Published: 07 Jan 2005
Two Seattle CISOs, Kirk Bailey and Ernie Hayden, are pioneering a new level of trust and cooperation to secure their enterprises.
Over the clatter of an auto body shop where he was retrieving his car, Ernie Hayden received a disturbing cellphone call. "I'm sending you a warning about the latest MyDoom attack," the voice said.
No introductions were necessary. Hayden, the manager of enterprise information security for the Port of Seattle, immediately recognized the voice as his counterpart at the city of Seattle, CISO Kirk Bailey.
Usually, the pair meets once a week at a local coffeehouse to talk shop. They share their problems, insights, solutions and questions. Nothing is out of bounds, and there's no fear of compromise. Their trust in each other is unquestioned.
While the urgent warning of a MyDoom variant wasn't the norm, it was hardly unusual. When something serious breaks, they call each other immediately. They know implicitly that one always has the other's back.
By the time Hayden rolled into the office, he had the details of the worm that Bailey promised. The variant used an e-mail to instruct recipients to click an embedded URL and confirm an online purchase. The malicious Web site then downloads a virus that damages the host and mails itself to everyone on the person's contact list. With that intelligence in hand, Hayden sent an urgent message to his staff and began working on countermeasures.
It was yet another example of why close, personal, working relationships between peers and the open sharing of security intelligence are important and beneficial. And it's a relationship that Hayden and Bailey continue to foster amongst their peers and are trying to export to others.
While the security practitioner's mind-set is usually wrapped around secrecy, Hayden and Bailey say they're proof that extending a little trust and putting two--or sometimes more--heads together is a better way to solve pressing security problems. This kind of cooperation practiced by Hayden and Bailey, as well as other Northwestern security professionals, could become a CISO best practice.
|TIPS: Trading Success|
Breaking a Cloistered Culture
Cooperation in infosecurity is notable for its rarity. Consultant Ted Demopoulos recently asked 60 security professionals whether they or the hacker community was better at information sharing. "There was just laughter," he says.
The digital underground is a meritocracy; hackers rate themselves on their technical prowess and their capers' success. This means they must be open with information about their tools, targets and methodologies. In contrast, security professionals usually only share what most everyone already knows, not their actual experiences. But, keeping mum means missing out on useful intelligence and potential help.
"There are way more antagonists and players out there than there are keepers of the gate on our side," says Peter Garlock, CIO of the Port of Seattle and Hayden's boss, who likes the cooperation between his organization and the city. If CISOs can discuss problems safely, they can leverage all that experience--at no cost.
Hayden and Bailey have developed a mutual trust, which some security pros just don't get. "When we started raising the specter of CISO-to-CISO conversation, people gave us the look of 'What a concept' and 'What a brilliant idea,' but they didn't want to do that," Hayden says.
The ground Hayden and Bailey tread is perilous; they know they risk the possibility of having their problems appear instantly in a blog or in tomorrow's newspaper. Equally powerful is the fear of appearing vulnerable and weak. That's why building trust is critical. Time is the key ingredient.
The two infosecurity pros met years ago when Hayden was security director for a software company and Bailey, already CISO for Seattle, was running a vulnerability assessment exercise for the city. Over the years, they kept in touch and became friends. When Hayden became the Port of Seattle's first infosecurity chief, they couldn't have asked for better collaboration conditions. Not only did they know and trust each other, but the city and the port are inseparable business partners.
And Hayden and Bailey aren't just sharing their experiences, but also their contacts. If they don't know the answer to a problem, they can call upon their network of peers and acquaintances. "We use each other's black book," says Bailey. "This was a hyperjump to a whole new level of trust."
It's not unheard of for security professionals to consult colleagues and friends. Where their relationship differs is in the extension of trust. If Bailey can rely on what a given contact says, for example, Hayden can as well. The two also act as liaisons to their respective peer networks. If someone has relevant information--such as a warning of an attack or discovery of a new vulnerability--the news bubbles up in one of their networks. Hayden and Bailey share it, so it reaches the other's contacts. Because all the affiliations are informal, there is no bureaucracy to control how information travels. As a result, Hayden and Bailey say, intelligence is quickly communicated.
"The current cybersecurity practice has siloed reporting, where attacks are cross-jurisdictional," Bailey says. But industries and enterprises, regardless of their vertical category, are bound together. A problem in the electrical or telecommunications infrastructure ripples into problems for manufacturing and municipal operations. Hayden and Bailey argue that any truly effective cooperation must break down the walls between industries, even those between government and the private sector.
