X

Q&A: Defcon's Jeff Moss on cybersecurity, government's role

Hacker Jeff Moss talks about being an adviser to the Department of Homeland Security, national ID cards, and how social media sites could deliver public emergency alerts.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
13 min read

Jeff Moss, founder of Black Hat and Defcon. Darington Forbes

As a hacker and organizer of Defcon, an event where computer security vulnerabilities and exploits are routinely unveiled, Jeff Moss seemed an unusual choice when he was named to the Homeland Security Advisory Council in June.

But his background and lack of government experience brings a fresh, outsider's perspective to a public sector plagued by a fast-changing threat landscape, perpetual turf wars, and bureaucratic inertia.

With National Cyber Security Awareness Month under way, CNET News discussed with Moss his new role, his thoughts on the national ID card debate, and how the government wants to use social media sites for public emergency alerts. This edited interview is the first of two parts. Part two will run on Monday.

Q: So, how's it going on the Homeland Security Advisory Council?
Moss: It's going pretty well, it's pretty exciting actually. Recently we did a recommendation, I'm sure you read about it, the homeland security color codes. There are the five color codes. Normally the country is on like yellow or orange. I think we've only been to red once. But we've never been to the two lowest, blue and green. So the system was up for review. It turns out that the color codes work really well for industry and government. They have procedures in place. They do things automatically when the color codes are changed. It is actually successful for them but for the third group that uses them, civilians, it actually doesn't work well at all.

Right. We don't understand it. We're like, what does it mean? Is it real?
Moss: How does it give us any actionable information? How should we change our behavior based on it? That's what came out of the report was that it's very hard for civilians to do anything with it and it causes confusion, and it's the No. 1 source of ridicule. The system needs to stay because it's valuable for the other two groups, but it needs to change was the conclusion of the report. So they had a couple of recommendations and one was to just get rid of the two lowest colors because honestly we've never been at them; make the new normal orange. Three levels is probably more realistic than having five. The U.K. doesn't have five either, I think they have three.

The other big thing was if something is happening in New York, you don't need to raise it for the whole country, so make them more applicable for a geographic location. Localize it more. And then some other recommendations I thought were reasonable were make it a default where the level is automatically lowered if nothing affirmative happens. So the onus is on the officials to constantly justify why it needs to stay at a higher level. They had some other really common-sensical recommendations. You should tell people without revealing any sensitive security information or sources why did it get raised? Why did it get lowered? Is the threat over or is this an ongoing threat that we just now think is less important?

What if you could have a feed coming from DHS and other government agencies, say, to Twitter or Facebook or MySpace or whatever? ... End users would know it's still the official word, it hasn't been modified or changed.

They want make it all much more transparent to the public. So if they say we intercepted these people trying to board a plane with these liquids so we're going to go got a higher level around airports...something like that, instead of a blanket generalization that's applied to the whole country without explaining when the threat goes away or is mitigated. I know some members of Congress agreed with the report and it was generally really well received. Now the Advisory Council, we all unanimously agreed with it, and now it's off to the secretary (of Homeland Security). I was expecting a lot more bureaucrat-ese but that report I couldn't find anything to nitpick with because it make a lot of sense.

Two (reports) before that we were dealing with the Real ID versus Pass ID debate. (The Bush administration was) trying to create basically a national identity card and when that didn't happen they created this Real ID standard that would cause all the states to have standardized features on their driver's licenses. That's different from an enhanced driver's license which is used in place of your passport when crossing into Canada or Mexico.

You need biometrics (and to) verify the information through approved two other sources. It's an attempt by the feds to make sure information getting into the DMVs is actually valid and there's a paper trail there and the information from one state can be easily shared with another state. It seemed fairly reasonable. But then you started looking at some of the provisions and it turns into another one of these giant unfunded mandates from the feds. A lot of the civil libertarians got up in arms over it and I'm not really pleased either. States started to rebel.

The DHS was saying if you don't have one of these driver's licenses that is approved you're not going to be able to fly. So these governors got together and came up with an alternative plan called Pass ID. It removed it from being a state unfunded mandate, reduced the database requirements, reduced some of the ID requirements, made it much more feasible and reasonable, phased in on not such an immediate time table, didn't seem to have Big Brother issues. DHS is not going to want to go to war with these states. I think there's a realization you have to come to some compromise and Pass ID seems like a good compromise, but now you've got to convince Congress.

