December 31, 2014
Technology is moving too fast to keep track of everything, but there’s one overarching trend that policymakers must not miss in 2015. Call it “convergence.”
Cybersecurity is no longer its own specialized function for tech geeks to take care of off to one side while the rest of the organization gets on with the real mission. To the contrary, cybersecurity is becoming an increasingly central concern for more and more institutions, from Sony Pictures to the US Army, from Marine Corps drone units to Pentagon cloud computing contractors. Integrating the new technology into operations will require new concepts, sustained funding, and open communications between government and industry — none of which is guaranteed in 2015.
We’ve seen something like this before. Back in the 1990s, organizations dealing with data — with networks, computing, and all things digital — converged with those that dealt with communications — until then an analog business — to create a unified approach to digital communications. It wasn’t easy, but we did it. Now there are positive signs we’re rising to the challenge once again. In 2014, for example, the US Army merged its Cyber Command with the Signal Center at Fort Gordon, creating a new Cyber Center of Excellence to integrate cyber warfare, electronic warfare, and communications.
In fact, all of the military services are beginning to integrate information technology positions — chief of information operations, commander of a cyber unit, and so on — with traditional operational skills such as aviation, intelligence, or artillery, because each military branch must develop the capability to support at least defense cyber operations and, in some cases, cyber attack. Commanders know that failure to stop a cyber threat may lead to mission failure, destruction of critical infrastructure, and even loss of American lives. That means the military must seamlessly integrate cybersecurity into both training and operations.
Consider cloud computing, which grew rapidly in the military in 2014. The combination of ever-larger amounts of data and ever-smaller budgets means that reliance on cloud computing will only increase. But if your data moves to the cloud, you need constant, reliable access to that cloud to do your job — which means you need cybersecurity. The Defense Department must engage closely with cloud service providers to figure out costs, risks, and requirements so the military gets solutions that are both cost-effective and safe.
We also need new ways of looking at Unmanned Aerial Vehicles (UAVs). Long associated with Intelligence, Surveillance, and Reconnaissance (ISR), drones are being increasingly used for other purposes, for example as communications relays to extend line-of-sight radio and data links. Such an “aerial layer” can reduce the military’s dependence on expensive (and potentially vulnerable) satellites. But as UAVs become more common in the skies, we need better command and control networks to keep them and manned aircraft from colliding by accident — and those networks had better be secure against cyber attackers who might make them collide on purpose.
We already know cyber attacks can have physical effects. Consider how the Stuxnet virus caused Iranian nuclear centrifuges to spin until they broke, or how the Shamoon virus forced Saudi Aramco to replace tens of thousands of hard drives. This year, we saw cyber attacks — in conjunction with threats of physical attack — scare Sony Pictures into almost completely cancelling the distribution of The Interview to movie theaters. (Fighting cyber with cyber, however, Sony ultimately made the film available online.)
Overall, both awareness of cyber threats and defenses against them have improved. But better and broader coordination is needed between government and industry. The importance of this partnership cannot be overstated.
As early as 1961, outgoing President Dwight Eisenhower warned that industry, rather than the Defense Department, might become the driving force behind new technology with military applications. The former four-star general knew that government spending alone could not sustain scientific and technological leadership when budgets and manpower declined after the Korean War.
Budgets and manpower are declining again. As Pentagon officials from outgoing Secretary Chuck Hagel on down have said, that means shrinking research and development dollars must be carefully targeted. Better use of scarce funds, in turn, requires engagement between government and industry organizations. Otherwise, without open communications, industry may spend limited time, talent, and money developing things the military may not actually need.
Commercial off-the-shelf technology will work well for some missions. But the military has unique needs — for instance, in cybersecurity — that require specific solutions. Keeping the defense industrial base strong enough to produce those solutions requires Congress to stabilize the budget.
Mike Warlick, vice president of defense operations for AFCEA International, oversees AFCEA’s defense engagement through events, AFCEA’s Defense Committee and AFCEA operations.
