Dr. William Luti, a retired career naval officer and former special assistant to the president for defense policy and strategy at the White House, is executive vice president for Digital Management’s cybersecurity division. Prior to joining DMI, Luti served as vice president of strategy at Northrop Grumman’s Information Systems sector, where he played a leading role in defining the sector’s growth strategy. While at the White House, Luti co-chaired the Cybersecurity and Communications Policy Coordinating Committee, working with his Homeland Security Council and Office of the Director of National Intelligence counterparts to bring the Comprehensive National Cybersecurity Initiative to the president’s desk for signature. In addition, he was responsible for interagency management for homeland and cyber defense, security cooperation, international defense agreements, national space policy, defense plans in support of military operations, and defense transformation. During his career as a naval officer, Luti served on the Chief of Naval Operations Executive Panel and Strategic Studies Group. He commanded an aviation squadron, an amphibious assault ship, and an amphibious ready group. Luti is also a veteran of the 1991 Desert Storm air campaign.
The New New Internet: How do you believe your background in the White House and in the Navy has helped you in your current position?
Bill Luti: I’d say that my White House and Navy experience, above all else, has given me a very personal, first-hand understanding of the cybersecurity challenges we face, along with the critical importance of addressing these challenges correctly. There’s nothing like working to manage interagency use and sharing of critical national-security information to build an appreciation of how tremendously complex and difficult it is to share what needs to be shared, while maintaining security. And of course, my years as a career naval officer certainly have given me a tremendous respect for the consequences of failing to secure our information assets properly.
TNNI: You’re leading the cybersecurity division for a company called Digital Management. What attracted you to the company?
Luti: Digital Management is not a household name yet, but I’d watch the space. Digital Management is a tremendously innovative team of some of the best, most strategic thinkers I’ve known. The company has built a track record of finding innovative ways to use technology to transform government operations. In the cybersecurity space, Digital Management is delivering practical solutions that raise the real-time situational awareness and security posture of DoD and civilian agencies throughout the federal government. Even more important, Digital Management is at the heart of an industry transformation in cybersecurity solutions, helping to define it, shape it and make it a reality. We actually played a significant role at the NSA’s first Trusted Computing Conference last month in Orlando, Fla. This is a very exciting place to be right now.
TNNI: It seems we keep hearing about the need to protect the nation’s digital infrastructure. Do you believe the situation is any more dire now than it has been for, say, the last five years?
Luti: It’s an unfortunate fact of life that constant reminders of dangerous situations and dire consequences can sometimes do the opposite of what they’re intended to do. Rather than galvanizing us into action, repeated warnings can sometimes make us complacent. Fortunately, I don’t believe this is the case with cybersecurity. The threat is so easy to quantify, it’s impossible to ignore: Companies like Symantec have documented nearly a 20-fold increase in malware signatures in just the past three years. In fact, there’s now more ‘bad’ software being created every day than ‘good’ software. Studies show that more than half of the PCs in the country have some sort of malware running on them right now. The White House Cyberspace Policy Review said that the nation loses up to a trillion dollars from cyber crime every year. The DoD’s Quadrennial Defense Review says there are seven million DoD computers being used every day in 88 countries to run thousands of warfighting and support applications, and calls the number of potential vulnerabilities ‘staggering.’ The good news, I believe, is that the message is getting through, and meaningful actions can be taken and are being taken to address these threats.
TNNI: While you believe the situation is bad, you think it’s possible to turn things around? At an operational level, what could a CISO in government or industry do to better protect their information assets?
Luti: I’m sure I won’t be able to offer a comprehensive answer in just a minute or two, but I think I can point to some useful strategies and technologies. First, I’d suggest that it should be clear to everyone by now that the answers don’t lie in building static defenses alone. We all know the story of the Maginot Line of fortifications that the French built to defend themselves against Germany prior to World War II. It was a marvelous wall, but the Germans simply went around it. Spending time filing reports detailing whether your systems are compliant is probably not helping much. We just don’t have a good idea of what’s taking place on our networks. We need a shift to a more dynamic posture with an emphasis on continuous monitoring and situational awareness. It’s gratifying to see that current updates being made to FISMA rules seem to be moving in this direction. Second, it’s time to start doing real-time intrusion prevention and active defense – not just after-the-fact intrusion response. And this, of course, will drive requirements for a real-time, automated forensics and attribution capability. There are some very interesting solutions breaking ground in this area today. We’re partnering with several innovative technology companies that provide many of the pieces to solve the cybersecurity puzzle. One example is a product that watches enemies attack a virtualized environment. It’s able to dynamically generate defenses in real time that can prevent infiltration of the real working environment.
