Defending the U.S. Cyber Castle: Core Security’s Tom Kellermann on Internet Attacks and Obama’s Strategy
Last week President Obama tapped Melissa Hathaway, a former Booz Allen Hamilton consultant and top aide to President Bush, to undertake a sweeping 60-day review of the country’s computer security posture. Once that review is complete, the 40-year-old Hathaway could be in line to be named the nation’s first assistant to the president for cyberspace—or, in short, the cyber czar. Her main job would be to battle cyberattacks against government computer networks, which are on the rise. Attempts to penetrate government systems increased by 40 percent in 2008, according to data released yesterday by the U.S. Computer Emergency Readiness Team.
Creating the organization Hathaway may head, the National Office for Cyberspace, is just one of several ways in which the Obama Administration is implementing the recommendations of the Commission on Cybersecurity for the 44th Presidency. Before Obama even announced his run for the White House, this nonpartisan roundtable was formed at Congress’s behest by the Center for Strategic and International Studies (CSIS) in Washington, D.C. One member of that commission—and the chair of its Threats Working Group—was Tom Kellermann, vice president of security awareness at Boston-based Core Security Technologies.
Essentially, Kellermann is Core Security’s man in Washington. I met with him yesterday during one of his brief visits to Boston, and we had a long conversation about Hathaway and the challenges she and the broader security community face.
The picture that Kellermann painted is, in many ways, frightening. If terrorists or other enemies exploited existing vulnerabilities in the nation’s energy, financial, or telecommunications infrastructure, they could deal out physical destruction and economic damage on a scale that would make the fictional Fox TV show “24” look tame, Kellermann says. But at the same time, Kellermann says he is encouraged for the first time in many years about the prospects for improvement in the nation’s readiness for such attacks. Whereas the Bush Administration wanted to rely on free-market solutions to the problem, Kellermann says, the Obama Administration understands the need for broad regulatory changes that would impose much stricter computer security standards on both government agencies and private companies.
Of course, Core Security wouldn’t station someone like Kellermann in Washington unless the company had a big stake in how those changes play out. The company’s main product is an automated “penetration testing” package called Core Impact. Penetration testing is the practice of attacking networks and software from the outside, just as hackers do, but with the goal of seeing which attacks sneak past defenses, then closing the gaps. And as it turns out, the commission’s report is full of calls for “performance-based measurements” and “risk-based standards” for security.
Those are code words for learning how to prove that the nation’s networks are secure against attackers—which means, in part, conducting proactive penetration testing, or what Kellermann calls “red-team exercises.”
It’s clear that Kellermann himself is not in this for the money—he has unimpeachable white-hat credentials, as a former security official at the World Bank, chair of the Technology Working Group for the Financial Coalition Against Child Pornography, and a member of the American Bar Association’s working group on Cyber-crime. But his employer could certainly benefit from a new emphasis on proactive defense in cybersecurity. As he puts it, “I don’t think you need to convince people to buy a sword on the battlefield, if you can convince them that the battlefield is real.”
Hathaway is the right general for that battlefield, Kellermann believes. Like the revered Chinese military strategist Sun-Tzu, she “respects the adversary,” he says. “The way she grasps this problem, she sees it as a long-term game of chess. I’m confident that if, after her 60-day review, they give her the position of cyber czar, she will make huge inroads into stemming the tide that we’re dealing with.”
An edited version of my conversation with Kellermann follows.
Xconomy: What brought you to Core Security, and what’s your job here?
Tom Kellermann: At the World Bank, I was deputy security officer for the Treasury Security Team. I was there for almost eight years and I became very familiar with the need for penetration testing, because of the various networks I’m connected with. I have a very Sun Tzu approach to cybersecurity: continually scrimmage your defenses; “know yourself, know your enemy, win 1,000 battles.” I was tired of the bureaucracy of the World Bank and I was told there was a fantastic outfit in Boston that didn’t have any real representation in Washington, that truly believed in the attackers’ perspective and in being cutting-edge when it came to developing that perspective for organizations that are serious about protecting their assets.
