Security technology fundamentally flawed, says ex-White House CIO
Former White House CIO Carlos Solari recently joined Lucent Technologies.
He has 25 years of experience in American government and private industry
positions, including 13 years as an officer in the U.S. Army, and
more than six years as a senior executive with the FBI.
From 2002 to 2005 he was the Chief Information Officer for the
Executive Office of the US President. There he was responsible for
the implementation of a complete computing modernization, with IT
security a central part of the work.
He took time out on a recent trip to London to talk to Brian McKenna
for Infosecurity.
You spoke at the Gartner IT security summit in Washington last week
about trust-based security, in the context of the convergence of IT,
telecoms and digital media. What were you putting across at that event?
Essentially a critique of the current approach of bolting on security
after the fact. This also entails not dealing with the security
of highly complex networks. The idea is born from the notion that
in order to really apply security to the systems we have today you
need to build it in from the inside.
And how do you apply that without the use of a standard that you
can use to be consistent across the industry? Trust based solutions
have to be built on standards, such as the X.805
standard that Bell Labs and Lucent professional services advocate.
The point here is to ensure that any device in a network has been
designed to a reference-able measure of security. You also have
to have the ability to determine its state of health by some mechanism
by which it can ‘check to its good mirror’.
If you do that in a comprehensive way, and pass the information
on to a central management console, you can provide an ability to
adjudicate whether a device has been modified from its authorized
state.
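The attestation loop described above (a device measuring itself, "checking to its good mirror", and a central console adjudicating whether it has drifted from its authorized state), as an added illustration that is not Lucent's, Bell Labs' or X.805's own code. The component inventory is constructed sample data, and the shared HMAC key stands in for the hardware-rooted key a real device would use; both are assumptions of this example.

```python
"""Toy device-attestation flow: the device hashes its components and signs the
report; the console verifies the report and compares it with a known-good
reference (the 'good mirror') to decide whether the device is still authorized."""
import hashlib
import hmac
import json

# Constructed sample inventory: component name -> content the device hashes.
DEVICE_COMPONENTS = {
    "bootloader": b"boot-v1.0",
    "kernel": b"kernel-2.6.15",
    "sshd_config": b"PermitRootLogin no\n",
}
DEVICE_KEY = b"example-device-key"  # assumption: stands in for a hardware-held key


def measure(components):
    """Device-side self-measurement: a digest of every component."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in sorted(components.items())}


def attest(components, key):
    """Produce the measurement report plus a MAC so a forged report is detectable."""
    report = json.dumps(measure(components), sort_keys=True).encode()
    tag = hmac.new(key, report, hashlib.sha256).hexdigest()
    return report, tag


def adjudicate(report, tag, key, reference):
    """Console side: verify the report's MAC, then diff it against the good mirror.
    Returns (verdict, sorted list of components that differ from the reference)."""
    expected = hmac.new(key, report, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "untrusted-report", []
    measured = json.loads(report)
    # Components added, removed or changed all count as drift.
    drifted = sorted(name for name in set(reference) | set(measured)
                     if reference.get(name) != measured.get(name))
    return ("authorized" if not drifted else "modified"), drifted


# The good mirror: the measurement taken from the authorized build.
GOOD_MIRROR = measure(DEVICE_COMPONENTS)

if __name__ == "__main__":
    print(adjudicate(*attest(DEVICE_COMPONENTS, DEVICE_KEY), DEVICE_KEY, GOOD_MIRROR))
    tampered = dict(DEVICE_COMPONENTS, sshd_config=b"PermitRootLogin yes\n")
    print(adjudicate(*attest(tampered, DEVICE_KEY), DEVICE_KEY, GOOD_MIRROR))
```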
All that sounds great, but, at least at a certain level
of abstraction, it sounds like, say, a Cisco story on NAC (Network
Admission Control).
It is similar to the NAC and Microsoft’s NAP. But those approaches
are resident more at the configuration level, where somebody builds
an image and deploys a device in conformance with that image. Our
model goes down deeper – how do we know that the device, the
OS and so on are built to some level of security if you don’t
have standards?
Today there are just too many things to try to manage securely.
The basic messages should be: build secure and stay secure through
device attestation.
Are there lessons from your experience at the White House
that you think are of more general applicability?
Well, that experience illustrated well the core problem. Despite
applying the best security tools we could at the White House, I
never really felt that we were actually in front of the problem,
but were instead always chasing the problem. We were not constrained
by budgets, but, you see, no amount of spending money on the current
approach is really going to solve the problem. Fundamentally, we
cannot say that we can defend networks today. And I felt that I
had to go back out into private industry to figure out how to solve
the problem in a more fundamental way.
There are three legs to it: we need to prevent, detect, and respond.
We are dealing with the problem at the end points — the LAN
or the devices. But we need to bring into play the ability to apply
preventive measures inside the cloud.
At Bell Labs we are working on how to resolve DoS attacks in the
cloud, for example. And there is some work being done in detecting
the propagation of a worm in the cloud through traffic analysis.
So you will see research emerging from our labs that tackles security
in this more basic kind of way.