Government officials, academia, business leaders, policy wonks and security experts have been mulling over how to implement an effective cybersecurity strategy for years. Being in a domain that is incredibly dynamic, loosely defined and operating in a constantly shifting environment does not mean that the quest for a solution must be interminable. The adoption of thoughtful, well-crafted cybersecurity policy must quickly move from theory to practice—now. And, this move must be holistic.
The first and most significant obstacle to establishing this holistic approach is to develop and foster a culture that understands the concepts, issues and dangers inherent in failing to appropriately address the cyberthreat. This culture encompasses an understanding of the trade-offs between mission success—whether military, government or commercial—the value of investments in cybersecurity and the full value of the loss of intellectual capital to cyber events, as well as appropriately establishing and managing acceptable levels of risk. A properly inculcated culture drives all other cyber-related efforts. Until cyber is viewed, integrated and understood in the same regard as the air, maritime, space and land domains, it will fall short of achieving the emphasis it requires. Cyber and cyber-related activities exponentially raise the level of value and effectiveness of capabilities operating in the other domains.
Second, the major parties involved—the Defense Department, the Department of Homeland Security, civilian federal government, the intelligence community, industry and academia, for example—must accelerate the integration of their cybersecurity capabilities, understanding and knowledge. They need to establish an integrated approach to cybersecurity based on their collective best practices. For too long, these entities have pursued separate agendas without effectively melding together their total combined expertise. Their walls of mistrust must be eliminated. While various efforts have been made to share lessons learned, each respective group still tends to focus on its own needs and capabilities. There is a continued need for greater emphasis on a consolidated approach whereby the combined intellect and thought leadership can be integrated and united inside government and extended to the commercial sector and academia. While important, too much credit is attached to the steps that have been taken thus far.
Third, education is a key element to foster the appropriate culture. We must do a better job of educating and developing leadership across the defense government, industry, academia and the public at large to the full nature of the cyberthreat we are facing. Efforts such as the Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Program are confronting this issue, but its scope and focus are addressing too small of an audience to maximize its value. We need to expand the number of commercial and nongovernmental organizations that are brought into the cybersecurity process as well as the quality and quantity of information that is shared across these diverse elements. The reward of expanding the sharing of information outweighs the risk if properly managed. If leaders across industry, government and academia are not sufficiently educated about the threat, then they are not likely to expend the effort and the resources that are needed to meet the challenge. We need to double down on educating our senior leaders and decision makers across all domains about the cyberthreat we face.
Risk management is at the heart of any cybersecurity strategy. There is no silver bullet looming to prevent or defend against cyber attacks, so we must be able to manage the risk. An effective risk management strategy must focus on the critical mission needs of an organization and the ability to protect that mission against interruption. A definition of risk management, highlighted in 2010’s National Research Council study titled “Information Assurance for Network-Centric Naval Forces,” is that “Risk is measured by the consequences of things that go wrong and the corresponding likelihoods of occurrence. When consequences can be extreme, the likelihood of occurrence needs to be virtually eliminated. A rigorous mission risk analysis of information assurance issues is likely to lead to a better understood and more rational set of investment and system design priorities.” The more critical the mission, the closer to zero that likelihood of occurrence must be driven.
The critical and key mission architecture, rather than enterprise architecture, should be the focus for cybersecurity efforts. The network, its systems and its applications must be managed through a strong configuration management/configuration control process. Aircraft configuration changes and upgrades are managed through a structured block upgrade process. Ships adhere to a similar level of process and discipline when doing alterations and upgrades. Why not networks, systems and applications? It should not be a tedious bureaucracy, however. This would ensure that finite resources are allocated for the most highly prioritized use and that security and mission resilience are considered in design. This requires providing a high level of systems engineering to accommodate growth and security—a level of engineering that is fast becoming a lost skill.
This recommendation focuses on the military, but these activities must extend throughout all government, industry and academia. Under the holistic approach, cyberthreat information sharing across the disciplines must be emphasized. In particular, we need to understand the operational tradeoffs between the risk of failing to share information versus the risk of sharing it and having it disclosed to inappropriate or unauthorized parties.
