We're Making Rapid Progress

The Department of Homeland Security didn't have to wait long to test
out its new National Cyber Alert System. Hours after the system went
online Wednesday, it issued its first major alert, warning of a
variation of a new virus called MyDoom. Nonetheless, by the next day,
security experts said MyDoom had become the world's fastest-spreading
virus ever, sending out more than 100 million infected e-mails in its
first 36 hours. And this may be just the beginning. Last year brought
a record number of viruses, worms and other cyberattacks. Security
experts say 2004 could be even worse. The attacks are increasingly
sophisticated. They don't just cause headaches when they crash e-mail
systems or shut down servers, they cost millions of dollars. Should
hackers shut down government servers or break into sensitive sites and
steal financial or security data, the results could be devastating.

Recognizing the increasing security threat, President George W. Bush
handed the task of keeping cyberspace secure to the Department of
Homeland Security last year, creating a National Cyber Security
Division. But it got off to a rough start. Earlier this month,
Democrats on the House Homeland Security Select Committee criticized
the administration, saying the implementation of recommendations in
Bush's National Strategy to Secure Cyberspace is behind schedule. They
also noted that the administration's top cybersecurity position was
open for months last summer after the first two appointees stepped
down--the second, just a few months after being named to the post.
Finally, early last fall, Amit Yoran was hired away from his executive
position at the security firm, Symantec. NEWSWEEK's Jennifer Barrett
spoke to Yoran about the new National Cyber Alert System and the
division's other plans for improving cyber security. Excerpts:

NEWSWEEK: How does the new National Cyber Alert System benefit the
average computer user?

Amit Yoran: It provides each user of cyberspace--basically, everyone
on the Internet--with timely information [about viruses], which is
accurate and actionable, so they know what they can do to protect
themselves. [See www.us-cert.gov/press_room/cas-announced.html.] This,
at a time when these threats are on the rise.

This week's MyDoom virus is said to be the fastest-spreading e-mail
virus ever. How are viruses like this getting through?

Well, just because it's the fastest spreading doesn't mean that it is
the most damaging.

That's true, and an important distinction. But how are these viruses
getting worse--or more prolific--despite our efforts to stop them?

The people who spend time creating viruses are spending a lot of time
exercising their creativeness to find new ways of propagating their
way through the system and making them more difficult to detect. It's
a game of cat and mouse.

How serious a threat do these viruses pose?

This threat was one of the most efficient at spreading itself
throughout the Internet. But I want to add that, in spite of it being
one of the most sophisticated viruses, our nation is better prepared
to deal with this now than we were a few years ago. A few years ago,
we experienced significant outages in our businesses from Love Letter
and Melissa and other viruses. Today, even with a more sophisticated
threat, the reports of outages [like networks going down, e-mail
servers being shut down] are far below where they were a few years ago
with those less-sophisticated viruses. The message here is that we
have a lot of work to do but our overall preparedness is improving.

It's been reported that the government basically warned leaders in the
technology field last month that if they don't start taking control of
the responsibility of making cyberspace secure, that the government
will be forced to take control. Do you think that's going to happen?

Clearly, that's not my position. That was reported as being the
message delivered at the National Cyber Security Summit [held last
month with the private sector]. It's not an accurate depiction. The
summit represented a transition from an agreement on a national
strategy--on how we want to go about protecting our shared
information, for example--to now [when] we are in the implementation
mode. Now, it's what initiatives are underway so that this strategy
moves forward and gets implemented? That was really the focus of the
summit. I think there is a tremendous amount of enthusiasm to
collaborate from the private and the public sectors.

What role do you envision the private sector playing in improving
security?

If you go to the Website for US-CERT [the United States Computer
Emergency Readiness Team, established in September as a government
partnership with the private sector], we've issued an alert early last
evening [about MyDoom] and much of the information came from
private-sector companies like F-Secure and iDEFENSE. That is just one
example of this public-private partnership. We are working with the
software vendors to make sure they are producing patches and fixes
before the vulnerability becomes public. Making people aware of a
vulnerability is not our goal, but to provide information that is
actionable so there are patches available. We're not producing our own
antivirus software. We're quite busy, thank you. But we refer people
to their security provider and to antivirus vendors.

