I was interviewed a few weeks back by Chris Maher on Linkedin. The topic was concerning “Trusted Computing” and ramblings on security.
CM: Howard, as you know, I quoted you at the 2011 NSA Trusted Computing Conference & Exposition: “Well.. I believe in Americans. I believe that when we see various challenges that we individually step up and out to deal with them. We have put your faith and trust in leadership and leadership has been pounded with more work than they can handle (yes, I am being nice). That being said, it is up to us individually to lead where we are. We must individually work to change our own behavior and look to influence others by leading from where we are. If I am a Janitor, then I look for ways to be efficient in cleaning and thrifty in spending for supplies, or find ways to reuse supplies. If you are an Executive Assistant, find ways to make a difference in the office. If you are a Technical Strategist, teach everyone everything you know about Service Orientation and Trusted Computing and technical reuse models. It doesn’t matter who you are, it matters what you do. Our jobs do not define us holistically. In recent days I have seen civilian leaders (you know who you are) step up to the plate and take risks in order to share their ideas on how to create a more effective and efficient acquisition solutions. It isn’t only up to them. We will find more success together by working to change these behaviors and tackling the challenges we can see one person and one problem at a time…” (SOURCE):https://cohenovate.wordpress.com/category/howard-cohen/
It’s a great quote for a variety of reasons. That said, I want to focus on your awareness of and experiences with Trusted Computing. How you were first introduced to Trusted Computing?
Chris, Thank you very for clearly understanding and articulating the message of “leading from where we are.” I have been working for the Department of Defense for close to a decade now, before that I worked at a school division and the commercial industry. I have worked for Joint Forces Command, Joint Staff and now DISA. I started hearing about Trusted Computing while working at the school division, if anyone is going to break your system it will be the kids. I learned a great deal about system hardening as I entered the world of military architectures at J8. I started at US Joint Forces Command by using security technical implementation guides (STIGs) as we call them. Prior to that I was using non-military oriented technologies like hard drive sheriff, deep freeze, bootable cd os (barts PE), stuff like that.
And, in your estimation, why does Trusted Computing matter? Why is it important?
In enterprise computing you want to be able to leverage standards. We need the ability to look at metrics and we need to understand what “expected behavior” is. In other words, we need to be able to know when something is not working right. So you need standards so that experts can be on the same page and understand what they are looking for as “normal” as opposed to seeing something that “interesting” , if everyone is doing their own thing at the enterprise it makes it very complicated to know what the heck is going on. You have “shadow IT” that will compromise the integrity of the network simply because it exists. When working in an enterprise users and operators need to trust that mechanisms are in place to protect them. I can go on about this but the bottom line is that to know if something is wrong you need to establish that something is right. I believe that is why Trusted Computing is important.
CM: As you may know, Richard Stallman once rebranded Trusted Computing (TC) as “Treacherous Computing” which made a neutral set of technologies out to be a threat to open computing and/or our civil liberties. Stallman conflated Microsoft’s Palladium effort with the word of then TCPA. Ever since, TC has been dogged by the adjective “controversial.” For me, TC (including self-encrypting drives) actually protects my civil liberties by arming me, the digital citizen, with technologies that can defend my information from any intruder… including an intrusive government. But that’s just my opinion. How do you assess the intersection of Trusted Computing and civil liberties.
CM: Much noise is made by IT professionals about the difficulties of using TC, specifically going into the BIOS and having to turn on TPMs. And it must be said that there has not been the development of many applications that leverage TPMs. In your experience, is Trusted Computing too hard to implement?
CM: It’s been my contention that government MUST take the lead in adopting and recommending Trusted Computing. In this regard, I’ve been heartened by the NSA’s (more or less) full-throated endorsement of TC and by the CESG’s recommendation in favor its use. Further, as you may know, NIST 800-155 (in draft form) has recommended (or will recommend) the use of a hardware root of trust as a foundation for BIOS Integrity metrics. Still, it seems like .gov and .mil domains have been quite slow to fully adopt these open standards and technologies. In your view, what’s the state of play re: TC adoption within our government?
The cloud really refers to “off premise” services. These services are interconnected enterprise services that go beyond an organizations local physical infrastructure. This is very important to realize because it means that hardware and IT resources are still potentially under trusted controls of an organization which of course then leads to leveraging organizational standards etc.
My key point is that we can’t rely on technology alone. Technology as it is today can be overcome by the human brain. That being said, we still must put barriers in place to slow down attackers enough so that we can identify in some manner that our information is being attacked. It is the difference between having a lock on the door and adding a security system. Some people would say that adding a security system adds no value or is a waste of time. I think as we continue to build technological solutions to thwart attackers or secure the enterprise, we strongly need to consider how we can keep “a human in the loop” and have people involved in watching the various stores. As we move forward with these kinds of discussions we truly need to consider people, process, methods and finally tools which in my mind is where a lot of the Trusted Computing area currently addresses.