Threats to cyberspace can come from multiple vectors. A fragmented approach to cybersecurity unnecessarily opens up gaps and seams in our overall security posture that invite exploitation. A smart holistic approach is necessary, and it must begin now.
DISA Targeted to Tackle Network Defense Role
December 1, 2014
By George I. Seffers
The U.S. Defense Department integrates cyber operations and defense.
The U.S. Defense Information Systems Agency is being tasked with an operational role in the cyber domain, namely network defense. The new role creates a formal relationship between the agency, U.S. Cyber Command and the military services; integrates network operations and defense; and should ultimately improve security.
Adm. Michael Rogers, USN, who leads both the U.S. Cyber Command and the National Security Agency, began promoting the plan months ago. The Defense Information Systems Agency (DISA) primarily has been a technical and acquisition organization, but it also operates segments of the department’s network infrastructure. “We need to integrate operations of the networks and our defensive workforce into one team. You are more effective in both operating a network and defending a network when you do it with one integrated approach,” Adm. Rogers says. He adds that network operation skills and network defense skills enhance each other.
“As a result of that, we decided we needed to create a relationship between U.S. Cyber Command and DISA,” he explains.
The various players have been hammering out an agreement for months to define exactly how that relationship will work. Those players include Terry Halvorsen, the Defense Department’s acting chief information officer, and Lt. Gen. Ronnie Hawkins, USAF, DISA director. “I’ve been working with DISA, the services, the combatant commanders and the department, particularly the chief information officer,” Adm. Rogers reports. “I’ve sat with Gen. Hawkins and said what we need to do is create an operational construct that creates a direct linkage between U.S. Cyber Command, DISA and the U.S. Cyber Command service components.”
The agreement will create a Joint Force Headquarters for Department of Defense Information Networks, which will be referred to as JFHQ-DoDIN. “That is a function that we will assign to DISA to execute, and then we’ll partner as we move forward. And DISA in turn will have a command relationship with our service components. Part of the challenge is that our networks are largely constructed along service lines. Every service runs its own network,” he says.
Speaking at DISA’s Forecast to Industry Day, Fort Meade, Maryland, in August, Mark Orndorff, the agency’s program executive officer for mission assurance, said the reorganization aims to centralize defense policies and shore up vulnerable “seams in the defense approach that don’t make any sense from a cyberdefense perspective.” He added that the seams provide adversaries an opportunity to walk through undetected.
“The plan is not to say DISA is going to take over,” Orndorff said at the event. “I think it’s more that DISA will be working with the services, providing the infrastructure to enable each of us to more effectively do our own cyber responsibilities.”
The inherent inefficiencies in the current arrangement have bothered Adm. Rogers for a long time, he indicates. “In my previous life, where I was the Navy’s Fleet Cyber Command commander, I was responsible for my service’s networks. And I never understood why every service pays to operate and maintain a global network backbone. Why don’t we have one integrated global backbone, and then each service focuses on the connections between that global backbone and their tactical users? Why are we spending manpower, time, effort and money to replicate capability across four services? It makes no sense to me. And quite frankly, when I look at the future, I don’t think it’s a financial model that we can sustain,” he contends.
The Joint Information Environment (JIE) is a critical part of the future vision. “Our operational vision, a global joint backbone, does not reflect the reality of the network structure today. That’s why JIE, to me, is so important. That’s the path we will use to achieve that global joint backbone that’s common across all the services and across all the geographic regions and the combatant commanders,” the admiral states.
He reports that key players are on board with the plan, but the shift will not necessarily be easy. “Clearly, there are challenges. We’ve got to change the network construct to achieve the operational vision for the future. Any time you change something as significant as the network backbone of the department, you’re talking about challenges in money, you’re talking about challenges in design and architecture, and perhaps most important of all, you’re talking about changes in culture,” he acknowledges. “I see great buy-in from DISA; I see great buy-in from the services; I see great buy-in from the department’s leadership. It just all takes more time than you would like.”
