For those of us covering the cyber security beat, there haven’t been many feel-good stories coming out of the federal government in – well – forever. Even before the advent of nation state sponsored hacking, the news was mostly of the federal government’s bloated and unwieldy IT infrastructure, byzantine procurement systems and the difficulty of attracting top talent away from private sector employers who could offer more pay, more autonomy and a better working environment.
Then came the gut-wrenching display of offensive prowess by the U.S.’s main adversaries – nations like China, Russia and Iran. Those stories started, in earnest, with news about operations like Titan Rain (in 2003) and continue to the present day. The problem has gotten so bad that the military’s preferred euphemism for Chinese hackers – “advanced persistent threat,” or “APT” – has become part of the nomenclature of the IT security world far beyond the Beltway and the campuses of defense industrial base (DIB) contractors.
But times may be changing – albeit slowly. Specifically: the wholehearted embrace of cloud computing and software as a service by the private sector is (finally) beginning to spill over to the public sector, including federal departments and even the military. In 2011, the U.S. Chief Information Officer released the “Federal Cloud Computing Strategy,” making official the federal government’s plans to move its information technology assets away from traditional workstations and toward cloud computing environments.
And DARPA – the Defense Advanced Research Projects Agency – is working on a project called the Mission-oriented Resilient Clouds (MRC) program, which is directed at technologies that can serve as a kind of immune system for the cloud: detecting, diagnosing and responding to attacks on cloud applications and infrastructure.
So will cloud services be the salvation of beleaguered government and military IT departments? I had a chance last week to speak with one of the most knowledgeable people around on the topic: Jeff Schilling, the newly appointed Chief Security Officer at FireHost, a Dallas, Texas-based secure cloud startup.
Schilling stepped into the top spot on May 27 after leaving his previous job as Director of the Global Incident Response Practice at Dell’s SecureWorks division. Before that he was the director of the U.S. Army’s Global Network Operations and Security Center under the U.S. Army’s Cyber Command, where he oversaw security operations and incident response for more than 1 million computer systems on 350 wide-area networks supporting U.S. Army units in more than 2,500 locations worldwide.
During our talk, I asked him what he thought the biggest benefit of his years of experience within the military’s cyber command was. Without missing a beat, he said it was the military-style security operations training he received: the discipline to leverage both people and technology in a coordinated fashion to achieve a mission objective.
Schilling said he also got exposure to a mind-blowing array of threats – many of them sophisticated. At most enterprises, he said, advanced attacks are the exception, rather than the rule. Most of what you deal with are commodity cyber attacks aimed at stealing salable information. That’s what Schilling refers to as “fishing with dynamite.” In the military sector, however, APTs are the rule: they’re most of what you see. “With APTs, it’s like playing chess.”
Cloud providers like FireHost have a clear advantage over the legacy infrastructure used by the government and even the military, which was “never designed to be defended.” “If you transition to the cloud in a smart way, you have the possibility of having an architecture that’s defendable,” he said.
No IT infrastructure of any size is completely immune to attack, of course. But vendors like FireHost say that they can close the gap between the start of an incident, its discovery and a response. “Once they’re in, attackers like to kick back,” Schilling said. “The best way to frustrate threat actors is not to give them dwell time on the network.”
But getting the government and military to make the transition from traditional IT networks to the cloud won’t be easy. Nor will it come quickly, says Schilling. “There are three problems: policy, policy and policy,” Schilling told me. Both regulators and lawmakers need to familiarize themselves with technology and newer computing paradigms like cloud, he said. “There’s just a lot of outdated infosec policy inside the Department of Defense and the government,” he said. “It may be, in some cases, that those policies may actually make us less secure.”
Allowing third parties (like FireHost) to manage parts of that infrastructure, and in so doing to untangle many of the security issues that arise from such a varied and complex architecture, will be increasingly important as the government (along with society at large) transitions to the Internet of Things, Schilling said.
“If we’re looking 10 years down the road, I think we’ll have a completely different threat profile than someone with an iPad looking at data,” he said. “Being able to characterize the level of risk between user interfacing data and what the risk level is – that’s where the next big challenge is.”