Have you done much with cybersecurity?
Moss: It is cybersecurity month, you know. One thing I wanted to point out, there's this realization that they want to enhance the alerting system and embrace the Web 2.0 technologies. It goes back to this theme I keep hearing from people there that they need to fully engage in the cyber area with distributing information. They want to be more transparent and they want to communicate information faster to broader audiences in different ways. The hangup seems to be, what are the best ways to do it? Let's say there's another (Hurricane) Katrina, a huge weather alert or a terrorist attack and you want to get the information out to everybody. Right now the only way to do that is to activate the whole emergency broadcast system or the emergency action system and have everybody's radio tell you, which they didn't even use during the World Trade Center attacks.

Why not?
Moss: I don't know. I was so frustrated. I have one of those emergency weather radios because we get a lot of storms (in Seattle) and my radio is constantly going off telling me about specific storms. It doesn't go off when there's a terrorist attacking my country. I just turned it off and threw it away. It's useless. So what if you could have a feed coming from DHS and other government agencies, say, to Twitter or Facebook or MySpace or whatever? And you subscribe to that channel or that feed, end users would know it's still the official word, it hasn't been modified or changed. There has to be some official ways of distributing this alert information in many different ways.

The president started out with a strong cybersecurity speech and then things started to slow down. Then there was the big battle over what is the DHS going to do? What is NSA going to do? It turned into a lot of politics.

Cell phones have this broadcast mode where it's possible for a cell tower to send a broadcast message out to everyone on the cell tower. They're wondering is there a way you could use these broadcast features to send out localized announcements? A university saying there's a school shooter on campus everybody leave. How do you communicate security sensitive information in a localized way? I think the technology group at DHS is spending a lot of time thinking about that. It was nice to see an acknowledgment in the report that we need to engage in social media or other media forms to communicate more than just on television or when someone gets up at the White House and makes an announcement.

Now we're into Cyber Security Awareness Month and DHS got authority to hire up to 1,000 employees in the next three years in the cybersecurity area, everybody from analysts to secretaries to reverse engineers and network architects. I'm sure you saw the articles about are there even 1,000 skilled people available.

What's your take on all that?
Moss: I don't think there are. It's great when agencies and groups come up with these really grand statements, that's what you're shooting for. You'd love to have 100 of the best, but Cyber Command wants 100 of the best and Air force 10th Wing wants 100 of the best (and Microsoft and IBM want 100 of the best). At some point there's just not enough people left. But they say when you work for government you're not really working for the money. People tend to do it for different reasons. You either do it because you're patriotic or you do it because you get to play with some really cool stuff that wouldn't ever be possible in the civilian world. And I think they're trying to address the third thing, which is pay.

The 60-day review released earlier this year concluded that the government is not prepared to respond adequately in the event of a cyberattack. Is it just a matter of having enough staff and having more trained staff?
Moss: Well it's that and a lot of it is bureaucratic fiefdoms. Whose in charge of what? Cyber attacks just have never happened. That's why everyone paid so much attention to Estonia when they were being attacked. What's the best way to organize yourself to respond to one of these things? And nobody really knows, I don't think, what agency calls what other agency and who responds in what order. They've been gaming it for a while, but until it actually happens a few times I think it's all new. I've recently heard that there was the competition sort of between not so much DHS, it was Air Force and NSA over the Cyber Command and NSA won that so that big cyber turf war is over and dying down. Now the energy is being put into actually building that command and figuring it out.

Sort of the same thing is going on with DHS. Who is actually going to be in charge of defending domestic government space? And they referred to it as the "Defend .gov Initiative." Who defends.gov? It's going to be the DHS and how do they do that and what does it mean? Because DHS, if they have this mission but they don't have the budget for it, can they really go to the Department of Agriculture, for example, and order them to change their systems but not really give them the resources or the budget to do it? It's not clear how much one agency will be able to go and dictate to another agency because everybody is just fantastically protective of their fiefdoms.

It does seem like there has been some turf war, some struggle for the cyber security position or role.
Moss: And there are some competing ideas. The current idea is you have these, in DHS lingo its called TICs, Trusted Internet Connections. It's sort of what the military did...where let's say you were on a military base somewhere and you wanted to go search Google, your connection would leave the military network and go off to the civilian network. And there were hundreds and hundreds of thousands of these connection points between the two networks and the DOD (Department of Defense) realized there was just too many to watch and they need to have a plan to reduce the number between the two networks. So they have this multiyear strategy to reduce the number, and I don't know what the end number is.

DHS needs some of (the NSA's cybersecurity) talent and they need some of that expertise. So there's some sort of working arrangement being sorted out where until DHS can get their own talent pool sorted out, NSA will send people over.