During the DISA industry forecast, Gen. Hawkins also acknowledged that the reorganization will not be quick. “Any organization that has gone through this dramatic of a change, it takes time, and we understand that,” Gen. Hawkins said at the event. “We believe we are on the right track in getting this done. We know we’ll have some bumps in the road, and we’ll fix that.”
The admiral envisions a cyberforce on par with other warfighters. “We’ve done a good job of articulating our force structure needs and the broad operational vision that we need to execute in order to maximize the effectiveness of those capabilities that we’re creating. I want to generate that capability and bring it to a level where it’s every bit as trained and ready as any carrier strike group that’s over in the Central Command area of responsibility, as any brigade combat team on the ground in Afghanistan,” he asserts.
Making that vision a reality requires greater network situational awareness than the department currently possesses. “I’d like to make sure we have the tools in place to really have true situational awareness of just what is going on in our networks,” Adm. Rogers says.
He explains that it is difficult to defend something that cannot be visualized. “As an operational commander, I am used to walking into a command center, looking at a visual depiction that—through symbology, color and geography—enables me to very quickly come to a sense of what’s happening in this space and what decisions that I as a commander need to be making. We are not there yet in the cyber arena.” And getting there is essential to providing the speed, flexibility and mission effectiveness needed, he adds.
Simply defining what knowledge is critical for cyberwarriors presents a challenge. “We’ve got to create a system that you can tailor to the needs of the commander because it’s not just about U.S. Cyber Command having situational awareness of what is going on within the network domain. It is about the department and its subordinate elements having awareness of what’s going on,” Adm. Rogers says.
Maj. Gen. Alan Lynn, USA, DISA vice director, told the industry day audience that the individual services can aid departmentwide situational awareness by sharing data feeds on attacks. “Let’s say they have attack vectors coming toward them. They all can see those individually. Where we have greater impact is if we could see the total picture of the attack so that we can do the large data analytics. If we have an attack on one, we would already know, especially with something new,” Gen. Lynn said at the DISA event. “We’d know what that was so we could spread the word to all of the other services.”
The military services are working on cyber situational awareness solutions, as is the Defense Advanced Research Projects Agency (DARPA) with its Plan X program, Adm. Rogers notes. Plan X seeks to build an end-to-end system that enables the military to understand, plan and manage cyberwarfare in real-time, large-scale and dynamic network environments.
“I’m interested in something in cyber that is very consistent with the approach we’ve used in the other domains because one of our concerns—in Cyber Command, in particular—has been to come up with methodologies that complement what is going on in the other warfighting environments out there,” Adm. Rogers says. “We cannot sit here and tell ourselves that cyber is so special, so different, so unique that everything we do has got to be different.”
Cyber has its differences—no geographical boundaries, for example—but it also has many of the same traditional elements as other domains, he explains, suggesting the network defense forces need to “maximize the ability to use terminology, tactics, techniques and procedures that are understood by others,” and then ask what they need that is different. Like other warfighters, network warriors need to know if a particular action has succeeded, and if not, what the next set of actions needs to be, he offers.
Adm. Rogers compares the importance of the cyber mission in future wars to logistics. “I think one of the experiences that we’re going to see in the 21st century is, as an operational commander, regardless of your mission, you need to have a sense of what is going on in your networks, where you’re taking risks and the impact of that network structure and its activities on your ability to execute your mission,” he says. “To me, cyber is very, very foundational to the future.”
Sandra Jontz, director of content development and executive editor, contributed to this report.
Commercial leaders press for a presidential cyber advisory committee to spur national dialogue between industry and the government.
The private and financial sectors are pressing for better governmental answers to the costly cybersecurity challenges still plaguing the nation. They want the White House to create, as a minimum first step, an interagency or oversight group to facilitate information sharing. This small step is seen as a critical link between industry and government to organizing the fragmented cybersecurity efforts needed to quash mounting attacks.
While federal efforts abound, they are coordinated haphazardly, with gaps and no overarching governance—in spite of a preponderance of existing documents, plans, regulations and actions, according to experts.
