Original URL: http://www.theregister.co.uk/2008/04/25/greg_garcia_interview/

Securing cyberspace against war, terror and red tape

DHS's Greg Garcia in the hot seat

By Dan Goodin

Posted in Law, 25th April 2008 12:02 GMT

Interview: In September 2006, the US Secretary of Homeland Security appointed Greg Garcia assistant secretary for cybersecurity and telecommunications. With oversight for the National Cyber Security Division, the Office of Emergency Communications and the National Communications System, he is the federal government's point man for securing the nation's internet and telecommunications systems against attacks from terrorists or countries that may target the US.

The Register sat down with him during the RSA security conference and a couple of things quickly became clear: One, he'd much prefer to see free market forces secure cyberspace than rely on the long arm of the government; and two, like the president he serves, he believes the execution of his duties is pretty much flawless.

El Reg: It's been about 18 months since you've been on the job. That's a nice number for report cards, or to check in and see how you're doing. In your judgment, what are your biggest accomplishments and what's the biggest failure or thing that you would have liked to accomplish that you haven't?

I think the biggest accomplishments so far are just the level of visibility that cyber security has taken on, not just in the DHS but across the government. I think the cyber initiative is the evidence of that. Leading up to that we had a number of very compelling accomplishments, the biggest of which was in May of last year we released the 17 sector-specific plans as part of the national infrastructure protection plan.

This is where each of the critical sectors got together with their agency counterparts in the federal government, sat down side by side, two pens and a piece of paper and mapped out what commitments we are going to make collectively to do the national vulnerability assessment that's necessary across our networks and take the steps to mitigate them. That was a true illustration of the partnership model at work and that it's working. There were trust relationships built around that.

I think over the past 18 months I would look back and say the level of engagement of this partnership between the private sector and the public sector is I think a tremendous accomplishment.

Is there anything that you were hoping you would have accomplished by now that has not happened?

I think this is an evolutionary process. My only regret is that this administration is coming to a close and that the national strategy that we need to pursue is one that's going to take years to really mature to where it needs to be and as I'm a political I don't expect I'm going to be around much into the next administration. But I'm looking to our private sector partners and career civil servants across the government and in DHS to keep that going.

There is growing evidence that [China is] actively engaged not only in attacking infrastructure belonging to private companies but also infrastructure that belongs to the federal government. I believe that Oak Ridge [National] Labs is one possibility. Do you believe that there are attacks coming from China that are state sponsored?

There are attacks coming from everywhere as you know, and there are botnet attacks that you can see coming from a country but that doesn't mean that's where the actual attacker is seated and that botnet computer could be hijacked from a completely different country.

That said, there are some things we don't talk about in this forum about nation states or otherwise, but from a DHS perspective what we're particularly interested in is how do we protect our systems from those attacks no matter where they're coming from. Because yes, they could come from nation states, they could come from hacker groups, they could come from hacktivists with political motives, they could come from organized cyber crime groups from different countries. So my objective is to ensure we've got the protective systems in place and the technology in place and the coordinated response to attacks.

If DHS were to learn that a particular attack was state-sponsored by the Chinese government, you knew for certain, would it be considered an act of war and responded to accordingly?

That's a good question and we are now in a cyber age where our traditional thinking about acts of war is changed. This is something that we are thinking about across the federal government in terms of more strategic thinking about how to deal with that question, because it's a very complex one and it's one that engages numerous players from the State Department to the Defense Department to many others across the federal government. This is part of our national strategy how we deal with that question.

You mentioned the important thing being protecting ourselves against an attack wherever it may come from and whoever may be behind it. Are offensive cyber attacks, sort of counter DDoSes, counter unleashing of malware - are those things included in the way DHS should go about protecting the country?

Our mission is protective, so we're protecting the homeland, we're protecting our networks. You've seen articles recently where the Air Force cyber command is talking about stepping up its offensive capabilities. DOD is really the most active in that area, but DHS we're protective.

If you see a botnet attacking important infrastructure, is taking that botnet out or attacking it one way of protecting ourselves?

There are some things we don't want to talk about in open forums, but we do partner with various agencies across the government who have different equities in cyber security, different activities in cyber security and we work together to help each other, particularly making sure that DHS knows what's coming into federal networks so we can take protective actions.

There's been some discussion about how to deal with radical jihadi groups that are online and websites that perhaps are spreading jihadi propaganda. One idea is shut them down and another idea is don't shut them down [but rather] study them, monitor them. Shutting them down only drives them underground and then you don't know what the enemy is thinking or doing. Where do you stand on that?

DHS's mission is about protecting our networks. We're not engaged in shutting down other networks. That's the purview of other agencies.

Does DHS consider the monitoring of groups like that part of its purview, in gathering intelligence and knowing if people are thinking about attacking or doing other things like that?

