INTERVIEW: John P. Casciano, systems recon specialist

CASCIANO: I would liken it to academics. In terms of our understanding the problem within the government, we're at the undergraduate level, probably somewhere between sophomore and junior year. We've hypothesized solutions, and we're to the point of starting to test some of those solutions. I would rate performance across the government probably as a C or C-.CASCIANO: Some parts of the government recognized the threats and vulnerabilities earlier and have done something about it. Others have been a little slow on the uptake. Probably the part of the government that is farthest in front is the Defense Department, which really has been in the security business for at least 10 years in terms of identifying resources and working the problem.The Air Force back in 1988 or '89 started investing in information assurance, and by 1993 stood up the Air Force Information Warfare Center and the Air Force Computer Emergency Response Team.CASCIANO: I'd prefer not to name names. Let me address it in a more general way, in what the laggards are not doing.The first part of that has to do with focusing on the problem, developing the security policy, making sure there is a level of awareness within the department, enforcing standards on people and their networks, and performing the necessary follow-up in terms of plugging known vulnerabilities and doing the vulnerability assessments.In my experience the most successful people in this area are those who gain an appreciation for just where their problems are by vulnerability assessments'either through white-hat teams, which work one-on-one with them to find the holes and to put in place the fixes, or the so-called gray-hat and red-hat assessments that get a little more aggressive and give no notice.And you've got to be willing to invest in systems administration training. It serves no useful purpose to take an untrained individual who is new to the organization and make him or her a systems administrator without some kind of training. It cannot be a low-paying job with low expectations. If we treat it that way, then we will fail.CASCIANO: Pay and career development are certainly part of it. The government and companies have to be willing to pay the price for security.The Office of Personnel Management as part of the new national plan for critical information systems protection is going to reclassify jobs. We don't even have good job categories for systems administrators and cybersecurity specialists. And we've got to be able to give these people some visibility into their career growth, so that they will at least be tempted to stay where they are.I see this as a national problem, and I think the administration does, too. One of the things the administration has come up with is the idea of a cybercorps'kind of an ROTC program to encourage high school and college youngsters to get degrees in computer security and then commit to work for the federal government for a period of time. That is going in the right direction, but it's not very well funded at $25 million a year.CASCIANO: The Internet grew as a high-tech way to communicate, to encourage experimentation and freedom of expression, and it caught on so fast that the policy community has had a difficult time coping with it.I think people who worry about the information economy and our vulnerabilities in the cyberdomain, who worry about information warfare aspects of this from a military standpoint, are and have been doing things to work on the problem. But it's not something that the American public at large has gotten educated on. It's not a presidential campaign issue.The only time the popular press covers security is when you have something newsworthy, such as in early February when several companies had distributed denial-of-service attacks. But the issue has pretty much died down, and it is not really affecting the lives of Americans.CASCIANO: We don't think twice when we go to a restaurant and hand over a credit card. But what is different is that in a restaurant or in a store you have some human connection and a reasonable expectation that the credit card number will be used for the reason that you intended. There have been abuses, but at least where the problem happened gives you a place to start looking for the source of the abuse.What is insidious about cyberspace is that there is no human connection, and abuses can take place on a mass scale without your ever knowing about it until late in the game.There was an incident where someone tried to extort $100,000 out of a company called CD Universe [of Wallingford, Conn.], and he ultimately published 2,500 credit card numbers on the Internet.There was another incident six or eight months ago where somebody published the Social Security numbers of flag officer nominees for the services. In a case like that you could have your identity stolen and your credit ruined.CASCIANO: According to testimony by the intelligence community, there are at least 18 countries that are known to be engaged in some kind of offensive information warfare capabilities. They're not necessarily our friends, although some of them are.The use of cyberspace could mean we don't have to put human beings in harm's way. It's part of the natural evolution. Weapons and ways of using weapons have changed over the years. There is no reason, now that we're in the information age, we shouldn't take advantage of the information media in warfare.CASCIANO: I can refer you to two things that already have been reported. One was a question to Gen. Henry H. Shelton, chairman of the Joint Chiefs of Staff, back in October, as to whether certain tools were used in the Kosovo operation. And he indicated that there had been.The other thing I would cite is the fact that the Office of the Secretary of Defense and the Joint Chiefs in October gave the Unified Space Command in Colorado responsibility for computer network defense. And, come the first of October next year, the command will be given responsibility for computer network attack.CASCIANO: The first thing is we have got to educate the public and especially the business leadership of the country about the problem. Since we're all connected in this information economy, a vulnerability anywhere is a vulnerability for all, so there has to be that public-private partnership.There needs to be honest dialogue within the country about just what the vulnerabilities are and how as a country we can pull together to deal with the problem. It's a national security issue, it's a military security issue, it's an economic security issue, and in the final analysis it's a physical security issue when you talk about the threats to critical infrastructures.We need to recognize there is not going to be a single solution. If you think there is going to be a magic piece of software or a magic black box, you're mistaken. It's got to be a continuous process of policy, strong processes and hardware and software.I commend the administration for attempting to put a focus on this problem and making some investment, although I think the investment really falls short of what we need. Agencies have been asked to make trade-offs within their budgets. Some are doing this, some are not, and consequently the results have been and are going to continue to be spotty.