In my role at Core, I wear four hats, not in any order. I do advisory services to the intelligence community. I participate in things like the CSIS Commission on Cybersecurity for the 44th Presidency. I do strategic partnerships. And I do a lot of public affairs and public relations, mostly as it relates to going to events, trade shows, and various industry groups such as the American Bankers Association, building awareness of how you manage risk in a digital landscape.
X: How did the CSIS commission report come together?
TK: Congress created a commission on cybersecurity after hearings held two and a half years ago on homeland security and why the Department of Commerce, the State Department, the Department of Defense, and the Department of Homeland Security were breached hundreds of times, in part by organized Chinese hackers. After the hearings, Congress said, let’s create a commission—because that’s what they like to do—and bring together some of the world’s authorities and analyze what we should be doing to protect economic and national security as it relates to cyberspace. So we sat around and pontificated for two years and came up with this report.
X: You sound a little jaded about the process. What about the product?
TK: No, the process was good. The product is great. The Obama Administration, from its first day in office, declared they were going to champion six out of the eight principles established in the report. The commission was a typical Washington roundtable discussion that became very politicized, but we operated on majority rule, not consensus, which was unique, because the standard in these groups that talk about security is to want to hold hands and sing “Kumbaya.” The final result was on the cutting edge on many tough decisions.
Some of the notable things that came out of the commission’s report were, first and foremost, an acknowledgement that this is an economic, not just a national security, issue, and that to deal with it we need to take more proactive risk management approaches. There needs to be more attention paid to critical infrastructures, particularly energy, finance, and telecommunications, and how the government secures those infrastructures. They also noted that it’s a priority to deal with industrial espionage and the personal information theft that’s ongoing—hindering criminal syndicates and cyber money laundering. And there was a recommendation to raise this issue all the way up to the Executive Office of the President, to take the leadership out of the Department of Homeland Security and create a National Office for Cyberspace that would oversee all processes across the government. Cybersecurity right now is spread across five major agencies engaged in constant turf wars. Melissa Hathaway is pretty much the person who will lead that. After she completes her 60-day review, I’m pretty sure she will be anointed [as the president's assistant for cyberspace and head of the National Office for Cyberspace].
X: It sounds like she would still have to exercise authority across a lot of competing agencies. That didn’t work too well with the Department of Homeland Security.
TK: It didn’t work well because it wasn’t real. Putting someone in at the assistant secretary level within DHS and telling them they should oversee the National Security Agency and the Department of Defense doesn’t make sense. They won’t listen to a civilian agency. Which is why the position had to be moved out of DHS. Greg Garcia [the Department of Homeland Security's assistant secretary for cybersecurity and communications from 2006 to 2009] was more of a figurehead and less of a real strategic planner, in my own view.
And another initiative recommended in the commission report relates to supply chain management. Thirty-nine percent of breaches in the last year were due to third parties—companies’ strategic partners being breached and hackers transiting through these third-party systems into central systems. So penetration testing needs to be expanded to deal with third parties. And in the Federal Information Security Management Act (FISMA) reform bill, there is a movement to expand service level agreements with third parties, to give Company A the right to test Company X using automated penetration-testing technologies like Core Impact, to allow you to ascertain where they are vulnerable and at the same time remediate that.
One of the things that Melissa Hathaway has said which certainly aligns with our mantra, our mission statement here, is that in order to understand defense, you have to understand offense. The only way to really train in cybersecurity is to conduct red-team exercises. The beauty of what Core does is that we don’t provide a security product, we provide you with game-day film identifying how your defensive line is going to stand up against a blitz.
X: I get everything you’re saying about the need for penetration testing, but given human ingenuity and the huge number of possible ways to breach most programs and networks, how can you stay ahead? How can you know that the vulnerabilities you’re discovering through penetration testing today are the same ones that a hacker is going to try to exploit tomorrow?