DHS is not an intelligence gatherer, so the effort that we have in the cyber initiative is helping federal agencies monitor what's going in and out of their own networks. We're not monitoring or gathering intelligence.

There has been a lot of evidence that attacks on national labs are using very sophisticated spear phishing. Is this something that's within DHS's purview to try to prevent, and if so what exactly are you doing?

The US CERT is the focal point for the information sharing about attacks. Last year US CERT received 37,000 incident reports, which is about a 55 per cent increase over FY 07 and most of those were phishing attacks just as you described. So it's our ability to receive that information, watch what's happening across federal networks using our Einstein intrusion detection capabilities and correlating, seeing what the patterns are.

As to that collection of anomalous traffic across networks that we're able to push the information back out to our federal agencies, to our state governments and to our private sector saying this is what we're seeing. Most recently, last fall, we were able to communicate through notices to our partners a variety of IP addresses that they need to be watching out for for that kind of attack. This is the primary role of the US CERT, which is to both receive information from all sources about what's happening on our networks, analyze it, synthesize it, correlate it, and then push it back out again in actionable formats that people can actually take action and say, OK got it, I'm going to plug this port and apply this patch. That's our value add.

It was just this week that a research firm from Atlanta came out with research about a botnet they call Kraken, evidently it goes under other names such as Bobax. It's a massive botnet, and it's living in many cases inside of Fortune 500 companies and presumably other places it shouldn't be. If Fortune 500 companies aren't taking steps to prevent this kind of thing, what evidence do we have that we're really on the right track when it comes to preventing attacks against important infrastructure?

Good question. I think a lot of companies are taking the right steps and a lot of companies are not taking the right steps and part of my role is to communicate the business proposition to these companies as to why they need to take steps to protect against threats that they're not actually seeing. And that's the challenge from a lot of the companies - they feel they need to actually see the threat but sometimes they don't know that they're being infiltrated.

This conference is evidence - there are what 17,000 people here - that there is an increasing awareness. So even though there are a lot of companies that are responsible and doing the right thing, our networks really are only as strong as the weakest link and because we are so interconnected, if there are companies that are not doing what they need to do to protect their networks, that in turn may be jeopardizing the security of companies that very well may be doing the right thing, and the federal government as well.

So do you use a carrot, or at some point do you use a stick?

I think it's really a combination, but a stick model, if you mean regulatory, I would be concerned that we could through a regulatory model not keep up with evolving technology, we could not keep up with evolving threats and that what instead we need to do is to push the marketplace to provide market-based incentives for companies that in order for me as one company to do business with you as another company, I need to be convinced that you're doing the right thing with your networks.

If you're going to connect to me I don't want to catch your virus. I as your customer have to demand this upon you as my vendor or my service provider. That's the model we're trying to push. The stick has to be coming from the marketplace to the marketplace, not from the government to the marketplace.

Do you think that some sort of digital Pearl Harbor is possible in the next decade and if so, how likely do you think it is?

Our networks are so distributed and resilient and redundant that a massive attack that would bring down the internet - I don't think that's possible. I direct your attention to a report from the Business Roundtable last fall. What they said was: We have to envision a situation where you could have multiple coordinated attacks against different pockets of the internet infrastructure such that it degrades confidence in the internet as our mode of doing business.

If we lose confidence in that and we cease to want to use it, or we cease to be able to use it, then our business continuity is at stake. So we as CEOs have a responsibility to ensure we have business continuity. That's what cyber security is about.

It's about the operations of my business and I as CEO have a responsibility to my shareholders and to my board of directors to ensure that I'm paying attention to this and am taking protective measures and investing in the technology, investing in the people, investing in the best practices and policies to make sure we're doing the right thing.

Talk to me a little bit about your own experience with security. Have you ever been a victim of, or worked for the defense of, a network that was under attack?

I as a home user do everything I am supposed to do. I keep my anti-virus up to date and keep my firewall turned on. I have seen in the past spyware infect my personal computer, just as everybody has. My role at DHS is to co-ordinate all of those efforts from the operational side of my US CERT to the preparedness side of building the culture of securing across the country. I've not been a hacker. There are those who know how to do it, but I'm more interested in national policy and national strategy.

Over the last year there have been dozens of reports of flash drives, hard drives, iPods, all kinds of different devices you can buy at Best Buy or wherever else, with spyware loaded on to them. Do you worry that it's also possible to put on a much more nefarious software that has implications for homeland security?

Absolutely. We are acutely aware of potential vulnerabilities across the global supply chain. We live in a global manufacturing environment and that is the natural order of a global business. But with that comes risks that anywhere along the supply chain we could see vulnerabilities into products that are manufactured abroad, whether it's hardware or software. This is something we have put more resources into at DHS and that is working with the private sector to consider how we can get a handle on the global supply chain.

Thanks very much.

Good talking with you. ®