Share and Share Alike
Hayden and Bailey have felt some resistance to their ideas, but there must be some "collaboration" mineral in Northwestern waters.
The Pacific CISO Forum, a local information network with 25 to 30 members, including Bailey and Hayden, has been around for a while. Some members bring connections to the FBI, Secret Service and Department of Justice, while others participate for access to their local security peers.
"We're like the three-legged people in town," says Peter Gregory, a founding member of the Forum and chief security strategist for the consultancy VantagePoint Security. "There aren't many of us, so we like to get together, share what we know and commiserate."
Vendors are excluded from this group. Bailey says many of the more organized plans for cooperation "are burdened with pundits and participants who are vendors and who don't have skin in the game." When he picks up the phone, the person answering will have the same sort of accountability that he does, as well as the same issues and problems. Vendors may have products and expertise, but they don't have the operational needs and experience. And, of course, there's always the possibility of a vendor tainting discussions to favor their products.
One reason the Pacific CISO Forum has worked is that members have used sound principles for sharing experiences and information, says Jeffrey M. Stanton, a social psychologist and associate professor in Syracuse University's School of Information Studies. Groups like these are "most likely to work if they're peers and if there are enough similarities in their job functions and responsibilities that they have something to tell each other."
Geographic proximity is also helpful. The Internet and telecommunications make it possible to converse with anyone, anywhere. But people still prefer having personal contact with the people they want to trust.
What clinches things, though, are benefits and deliverables. For example, Seattle is renegotiating its ISP contract. Networked connections to computer forensic specialists, network experts and even lawyers helped build a wish list of concessions and benefits, like having a special support telephone number in case of a serious cyberattack, so there's no wait for assistance. No one CISO would have thought of everything, but collectively they draw on one another's experiences and perceptions to develop well-rounded security architectures, policies and response plans.
Some experts, like Dr. Don Goff, wonder whether a total lack of organization might send some groups heading in wrong directions.
"A common understanding of what the basic problems are and how to address them seems to me a basic first step," says the professor of information and telecommunications systems at University of Maryland University College (UMUC), one of 60 programs nationwide certified by the National Security Administration as a Center of Academic Excellence in Information Assurance Education. Currently, the Maryland governor's office is launching an initiative to bring together private companies, law enforcement, fire departments and government to create a statewide cybersecurity plan.
Even in Maryland, with the power of the governor's office behind security information sharing, participants are wary of too much organization.
"As soon as you make them structured, people at the meeting have to represent the party line of their agency," Goff says. And that, he adds, hampers the exchange of information. Loose structure and zero bureaucracy help enable more cooperation between private industry and the public sector.
The federal Freedom of Information Act (FOIA) and equivalent state-level legislation only increase anxiety. Under these statutes, anyone can request documents on file with the government. If private industry cooperates with the government and commits anything to paper, those documents could become public.
Bailey, Hayden and their colleagues circumvent this risk of public disclosure by avoiding minutes, reports and, whenever possible, e-mails. "We don't have a nondisclosure agreement," says Gregory. "We don't have a Web site or officers. We just hang out. If we were [a formal organization], everything would be subject to the Freedom of Information Act."
But a lack of records risks making valuable information a victim of fallible human memory. A CISO would have to depend on stumbling across people who knew what he or she wanted to learn. While the Homeland Security Act of 2002 protects information voluntarily provided to certain federal agencies from federal FOIA requests, it offers no protection from state information disclosure laws. Since much of the cooperation must take place on a local and state level, this leaves participants vulnerable.
That's why there are growing attempts to share critical knowledge through this informal approach. For example, Agora, a low-profile regional network of infosecurity professionals formed in the mid-1990s, is one of these "nonentity" groups gaining a foothold.
"The reason it was formed was that a few security professionals realized we were failing in our attempt to protect our enterprises, and we needed to talk to our competitors," says Bailey, a founding Agora member.
Ultimately, what will drive these relationships and a new dynamic in cooperation are word of mouth and money. CISO networks are perfect examples of viral marketing, with referrals only coming from other trusted sources. Forget about waiting for a conference to hear the latest best practice; your friend across town will probably tell you about it at the next coffee klatch. And then there are the economics: Companies get help from experienced professionals when needed--for just returning the favor.
"Most professional associations reflect very tired practices," Bailey says. "Very tried and true, but tired when it comes to building symbiotic associations."
By taking this approach, Bailey, Hayden and their circle of trusted friends are finding that their approach is no longer lethargic--and that the only thing that keeps them awake at night is too much coffee.