Pages

11 December 2014

What is on the Pentagon Cyber Chief’s Holiday Shopping List?

December 4, 2014 

 

Forget the Internet of Things. The Defense Department has to deal with an Internet of stuff -- helmets, heaters, prosthetics and every other piece of military equipment that is becoming computerized.

On Thursday evening, in front of cyber purveyors, DOD Chief Information Security Officer Richard Hale rattled off technologies he wants to help secure the stuff, the cloud and computer settings. 

1. Antivirus for Elevators

"DOD has a lot of stuff," Hale said at a forum hosted by the Security Innovation Network, a public-private initiative to advance the cyber field. For all the convenience the Internet of Things promises, it is a security problem.

"Fighter planes, ships, medical devices, whatever -- elevators -- all have computers in them," he said. "So they all are attackable."

Hale said he would like some support securing “embedded computing.”

According to the 2014 PricewaterhouseCoopers U.S. State of Cybercrime Survey, all Americans could use this sort of help.

An "evolving area of risk lies in physical objects—industrial components, automobiles, home automation products, and consumer devices, to name a few—that are being integrated into the information network. . . The interconnection of billions of devices with IT and operational systems will introduce a new world of security risks for businesses, consumers, and governments," the report stated.

2. Telepathic Clouds

"I’m always nervous about handing stuff over to other people," Hale said of the potential hazards associated with letting Web services providers handle DOD data. The military is short on technologies that can "do collaborative attack detection, diagnosis and reaction” to address the risk of compromises.

When an adversary strikes the cloud, multiple organizations in multiple locations -- such as the Defense Information Systems Agency or Cyber Command, the victim and the Web services provider -- must respond in unison.

“How do we all work together very quickly to keep that mission on track or protect that data?" Hale asked.

Hale might want to purchase a couple of items on the Department of Homeland Security's wish list, specifically technologies that would roboticize information sharing and problem solving. At the same event, Peter Fonash, DHS' chief technology officer for the Office of Cybersecurity and Communications, said he would like to put emergency response and decision-making on autopilot.

Machines would strategize against the adversary in "cyber real-time,” he said. Today, cyber response personnel sometimes automatically receive alerts from network sensors, but the kill chain slows down at that point. An analyst needs time to make sense of the sensor data. And then, another person has to decide whether to take action.

"By the time we’ve done all those things, the adversary is already well embedded, has maybe stolen a lot of information," Fonash said. "So we need to get to automated decision-making, taking automated courses of action."

The second item on Fonash's list: instant exchanges of threat tips that are machine readable and comprehensible to humans.

"We need to get to the point where we can share information on an automated basis and that we understand both the syntax and the semantics of the information that we’re sharing,” he said.

3. Fewer Computer Settings

Defense must be able to "maneuver" in response to a cyberattack, by "tinkering with the settings of complicated pieces of equipment,” Hale said. The firewalls alone in the department have hundreds of thousands of policy rules. It would be nice to have technology that can supervise policy settings across the department's networks, he said.

“What’s going to happen when I make these policy changes that I think are going to help contain or drive out bad guys?” Hale questioned. “No human being can understand this. . . there is no way any human analyst has a prayer of taking all of those thousands of settings, multiplied by thousands of settings and making sense of them.

No comments:

Post a Comment