What about proposals like requiring Internet service providers [ISPs]
to provide free antivirus and firewall software to their customers?

I've not spoken with them [ISPs] about that. I do think there are some
value-added services which some ISPs are providing. It's good that
these issues are receiving public attention.

Why do you think it took so long for cyberattacks to be classified as
a serious threat to homeland security?

I think in many cases, without having a focal event like a September
11, or like the blackout in the Northeast and Midwest last
summer--some highly visible, focal event that caused a direct impact
to many people in the public--it's often difficult to increase
awareness. But we have made significant progress in the past few
years. I'm not implying that the road ahead is rosy. But I am
optimistic that by increasing our preparedness, we increase the
likelihood that we will not be struck by a digital Pearl Harbor or an
electronic 9/11. The key is preparedness. The key is making
improvements.

Can you give some examples of those improvements?

It has to be a holistic approach. Antivirus vendors have made
fantastic progress with new logarithms to identify viruses and more
efficient ways of pushing out updates of their signature files (many
antivirus technologies rely on fingerprints, or signatures, of
viruses, so they can identify if it's the same fingerprint of another
virus). Candidly, you are only protected for the threats your
antivirus program knows about, so if your signature file is two years
[old] you are in bad shape. The antivirus community has gotten much
more efficient, though, and users have gotten much more aware, and
corporations have gotten much more aware of the importance of updating
their software. That is one more important piece of the puzzle. But
there are really a number of things.

You took the position of cybersecurity division chief in October after
two other appointees had stepped down, and left the post vacant for a
few months. Are you enjoying the job?

There's no shortage of work to be done. But the task is an important
one, and I'm encouraged by the level of commitment in the public
sector and in the private sector that are working on these issues. It
is certainly a challenging job.

Earlier this month, Democrats on the Homeland Security Select
Committee criticized the administration's cybersecurity efforts,
saying that implementation of the recommendations in the National
Strategy to Secure Cyberspace (released last February) is behind
schedule, among other things. How would you respond to that?

We're measuring ourselves in the National Cyber Security Division on
very tight time frames. I'm not going to address specific criticisms,
but I can tell you that we are moving very aggressively. The
Department of Homeland Security was created in March. The National
Cyber Security Division was created in June. In September, the US-CERT
was created. We have conducted the live-wire exercise.

What was that?

That's where not only federal, but state and local entities
participated, as well as the private sector, in a large-scale national
cyberexercise where our nation was under simulated attack using
cybertechniques. And we looked at how those attacks impacted some of
our systems and some of our infrastructure. How did they
[participants] react? How did the departments work with one another?
How did they coordinate?

How did they do?

It was apparent that we need to increase the level of information
exchange between the public and private sector. But, overall, I was
very favorably surprised at how well coordinated we are. I'd give it a
B-plus. That's not bad, given our state of development. There is a lot
of work underway. I am confident that we're making rapid progress.

What do you see as the biggest challenges ahead?

Well, there's no shortage of challenges in our division, but we'll
stay very focused on implementation and execution and collaborating
with the private sector.

Can you give some specific examples?

We want to be sure that we bring our national resources to the table
and make sure we are able to provide the actionable information from
whatever source--it could be law-enforcement based, intelligence
based, it can come out of the private sector. We want to bring the
information in an actionable way to the operators responsible for
protecting the public interest. By that, I mean that 85 percent of the
critical infrastructure owners and operators are in the private sector.

So the government would be willing to provide the private sector with
sensitive data gathered by intelligence agencies?

This is a new paradigm for the government to operate under. It had
been focused on getting highly classified information just to the
folks who needed it. But there's been a paradigm shift, and the
warfighters now are more frequently on the private-sector side. The
government is learning now how to do that [share information]--it's a
front-and-center focal point.

By the end of 2004, do you think we'll see a decrease in virus attacks
like MyDoom?

I think it's unlikely to expect that there will be fewer viruses
written. Every indication we have is that it will only continue to
rise and become more efficient in how they propagate themselves. But I
think we will continue to improve our preparedness to deal with them.





