Marcus Sachs is helping develop the Department of Homeland Security's Cyber Program. The nascent division will eventually be the central government's point of contact for anything dealing with critical data infrastructure.
The Cyber Program is intended to give the government an early warning system against large-scale Internet threats, defend against terrorist attacks involving the Internet, and investigate Internet security incidents that target U.S. government and military computers. Those duties are currently shared by or overlap with several different organizations, including the Federal Computer Incident Response Center, the National Infrastructure Protection Center, and the CERT Coordination Center.
Sachs works with analysts to develop the Cyber Program's organizational structure, but as yet he has no job title. He spoke about his work, the role of the Department of Homeland Security (DHS), and industry cooperation in defending the Internet, at the Black Hat Briefings security conference last week.
PC World: How prepared is the DHS Cyber Program to defend the U.S. against attacks that happen over the Internet?
Sachs: Prior to September 11, we had the big ramp-up for Y2K, and we saw a lot of emphasis put into cyberspace, not just from a security standpoint, but making things Y2K compliant. So that just kept right on going after the first of January 2000 right up to and after September 11.
We are really, really, really prepared. But we in the cyberworld benefited from Y2K.... We wouldn't be as prepared as we are today.
PCW: What is the DHS's position on the use of open-source software? Is it safer than proprietary, commercial software?
Sachs: It doesn't matter if it's open source or proprietary; what we're looking for is software that does what it's supposed to do. In other words, if it's a word processor, that really should be all it's good at. There really shouldn't be other features built into that, like keystroke-capturers and who knows what might filter into that. If I buy a children's game, something that teaches the child to do the alphabet or counting, I don't need to have spyware built in that also tracks where I go on the Internet.
You can pick on any software company you want to, but I don't think there's a software company out there that doesn't have a product, some with millions of lines of code, that somewhere in there, there is some cute little piece of code that does something that the software is not truly designed to do. And it doesn't matter whether it's proprietary or open source, who wrote it, whether it's Microsoft or Oracle. That's just a fact of life when you have thousands of people working on these programs, and they're going to insert stuff.
PCW: What you're calling for is the end of Easter eggs in software?
Sachs: Yes, it should be. Easter eggs should have died a long time ago. The only code that probably doesn't have something like this is the code that runs the space shuttle, where you have no-kidding software that can't fail.
PCW: Can software ever be trustworthy in terms of security if the end user can't verify that it's doing what it's supposed to do?
Sachs: The home user probably can't ever verify that, so a home user is going to depend on somebody else, either the company themselves, or a third party, like Underwriters Labs does for electrical, and where there are testing facilities for automotive safety.
"Trustworthy" means different things to different people. What I'm looking for is trusted software.
PCW: It sounds like you're saying that you want software not to do what it's not designed to do.
Sachs: Yes, that's right. We're not saying that it has to be a good word processor, just that it is only a word processor and nothing else. Some word processors are designed to do graphics presentation; that's fine. As long as it's up front, in the instructions or in the license, that it's designed to do that.
PCW: So, what about if a program is designed to send data about the users out to some company on the Internet?
Sachs: If it's disclosed in the end-user license agreement, and if it says that this is exactly what the software is doing, no problem, because then it's doing it as advertised. The features it has in it are documented. As long as the user knows about them, they have a choice to purchase or not purchase the software, or sometimes turn off those features.
Software companies will want to collect user data about their products, to make the software better, for marketing purposes. Consumers have a right to have products do as they are designed to do. These kinds of questions are taking on more significance because in the past year we've started to see some of the increased capabilities of software, stuff like adware and spyware.
PCW: Is DHS empowered to coerce software companies to "behave," or adhere to best practices, when it comes to monitoring user behavior on the computer?
Sachs: DHS has several functions, such as preventing terrorist attacks; coercing companies is not one of them. We partner with software companies and try to work with them to develop a more secure environment.
PCW: Do we face any kind of threat to our lives from terrorists attacking over the Internet?
Sachs: We are now at a point where we depend on the Internet, and you could cause things to happen on the Internet that could potentially lead to loss of life. Now, we've never seen that happen. We don't know of any example of some intruder who broke into a hospital, or messed with traffic lights and caused an ambulance to crash.
PCW: Where does Internet fraud crime fall on the priority list of the Department of Homeland Security, especially when many of those crimes originate outside our borders?
Sachs: [Internet fraud] is a potential source of funding for terrorist groups, as is the theft of credit cards, so it is of extreme interest to us.
PCW: What's government's role in disseminating vulnerability information?
Sachs: This is not something that's just government, or just private sector. We have to work with each other. There is some obligation for software companies who find vulnerabilities to do some type of timely notification with their customers. There's an obligation on the part of the government that if we uncover any vulnerabilities, just like any other consumer, we should work with those companies to make sure they're aware of it and to get the word out.
DHS is the central point of contact, when it comes to handling cyber things, which could include vulnerability [information] distribution, or alerts or warnings about incidents in cyberspace.
PCW: What's your message to IT professionals out on the front lines?
Sachs: Be serious about security. It's a personal statement that system administrators have to make. Are you doing it because it's fun to be a system administrator, and you get paid to do your hobby? Or is this your passion? We have a lot of people who aren't serious about this stuff; they just run networks because it's fun.
Most people are very serious about it and do a good job, and most federal system administrators are [both] good and...overworked, which is unfortunate. But all individuals who do this for a living have to make this a personal thing. It means self-education in some cases, it means working with your boss, and helping the boss with setting priorities, and security is a hard thing to sell. It's up to them to build the case to buy that firewall or upgrade software, because in many cases they're the only ones who understand it.