Author Archive

Structuring for Strategic Cyber Defense: State of the Nation and What We Can Do

Monday, December 22nd, 2008

I’ve been an organizer of ACSAC in one capacity or another for close to 20 years now, and I’ve managed to attend most years. The conference always meets in early December in a southern US city (2008 in Anaheim, 2009 in Honolulu). This year’s keynote speakers were Sami Saydjari (formerly of NSA and DARPA, and now president of his own consulting company) and Whit Diffie (Distinguished Fellow at Sun, and famous co-inventor of public key cryptography).

I found Sami’s talk (“Structuring for Strategic Cyber Defense: A Cyber Manhattan Project Blueprint”) both energizing and frightening. I’ve known Sami for many years, and worked with him in several capacities, and have seen his concerns for the safety of the US develop over the years. Sami views cyberspace not just as an extension of “traditional” warfare (which he dubbed “kinetic” some years ago), but as a space in its own right, with its own assets - instead of land and people being controlled (or damaged/destroyed/killed), it’s information that’s at risk. He pointed out that our enemies - whom he doesn’t hesitate to name, most notably the Chinese government - are investing in all-out attacks against the US, focusing on destroying our infrastructure, including power and banking. (If you think the meltdown on Wall Street of the past few months has been bad, think of how much worse it could have been if coupled with a cyberattack to wipe out banking records!) While Sami’s focus is on the US, he points out that the threat is not only to the US, but also to any other technology-dependent country, which includes most of the developed world. He believes the threat is of the same order as the nuclear threat during the Cold War, which was a threat to national sovereignty.

Sami noted “It’s time to stop speculating about the threat, and time to do a risk assessment”, and then described the “Dark Angel” tabletop exercises that showed how an adversary with $500M (a tiny fraction of what we’re spending on bailing out the auto industry!) and three years could take out 70% of the power infrastructure of the US for an extended period of time - think about the lawlessness in the wake of Hurricane Katrina, and extend that across the entire country for a period of months or longer.

Sami noted that “the debate between talking heads has to stop” and called for an expert congressional commission similar to the Rogers commission that studied the Space Shuttle Challenger disaster, in which Richard Feynman played a key role.

On the positive side, the incoming Obama administration seems more aware of the issues of cybersecurity than any prior administration.

Sami is calling for a Cyber Manhattan Project with the vision (to overcome national strategic vulnerabilities ASAP) and urgency (because there’s plenty of means, motive, and opportunity for an attacker) to develop strategic capabilities, including continuity of critical information infrastructure operations (perhaps including “dark power” similar to “dark fiber” available in case of emergency), addressing the systems that are designed to “fail safe” but fail by having catastrophic failures, figuring out how to “reboot the power grid” in case of a failure (the power grid requires power to get started), asymmetric threats (a $500M attack could cause $1T in damage), situation awareness, and metrics-based quantifiable security.

Finally, he called for the Right organizing model (along the lines of DARPA for research and NASA for operations rather than a bureaucracy like DHS), at the Right Place (in the White House, to be above the fray), with the Right Clout (a presidential statement of support), and the Right Authority (bureaucracies cannot have power over the money).

Sami certainly isn’t the only one commenting on the urgent need to address cybersecurity threats. If you haven’t read the report of the “Commission on Cybersecurity for the 44th Presidency”, it’s well worth it, although it’s not as demanding as I’d like to see. Also, see a recent Wall Street Journal article (titled “Internet Attacks Are a Real and Growing Problem: A new report says cyberwar isn’t science fiction”).

After his talk, several of us asked Sami what we could do as individuals to further the Cyber Manhattan Project. Following is his answer, reproduced with his permission.