DHS is trying to do the same thing with the initiative to have more traffic pass through these TICs that can then be monitored and you can get an idea of what is going on. That spurred another debate which is, on one hand now your eggs are in less baskets and you can monitor your eggs and look for trends and do more intrusion detection but because your eggs are in less baskets there are less baskets to attack. There are fewer connection points to have to DOS (denial of service). I'm not in that camp. I like the idea of having less connections to monitor because the counter to having less things to attack is well you buy more bandwidth. Have you heard of this Einstein system?

No.
Moss: It's the civilian governments defensive. It's like their IDS (intrusion detection system). So there's a technology road map. If you go to a government system or leave a government system you would pass through this Einstein system and so the idea is once you have everything in these TICs you can start to analyze flows and look for interesting patterns.

Can you talk a little bit about the leadership of the cybersecurity effort. When are we going to have a new cybersecurity czar? Who might it be? Seems like there's been a revolving door as far as the directorships. What's going on?
Moss: Yeah. Without naming names nobody knows. And every time you have a conversation with a different agency everybody says, well what have you heard? What rumors have you heard? The rumor was always that in two weeks there would be an announcement and I've heard that for the last four or five months. And there are two theories. One I've heard is it's just really hard now. A lot of people who were potentially under consideration have taken themselves out or they're really hard to vet and they keep having issues because of all the scrutiny the czars have been getting.

And the other one (theory) is that the longer you go without a czar the more they realize that maybe they don't need one, that what they envision what a czar doing, the role is changing. Maybe now this person is more important on a strategy level and a coordination level and maybe this person isn't going to lay down the blueprint for what technology to buy or what strategy to impose. I like that because I really think it needs to be a coordinator position. They need to work the intelligence, the military and civilians. And they need to have good visibility with the president and the national security staff.

So it's probably more important to get the right person and explain the position so they don't end up with one of these "all the responsibilities and none of the authority" situations, which is what it sounded like, (a) multiple reporting structure with little budget and little staff and no real authority. That didn't sound like a recipe for success.

That being said, DHS has had some turnover. Melissa Hathaway left (and Rod Beckstrom resigned). I don't know if it's the course of normal turnover or if it's frustration at the pace at which things are happening or resistance to change. Rod wanted to make some changes, everybody wanted to make some changes, and they're used to having an impact and I think things were moving very slowly. The president started out with a strong cybersecurity speech and then things started to slow down. Then there was the big battle over what is the DHS going to do? What is NSA going to do? It turned into a lot of politics. That's from an outsider perspective.

All the people I've met at that level, (Phil Reitinger, director of the National Cybersecurity Center at DHS, and Rand Beers, (under secretary for the National Protection and Programs Directorate at DHS) are very impressive. I just don't know really what's underneath the surface. But those guys seem really on the ball. They're saying reasonable things. They don't have crazy inflated egos or trying to throw their weight around. So it's different from what I expected or the way it was portrayed. It makes you want to get involved more or participate more. It's actually been really refreshing for me.

That's good to hear. So are we set as far as the domestic cybersecurity initiative and role and czar reporting to the White House and not being under the auspices of the NSA?
Moss: I don't know. When you talk about what's the role of NSA with DHS for helping protect .gov, the way you hear people talking about it is, NSA has all this experience and they have a different structure when it comes to compensation so they can just woo everybody because they have much more authority for hiring. Historically, they had to hire academics and engineers and people with specialized skills used to higher salaries. So their hiring structure is built up around that so it's easier for them to lure computer and software guys than say it is (for) DHS. They generally usually win in the recruiting battles. They've got a lot of talent over there and DHS needs some of that talent and they need some of that expertise. So there's some sort of working arrangement being sorted out where until DHS can get their own talent pool sorted out, NSA will send people over. I have a feeling it's going to be something like an internal government loaner program.

You have a unique perspective. Your background is very different from the others on the council. Has your background as a hacker helped you in your role advising the government and helping them think about things from a diff perspective? Is there a diff perspective?
Moss: Yeah, there definitely is a different perspective but it's not very visible yet, I don't think. We haven't had enough meetings, we haven't had enough issues come up that are directly cyber related so I haven't gotten a chance to really shine yet just because there are a million ongoing things. Cyber is just one aspect. The big piece that's missing is what are the states doing? I don't hear a lot of statewide initiatives for cybersecurity--there's only a couple of states that are trying to be proactive about this and I can't remember them all. One is New York because they have to be with all the financial networks. Washington state. Louisiana, of all places. And I can't remember the fourth. All the attention seems to be on the federal side but at some point the states are going to have to get involved.