Q&A: Amit Yoran talks cybersecurity

West Point graduate Amit Yoran went from security work in the Air Force, the Defense Department, and private industry before being tapped as director of cybersecurity for the Department Homeland Security.

He joined DHS in September 2003 and left about a year later, the first of several cybersecurity directors to have a short tenure. Now, the 38-year-old is chief executive of security firm NetWitness.

During the first week of National Cyber Security Awareness month, Yoran talked to CNET News about his efforts getting a federal cybersecurity program off the ground, how no organization is safe from attack and why he is "anti-user." Here is the edited interview.

Q: The big question on everyone's mind is when will the administration appoint a new cybersecurity czar and who will it be? Do you have any comments on that?
Yoran: (Laughs) Apparently, they'll report it when they're good and ready. I don't have any particular comment on that.

There's been a lot of talk about the structure. Do you think the position should report to the White House or an agency like the National Security Agency? Should the official snoops be in charge of protecting security and privacy?
Yoran: (Laughs) Is that a biased question? No. In my mind clearly the right thing to do is to put a coordinator at the White House. NSA has a key role in cyber, but they've got their mission focus and there's a number of other departments. And agencies that have other priorities and activities in cyber that are relevant and need to be coordinated at the White House level.

You resigned as director of DHS' national cybersecurity division after only one year. Why?
Yoran: I had a specific start-up job or requirement that was asked of me--to help them get the US-CERT operation up and running and help get some of their cyber programs off on the right foot. After a year we had established some of those programs and (decided that) my interests lie elsewhere. We were as productive as we could be in a short period of time.

Do you think your division was given adequate attention and resources?
Yoran: At the time I don't think they were inadequate meaning when you're just starting something from scratch even if you have hundreds of millions of dollars at your disposal, I don't think that you can prudently and effectively spend it. I don't think you can be effective or responsible with large resources like that on day one. Until you know where you can add value, what the programs and activities you can undertake are, you aren't particularly resource-constrained. I do think over time some of these activities require greater funding. I just don't know if that was a shortfall while I was there.

You weren't the only to leave sooner than people might have expected. Former cybersecurity director Rod Beckström resigned in March and Melissa Hathaway resigned as acting director in August. What's going on here?
Yoran: Well, this is a very complex topic and dealing with it is a careful balancing act between an understanding of business, an understanding of technology and an understanding of how...to prioritize your programs and this was a national level of activities. So it doesn't particularly surprise me that we've had a high turnover of leadership, a fast pace of leadership turnover in this area. That doesn't mean that all the programs and activities start and stop with changes of political appointees.

The 60-day review that President Obama commissioned came out in May with the message that the country is not prepared to respond to cyberattacks. What's your opinion of the report?
Yoran: I would concur the nation is not prepared to adequately address cyberattack...The report, like cyber, has so many nuances some of which I agree with and some of which I don't agree 100 percent, but I think the observations being made were accurate.

You were a member of the commission that worked on a report that came out last December, right? Are the reports really all that different?
Yoran: There were a lot of similarities and there was a lot of alignment between observations made by the CSIS (Center for Strategic and International Studies) commission and ultimately 60-day review that Melissa Hathaway conducted for the White House. But that shouldn't be very surprising. It's not the same document...You've got a lot of the same expertise...a lot of the same types of analysis done...It also is reasonably well aligned with a lot of earlier presidential strategy and docs around cyber.

It doesn't seem like there's a lot of change after years of this. Do you get a sense we're treading water at all?
Yoran: I'm not certain treading water is the right analogy. It seems like we're making progress, progress is being made, but cyber is not a stagnant environment. It's not like a network router (which) behaves as you command it so you change the network or the architecture. In cyber you have a continuous sort of evolution, not only of technologies, but also you have an adversary game theory-type activity. What you think is secure today is based on your current knowledge and your knowledge expands and the adversaries change their techniques and methods. The landscape has changed so it would actually require a lot of swimming to stay in place versus treading water, I guess is how I would characterize it...Our adversaries are advancing their techniques and we're also deploying a lot of technologies and process and capabilities to help better protect ourselves. Overall, I don't think we're better protected, that we're better off or less exposed today than we were years ago.

You said "progress is being made." Can you elaborate?
Yoran: So in the last two years or more, the Bush administration carrying on into the Obama administration the primary national federal effort is really being driven by what they call CNCI, "Comprehensive National Cybersecurity Initiative." It remains highly classified as an initiative and series of programs. Work is under way. CNCI is more than people just talking about cyber. There is work being done. Unfortunately, a lot of it is behind the scenes.

What is the state of cybersecurity today?
Yoran: The organized crime, the criminal element today, is organized. They've got capability and because there is money on the line they've got phenomenal intent and focus and persistence. Last year, the FBI director said that more money was made using online cybercrime than by drug trafficking in the U.S. It's a mind-boggling number to people who aren't familiar with it...About 30 percent of the cybercrime today uses anti-forensic techniques, so you're literally not going to find them even if you know to look for them...The FBI also said that over 100 foreign governments have structured offensive cyberwarfare organizations as part of their network security and intelligence infrastructure. So the industry and the IT world is getting decimated by the cybercriminals and the nation-state activity is even more advanced than that. The technologies we're using to protect ourselves, that we're relying on, the dirty secret within the IT security world is that they're incapable almost by definition of dealing with the advanced threats of cybercrime or nation states.

