
Volume 3 • Number 5 • July 2011



Cybersecurity: Organizing To Win

The Comprehensive National Cybersecurity Initiative. The International Strategy for Cyberspace. The National Strategy for Trusted Identities in Cyberspace. Enabling Distributed Security in Cyberspace.

 

These cybersecurity policy documents and others carve out how concerted cyber defense actions involving international, federal, state and local governments, academia, the private sector and the American public will work. They show we are serious about getting organized to win.

 

On the defense side, in June 2009, the Secretary of Defense ordered the establishment of USCYBERCOM. It was stood up in May 2010 and it now uses both offensive and defensive cyber weapons against attackers.1

 

On the civilian side, new legislation is proposed covering issues such as: how to prosecute cyber criminals and report data breaches; voluntary public-private partnerships that involve direct assistance and information sharing; and securing the nation’s critical infrastructure.2

 

The legislation also solidifies the DHS responsibility and authority to lead the protection of federal civilian networks, according to Rand Beers, the DHS Under Secretary for the National Protection and Programs Directorate. At the June 2011 Symantec Symposium, he explained:

 

“This gives us a clear authority to offer services to other agencies — Einstein, red teaming and risk assessments — and focus FISMA on continuous monitoring rather than paper-based compliance systems.” The legislation consolidates policy and oversight in one agency on the civilian side. It also gives DHS additional flexibility to attract cyber workers.”

 

Beers said the proposal also seeks to remove barriers to information sharing by providing industry immunity from existing public laws for providing information to DHS and gives DHS robust privacy oversight.

 

“Finally this puts in place a mandatory, yet flexible risk management regimen to protect the nation’s most critical infrastructure, using solutions developed by industry,” said Beers.

He explained that together with industry, DHS will identify the most critical cyber infrastructures; then DHS will specify the risks that they must mitigate through a public rule making process. Industry, based on that risk, will develop standardized risk mitigation frameworks for the operators.

 

“Industry, not government will propose solutions,” asserted Beers. “Each critical infrastructure entity will develop a plan on how they will implement it and a third party will assess and measure the effectiveness. DHS will have authority to review plans and evaluate; conduct evaluations and discuss how the entities can improve risk mitigation.”

Instead of fines, DHS will use transparency and market forces to incentivize compliance for the “covered critical infrastructure”, said Beers, adding that all information will be held secret.

 

“It is all about information sharing and coordination, working together as a team and sharing responsibility among federal, state and local governments, the private sector and the American people. DHS is committed to work to make them secure.”

 

Securing Cyberspace: Building A “Technical Ecosystem”

DHS Secretary Janet Napolitano

 

“Right now, we’re building what we call a “technical ecosystem” based on an understanding of cyberspace as a civilian, distributed place, and also the “policy ecosystem” to support it.

 

I use the term “ecosystem” intentionally — because cyberspace is a dynamic, constantly changing, even organic environment. We cannot treat it as static or self-contained.

 

We put forward a technical vision for enhancing cybersecurity that is intended to empower individuals and enterprises across cyber networks to take action to enhance their own security operations. It has three primary building blocks: automation, interoperability, and authentication.

 

Too often today, our cyber defenses are ad hoc, manual processes. Because things in cyberspace move at Internet speed, we need to move to a system of automated defenses, with real-time detection capabilities and coordinated responses. As we all know from waiting for a page to load on our computers or mobile devices, a few seconds is a long time in cyberspace.”

DHS wants input on its vision — “Enabling Distributed Security in Cyberspace”.

 

Read it at blog.dhs.gov and email feedback to cyberfeedback@dhs.gov. A follow up paper is being published.

This issue of On The FrontLines examines cybersecurity and the challenges of providing continuous monitoring in and out of the cloud.


 

Source: Securing Cyberspace, Our Shared Responsibility, UC Berkeley College of Engineering, April 25, 2011.

Inside Cybersecurity 

 

A Few Seconds Are A Long Time In Cyberspace

Cyber experts Ron Ross, Peter Mell (NIST) and Tony Sager (NSA) talk about providing continuous monitoring in and out of the cloud.

 

Jim Flyzik on How Do We Build Trust

The implementation of the Trust Framework is the centerpiece of the National Strategy for Trusted Identities in Cyberspace (NSTIC).

 

US Cyber Camps, The Green Paper & “For Dummies”

How do we find the next generation of cyber warriors? How do we enhance their skills? And how do we get them employed where they are needed?

 

Plus the “Green Paper” — Cybersecurity, Innovation and the Internet Economy — focuses on the “Internet and Information Innovation Sector” (I3S) which is defined as “businesses that range from small and medium enterprises and bricks-and-mortar firms with online services, to social networking sites and Internet-only business, to cloud computing firms that are increasingly subject to cyber attacks”.

 

OTFL Interview: Ron Ross, Senior Computer Scientist, NIST

 

Dr. Ron Ross leads the FISMA Implementation Project. His current areas of specialization include information security and testing and risk management. He has written numerous FIPS publications including FIPS 199 and NIST Special Publication 800-53 (security controls guidelines), SP 800-53a (security assessment guideline) and 800-39 (enterprise risk management guideline).

 

Dr. Ross is the principal architect of the Risk Management Framework that provides a disciplined, structured methodology for integrating FISMA security standards and guidelines into a comprehensive security program.

 

“The work has never been more important with how much we depend on IT now. Our long term economic and national security interests are going to be very much affected by how good a job we do at this thing we call risk management and cyber security. So that’s why I love what I do and it energizes me every day I come to work.”

 

Dr. Ross shares more of what energizes him in this interview with OTFL editor Jeff Erlichman.

 

OTFL Roundtable: The Electron Is As Mighty As The Sword

 

Learn from cyber experts from CA Technologies, McAfee, Presidio, General Dynamics and University of Maryland University College (UMUC). In this OTFL Roundtable, cyber leaders discussed the three building blocks, cybersecurity in the cloud, continuous monitoring, cyber education and developing the cyber workforce.

 

Fast Tracking FedRAMP

Getting the security authorizations for cloud systems into “an approve once, use often” scenario is the key component of this program which is on the fast track from GSA and OMB.



Cybersecurity
Volume 2 • Number 8 • November/December 2010



Cybersecurity: Elevated Status


Greg Schaffer, Assistant Secretary for CyberSecurity & Communications at DHS, Rob Carey, CIO at Navy and Pat Howard, CISO at NRC tell how government is facing its cybersecurity challenges.


Visit www.dhs.gov, click on the Cybersecurity tab and you’ll be able to access and/or download first-hand examples of cybersecurity’s elevated status at DHS.

 

There you will find no fewer than 33 direct links; everything from “Stop, Think, Connect” cyber protection tips for businesses and individuals, to professional training and technical resources, to even how to report a cyber incident.

DHS is taking the federal civilian agency cybersecurity lead, partnering with the private sector and providing knowledge that empowers the public. The goals are to create a safe, secure and resilient cyber environment; and to promote cybersecurity knowledge and innovation.

 

“It is clearly something the government is putting a lot of energy and attention on,” Greg Schaffer, Assistant Secretary for CyberSecurity & Communications at DHS told On The FrontLines in a recent interview.

 

For the first time cybersecurity has been elevated to one of the 5 key DHS mission areas in the DHS Quadrennial Homeland Security Review. That puts cyber on a par with priorities such as protecting our borders and defending against terrorist attacks.

 

“So it is certainly being recognized as one of the things important for us to focus on,” said Schaffer. “It is as important, frankly, as the physical security pieces that we focus on traditionally from a security perspective, because today you really can’t do physical security effectively without focusing on cybersecurity.”

 

Schaffer said DHS “is front and center in terms of leading the defense of the federal government Executive Branch, civilian networks and playing a leadership role in developing security capabilities for the private sector.”

 

This is all happening at the same time DHS and DoD have agreed to enhance operational coordination and joint program planning and when agencies face new CyberScope FISMA reporting requirements.

 

According to the joint DoD/DHS statement, “it formalizes processes in which we work together to protect our nation’s cyber networks and critical infrastructure, and increases the clarity and focus of our respective roles and responsibilities…the agreement will ensure both agencies’ priorities and requests for support are clearly communicated and met.”


Cybersecurity Articles 


The Cyber Progression

It’s not easy to make every day “Cybersecurity Awareness Day”. But the Navy and the Nuclear Regulatory Commission are sure trying.

 

Joined At The Node

At the crossroads of identity management and secure information sharing lies cybersecurity.

 

Interview: Greg Schaffer

Assistant Secretary for CyberSecurity & Communications

DHS

 

Private To Public Sector: Be Proactive

Cyber experts from McAfee, Q1 Labs, Guidance Software, CA Technologies and Merlin offer practical cybersecurity advice.

 

Cyber Defenders In Training

DHS says people are a priority. UMUC is offering three degrees for cybersecurity professionals. Looks like a match made in cyberspace.

 



 


Volume 2 Number 2 • March/April 2010
Cybersecurity






Inside Cybersecurity


Welcome to Team Cyber!

The bottom line: Everyone needs to be a cybersecurity leader—starting with their computers.

 

Steel Door On A Styrofoam House?

The more security is proactively “baked in”, the more “secure information sharing” will occur.

 

What’s Your Role? What’s Your Responsibility?

Currently, a person’s security role and responsibility may not match exactly. What exactly that responsibility is, and what training they need, is the theme of FISSEA 2010.

 

Wanted: Trained Cyber Defenders

DHS is hiring 1,000 new cyber defenders. When they need training, they can get it from The Defense Cyber Investigations Training Academy.

 

Enabling Cyber Defenders

Government relies on a wide variety of approaches and tools to keep the bad bits out and let the good bits in. Here are three examples.

 

Cyber Implementers

As threats rise, so do the efforts of industry to provide the cyber solutions government—and the rest of us—need.





Viewpoints

 

Getting Proactive—Viewpoint: Jim Flyzik

Jim Flyzik talks about why we all need to be proactive when it comes to cybersecurity.

Make It Easier, Bake It In—Viewpoint: Jeff Erlichman

Industry needs to make it easier for end users to practice cyber hygiene.





Welcome to TEAM CYBER

By Jeff Erlichman, Public Sector Communications

 

Emerging proactive, public/private partnerships are swelling the ranks of Team Cyber. But the bottom line is: everyone needs to be on the Team and start by practicing good “cyber hygiene” on their own computers.

 

Good news. Step 1 is done.

 

Step 1 of the President’s CyberSpace Policy Review Near-Term Action Plan was to appoint a so-called “cyber czar”.

 

Howard Schmidt, who has an impressive 40-year resume including serving as the Chief Strategist for the US CERT Partners Program in the Bush Administration, is now in the job.


OK. Step 1 is done (finally, some would say).

 

According to the Policy Review, Schmidt’s task is coordinating “the nation’s cybersecurity policies and activities, establish a strong NSC directorate… (and) to coordinate interagency development of cybersecurity-related strategy and policy.”

 

He is “on the frontlines” as point person for accomplishing the other 9 elements of the Policy Review’s Near-Term Action Plan, followed by the 14 elements of the Mid-Term Action Plan.

Needless to say, Schmidt is going to need a lot of help from government, academia, research labs and industry.

 

These professionals are going to have to provide the brain power, the technology power and the will power to arm the nation’s cyber defenders with the tools they need to have full-time, real-time situational awareness.

 

In the near term, Schmidt’s efforts will be focused on hard tasks such as: preparing an updated national strategy; establishing performance metrics; creating an incident response plan; and initiating a national public awareness and education campaign to promote cybersecurity.

 

All mandated by the “leading from the top” approach of the CyberSpace Policy Review.

 

Practice “Cyber Hygiene”


To initiate a national public awareness campaign, Schmidt is going to need everyone’s help (i.e. you).

 

After all, cyber security (two words) begins—and sometimes ends—with how you connect to your network.

 

In fact, 80% of the cyber challenge could be mitigated right now, making it much more difficult for the bad guys, if everyone practiced what Bob Dix, President, Government Affairs & Critical Infrastructure Protection, Juniper Networks, calls “cyber hygiene.”

 

Dix made his comments during the Federal Executive Forum on cybersecurity. He called for increased efforts to educate government, home users and small businesses on how to practice simple cyber hygiene (e.g. using and updating antivirus programs, installing firewalls and practicing sound password management).

 

“That’s a place where we can spend a little more time and attention while we raise the awareness at the senior levels,” said Dix. “We need to get down to the Mom and Pops and small businesses that don’t have IT staff, and I think we can improve upon that.”

So, for everyone there is the opportunity—and responsibility—to “lead from the bottom”.

 

Make Everyone A Cyber Defender

 

Greg Schaffer, Assistant Secretary for CyberSecurity & Communications at DHS, agreed with Dix.


“We need broad societal recognition across government, the private sector, in large businesses, in small businesses, among individuals as well as our international partners that unprotected nodes—poor cyber hygiene—is irresponsible behavior,” explained Schaffer.

 

“If we are not protecting those nodes, we are presenting opportunities for those who would do us harm to take advantage of those nodes and then use them as attack vectors against us. There are significant costs to society of having those problems persist. I don’t know that we recognize all the expense associated with what is happening today.”

 

That squarely puts responsibility on the end user to practice good cyber hygiene. It also puts responsibility on government to provide ongoing training.

 

In fact, one common complaint from end users is: industry makes practicing good cyber hygiene too hard. So the onus is also on all cyber providers to make it easier for end users to practice good cyber hygiene.

 

Amazing Opportunities

 

Among Schaffer’s 2010 priorities are hiring the right set of capable and skilled professionals in the cybersecurity arena and building an ecosystem as the front line of defense for the Federal Executive Branch. He is also interested in building partnerships with key players both within the government and within the private sector.

 

Dave Wennergren, deputy CIO at the Office of the Secretary of Defense, is one of those key government partners. He is keenly aware of the amazing opportunities that will arise when “secure information sharing” becomes standard operating procedure.

 

“The power of a Web 2.0 world; the ability to do mass collaborating; the democratization of technology; the ability to share is profound,” Wennergren told the Forum audience.

 

“If you could use terminology like ‘secure information sharing’, you are actually defining security solutions that help you collaborate with users across boundaries in ways never before deemed possible. So it provides huge business opportunities,” Wennergren explained.

 

In a future where “secure information sharing” devices will be more powerful iPhones, iPads and Droids, on-demand collaboration beyond organizational boundaries will be the norm. Success depends on being focused on “continuously evolving security”, said Wennergren.

 

Together We Must Stand

 

In a cyber world where the private sector controls a vast majority of network assets, public/private partnerships are critical to developing the evolving security policies and solutions.

 

“The dialogue that we are having at the CIO level is about how do we raise the bar in security? How do we share best practices?” said Wennergren.


“We are using social networking services and rather than trying to figure out how to raise the bar on security by yourself; we are engaging in a dialogue with all the big social media services asking ‘what are you guys doing? What are the best practices, how do you share with your partners’?”

 

“We are all in this together; you’ve got to raise the bar together. It’s a message that has to be heard by all government agencies that there’s incredible power in partnerships with industry and having that strategic dialogue.”

 

“You’ve got to not shy away from it, you’ve got to jump into it,” Wennergren asserted.







Are You Putting A Steel Door On A Styrofoam House?

 

The more security is proactively “baked in”, the more “secure information sharing” will occur.

 

Future cybersecurity solutions have to ensure the power of mass collaboration and sharing information with unanticipated users, according to Dave Wennergren, DCIO at the Office of Secretary of Defense.

 

“If you could use terminology like ‘secure information sharing’, you are actually defining security solutions. This provides huge business opportunities, but it has to be different than the reactive security practices of the past.”

 

So, how do you become proactive, not reactive?

 

Is Your Security Intrinsic?

 

Reactive security is when a problem is identified and a product is deployed to solve it. This leads to better firewall, antivirus and intrusion protection products, but against a threat that has already been identified or is signature-based.

 

“The problem is that many threats are not signature-based, but are zero-day threats,” said Sam Visner, Vice President in charge of Computer Sciences Corporation’s (CSC) cyber strategy, in a recent interview. “So if you are trying to react, by the time you do, it may be too late, the damage may be done.”

 

A signature-based threat is one that has been detected and characterized so cyber defenders can look for a signature (pattern) and prevent it from getting through into the enterprise. And if it does get through, the effects are known. A zero-day threat has never been seen before. It’s the first time.

 

Being proactive takes doing a couple of things right, said Visner.

 

“First look at the architecture of your enterprise and ask: Was it designed properly from the get go?” Or, “if you are redesigning, recapitalizing or modernizing your infrastructure, is that process using good architectural and engineering principles, so that your enterprise is intrinsically secure?”

 

Translation: “Are you building the house properly—which is being proactive? Or are you trying to put a steel door on a Styrofoam building—which is reactive? So, no matter how fast you work you are always behind the power curve,” explained Visner.

 

That doesn’t mean patch management is going away. What Visner advocates is “baking in” the security solutions into the infrastructure and sharing more information about architecture and design.

 

“We have built a set of architecture and design principles called ‘intrinsically secure architecture’ to make sure any architecture and any enterprise solution that CSC implements are intrinsically secure,” he said.

 

Public/Private Partnering

 

“The real question is whether the government can add the private sector information to its own and build a knowledge base of information that is sufficient,” said Visner. “I think people are talking actively about what public/private partnerships can do (e.g. Google & NSA) to better defenses and share threat information faster.”

 

Another example: DOD is putting together a Defense Industrial Base (DIB) pilot program with a set of framework agreements.

 

Visner explained that this allows DOD to learn about threats on the parts of the CSC infrastructure where DOD information is processed. He thinks the DIB model should be considered as a template for other parts of the private sector to share information with the government. —Jeff Erlichman




 




What’s Your Role? What’s Your Responsibility?

 

At the intersection of FISMA, OMB’s ISS LOB and NIST SP 800-16 is the concept of security role-based training.

 

FISMA states that agency-wide Information Security programs are required and shall include “security awareness training”. OMB’s Information Systems Security Lines of Business (ISS LOB) talks about common suites of ISS training products and training services for the federal government.

 

Because the current IT environment is so complex, a person’s role and responsibility may not match exactly. Everyone has some responsibility from the executives right on down to the end user. But what exactly is that responsibility and what training is needed to fulfill that role?

 

Using roles—and the responsibilities that come with them—rather than titles allows for fine-tuning. Plus, a person may have more than one role in maintaining security. So, there are roles—and responsibilities—for executives, IT staff, program managers and so on.

 

It sounds so simple.

 

In fact, the concept is spelled out in NIST SP 800-16 and there is a “NIST Model” which features a Learning Continuum and divides role-based training into: 6 functional specialties; 3 fundamental training content categories; 26 job functions (roles); 46 training matrix cells; and 12 body of knowledge topics and concepts.

 

So why is it still an enigma?

 

“Effective role-based training continues to be a major puzzle for federal agencies,” explained Captain Cheryl Seaman from the NIH Information Security and Awareness Office in a recent interview.

 

Captain Seaman said that while the goal is to have a staff that is adequately prepared to protect information assets within our dangerously shifting cyber threat frontier, the path to that goal is not straightforward.

 

“Who needs training and what do they need is not standard throughout the federal government, thus it remains an enigma,” said Captain Seaman.

 

Great Conference Theme


Captain Seaman is also the chair of the 23rd annual FISSEA (Federal Information Systems Security Educators’ Association) Conference to be held March 23-25 at the Natcher Conference Center on the NIH Campus in Bethesda, MD.

 

This year’s theme: “Unraveling the Enigma of Role-Based Training”.

 

According to Seaman, while many already have a handle on security awareness, “role-based is hard to get your arms around; especially when you think of training and resources and how do you make do with the resources you have; what is your strategy for your own agency?”

 

Seaman is hoping to have a candid exchange of ideas on some of the different paths agencies are taking to solve the enigma, some of which meet federal cross-training workforce development initiatives.

 

“Look at the different approaches. OPM is developing competencies; what are DHS and DOD doing? What about the NIST way? VA has its own. So let’s look at harmonization efforts to find common ground and approaches.” —Jeff Erlichman



Unravel The Enigma At FISSEA


March 23-25, 2010 • NIH Campus • Bethesda, MD

The Conference theme is “Unraveling the Enigma of Role-Based Training”.

Benefit from:

• A better understanding of role-based training and how to implement it at your organization

• Awareness and training ideas, resources, contacts

• New techniques for developing/conducting training

• An update on cybersecurity initiatives

• Networking opportunities

• Professional development

For more information on FISSEA, please view the website at www.fissea.org.







WANTED: Trained Cyber Defenders

By Jeff Erlichman, Public Sector Communications 


Having the right set of capable and skilled people—who know their role and responsibility—is critically important for defending your network perimeter and your data itself.


The headline reads: Wanted—1,000 Trained Cyber Defenders.

 

This focus on finding the right people is the #1 priority of DHS, said Greg Schaffer, Assistant Secretary for CyberSecurity & Communications, during the Federal Executive Forum.

 

“No question about it, people are our #1 priority with respect to everything that we do,” said Schaffer. “Having the right set of capable and skilled people in the cybersecurity arena is critically important to all of our programs; so we are very focused on getting those people hired.”

 

Recently DHS was given the financial resources to hire 1,000 new cyber defenders. Officials hope they have found some of the people they need at their December Cyber Job Fair. But even if DHS fills each of the 1,000 positions it won’t be enough. And it certainly isn’t enough to fill the governmentwide need.

In fact, SANS Institute’s Alan Paller recently told the audience at the Cyber Crime Conference there are around 1,000 trained digital forensics professionals in the U.S.; 20,000 to 30,000 are really needed to combat the threat.

 

Contract Expands Cyber Training

 

It’s clear those newly hired DHS recruits are going to need training. Helping government put contracts in place to train cyber defenders is Ken Evans, GSA FEDSIM Defense Sector Director.

 

“We help our Defense clients put contracts in place and help them manage the contracts,” explained Evans in a recent interview. “We provide our clients the best vendor that provides the best support they need at the best value.”

 

One of FEDSIM’s clients is The Defense Cyber Investigations Training Academy (DCITA). DCITA wanted to expand its training offerings in the cyber area, said GSA’s Keith Parks, Senior Project Manager, who along with William Kreykenbohm, DOD Group Manager, worked closely with DCITA.

 

“They also wanted to find a better way to measure whether DCITA training was meeting DOD and federal law enforcement community needs,” explained Parks.

After gathering all the requirements, a performance-based task order was awarded to Computer Sciences Corporation (CSC) under the GSA Millennia GWAC.

 

Under the task order, CSC is to design, develop and teach courses in areas that include computer forensics and network intrusion.

 

The Academy is the only government organization solely dedicated to cyber investigations training, development, and delivery. Students are trained in the latest digital forensic techniques using state-of-the-art equipment, classrooms, and technologies, according to its website.

 

“The relentless changes in technology, cyber landscape and threats demand that we provide the very best training to our students; from the fundamentals to key tactics, techniques and procedures all delivered through innovative and dynamic methodology,” said Matthew Parsons, director of DCITA in a statement when the contract was awarded.

 

“DCITA is pleased with the CSC award and anxious to continue our progress in training DOD’s network investigators and operators in this critical mission.”

 

The World’s Cyber Clearinghouse

 

Jim Menendez is the Vice President and General Manager of Global Security Solutions (GSS) within CSC’s North American Public Sector (NPS). He, along with CSC project lead Ron Hinkle, heads up the CSC DCITA team.

 

“In the 12 years that CSC has been providing the forensic training at DCITA, we’ve trained over 13,000 students,” said Menendez in a recent interview. He said students from both DOD and civilian agencies “either come to the ‘schoolhouse’ as we call it, or have access to remote courses throughout the world including Germany and Iraq.”

 

“One of the biggest challenges as a nation is the availability of trained professionals,” Menendez said.

He explained the key to CSC’s success is in their approach to training. They are not relying on past performance, but building on that and putting in place new training techniques and approaches, including the use of a portal technology and a new content management system to facilitate distance learning. Students can even earn college credits for courses taken at DCITA.

 

“Our tagline during the recompete was ‘over the horizon’, looking not only at current requirements, but looking at what we should be doing to meet future demands for training,” Menendez said.

 

The new contract formalizes a provision to train private sector members of the Defense Industrial Base (DIB) so that there is a process for responding to cyber incidents that is consistent for both the government and DIB members.

 

Menendez is not shy when he says part of his mission is to help the DCITA meet its business objective of becoming the nation’s—and the world’s—clearinghouse for forensic training.

As more and more agencies race to beef up their training, Menendez is working closely with DCITA staff to figure out ways to build out the program already in place to address their needs.

 

He urges agencies who might be thinking about starting their own training programs to think twice. “Some might think they need their own academy,” said Menendez, “but rather than do that we should promote collaboration across the government and build out what already has been established at DCITA.”

 

In fact, the cyber forensic training requirements go beyond the U.S., said Menendez. “There are NATO forces and others and trying to figure out how we can put MOUs in place and turn this into a global business.”

 

Learn more at http://www.dc3.mil/dcita/dcitaAbout.phpt.  


Take The DC3 2010 Cyber Crime Challenge!

 

The 2009 US Champion Team was the Air Force Institute of Technology’s “Little Bobby Tables” with 1,772 points. They were successful in providing the most solutions to the scenarios for U.S. only teams.

 

Can you top them? If you are ready to pioneer new investigative tools, techniques and methodologies, then it’s time for you to enter the DOD Cyber Crime Center Challenge.

 

The DOD Cyber Crime Center (DC3) sets standards for digital evidence processing, analysis, and diagnostics for any DOD investigation that requires computer forensic support to detect, enhance, or recover digital media, including audio and video.

 

Already 190+ teams have registered for the 2010 Challenge! Registration closes November 1, 2010. Solutions are due November 2, 2010. Winners will be announced December 1, 2010.

 

To register, email challenge@dc3.mil, call 410.981.6610 or fax 410.981.1092.

DC3 also sponsors the US Cyber Challenge (http://csis.org/uscc/) which is a national talent search and skills development program.

Its purpose is to identify 10,000 young Americans with the interests and technical computer skills to fill the ranks of cyber security practitioners, researchers, and warriors. In particular, the search is looking for the people who can become the top guns in cybersecurity.

 

The identification process relies on national competitions with many winners. They include the CyberPatriot high school competition conducted by the Air Force Association, the DC3 Digital Forensics Challenge conducted by the US Department of Defense Cyber Crime Center, and the NetWars vulnerability identification competition conducted by the SANS Institute.







Cybersecurity Articles 

Enabling Cyber Defenders

By Jeff Erlichman, Public Sector Communications

 

Government relies on a wide variety of approaches and tools to keep the bad bits out and let the good bits in. Here are three examples.

 

The reality is there is more new bad code being developed than good code.

 

“There are 50,000 new, bad applications being developed per day,” explained Mike Carpenter, Senior Vice President for Public Sector at McAfee, during The Federal Executive Forum.

 

“I venture to say that there are probably not 50,000 good commercial applications being developed per day. So there is more bad code being developed than there is good code.”

According to Carpenter, the current way that we defend our networks and our systems is about identifying what malware is and preventing that malware from coming in.

 

“We have over 450 researchers around the globe; their only job and their skill set is to identify malware and then be able to decode that malware protection back to our customers. We have a global footprint.”

 

That global footprint consists of over 150 million sensors around the globe that feed the McAfee Cloud, enabling analysts to provide intelligence and tools to help government defend against attacks.

 

But 50,000 new, bad applications is a staggering number. So, what Carpenter and his industry partners are grappling with is “how we can get ahead of that?”

“I believe the future in prevention is not about getting in front of the bad threat, it’s about identifying good code that should be executing on your systems,” Carpenter said.

 

He favors an approach that moves from blacklisting toward more whitelisting: looking at which applications should be accessing which resources on your system and which IPs should be traversing your network.

 

“You are looking for good information rather than necessarily looking for bad information since there has been a major shift in global development of code.”

 

Identifying Chains of Attack

 

Whitelisting is sure to gain more traction in the future. Blacklisting has traction right now.

“About 80% of the cyber attacks that occur in technology that has been developed today have a signature that we recognize, we’ve blacklisted it. A Juniper system can shut it down,” Lee Holcomb, Lockheed Martin’s Vice President, Strategic Initiatives, explained during the Federal Executive Forum.

 

“But about 20% of the attacks today fall into this category that’s called ‘advanced persistence’. A lot of what we are focusing on is really looking at that 20% that is very hard to catch.”

 

Holcomb described the concept that Lockheed Martin developed on its own internal network, which has about 120,000 people and so looks very much like a large government agency to foreign adversaries.

 

“We look at a chain of attack. How does a bad guy come after you? They do reconnaissance, maybe on your network or maybe on social sites they go to,” Holcomb said. “They do reconnaissance; they do delivery of an attack; they do an exploit and compromise you; they then do command and control; and then they exfiltrate data from your site. We’ve watched that process.”

 

Lockheed has catalogued about 55 different campaigns and developed a database on how each behaves. They share that information.

 

“We’ve been able to identify the patterns, and we may miss the bad guys at one of these stages, but if we look at the whole pattern we’ve actually been able to catch folks in the pattern, even when we don’t know the signature of the attack,” said Holcomb.

 

“So we think this is a new paradigm; we think that this is a direction that needs to be taken to be more effective as a cyber defender. It’s a lot easier to be a cyber warrior, quite frankly. It’s more difficult to be a cyber defender. And so we are trying to make the cyber defender more effective.”
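The whole-pattern correlation Holcomb describes can be illustrated with the following Python example, which is added here and is not Lockheed Martin's implementation or code from the article. The host names, event fields, 72-hour window and three-stage threshold are assumptions chosen for illustration, and the telemetry is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage order as Holcomb lists it in the article.
STAGES = ["reconnaissance", "delivery", "exploit",
          "command_and_control", "exfiltration"]
RANK = {stage: i for i, stage in enumerate(STAGES)}

# Constructed sample telemetry (not real data): time, internal host,
# stage the sensor maps the event to, signature match, description.
SAMPLE_EVENTS = [
    ("2011-06-01T08:02", "ws-014", "reconnaissance", False, "external scan of mail gateway"),
    ("2011-06-01T09:15", "ws-014", "delivery", False, "email with unusual attachment type"),
    ("2011-06-01T09:40", "ws-022", "delivery", True, "attachment matched a known signature"),
    ("2011-06-01T11:30", "ws-014", "command_and_control", False, "periodic beacon to rare domain"),
    ("2011-06-02T02:10", "ws-014", "exfiltration", False, "large off-hours upload"),
    ("2011-06-03T14:00", "ws-031", "exfiltration", False, "large upload, no earlier stages"),
    ("2011-06-01T10:00", "ws-040", "command_and_control", False, "beacon-like traffic"),
    ("2011-06-09T10:00", "ws-040", "delivery", False, "odd attachment a week later"),
]

def longest_chain(events, window):
    """Longest sequence of strictly advancing stages that fits in `window`.

    `events` is a time-sorted list of (datetime, stage, signature_hit).
    """
    best = []
    for i, (start, _, _) in enumerate(events):
        in_window = [e for e in events[i:] if e[0] - start <= window]
        chains = []  # chains[k]: longest advancing chain ending at in_window[k]
        for k, (_, stage, _) in enumerate(in_window):
            prev = [c for c in chains[:k] if RANK[c[-1]] < RANK[stage]]
            chains.append(max(prev, key=len, default=[]) + [stage])
        best = max(chains + [best], key=len)
    return best

def correlate(raw_events, window_hours=72, min_stages=3):
    """Flag hosts whose events advance through several stages in order,
    whether or not any single event matched a signature."""
    per_host = defaultdict(list)
    for ts, host, stage, sig_hit, _ in raw_events:
        per_host[host].append((datetime.fromisoformat(ts), stage, sig_hit))
    findings = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        chain = longest_chain(events, timedelta(hours=window_hours))
        if len(chain) >= min_stages:
            findings[host] = {
                "chain": chain,
                "signature_hits": sum(1 for e in events if e[2]),
            }
    return findings

if __name__ == "__main__":
    for host, info in correlate(SAMPLE_EVENTS).items():
        print(host, " -> ".join(info["chain"]),
              f"(signature hits: {info['signature_hits']})")
```

Only the host whose individually unremarkable events line up across stages is flagged; the host with the lone signature hit is handled by blacklisting and does not appear here.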

 

Cyber Cloud Computing

 

Imagine the Cloud as a backhoe, filled with 40 quadrillion bytes of data, serving as the workhorse.

It contains the brute strength to perform the tremendous amount of analytics needed to cull “golden nuggets” from an ever growing massive amount of “Big Data” that can come at any time and in any format at a rate of 50,000-60,000 new cyber events per second.

 

Then it can pick the best set of data in real time and feed these “golden nuggets” to precision instruments (e.g. Oracle, PeopleSoft) that analysts can use to make decisions in as close to real time as possible.

 

So, when analysts are defending against cyber threats, they can analyze data in close to real time—not 24 hours old—thus improving defense capabilities exponentially to thwart attacks.

 

The ultimate goal is real-time situational awareness.

 

Big Data allows better decision making through a more effective way to store, manage and analyze data, said Josh Sullivan from Booz Allen Hamilton in a recent interview.

Sullivan explained how the Cloud was the backhoe, the brute-force workhorse that fed them golden nuggets. At the same time, they could still use their existing suite of visualization and analysis tools and keep all the capital they had built up around using these tools, but the source feeding those precision instruments was the Cloud.

 

The scalability of the Cloud allowed them to do a tremendous amount of analytics and pick the best set of data in near real time to feed to those precision instruments, instead of relying on the precision instruments to pick out the golden nuggets from an ever-expanding sea of data, said Sullivan.

 

Sullivan explained that if there was a critical node they wanted to analyze, every hour they could compute everything they wanted to know about that node and store it for later retrieval.

So, if there were 1,000 critical devices to constantly monitor, the Cloud would be used as the workhorse to continually pre-compute all available data for those devices and have the information ready for analysts or other machines to consume as needed in real time.

 

All of these experts agree that it is easier to be a cyber warrior and much more difficult to be a cyber defender. Using blacklisting and whitelisting technologies along with the sheer computing power inherent in the Cloud is helping balance the scales, making cyber defenders more effective.




 


Cybersecurity Articles 

 

Cyber Implementers
By Jeff Erlichman, Public Sector Communications

 

As threats rise, so do the efforts of industry to provide the cyber solutions government—and the rest of us—need.

 

The news is not earth shattering.

 

Cyber experts from Guidance Software, HP, Juniper Networks, SafeNet and Symantec all agree government faces a daunting task managing and protecting data at rest and in motion, whether it is on an internal server or a mobile device.

 

But these experts also agree there are practical, cost-effective ways to minimize risk and maximize protection—and they have solutions working in the field to back them up.

These experts—Sam Chun, HP; Cary Moore, Guidance Software; Bob Dix, Juniper Networks; Pete Engel, SafeNet; and John Bordwine and Jason Meinhart from Symantec—made their comments during a recent Roundtable hosted by the publishers of On The FrontLines.

Getting A Grip

 

Every day there are more and more attacks. Every day, the time we have to respond grows smaller.

 

“Customers are having a hard time having a sense of what’s going on and having a true command picture of their environment,” said HP’s Chun.

 

“That’s because of so many different technologies being deployed, along with the volume and speed that information is coming in. We are working hard to address that in a near real time way to drive quicker decisions.”

 

Guidance Software’s Cary Moore sees a similar trend. “Many of our customers are being hit with more sophisticated attacks and advanced persistent threats. They need the intelligence to respond quickly and get networks healthy in a much faster way.”

 

As threats increase, SafeNet’s Engel said he is seeing an increasing move to securing the end points—the mobile devices and telework situations—as well as a move to securing the data itself; so that if the network is compromised there is another layer of security around the data itself.

 

He added that includes studying how the data is being used on the network and on those mobile devices. “We are seeing what the users are doing with these devices and bringing that together in the overall profile and the picture of what’s happening on our network.”

Symantec’s Jason Meinhart brought up another point often talked about, but where there has been little action.

 

“The chief challenge is dealing with outmoded forms of regulation, the challenge of certifying systems, coming to grips with the limitations of the C&A process,” said Meinhart.

 

“With all the mobile devices, you can’t govern their use by the same policies that were written five years ago when a desktop computer attached to a classified or unclassified system may have been the norm. It’s a whole new ball game today with mobile; the rules are outdated.”

 

All agree that government managers understand the magnitude of the problem they face. But they also point out that in government there are very few people who understand the full scope of the problem because it is so complex.

 

So where does that lead us?

 

“The government is making a strong effort to address cyber hygiene and low hanging fruit issues such as: regular updates to antivirus signatures, password management, configuration management, patch management and a commitment to regular cyber education and training,” explained Juniper’s Dix.

 

“We need to get back to basics; have solid and sound policies; make sure users know policy and if there is an enforcement arm, that those policies are truly being enforced. We need to be proactive,” said Moore from Guidance. “Training has to be a big part of that and there has to be a change in mindset and security is a big part of that—every user needs to take that responsibility.”

 

Where There’s Work To Be Done


“We as an industry don’t have a really rigorous way of modeling risk,” said HP’s Chun. “We make IT decisions crudely compared to other industries. For example the financial industry has the data to give you a number, to quantify your risk.”

 

“Our customers need the tools and capabilities that allow them to do trade off analysis between very specific technologies that are not similar,” he added. “The economic condition is ripe for this type of approach; if I had to choose between antivirus versus intrusion protection, what is the better choice for my environment to invest in?”

 

SafeNet’s Engel noted that “one of the areas we see developing very rapidly is back office identity and privilege management—the CAC cards and the PIV cards. Agencies are now looking at how they can take advantage of the technologies that are on the card from both a security and business process perspective.”

 

At Guidance, Moore said they are building off their forensic tools to deliver faster actionable intelligence that can be passed on to the decision-maker.

 

“We are building technologies to be able to deal with new threats like poly- and metamorphic malware. We are getting better visibility into the network and into the systems to find what truly is out there.

 

This means finding out what the differences are between a “good” system and a system that has been hit and bring this in a way that clients can see information as fast as possible.”


Symantec’s John Bordwine talked about the importance of integrating technology around the SCAP environment and paying more attention to Data Loss Prevention (DLP) technologies, both of which have the attention of OMB.

 

According to NIST, “the Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality.”


Bordwine said this is a key initiative across government because agencies know they are understaffed and may not have the right skill sets in-house. Thus, along with increasing the knowledge base, government needs to automate security processes as much as possible.

 

Juniper’s Dix said, “we’re seeing more focus on standardizing configuration management across the enterprise, such as the Federal Desktop Core Configuration (FDCC) initiative, as OMB now requires verification of FDCC compliance via SCAP. We also see greater attention to the top 20 security controls in the Consensus Audit Guidelines (CAG), which now includes NIST 800-53 Revision 3 mappings.”

 

It is also clear that utilization of enterprise-wide solutions and ‘Center of Excellence’ skills and best practices represents a more holistic approach to cyber attack risk identification, prevention, mitigation and response, said Dix.





Viewpoints 


Cybersecurity Challenges – Getting Proactive

 

By Jim Flyzik, The Flyzik Group

 

I have taught a graduate class on cybersecurity at the University of Maryland, University College part-time on Saturdays for 17 years. Every year, my students complete research papers on current cyber topics so I have had a chance to follow along as cyber threats became more complex. The sophistication of the threats evolves right along with the advancement of technology.

 

I also watched as we reacted to cyber threats in the past with a “band-aid” approach—fixing problems after something bad happens. We have now reached a stage where significant vulnerabilities call for proactive approaches to prevent cyber attacks before they happen. Can we do this? Why is it so difficult?

 

Cybersecurity challenges are daunting for many reasons. First, the scope of the problem raises the question of where to put resources to begin to address the challenges? Do we begin with securing operating systems, databases, local networks, or the data itself?

 

What about wireless networks? What about the devices? The PCs, notebooks, tablets, BlackBerrys, iPhones, Droids, routers, and switches, to name just a few of the hundreds of smart devices that connect to our networks. Then there is the Internet! How do you secure something that has no centralized governance structure or single points of trust? Clearly, we need to start somewhere.

 

The National Cybersecurity Initiative addresses protection of the perimeter—defining ways to keep bad bits out and let good bits in. Internally, protecting the data requires encryption and tools for data loss protection and data masking of structured and unstructured information. Proxy data should mask real data while data is in transit. “Real” sensitive data should only exist in the secured production environment. We also need to use encryption techniques to the fullest extent to address the identity management (IdM) challenges and message authentication.

 

Law Enforcement plays a big role here too. Cyber attackers have the anonymity of the Internet on their side; the rules of evidence are often times complex computer logs difficult to trace and almost always difficult to understand by juries. No smoking guns, no DNA, no blood or fingerprints.

 

Attacks originate worldwide and these cyber laws vary widely.


Now, if technology and law enforcement challenges aren’t hard enough, consider who needs to be involved in this effort—everyone who uses a computer, a cell phone or any of the wireless network appliances in use in cyber space.

 

No government or industry entity can fix every vulnerability. It is the responsibility of everyone to practice good security practices when interacting in the cyber world. This means a massive awareness and education campaign as a national priority and cooperation and collaboration with international entities. Further, if we hire people of high integrity, a good deal of the internal threat is diminished. If we use physical security methods to restrict access to sensitive areas, we diminish that threat as well.

 

The federal government wants to hire more cybersecurity skilled employees. What are the qualifications for the job? Let’s see. They need computer skills, telecommunications skills, wireless and wireless devices skills, management skills, oral and written communications skills, and of course, cybersecurity skills. Where do we find them?

 

The good news is cybersecurity is now a national priority. Some great people are being called back to government service to address these tough issues. And our universities are stepping up to help train a workforce of the future to step up to the challenges. The proactive approach is underway.

 

Jim Flyzik is President of The Flyzik Group. He is the former CIO at the Secret Service and Treasury and served at The White House under Tom Ridge. He hosts the Federal Executive Forum on Federal News Radio and is the chair of the AFCEA 2010 Homeland Security Conference in February. Contact him at www.theflyzikgroup.com.


 


Viewpoints 


Make It Easier, Bake It In 

 

By Jeff Erlichman, Public Sector Communications

 

I admit it. I’m one of those “end users” on the frontlines of my personal and business cyber defenses.

When it comes to security, the CyberSpace Review Plan doesn’t have to spend its resources telling me. Believe me, I’m aware. You better be—especially when your email is in the Cloud.

 

I’ve long known and practiced the virtues of proactive cybersecurity and having multiple backups. But it didn’t prevent me from being attacked. I have one email account that has taken my provider more than 6 months to figure out the problem. And I’m still not 100% sure it’s solved.

 

If you are like me, here’s what you’ve got. I have one program that provides a “Security Center” protecting my computer, files and email from viruses, spyware etc.

 

I have another program that scans, repairs and optimizes my PC. Plus, I have another anti-spyware program. I’m not sure whether these programs actually conflict or are complementary. In fact, I’m confused. I would ask my systems administrator, but of course, that’s me. And I don’t know the answer.

 

But I do know one thing: I’m practicing “cyber hygiene”. I’m cyber responsible, but still frustrated, still not sure I’m doing enough, and still wishing the whole cybersecurity process was easier and more transparent. Plus, error messages and warnings are written in “computerese”. Yikes!

 

So, I can’t tell you how refreshing it was to hear some leading security providers say the industry isn’t doing enough to help end users.

 

HP’s Sam Chun has written on security awareness. During our recent Roundtable he said, “I think we on the industry end have made it fundamentally too difficult for the end user to achieve security. I think we as an industry need to do better; it’s just too hard and too complex for the average user.”

 

Chun said we need to make security transparent, invisible, assured and persistent for the end user so it is just computing for them. “The industry needs to work harder to make this happen. We should not expect the user to do it effectively; so we as an industry need to help them do it.”

 

CSC’s Sam Visner added “for many years hardware and software manufacturers and SIs said ‘we are going to turn IT into a commodity; one that is increasingly available, increasingly useful and increasingly easy to use; so you shouldn’t worry about IT’.”

But now some are telling end users they haven’t done enough. They don’t update antivirus definitions or don’t configure their firewall right, Visner explained. “Everything we told you about IT being inexpensive, easy and useful, now we have a big and difficult discipline that you—the user—have to do. That wasn’t the deal when we rolled out IT.”

 

Hallelujah!

 

I’d love to do nothing, but I’m a realist. It may become simpler, but proactive personal cybersecurity is never going away.

 

But I’d like every cybersecurity provider to have Chun’s and Visner’s attitude.

 

“If we design the system properly, we do not have to expect users to do all the maintenance; if we design it properly, users don’t have to become cyber experts; and if we “bake in” cybersecurity as an intrinsic system component, then IT becomes increasingly available and inexpensive, becomes easier to use and becomes useful to the mission,” declared Visner.

 

That’s the attitude I want. Bring it on.

 

Jeff Erlichman is managing partner of Public Sector Communications. He is the On The Frontlines editor and can be reached at jefferlichman@publicsectorcommunications.com.



Videos 

Cyber Leaders Talk About Cyber Progress 

 
Priscilla Guthrie
ODNI

 
Dave Wennergren
OSD

 
Greg Schaffer
DHS


Videos 

Cyber Leaders Talk About Challenges and Partnerships 

 
Jim Flyzik
The Flyzik Group
 
Dave Wennergren
OSD
 
Greg Schaffer
DHS

Videos 

Cyber Leaders Share Their Cyber Visions 

 
John Bordwine
Symantec

 
Mike Carpenter
McAfee

 
Bob Dix
Juniper Networks

 
Priscilla Guthrie
ODNI

 
Lee Holcomb
Lockheed Martin IT

 
Dave Wennergren
OSD

 
Greg Schaffer
DHS

 

Videos 

Cyber Leaders Speak Out at AFCEA Homeland Security 2010 

 
Van Hitch
DOJ

 
Dave Wennergren
OSD

 
Richard Spires
DHS


Luke McCormack
ICE, DHS

Charlie Armstrong

CBP, DHS

Steve Chabinsky
FBI
 



Published by


Trezza Media Group

Tom Trezza

201-670-8153

www.TrezzaMediaGroup.com

TTrezza@TrezzaMediaGroup.com


Public Sector Communications, LLC

Jeff Erlichman

301-774-6660

www.PubSector.com

JeffErlichman@PublicSectorCommunications.com  


The Flyzik Group

Jim Flyzik

301-365-4772

www.TheFlyzikGroup.com  

JFlyzik@TheFlyzikGroup.com  

 

Design/Production: Reuter & Associates  

 

© 2010 Trezza Media Group, Public Sector Communications, LLC

 




Copyright © 2012 Public Sector Communications, L.L.C.

Public Sector Communications, L.L.C.
19009 Alpenglow Lane
Brookeville, MD 20833

 

 