TK: We only focus on developing exploit code that allows you to have remote root execution capability. And we focus on the vulnerabilities that we know are out there, through various relationships we have with the communities of interest and through our own lab, which is one of the best in the world. (Remote root access means you can remotely access a service and take over system administrator privileges.) We also have very important partnerships with groups like Team Cymru [an Illinois-based security research firm that tracks malicious activity on the Internet]; I can’t speak more as to who else they provide their services to, but you can imagine. They see things in the wild through their darknets, and they send us stuff that we analyze in the lab. Last but not least, I spend my days going around to the various communities of interest on the intel and law enforcement side, and because of the trust relationships and interpersonal dynamics, we learn things. If my friends who run security for the Secret Service or the CIA see a trend or an application that is troubling, we task the people in our lab to develop code to exploit that.
X: So you’re saying that by focusing just on simulating attacks that could result in root access, and by bringing in information from your contacts in the security world, you’re able to stay ahead of the hackers?
TK: “Ahead of the hackers”—there is no such thing. The elite hacker communities in Europe and Asia are always a little bit ahead. But we try to keep even with them, to the point that our customers can scrimmage and test their defense in a timely fashion against some of the more robust vectors and attacks that are going to be used against them.
And the reality is that unless you are a major critical government department, targeted by elements of the defense communities in other countries, if you harden and test yourself in a proactive fashion, the hacker community will turn their guns on the softer targets. So you can eliminate 95 percent of the noise by proactively testing and hardening.
X: You’re talking about protecting software that is assumed to have vulnerabilities, and hardening those vulnerabilities before the hackers exploit them. But did the commission talk at all about the front end of the process—the need to start out by writing software that is inherently more secure?
TK: Scott Charney [corporate vice president for trustworthy computing at Microsoft] had his name on the report, but not Microsoft’s name. He was one of the civilian co-chairs. And we addressed this issue very holistically, and that is why Microsoft refused to allow him to put their name on the report. It’s part of the supply chain issue. Joe Jarzombek [the director for software assurance in DHS's National Cyber Security Division] has done some amazing work, and they have led the community on what is the best practice for developing secure software. But in the rush to bring applications to market, holes are inevitably going to be there.
X: Melissa Hathaway was an integral part of the Bush Administration’s cybersecurity team. Is she someone you can respect and work with?
TK: Yes, I can respect her, I can work with her. She has three things that are unique, for people inside the Beltway. A lot of this comes from her experience at Booz Allen. First and foremost, she is very well-read, which is rare inside the Beltway, and she acknowledges and researches what she doesn’t know, which is also very rare. And she surrounds herself with one of the best support staffs I’ve ever seen. They are all multi-disciplinary—not just technicians but lawyers and economists, some of the very best people around. And last but not least she really does have the Sun Tzu perspective on this, which is really what’s necessitated here. She respects the adversary. The way she grasps this problem, she sees it as a long-term game of chess. I’m confident that if, after her 60-day review, they give her the position of cyber czar, she will make huge inroads into stemming the tide that we’re dealing with.
X: What does she need to do first?
TK: She’ll have to set up an office of cyberspace in the Executive Office of the President. She’ll have to widen the purview of that office to encompass the three most critical infrastructures, and to do that she will have to increase the capabilities and the authority of government as it relates to red-teaming and testing the security infrastructure and enacting real security plans. You can’t have industry sitting around any more in roundtable groups, saying, “What are we willing to do to protect what we have,” when they have not actually conducted red team exercises to see how they can be compromised. It’s shifting away from the idea of the Maginot Line and dealing with paratroopers and the reality of modern-day warfare.
X: If Hathaway does all the things you’re talking about, what will be the benefit to Core Security?
TK: The overall benefit to Core Security comes from awareness. I don’t think you need to convince people to buy a sword on the battlefield, if you can convince them that the battlefield is real. The fact that I have a seat at these tables—that there is a small company like ours represented in these forums—means that we can develop partnerships with major integrators more fluidly, and our message about improving testing regulations and standards can be received by the powers that be more easily. Then there is the obvious: the number one procurer of cyber security in the world is the United States government. Security tools and technologies are purchased based on trust, and you need to have someone maintaining those trust relationships. If you are not at the table, in the end they will just turn to the bigger juggernauts.
