Meet Amélie Koran, deputy CIO for the U.S. Department of Health and Human Services, Office of the Inspector General, and one of the keynote speakers at the upcoming InfoSec World 2018 March 19-21 in Lake Buena Vista, Florida. Her March 19 keynote address, “Are We There Yet? Getting There is Only Half the Trip,” highlights some of the things security has done right, what it’s done wrong and where security stands today.
Security Boulevard interviewed Koran by telephone and email. Here are some of the interesting things she had to say:
Amélie Koran is deputy CIO for the U.S. Department of Health and Human Services, Office of the Inspector General. Her 25-year path to DHHS OIG includes time at The Walt Disney Company, Carnegie Mellon University CERT/CC and The World Bank. Koran began her work in the public sector as lead enterprise security architect for the U.S. Department of the Interior, then moved to lead continuous diagnostics and mitigation implementation for the U.S. Treasury Department. She later spent time doing a leadership development rotation as part of the President’s Management Council Fellowship, serving the Federal CIO in supporting cybersecurity policy analysis and legislative review.
Security Boulevard: Where does security stand in 2018? What wrong roads did we drive down to arrive here?
Koran: I wouldn’t necessarily say we’re facing a complete dumpster fire this year, the way 2017 turned out to be. But it’s only February. There’s lots of time left for 2018 to prove me wrong. The good news is that there is a growing awareness of where we stand. More organizations are making the effort to track what’s been going on in security. However, with awareness, it’s often too difficult to penetrate the signal-to-noise ratio with all the information vying for our attention.
Flashy vulnerability announcements like Spectre and Meltdown do almost as much damage as a breach notification from Equifax, but the problem lies with short attention spans and the lack of will to do anything about it. Recently, the Consumer Financial Protection Bureau (CFPB) opted not to pursue a deeper dive into the issues with consumer data lost by Equifax, months after Congress’ attention already moved on to something else.
Unfortunately, there are very few security-beat reporters like Brian Krebs, who follows up with a series of stories on specific incidents to try to keep them in public awareness. While I was working at the Office of Management and Budget (OMB) during Heartbleed and finishing my rotation there after the ShellShock vulnerability in 2014, there was a tepid response from organizations on the use of open source software in many critical systems. It’s not that open source software was the problem, per se, it was the lack of resources that most open source projects have to perform code audits and other software-quality rigors. Many organizations see the use of these projects as “free,” like taking a mint from a restaurant on the way out (or a handful).
Security Boulevard: How do you course-correct for that?
Koran: By waking up organizations to the fact that they must filter back a fraction of the money they are saving in not paying for a commercial software license to ensure the code is robust and secure. Just a trickle of funds going back to support code-auditing (often handled by a stewardship foundation like Apache and Linux) provides immunity for others who choose to use the same package—it’s a force multiplier. This is one of the better course corrections we can perform right now as more and more critical infrastructure is built upon open frameworks and code.
GitHub’s Security Alerts for Vulnerable Dependencies program launched last year is a step in the right direction, even if it’s only scoped to hosted projects. It does look at the glue that binds a lot of these software projects together. I’d only hope similar tools and services are also launched. I’m extremely curious as to whether Google/Alphabet’s new security startup, Chronicle, will offer a free version for use by companies who want to start a program using these tools.
Security Boulevard: What should we have learned from past mistakes?
Koran: There are at least a couple of things that come readily to mind. First, we need to stop chasing marketing. Conferences and emails are filled with the latest claims to stop or prevent the latest threat or eliminate a vulnerability. A classic example is the hawking of security products and services related to the Meltdown and Spectre CPU flaws in the context of the lookalike Skyfall and Solace hoaxes. But security vendors rarely address the issues that exist from a basic process and management standpoint that are a lot easier to fix if priorities and resources are applied.
In considering the purchase of a security product, ask whether vendors will support an independent verification of claims, or provide a list of unbiased customers who can independently share their experiences.
The worst example I’ve seen of not learning from previous mistakes, especially in government, was when a shelfware package was effectively mandated because it solved a point problem. Because such a selection process rarely examines the product holistically, a decision is made without regard to the fact that environments and operating requirements vary, and sometimes vary greatly.
The Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) was just such a program. It had a very limited toolset that competed with many tools or services already in place or integrated within agencies’ various systems. The agencies with similar tools were told to either remove them or run them in parallel. In several instances, agencies were forced to alter their architectures or technical designs, some of which were in operation or development several years before the DHS program was foisted upon them.
In the end, they are left with a decision about whether to support a half-broken, mandated “solution” or give up something for which budget allocations may already have been spent. A better use of the resources expended would have been to develop a vendor-neutral framework or interchange standard to which tools could have been built or modified to provide the aggregated data asked for by DHS and OMB.
Security Boulevard: How can security professionals help facilitate the adoption of best-of-breed security measures?
Koran: Organizational politics and company culture are sticking points. Security is and has always been an outlier in the operations of many organizations. More and more organizations are trying to integrate Agile and DevSecOps into their development practices, when most of them never involved security effectively in their preceding waterfall processes. Let’s just say that there are a lot of preconceptions among the stakeholders arrayed around the table. And this is just one example of where political and cultural friction is occurring.
Many startups are nearly immune to this challenge, short of bad habits brought in by developers and engineers from previous positions. But for older, more established organizations a New Deal for security, like DevSecOps, may be viewed as a sea change, fraught with bruised egos, hurt feelings and eventually a lot of heel-dragging if you don’t open minds and get buy-in up and down the organizational chart.
One of the common foibles among the security community, and inhibitors to career growth, is a lack of soft skills among many of its practitioners. Often, the reason some bad ideas and activities get sewn into operations is not due to political maneuvering or fear of change. It happens merely because the method of prevention wasn’t internally marketed very well.
Security Boulevard: Another serious problem that security faces is that the U.S. is a nation of people who are, for the most part, security-illiterate—and worse, they may be in denial about it. This affects individuals and organizations alike. It’s clear we need to educate. How would you go about addressing it?
Koran: We need to get to a basic level of technical literacy and security awareness. I grew up in an era when we had home economics and workshop in middle school. Much as we used to have “Home Ec,” we now need something like Home Tech. For example, we’ve got the consumer version of internet of things going in many homes, which includes Amazon Echo, Google Home and Apple HomePod, for starters. People are putting their trust in the companies behind these products to operate in a secure fashion and handle their data in a proper way.
It’s vital for everyone to understand general privacy and trust issues. We’re not training people to advocate for the privacy and better handling of their own data. Examples like Equifax should be teaching us that we aren’t the customer, we’re the product: a commodity to be sold. We’re not teaching people to advocate for themselves and others in this new technical arena where we’ve been reduced to numbers and database fields.
At the post-secondary-education level, we should move beyond thinking of security as the province solely of computer science and engineering students and begin looking at it as a [multidisciplinary topic].
I hate to say it, but security is one case in which standardized education might be a good thing. We have the successful D.A.R.E. program for drugs. We need something like its equivalent to keep kids from clicking on malware ads on their phones.
We’re at an inflection point when it comes to directing security’s course. But how can we use that inflection point to start influencing the behavior of folks who are not technologists or security professionals? Raising awareness about cybersecurity and privacy will be security’s greatest challenge over the next five years. It’s only going to become more important as we continue delivering more advanced technologies and services that will rely on people to be more aware of the security risks and more comfortable with their ability to deal with them. Having an always-on microphone in the house is just the beginning.