TNNI: Most of what we do today seems to be focused on defending systems that are inherently vulnerable. Do you see anything on the horizon that could be pointing toward an environment that is more fundamentally secure?
Luti: Yes. And I think this is very exciting. I believe trusted computing technologies show real promise to transform the IT security landscape. Trusted computing is a fundamentally new approach to cybersecurity that has been developed by the Trusted Computing Group – an independent consortium of technology-industry leaders. Digital Management has been a member for some time. Most security models focus on maintaining lists of known threats, and trying to block them from infiltrating protected systems. This is OK, but as attacks and attackers become more sophisticated and persistent, this line of defense has become increasingly — some would say unacceptably — porous. The trusted computing approach is to build protections into the hardware devices themselves that can help ensure that systems are safe before they’re used or before they’re allowed to connect to networks. Verifying the identity and integrity of devices before allowing them to access network resources means that only known machines, with approved software – and nothing else – can get access to the network.
TNNI: What makes this trusted computing approach more secure – isn’t it just as vulnerable to subversion as other IT security models?
Luti: The key to security in trusted computing solutions is in establishing a hardware-based root of trust, and building an unbroken chain of trust from that foundation. Archimedes said, ‘Give me a lever and a place to stand, and I can move the world.’ Trusted computing relies on a secure crypto chip called the Trusted Platform Module as that secure place to stand. To walk through it step by step, with a trusted – or trustable – device, a snapshot, or a measurement of the device hardware and software is taken when it’s in a known safe state. Results of these measurements of device identity and software integrity are stored on the TPM. Each time a trusted device boots, the identity of the hardware itself, then the integrity of the software are verified against the measurements secured by the TPM. This is done step by step – from the basic input/output system to the OS loader, to the OS itself. Securing everything in a separate secure crypto chip eliminates the vulnerabilities that are present in software-only solutions. With this kind of security, you can be sure that only known computers are on your network, and that they’re running only authorized software. What’s exciting about this is that it may finally bring an end to the arms race between malware creation and detection.
TNNI: It begins to sound like trusted computing would require a wholesale replacement of entire IT infrastructures to be effective. Is this true? Are there incremental solutions that rely on the trusted computing approach that could improve security without requiring whole new infrastructures to be deployed?
Luti: Ultimately, the entire infrastructure does need to be rebuilt on this new foundation. Forward-thinking organizations are piloting high-assurance environments based on trusted computing now. But of course this can’t and won’t happen all at once. Many organizations are taking incremental steps: One large professional services firm recently announced that it’s executing a plan to use the TPMs on 150,000 desktops to store private keys. Other organizations are leveraging the TPM for key management and single sign-on, or using it to provide assurance of machine identity on protected networks. The Opal drive specification, another trusted computing standard created by the TCG, is being used by many hard drive manufacturers to provide hardware-protected disk drives that are always completely encrypted with keys that can’t be extracted. I’m sure there will be many more trusted computing solutions like these available as the technology catches on.
TNNI: How relevant is trusted computing to the movement to a cloud-services model?
Luti: Very relevant. In fact, I would say that trusted computing technologies could hold the key to making the cloud-services model usable by government agencies and businesses with high security requirements. There’s a very justifiable concern about the security of cloud computing. It’s built on a multi-tenant model that relies on software-based virtualization to separate and secure multiple users’ and organizations’ data. If not properly secured, that software is vulnerable to remote software-based attacks, which can quickly spread like a wildfire through a virtual forest of tenant operating systems. So, while cloud computing is a next-generation model for efficient, cost-effective operations, it can also be an accelerant for any ‘cyber fire.’ So, cloud computing is probably the biggest case-maker for trusted computing, because securing virtualization and making sure no untrusted machines are on the network is the only way to get to an adequate level of confidence in the cloud. The TCG has established a new working group that brings government and industry together to address these issues and is working on creating a security framework for cloud computing, including private, public and hybrid cloud environments, as well as virtualized and non-virtualized ones.
TNNI: You mentioned government and industry working together with the TCG. Is government doing anything else to promote the adoption of trusted computing?
Luti: Yes, and again, I think we’re seeing some very positive signs here. Just last month, the NSA hosted its first-ever Trusted Computing Conference and Exposition in Orlando. Digital Management was actually an event sponsor and presenter. It was an impressive gathering. What’s exciting is that the urgency around our need to secure cyberspace finally seems to be working to drive government and industry to coalesce around trusted computing security standards. Since mid-2007, it’s been a requirement that all PCs sold to the Defense Department must have TPMs installed. Now, it’s beginning to look like the NSA is stepping up to provide some leadership — defining requirements for the use of trusted computing in government environments. This could give these technologies a real boost, and move us all much closer to a fundamentally safer computing environment.