…We are at a tipping point. We have an administration that is proactively grappling with this—that on their first day in office stated that part of their national security strategy would encompass the security of information networks. Now, with Hathaway conducting the 60-day review, and the major restructuring effort that is currently ongoing, it’s symbolic of the metamorphosis.
I’ve been losing sleep [over the cybersecurity crisis] for years. But in the last couple of months, since December, I have become more hopeful and less disillusioned. The past administration and their belief that the market would solve this problem was irritating, because the only market functioning right now is the underground economy. Only recently, with the Comprehensive National Cybersecurity Initiative and what Melissa Hathaway has championed, do you see a fundamental paradigm shift.
X: Are you saying that when it comes to cybersecurity, the government needs to step in and set the terms under which the free market operates?
TK: To be honest, yes. No one wants to hear that. But we need more stringent regulations on how we deal with third-party relationships, how we deal with incident response, and what constitutes a proper security audit and security exercise as it relates to protecting data privacy. For too long the regulations that exist have been overly focused on encryption. That’s fine, but that’s not enough. If I can own your operating system, I can compromise it through an attack, I can steal the private keys from beneath it and compromise the encrypted tunnel.
X: In fact, here in Massachusetts, there are new rules from the Office of Consumer Affairs and Business Regulation that will require all businesses in the state to encrypt the personal information they store about customers by January 1, 2010. Would you say, then, that that regulation is inadequate?
TK: Yes. The major encryption vendors have been running the table when it comes to education and awareness among policymakers here in the state, so it doesn’t go far enough. It should also require regular penetration testing against all enterprises and third parties, and have remediation timetables associated with that. And organizations should be required to have incident response plans in place, including a forensic capability. And we should all be moving away from password-based technologies.
X: Understandably, you keep coming back to penetration testing, but I want to challenge you on that a little bit. When you’re a hammer, everything looks like a nail. Is penetration testing really the key to better cybersecurity?
TK: Yes, and here’s why. How do you even begin to think about building a functional castle in cyberspace, if you don’t even ascertain how the moats and the walls and the archers can be breached? The only way to build a better castle is to really understand how a good castle can be destroyed. The common problem in the cybersecurity sector is that we are going out and waiting for the attack to happen. We don’t scrimmage enough, we don’t even know how our policies and procedures will hold up in battle, because we don’t test them with a battle-like mindset. The enemy is leveraging staged attacks. And by the time they get inside, as any law-enforcement person will attest, you are never getting them out unless you rebuild those systems, because they will have rootkitted you. [A rootkit is a hidden file, usually harboring malicious software, that cannot be detected by a computer's normal operating system.--Eds.] Virus scanners are only picking up 30 percent of what is out there.
X: Do you think that general public awareness of cybersecurity issues is growing?
TK: This is why I’m sitting with you. The media really needs to wrap their heads around this in a holistic fashion. I don’t think the public is there yet. In the last three months, there has been a dramatic awakening, but it’s slow, and they’re still half groggy.
I do think that shows like “24” have really improved the awareness of the problem. The problem is that “24” is full of shit, because there is not a giant firewall around our critical infrastructure. It’s actually easier to hack than “24” portrays it to be.
X: I’m glad you brought up “24,” which spares me the embarrassment of asking about it. The plot of the early episodes this season revolved around the theft of a “Critical Infrastructure Protection” device that was supposedly the key to maintaining this giant firewall around the air traffic control system, chemical plants, the whole infrastructure. But that premise strikes me as crazy—if you centralized all of these systems, wouldn’t you just be inviting some hacker to compromise all of them at once?
TK: The fact is that you can hack the entire infrastructure now, just by leveraging a certain strategy of attack. I actually wish there were a giant firewall to protect everything. But the situation is actually worse than “24” would suggest. The main reason it’s never happened is that the people who have had access to the controls for critical infrastructure—and I say this as the chair of the working group on threats for the CSIS commission—just want to remain clandestine. The day we go to war with China over Taiwan is the day they will turn on those boxes. The main terrorist community is too busy financing physical acts of terror and conducting command, control, and communications through the cyber infrastructure, so it is not in their best interest to draw attention to themselves through a critical infrastructure attack.
