Last week President Obama tapped Melissa Hathaway, a former Booz Allen Hamilton consultant and top aide to President Bush, to undertake a sweeping 60-day review of the country’s computer security posture. Once that review is complete, the 40-year-old Hathaway could be in line to be named the nation’s first assistant to the president for cyberspace—or, in short, the cyber czar. Her main job would be to battle cyberattacks against government computer networks, which are on the rise. Attempts to penetrate government systems increased by 40 percent in 2008, according to data released yesterday by the U.S. Computer Emergency Readiness Team.
Creating the organization Hathaway may head, the National Office for Cyberspace, is just one of several ways in which the Obama Administration is implementing the recommendations of the Commission on Cybersecurity for the 44th Presidency. Before Obama even announced his run for the White House, this nonpartisan roundtable was formed at Congress’s behest by the Center for Strategic and International Studies (CSIS) in Washington, D.C. One member of that commission—and the chair of its Threats Working Group—was Tom Kellermann, vice president of security awareness at Boston-based Core Security Technologies.
Essentially, Kellermann is Core Security’s man in Washington. I met with him yesterday during one of his brief visits to Boston, and we had a long conversation about Hathaway and the challenges she and the broader security community face.
The picture that Kellermann painted is, in many ways, frightening. If terrorists or other enemies exploited existing vulnerabilities in the nation’s energy, financial, or telecommunications infrastructure, they could deal out physical destruction and economic damage on a scale that would make the fictional Fox TV show “24” look tame, Kellermann says. But at the same time, Kellermann says he is encouraged for the first time in many years about the prospects for improvement in the nation’s readiness for such attacks. Whereas the Bush Administration wanted to rely on free-market solutions to the problem, Kellermann says, the Obama Administration understands the need for broad regulatory changes that would impose much stricter computer security standards on both government agencies and private companies.
Of course, Core Security wouldn’t station someone like Kellermann in Washington unless the company had a big stake in how those changes play out. The company’s main product is an automated “penetration testing” package called Core Impact. Penetration testing is the practice of attacking networks and software from the outside, just as hackers do, but with the goal of seeing which attacks sneak past defenses, then closing the gaps. And as it turns out, the commission’s report is full of calls for “performance-based measurements” and “risk-based standards” for security.
Those are code words for learning how to prove that the nation’s networks are secure against attackers—which means, in part, conducting proactive penetration testing, or what Kellermann calls “red-team exercises.”
It’s clear that Kellermann himself is not in this for the money—he has unimpeachable white-hat credentials, as a former security official at the World Bank, chair of the Technology Working Group for the Financial Coalition Against Child Pornography, and a member of the American Bar Association’s working group on Cyber-crime. But his employer could certainly benefit from a new emphasis on proactive defense in cybersecurity. As he puts it, “I don’t think you need to convince people to buy a sword on the battlefield, if you can convince them that the battlefield is real.”
Hathaway is the right general for that battlefield, Kellermann believes. Like the revered Chinese military strategist Sun-Tzu, she “respects the adversary,” he says. “The way she grasps this problem, she sees it as a long-term game of chess. I’m confident that if, after her 60-day review, they give her the position of cyber czar, she will make huge inroads into stemming the tide that we’re dealing with.”
An edited version of my conversation with Kellermann follows.
Xconomy: What brought you to Core Security, and what’s your job here?
Tom Kellermann: At the World Bank, I was deputy security officer for the Treasury Security Team. I was there for almost eight years and I became very familiar with the need for penetration testing, because of the various networks I’m connected with. I have a very Sun Tzu approach to cybersecurity: continually scrimmage your defenses; “know yourself, know your enemy, win 1,000 battles.” I was tired of the bureaucracy of the World Bank and I was told there was a fantastic outfit in Boston that didn’t have any real representation in Washington, that truly believed in the attackers’ perspective and in being cutting-edge when it came to developing that perspective for organizations that are serious about protecting their assets.
In my role at Core, I wear four hats, not in any order. I do advisory services to the intelligence community. I participate in things like the CSIS Commission on Cybersecurity for the 44th Presidency. I do strategic partnerships. And I do a lot of public affairs and public relations, mostly as it relates to going to events, trade shows, and various industry groups such as the American Bankers Association, building awareness of how you manage risk in a digital landscape.
X: How did the CSIS commission report come together?
TK: Congress created a commission on cybersecurity after hearings held two and half years ago on homeland security and why the Department of Commerce, the State Department, the Department of Defense, and the Department of Homeland Security were breached hundreds of times, in part by organized Chinese hackers. After the hearings, Congress said, let’s create a commission—because that’s what they like to do—and bring together some of the world’s authorities and analyze what we should be doing to protect economic and national security as it relates to cyberspace. So we sat around and pontificated for two years and came up with this report.
X: You sound a little jaded about the process. What about the product?
TK: No, the process was good. The product is great. The Obama Administration, from its first day in office, declared they were going to champion six out of the eight principles established in the report. The commission was a typical Washington roundtable discussion that became very politicized, but we operated on majority rule, not consensus, which was unique, because the standard in these groups that talk about security is to want to hold hands and sing “Kumbaya.” The final result was on the cutting edge on many tough decisions.
Some of the notable things that came out of the commission’s report were, first and foremost, an acknowledgement that this is an economic, not just a national security, issue, and that to deal with it we need to