  1. Educate yourself. Learn about the nature and gravity of the national strategic cyber risk and bold and effective moves that could mitigate those risks. Learn about the policy realm and what the issues are so that you can speak intelligently about good and bad cyber defense policy. Take a policy expert out to lunch. Learn about related history such as the early formation of NASA and of the (U.S. and U.K.) Air Force and how these big changes were possible against the barriers that the establishment always puts up to such big changes.
  2. Educate your peers. Once you educate yourself, help educate your professional peers through one-on-one debates and discussions. Give professional talks to peer groups at conferences and to graduate-level students about to emerge into the professional world.
  3. Educate the public. Securing the national cyber vulnerability will require significant investment of resources and significant educational, legal, and cultural attitude changes. This requires that the public be educated on this issue and that a national public discussion take place. Facilitate this discussion by educating the public through lectures and talking to the press in terms that they can understand. I find that analogies like the Manhattan Project and the space race are helpful to frame the debate. Write op-ed pieces.
  4. Educate leadership. Advocate for sound public policy in strategic cyber defense. Talk to executive branch leadership at whatever level you have access to help them understand the types of actions our country needs to address these risks and encourage them to take an active role. Meet with members of the legislative branch and their staff and advocate for legal and policy changes and appropriate investments to mitigate national risk. Government has a responsibility to “provide for the common defense” as laid out in the constitution. Hold the government accountable to step up to that duty to the emerging cyber space territory in the information age.
  5. Serve. This is a hard one. There are at least two important ways to serve, but both will involve your most precious asset: your time. Consider investing 10% of your career in public service. This could include joining non-profit advocacy groups that help move for change and improvement in some aspect of national cyber defense. The second major category is to serve inside the government to change things from within. This can be extremely hard because it means disrupting your normal career path and perhaps your family. It is also hard when the degree of change is great and the system resists that change with all its might. Yet, this can be one of the most effective ways to cause significant change. Try hard to answer the call, particularly in later parts of your career when you have the experience and network to be most effective.

What Measures do Software Vendors Use for Software Assurance?

Monday, October 6th, 2008

My last project for my former employer (Software AG) was a study of what software vendors do to achieve software assurance. The goal of the study was to see whether we (Software AG) were at, above, or below the norm, and to adjust investments in assurance accordingly. All but one of the vendors who participated are household names - these weren’t mom & pop shops, but major multi-national ISVs, most of them with sales of a billion dollars a year or more.

I presented a brief summary of the study results at the recent “Making the Business Case for Software Assurance” workshop hosted by Carnegie Mellon’s Software Engineering Institute, and sponsored by the US Department of Homeland Security. I’ll also be presenting an even briefer summary of the results at the 24th Annual Computer Security Applications Conference in December.

In my new role at Cigital, I’m hoping to be able to expand the survey beyond software vendors into e-commerce vendors, embedded software suppliers, financial institutions, etc., as well as to systematize the survey so it can be done by filling out a web form instead of as an interview. I welcome your suggestions as to how to make this project more relevant to vendors and software purchasers - and also welcome your participation in the survey, as well as suggestions on how to fund the ongoing work!

And finally, thanks to the (anonymous) vendors who participated in the first phase of the project. While I can’t thank them by name, I very much appreciate their input.

Justice League’s Newest Blogger

Thursday, October 2nd, 2008

Greetings! I’m Jeremy Epstein, the newest member of the Cigital blogging team. I’ve joined Cigital after nearly 9 years with Software AG (and webMethods, before it was acquired by Software AG), and will be focused on software security in the federal space. Software security is a passion of mine – I’ve been talking about it, and occasionally practicing it, even longer than Gary McGraw, and that’s a loooooong time. I’m also very active in the voting technology field, and hope to bring some of Cigital’s software security expertise to the voting world.

I joined Cigital because I’m passionate about software security, and because of the great people at Cigital, many of whom I’ve known for a decade or more. I hope to help improve security at Cigital’s customers, and to raise awareness more broadly of security issues in government and commercial systems. Look for my occasional postings and rants here, on my personal blog at abqordia.blogspot.com, and on the RISKS digest at www.risks.org.