The real problem, the nightmare scenario for the U.S. government, is a “pax mafiosa” between former Soviet bloc mercenaries and Al Qaeda to launch a two-pronged attack. The first prong is to play with the integrity of the information on which first responders rely. I don’t mean turning it off, I mean playing with time, switching GPS coordinates, things like that. And then coupling that with a physical attack. There are so many ways you can kill a lot of Americans through cyber attacks on the infrastructure, it is unbelievable. And I don’t just mean poisoning the water or turning off the electrical grid. Just look at the pharmaceutical industry.
What it’s really about right now is that non-state actors, whether they be classified as terrorists or organized criminal syndicates, are financing their activities through cybercrime, using American money and stolen credit lines to finance physical activities that are against the interests of Americans. And not only are they infiltrating networks so that they can have command and control in an active war of aggression against the United States, but they are conducting industrial espionage to give comparative advantage to their countries. Then, if you look at the international financial system and how easily you can conduct insider trading by hacking major systems, just think about the moves you could make, either shorting a stock or going long if you knew where a major institution was going to put its money that day. Or why not just play with time on Wall Street, since everything is time-tagged and there are no more paper records? The possibilities are endless. “24” actually puts a landscape out there that makes us look safer than we are.
X: And you’re saying penetration testing is one of the solutions to all of this?
TK: Yes, because these systems are all reliant on IP [Internet Protocol]-based networks. Modern day computing has created this amorphous, aquatic realm in which it’s easy to hack. You’ll never know what you’re up against until you identify the holes. It’s the same reason we go through annual physicals, colonoscopies, CT scans, and MRI scans—to identify future problems.
X: Well, if you’re going to use the medical analogy, aren’t those high-tech tests also one of the reasons the U.S. has the most fabulously expensive and inefficient healthcare system in the world? Not to mention all the false positives that start turning up if you give everyone a full-body MRI.
TK: Our product doesn’t turn up false positives, the way vulnerability scanners do. Every one of the holes we find is a functional vector that has been exploited. And if you want to talk economics, we can do that. A major consulting firm like Pricewaterhouse Coopers will charge hundreds of thousands of dollars to conduct an operating system and Web application security test. That’s a one-shot deal, a snapshot that’s outdated by the time it’s printed. We charge roughly $30,000 a year for the ability to test all the time, anytime. That’s at least 75 percent less. There’s a reason the major consulting firms use our product and just mark up the price.
X: Okay, last question. Will there ever be a time when you guys can relax—when the threat of terrorism recedes, or when law enforcement has gotten enough of a handle on organized crime, or when software engineers get better at writing secure code, and there’s not as much need for proactive penetration testing?
TK: No. I say that not because I’m with Core Security, but because there are just too many hacker havens out there. The international control of cyberspace is very weak. It’s almost like the lawless seas of the 13th century. And when it comes to secure operating systems and a functionally secure Internet—hopefully, the National Cyber Range, a research and development project out of DARPA to rebuild the Internet, could achieve that, but it’s 10 years out, and even if they did achieve it, they wouldn’t throw every corporation and network on that range, only the most sensitive ones. And even those could still be compromised on the client side. Even if you have a secure network and operating system and code, your user community can be spear-phished.
X: It’s unclear whether digital communities and economies could even exist on a platform as secure as the one you’re talking about. Isn’t there a fundamental tradeoff between openness and security?
TK: There is a tradeoff. But the irony of the e-commerce, e-finance, e-governance revolution was the idea that “If we build it, they will come, and they will all be righteous.” That was fundamentally myopic thinking. And you have to remember, the original purpose of the Internet had nothing to do with commerce. It was never intended to be a secure network for finance, government, and military operations. So whoever the thought leaders were who said “Let’s use this giant aquatic environment and put everything important on it,” kudos to them—because they’re paying my salary right now.