this country that we are suffering a systematic online theft of intellectual property. It rises to the level of national security significance because of the impact on global competitiveness of American companies. We have to do much more than we're doing now. I'm not as comfortable in putting it in terms of 'winners and losers,' but I think the kinds of harm that's being suffered in this country by individuals and organizations, that Shawn Henry talked about, is very real, and we can't just think of it in terms of, 'Will there be a digital Pearl Harbor?'" says Purdy, invoking a phrase coined recently by Defense Secretary Leon Panetta. "The fact is, we're suffering very significant losses, very significant harms right now, and we have to do more about it. We've got to get a little bit out of the 'Kumbaya' attitude of public/private partnerships."

This was one of the lessons of Hurricane Katrina, Purdy notes, which was learned way too late: Situational awareness could have been achieved had government agencies been more willing to share information with telecoms, for example, in keeping lines of communication open.

Working together to analyze information, respond to incidents and recover from disruptions is now something that agencies realize is not only possible, but critical. The National Coordination Center, now co-located within DHS, manages situational awareness. "That kind of analysis needs to be done, so when Secretary Panetta says we face a possibility of a devastating attack against the power grid... government and the private sector, the electric power providers, need to do that kind of analysis, identify gaps, set goals, objectives and milestones so we can drive and enhance the cyber preparedness of each of our key sectors, and enhance the nation."