The first thing Andy Ozment did was apologize for his suit.
“It’s kind of our uniform,” he said to the distinctly non-besuited crowd of network security professionals and students in the large hotel ballroom.
It’s the community Ozment — the White House’s senior director for cybersecurity — came from. He did computer security research at the Massachusetts Institute of Technology, picked up a Ph.D. in computer science from the University of Cambridge and worked on operational network security at Georgia Institute of Technology.
And Thursday, he was back for his third year at the USENIX Security Symposium to share the White House’s grand cybersecurity strategy, but also to implore the group to help shape that plan.
“You in this room have enormous knowledge that we need,” he said, mentioning the cybersecurity framework the government is developing to help public and private institutions protect their networks. “I promise those emails don’t go into a black hole. We read each and every one. They often print them out, bring them in and wave them at me. So I notice.”
While Ozment closed with a plea, his talk was also an attempt to lay out the government’s good work thus far on cybersecurity. Big on lists, Ozment highlighted the White House’s five cybersecurity priorities: securing the government’s network, protecting critical infrastructure, engaging internationally, improving incident response and investing in research, training and raising awareness.
“You’re going to hear, like, 80 terrible acronyms from me, just to warn you,” he said.
Ozment acknowledged the government lagged woefully behind leading researchers and private industry solutions in some areas. Securing networks, for example. The government still hasn’t consolidated its network connections into a manageable number. “This is what you guys were working on 15 years ago,” Ozment said. “You may be thinking, ‘You guys haven’t done that?’”
“Yeah, it’s kind of scary.”
The government used to think it had 6,000 connections to the Internet, he said, before darkly laughing, “ho ho ho. No, we had tens of thousands of connections to the Internet. Every time we think we’re making progress, we find a whole slew of new connections.” But despite the project’s crawling pace, Ozment believes the government will eventually get down to about 50 connections.
The government has moved with a similarly plodding pace on incident response, Ozment said. Last year, the government ran a simulated cyberincident to see how its cyberdefenses would respond.
“It was perfect. We now know how to do it,” he said sarcastically. “No, not so much. Yeah, I just heard some chuckles from the people who participated,” he added, as laughter broke out across the room.
The incident response team was able to gather up the IP addresses and turn them over to Internet service providers… within two weeks. That’s eons in the world of cyberattacks. In the past year, though, the government has whittled down reporting time from weeks to minutes and hours. But it’s still not there.
“In the immortal words of the Monty Python character, ‘We got better,’” he said.
In other priority areas, such as international engagement, Ozment believes progress has been undervalued. While the cybersecurity talks with the Chinese government have been high profile, ongoing negotiations with the Russians have received less attention. Ozment pointed to a series of small, confidence-building cybersecurity measures with the Russians — a “red phone” for cybersecurity, connecting the two countries’ computer emergency response teams — announced in mid-June. Many dismissed the pact, two years in the making, as meaningless, but Ozment defended it as a necessary first step.
“These are small steps, but it’s the way governments build confidence,” he said.
And Ozment thinks President Barack Obama’s February executive order on cybersecurity will make big strides in identifying and protecting the country’s critical infrastructure and educating a growing cyberworkforce — “This is a big deal,” he said. The edict also dictated the creation of the cybersecurity framework Ozment was imploring his audience to weigh in on.
The order could have wide-ranging impact, Ozment said. Identifying new critical infrastructure could encourage the government to share more classified information with those private companies, hoping to help protect them. “We have to change the culture of the government and classify less,” he said.
It could also encourage the private sector to come to the government, knowing the framework had crowdsourced the best cybersecurity practices from the academic, private and government sectors. Ozment specifically mentioned the Department of Homeland Security’s new program, Enhanced Cybersecurity Services (“I was advocating we name that program Ben Hur”), a voluntary information-sharing program that allows private companies to route some of their traffic through protected government servers.
As with everything, though, it isn’t perfect. And the cybersecurity framework — due out in October — won’t be either.
“When it comes out, it’s not going to be a unicorn; it’s going to be a pony,” he said.
Which is why Ozment ended with his clarion call to the audience. First drafts are never perfect, he said. But with everyone’s input, “we’ll iterate it. And version two will be pretty good. And version three will be really good.”