Criminalizing Modern Security Research

My high school physics teacher quietly taught me that all locks have vulnerabilities. He was an “amatuer locksmith,” and while I never learned exactly how to pick a lock from him, he explained enough about how locks work that I figured it out. I took this skill to college where, with other like minded individuals, I become a minor part of a like-minded community of students called hackers. With our skills, we were free to roam just about anywhere. My favorite destination was the roofs of various campus buildings. It was a liberating experience.

If I had caused physical harm or damage as part of our “hacker” activities, who would be to blame? Based on the proposed updated law enforcement guidelines, then you may very well hold my high school physics teacher partially responsible for helping me understand the vulnerabilities in standard locks, how I could massage the internal tumblers of a lock until I found the correct sequence that would allow me to turn the cylinder to disengage the lock. When translated to cybersecurity, that same teacher, indeed any security researcher, could face 20 years in prison for disclosing a technology vulnerability due to changes that President Obama is proposing in cybersecurity law.

US: Please Come Down Hard on JPMorgan

The U.S. Government needs to come down hard on JPMorgan Chase for its woeful performance in disclosing and responding to a privacy data breach that reportedly affects 76 million customers.

Free market principles can, eventually, affect cybersecurity change. When data breaches like the 40 million record breach at Target in late 2013 and the 56 million record breach at Home Depot earlier this year, customers can effectively respond with their feet. That reportedly happened with Target, and anecdotally, I’ve become a much more frequent patron of both my local town hardware store and Lowes. By withholding business from organizations that suffer a breach of your personal and financial information, customers can punish the company financially. It may take a lot of customers to really have an effect on the bottom line, but when they act in unison, customers are an economic force to be reckoned with.

Federal Contracting Part 3: The Definition of Madness

There is a common assumption in government IT services procurement that past experience is an indicator of future success. But, when working with an industry that benefits mostly from the efforts of individual performers, the idea of ‘corporate’ past experience is a logical fallacy. Not only does it put the government at an immediate disadvantage, it favors repeating inefficient activities that benefit large contracting firms rather than promoting the innovation needed to move into new technology areas.

Federal Contracting Part 2: Good to be a Contracting Firm

This is Part 2 of my Federal IT Contracting series. Please be sure to check out my Introduction posting that includes a disclaimer about my past relationship with CGI Federal, the primary contracting firm responsible for the Healthcare.gov project.

My previous Federal IT Contracting posting presented a jarring insider analysis of how contracting firms realize success from failure. Some may interpret my analysis as a shot against contracting firms, illustrative of a tainted industry that deserves more oversight. With recent movements to reduce how much firm executives can earn despite very limited direct involvement on any customer-facing project, I admit to harboring some animosity towards those firms. But, having also served as an executive in a startup firm for several years, I submit that the government is far from blameless. That government managers often channel an insatiable childlike appetite for wants without really understanding what it is they need leaves them susceptible to failures like that currently embodied by Healthcare.gov.

Federal Contracting Part 1: Lucrative Failure

This is Part 1 of my Federal IT Contracting series. Please be sure to check out my Introduction posting that includes a disclaimer about my past relationship with CGI Federal, the original primary contracting firm responsible for the Healthcare.gov project.

This Washington Post opinion piece is accurate in its success through failure assessment. Where it fails is in not going deep enough into the cause, focusing instead on the visible symptom of executive advancement despite failure. I want to go deeper.

What We've Learned About Federal Contracting Through Healthcare.gov

The Healthcare.gov roll-out has been an epic debacle. If media reports are to be believed, just about everything that the Department of Health and Human Services (HHS) did for the project was wrong. From the limited procurement process, to the management structure, the scope and requirements, and the final testing, HHS is suffering from poor execution at every level.

Most of the media coverage seems to imply that the failure conditions are exceptional. Federal contracting insiders will admit, albeit quietly in some circles, that the only difference with Healthcare.gov is visibility. Set aside the scrutiny, and the Healthcare.gov failure is, unfortunately, quite common.

How I Learned to Stop Worrying about Security and Love Incremental Development

This is a follow-up to my previous post: Agile Development and Security in Government.

The security authorization processes that U.S. Government agencies implement to comply with guidelines defined by the National Institute of Standards and Technology (NIST) fail to support incremental development methodologies like agile and spiral. Instead, I argue that they promote "big-bang" system releases that are impractical in contemporary budgetary conditions and generally seem to fail more than they succeed. Agency Chief Information Officers (CIOs) can fix the problem, but only if they reinvent their authorization processes and redefine process responsibilities.

Like Dr. Strangelove's bomb, agency Information System Security Managers (ISSMs) generally discount the importance of incremental development to streamlining government. When I met with a security policy executive at one agency to discuss a reconciliation between my project's agile incremental management methodology and the agency's security process, she was none-too-pleased with the notion.

"Projects use agile to bypass security requirements. I will not allow that to happen."

Agile Development and Security in Government

All IT domains continue to make broad use of incremental system and software development methodologies to improve the efficiency of deploying projects small and large. Those methodologies are even extending beyond traditional development to include system integration and program management. When it comes to the U.S. Government, though, there is one aspect of oversight that is preventing managers from making effective use of incremental methodologies: Security. While project teams share some blame by often actively and explicitly discounting security objectives (in my direct experience), I submit that the lion's share of the blame should fall on Information System Security Officers (ISSOs) and Managers (ISSMs).

The National Institute of Standards and Technology (NIST) has also failed to execute its mission to be "responsible for developing information standards and guidelines" in what I would consider a timely and effective manner in relation to incremental development methodologies. But, agency Chief Information Officers (CIOs) can meet legacy NIST guidelines, certify systems developed under those methodologies, and even improve security of their agency system, without running afoul of NIST guidelines, if only they were willing (and able) to make some strategic changes in how they manage system security compliance activities.

The Critical Need for Liberal Arts in Security

"As we strive to create a more civil public discourse, a more adaptable and creative workforce, and a more secure nation, the humanities and social sciences are at the heart of the matter, the keeper of the republic - a source of national memory and civic vigor, cultural understanding and communication, individual fulfillment and the ideals we hold in common."

- The Heart of the Matter: The Humanities and Social Sciences for a vibrant, competitive, and secure nation; American Academy of Arts & Sciences; Retrieved on June 21, 2013 from http://www.amacad.org.

Security professionals often state that security is an art, not a science. This field demands a certain degree of finesse, elegance, imagination, creativity, and a find-grained understanding of technology. We characterize the act of securing assets and information as finding the right balance between people, process, and technology, the security triumvirate. Yet, look at any job posting in security over the past 15 years (about the duration of time that I've worked in the field), and you find this:

Education: Degree in Computer Science, Mathematics, or any comparable field.

An Adventure in Cloud Security

I recently registered for a website hosted by a government agency that handles some of the most sensitive personal information available within U.S. Government. While the site is only a simple scheduling system, imagine my dismay when I received an email confirming my registration that included both my username in password in the email body. That email demonstrates that, despite all of the reported attention to security over the past several years, especially within the Federal Government, we are failing to build an effective information security culture.