Yoran: The challenge faced by the government departments and agencies is 98 or 99 percent similar to the challenge faced by enterprise IT environments which is very blatantly the IT security industry is not equipped to deal with the advanced threats. If we think we're monitoring systems and if we think we're protecting our systems using the products we have then we're uninformed about the threat, or misleading ourselves or just plain loony.

And the most advanced threats being specifically what?
Yoran: Custom exploits. Custom malware. The same concerns that thought leaders in the industry have been predicting or projecting from a few years ago or maybe even five years ago as conceptually possible are now an every day occurrence. Attacks being embedded in the application layers. Attacks being embedded into the content of applications or behavior of applications. It's by infiltrating and compromising the supply chain of an enterprise, be it in the hardware supply chain or more likely the services supply chain...

So a lot of attacks also use social engineering. Which attack vector is more successfully exploited, social engineering or the one targeting vulnerabilities?
Yoran: That's great question. I think that the attack surface is so large. Whether you're going into a supplier, whether you are socially engineering an employee, or whether you're doing some sort of spear phishing type of exercise. The attack surface is so large and the IT security industry's ability to adequately protect a complex enterprise is so poor that I believe we have to have a shift or a change of paradigm in how we think about security. We have to believe, and I would say almost every security industry leader that I respect today, we have to believe that our defenses are imperfect and that our adversaries, criminal or otherwise, are already on the inside and that no matter what we do to protect ourselves they're still going to get inside.

Yoran: How do you live, how do you operate in an organization's IT environment, and how do you enable the organization to still accomplish their mission knowing that their IT systems are already living in a state of compromise? The bad guys are already inside. I don't care if it came in through social engineering or through a new exploit I didn't know about or a piece of malware they just wrote or by bribing someone on the cleaning crew to get into an environment. In order to succeed today you have to operate under the assumption that the compromise is already on the inside.

So then is it a matter of just minimizing the damage?
Yoran: Unfortunately I think that is a good part of it. You've got to understand where they are. Minimize the damage, containment, prioritize your limited resources, and focus efforts on the core assets, the most important assets of the enterprise. The data, the database, the brain, whatever you deem to be most sensitive in your business. Intellectual property.

Which is more important for curtailing threats--user education or technical countermeasures or something else?
Yoran: I'm a (laughs) I'm a believer in anti-user. Users are part of the problem, not part of the solution. (Laughs)

But you have to deal with them still. They are part of the equation.
Yoran: I typically advise folks to get rid of their users as the best defense but they usually don't have that as an option. I don't think user education is very effective. There's definitely a benefit to it. Is the marginal return worth the cost? I don't know. If you have some cost-effective programs it does make sense. Any security architecture which relies on the awareness or education of the user population is flawed by design. I'm a security professional. I've been doing it security for the past 18 years or so and some of the spear phishing and other methods are so slick, so well engineered and so sophisticated that I could easily see myself falling victim to them. Having an alert user, that's valuable. Can you put any confidence in a security program that requires any end user awareness or education? No.

How did you get into computer security?
Yoran: Originally through gaming way, way back when, before it was called gaming, video games. I had my first introduction to computer security as a comp science student at West Point. There was an information security course that was taught and I found it to be a very fascinating topic.

Where did you go from there?
Yoran: On graduation from West Point, I inter-service transferred and served for five years in the Air Force...because it was in the leading edge of adopting technology and focusing on computer security. In the early days, I started with an organization that became the DOD CERT team, the Department of Defense's Computer Emergency Response Team and worked there for a number of years and then got out in the '98 time frame and started a company called RipTech, a managed security services company, knowing absolutely nothing about business. It was 1998 I figured how hard can this be? Everybody's making a couple of billion dollars and so I jumped into the business world...Symantec bought RipTech in 2002 and in 2003 I went into DHS as the cyberguy, the national cybersecurity director, really trying to help the government get the federal effort off on the right foot I did that for a year or so and got out of the government in late 2004 and since then have been involved in a series of IT security business mostly as an investor or board member until 2006 when I organized a management buy out of NetWitness and focused on bringing its product and technology to market.

So tell me about that. What is it?
Yoran: NetWitness at its core is a network forensic engine. The government started the development effort almost 10 years ago, looking at packet switched data networks, trying to be able to rapidly produce intelligence about what's happening on a data network because they clearly saw the evolution of technology in this direction. The company that was developing the product was a services company and really not very well suited to bring this technology to success as a product. So I got some investors together and we basically did a management buy out of the developers, the patents, the patent filings they applied for and we had a series of additional capabilities we wanted to add to the product...

Do you do online banking?
Yoran: I do, because laziness drives so much of my behavior. Absolutely not the right thing to do, but I'm lazy.