Ed Amoroso, author of Cyber Security, has been active in cybersecurity since he got involved in adding enhanced security to the Unix operating system in 1985. He shared with us his thoughts on the implications of cloud computing for cybersecurity, the “inertia” against adoption of the cloud, how the generation gap affects the introduction of new technology, and why education is key to any cybersecurity strategy. Here are some choice quotes:
- “While you wind up with a smaller number of gateways to government, you have massive carrier infrastructure sitting as the first line of defense — and that is way better than what we have in government today”
- “Instead of a perimeter model, a federal agency should just be able to tell their cloud provider, ‘Here’s my policy, I want you to authenticate with following this, here is my identity management system, these are the valid individuals who can grab this and these are the conditions under which they can grab them.’”
- “[Cybersecurity] starts with awareness. Make sure end users, citizens, and people working in businesses and government are more aware of cyber attacks and preventive actions everyone can do to protect themselves from these attacks.”
ExecutiveBiz: How did you get involved in information security?
Amoroso: I took a job at Bell Laboratories in 1985 where I met a wonderful man named Bob Morris. Bob was right out of central casting — he had the whole beard, Birkenstocks, etc. Bob had also been one of the Unix masters who invented big chunks of the Unix operating system. He was working on a project that had a compelling goal: adding enhanced security functionality to the Unix operating system. I got involved in this Unix project and was immediately hooked. And I have enjoyed it ever since.
ExecutiveBiz: As Senior VP and CSO, talk to us a bit about your responsibilities at AT&T.
Amoroso: My responsibilities fall into two integrated areas. The first area is ensuring that the AT&T global network infrastructure and computing infrastructure, and networks we operate on behalf of customers, are protected in real time from all forms of cyber attack. This can range from sophomoric pranks by youngsters to criminally intended activity, as well as terrorist or potentially nation-state-sponsored attacks.
The second area includes security policy, planning, and architecture for AT&T’s enterprise, and lead design, development, and operations support for AT&T’s managed and network-based security services.
ExecutiveBiz: I understand that you have written four books, in addition to a number of articles. What was your motivation behind the books, particularly Cyber Security, which I understand is written for lay readers?
Amoroso: I’ve always stayed connected to academia. I’ve been on the computer science faculty of the Stevens Institute of Technology for 20 years, so most of the books that I’ve written were written for my graduate students. Recently, I wrote Cyber Security to try and help explain to CSOs and CSIOs a lot of computer security and technical issues they had read about, since I had a pretty good sense about the problems they faced because I deal with these problems every day. The book is also written for technical folks who in some sense might be a little bit daunted trying to understand the cyber security discipline so they can become experts, which is not an easy thing to do.
ExecutiveBiz: I understand that you are a member of EDUCAUSE, which recently published an edition of EDUCAUSE Review that dealt with the issue of cyber security. What role do you see education playing in the effort to further cyber security and what role do you see organizations, like EDUCAUSE, playing and what roles do you think they should play?
Amoroso: It starts with awareness. Make sure end users, citizens, and people working in businesses and government are more aware of cyber attacks and preventive actions everyone can do to protect themselves from these attacks. We try to contribute our time, energy, and whatever systems we can to any organization, such as EDUCAUSE, and also a whole host of universities because training is such an important aspect of effective cyber security policy. Training and awareness have a very interesting nuance that, if unattended to, will come back to bite you.
ExecutiveBiz: You had mentioned some interactions with the private sector and government professionals. How cognizant are these kinds of people about the cyber threat? Employees in general and then in particular the CIOs and those dealing directly with these issues?
Amoroso: At the state and local levels, they don’t often have big budgets so they tend to rely very heavily on service providers and others for assistance. At the federal level, there are some civilian agencies that do great work on cyber security. At the military and intelligence level, it has been my observation that some of the finest minds in computer and network security reside in that area. We think that the cyber threat to the civilian agencies has grown so significantly that they need an enhanced level of cyber security, and the GSA Managed Trusted IP Services (MTIPS) modification to the Networx contract is a great place to start.
ExecutiveBiz: What are some of the other goals with MTIPS that you are really looking at?
Amoroso: The MTIPS program began with a call for implementation and evolution of the Trusted Internet Connection mandate. Today, there are gateways all over the place and they are managed differently. This is not a good way to proceed, and MTIPS is a way to fix this problem. MTIPS enables agencies to leverage the power of cloud computing to enhance network infrastructure security. The power of our “smart cloud” is not just customer traffic mitigation. AT&T can offer its MTIPS services through the AT&T Cloud to take a proactive approach to cyber security by detecting and defusing security threats via network traffic in our cloud before they become a risk to our agency customers.
While you wind up with a smaller number of gateways to government, you have massive carrier infrastructure sitting as the first line of defense — and that is way better than what we have in government today. This is why MTIPS has generated a great deal of interest from many federal agencies, and these early responses indicate that MTIPS is going to be a very big success.
ExecutiveBiz: With cloud computing and the big federal push to move into that arena, you do see some backlash against that. And you do have some individuals becoming increasingly skeptical about cloud computing. What would you say to these individuals to build a case for cloud computing?
Amoroso: The controversy is not so much about whether putting applications in a ubiquitous place makes sense, but the controversy is around the perimeter. Right now, the model that everybody uses is to hunker down behind a big wall with your applications. Today’s reality, however, is a lot different. While the URL filter in the office prevented a PC from going to select sites, anyone can take a BlackBerry, open the browser and go right to a gambling site.
Instead of a perimeter model, a federal agency should just be able to tell their cloud provider, “Here’s my policy, I want you to authenticate with following this, here is my identity management system, these are the valid individuals who can grab this and these are the conditions under which they can grab them.”
Most of the resistance is based on this perimeter inertia and maybe even a generation gap, since many young people in government are completely comfortable accessing Facebook and Twitter via the cloud. I don’t think anybody has to make a case for cloud, I think it is such an architecturally sound concept that it is just going to happen. We think that’s a good thing.
ExecutiveBiz: What is something about yourself that people would be surprised to learn about you?
Amoroso: It depends on who you are talking to. I grew up in a family where computer science was a popular topic in our household and where we watched the whole discipline grow. My dad had the second or third Ph.D. in computer science ever and maybe the first master’s degree in computer science ever. He did it in the early ’60s at the University of Pennsylvania. So the life of computer science kind of tracks me since I’ve done it my whole career.