At the Frontline: Fairfax County CISO Michael Dent

Securing enterprise-wide computer networks is one of the most important and daunting challenges faced by modern day security managers. The task can be made even more difficult in the public sector, which has limited resources in many cases and has to secure a treasure trove of data and systems from hackers.

The threats from cyberspace are numerous. Last month, a hacker who said he just wanted to prove a point about how vulnerable the country’s critical infrastructure facilities were to cyber-attack posted diagrams of the sewer system in Houston, Texas, online. In retaliation for what it felt were unjustified arrests of Occupy Boston demonstrators, the hacktivist group known as "Anonymous" in October obtained and released the email passwords and user names of 1,000 Boston police officers.

In this "At the Frontline" interview, Michael Dent, chief information security officer for Fairfax County, Va., discusses the challenges involved with securing computer networks in the public sector and shares his thoughts on the cyber security landscape.

With the regularity that city and county governments are experiencing data breaches these days, what are some of the biggest challenges you face in securing Fairfax County’s computer networks?

The biggest challenge that we have right now is probably managing our mobile devices. There are so many different kinds that are out there. The technology is so much easier now for users to be able to bring in their own personal devices and hook them to our network or try to gain access to things like our exchange systems using active sync. That’s probably the biggest risk that we have now.

Given the budget constraints that local governments are under across the country, how have you been able to provide the security measures that are required to keep sensitive information in Fairfax County safe?

I find the best way to start that, for people in our position like CISOs, is you’ve got to understand the business that you are protecting and the malicious activity that goes on out there. We build security around the different businesses that we have such as HIPPA and PCI. We’ve done a pretty good job, I think, of getting to know the businesses out there and bringing them in and finding out what they’re requirements are for both day-to-day operations, all the way to the law that governs over their business.

How big of a threat have these so-called "hacktivist" groups like Anonymous become to local CISOs like yourself and how do you prevent them from breaking into your network?

I am firm believer of defense in depth. We have built a very robust architecture and we utilize the safe blueprint… in that we’ve segmented out our network, according to the business and according to the needs. We’ve got multi-faceted DMZs (demilitarized zones) that are out on our perimeter… and we’ve segmented off. Being a local government, we have to provide for our public libraries, our parks and recreation facilities, the teen centers and things like that, so we’ve been able to segment that Internet traffic away from our business traffic. For instance, most of our HIPPA data is all protected via an internal DMZ that we’ve built special security around. Anything that deals from a PCI standpoint, we’ve built a specific DMZ that protects it. There’s multiple layers that any of these groups that are out there, if they want to get to it, they would have to get through multiple layers. There are millions of attacks against our website daily. We see them, we know what they are and if anyone is successful past the first layer, by the time they are at the second layer we’ve got alarms and mitigation points in place that will let us know and then we can defend even more.

How much of a challenge is it to get government officials to realize the cyber security dangers that they face and how do you get them to "buy-in" to investing in network security technology?

We have an IT steering committee, which consists of our county executive, the management and budget folks, of course our chief of IT and some of the other county exec deputies that he has that deal with the other businesses. I give them a monthly briefing. They get to see the number of attacks. We brief on everything from external attacks to the Internet use of our employees so they see what’s going on and if there are any trends. I can pretty much graph that out for them at their level so they see. And then, based on business needs as well, if we have a business that is going to have data that is sensitive to a certain degree, then I would brief them on what that means and what costs are going to be associated with protecting that data.

What kinds of security technologies and procedures do you utilize to keep county workers protected on the network?

We use Internet filters that protect them from themselves and the sites they try to go to. We use intrusion detection systems, intrusion prevention systems and firewalls. A lot of the new technologies and applications coming out have application firewalls. To me, one way to really get the employees to understand is to have a good awareness program. We have had an annual security awareness day up until this year. We’re deploying an online security awareness program that the users will be required to take by policy annually.

With all the cyber security threats that local governments are up against, how can they adequately prepare and prevent network intrusions without the proper funding?

A lot of it stems on making sure that you’re knowledgeable about what’s going on in the world. That’s a huge part of it, especially for the people in our position. If you’re not aware of what’s going on, you don’t have any way of identifying the countermeasures that you can put in place. Having a budget is always the best thing in the world, but the first and foremost for me would be the awareness of your employees because they’re going to be your first line of defense when they’re using your systems. And then two, working with your businesses to ensure they understand the data they have and knowing what level they need to protect to it, trying to get investment into securing those before they’re data is available or out there for use is a big thing that we stress now. While we centralize security, we also try to emphasize to the businesses that it is their data, we are the stewards of their data, but as the data owners they have an obligation to invest as well in protecting their data and not just leaving it up to the IT shop or security shop to do it.

What kind of landscape do you see as it relates to network security on a local government level in the future? Do you see the same hazards that the DHS feels may be headed out way in terms of hackers breaking into utilities and other critical infrastructure if stronger measures aren’t implemented?

If stronger measures aren’t taken and people in our positions don’t take it a little bit more seriously, it’s going to affect the nation as a whole. While we’re Fairfax County and we do most of our infrastructure for wastewater treatment to the electric grids and all, we have an obligation to our partners that are around us here in the national capital region. We have an ability to communicate in our jurisdiction and I have to be able to trust my partner jurisdictions that they’re doing what they’re supposed to. We do a lot of check and balance on that by using a central policy on that network we use for that that we all agree to and we all stand with and we follow. If I were to feel there was vulnerability on my side, I’m duty-bound and obligated to let my partners know. I expect the same from the partner jurisdictions that we have. If I were to let the wastewater treatment plant we have here Fairfax County be hacked or attacked, the possibility of what could happen to I-95, which would affect the East Coast up and down, I don’t even want to think about what could happen. With that said, we’ve taken extreme measures to protect that infrastructure. We almost treat it separately or individually from all others.