A year has passed since the breach of Target Corporation’s information security in which hackers stole 40 million credit and debit card numbers, and yet no national coordinated clearinghouse exists for the formal sharing of information and lessons learned that might mitigate future attacks. A spate of high-profile data breaches has hit big retailers and financial institutions, but cybersecurity in the United States remains a lax patchwork of ill-defined rules and dubious regulations.
But this is not for a lack of trying, some experts say. For years, officials as high as the president of the United States designated cybersecurity as one of the most serious economic and national security challenges—even though, of the 21 top issues listed on the whitehouse.gov home page in October, cybersecurity ironically is not among them.
The nation might have gotten close to a solution with the interim National Cyber Incident Response Plan (NCIRP), drafted in 2010 and developed according to the principles outlined in the National Response Framework. “The NCIRP is designed in full alignment with these initiatives to ensure that federal cyber incident response policies facilitate the rapid national coordination needed to defend against the full spectrum of threats,” the document reads. “The NCIRP focuses on improving the human and organizational responses to cyber incidents, while parallel efforts focus on enhancing the community’s technological capabilities.”
Framers intended the NCIRP to be the federal strategic document, supplemented by playbooks of tactical and operational details, to address varying cyber incidents. It had a dual purpose: to establish the strategic framework for organizational roles, responsibilities and actions; and to set up protocols for leaders to prepare for, respond to and coordinate recovery from a cyber incident. But its implementation fizzled. The Department of Homeland Security (DHS) established National Level Exercise 2012 (NLE 2012) in accordance with the National Exercise Program to serve as the nation’s comprehensive exercise program for planning, organizing, conducting and evaluating national-level exercises, to include incorporating the National Response Framework Cyber Incident Annex and NCIRP.
Other documents and reports exist to serve as foundations for an otherwise seemingly daunting governmental task of fortifying cyber vulnerabilities. In 2009, for example, the president released the Cyberspace Policy Review, calling for a 60-day comprehensive review of U.S. policies and structures for cybersecurity and introducing a 10-point, near-term action plan. Some of the suggestions were realized, such as the creation of a national public awareness and education plan.
October is National Cyber Security Awareness Month. However, people might not know it by looking at federal websites, some of which failed to even mention the campaign during the designated month. A sampling in mid-October showed no prominently displayed mention of the awareness strategy on websites for the Defense Department, Department of Veterans Affairs, the U.S. House of Representatives, the U.S. Senate, Bureau of Alcohol, Tobacco, Firearms and Explosives, the U.S. Capitol Police, the Centers for Disease Control and Prevention (in spite of the Ebola scare that drove people to the site for information), the CIA, the U.S. Coast Guard, the Defense Finance and Accounting Service or the Defense Intelligence Agency, to name a few.
The National Security Telecommunications Advisory Committee’s (NSTAC’s) 2011 Report to the President on Communications Resiliency called for accelerated efforts for the DHS’s National Cybersecurity and Communications Integration Center (NCCIC) mission to be fully operational by 2015. A 2009 NSTAC cybersecurity collaboration report outlines steps for the government—in partnership with industry—to create a joint, integrated, public-private cyber incident detection, mitigation and response operational capability. The agency called for increasing private sector fusion, for example, into the NCCIC. Additionally, the DHS has spent millions of dollars to host the Cyber Storm biennial exercise series—four of them so far—in an effort to provide the framework for the most extensive government-sponsored cybersecurity exercise of its kind. Little information sharing, details of gaps and vulnerabilities and best practices to shore up weaknesses have come from the exercises, experts say.
“A lot of work was put into developing cyber exercises. The whole reason we do exercises is to identify gaps,” says industry expert Bob Dix, vice president of global government affairs and public policy at Juniper Networks. “We’re supposed to develop improvement plans, a plan of action and milestones for how to address those gaps, and then we’re supposed to test them the next time around to see if we have gotten any better. We haven’t done any of that. With four exercises, we’ve spent tens of millions of taxpayer dollars on them; why don’t we have a sustained and comprehensive national educational and awareness campaign to teach people how to better protect themselves in cyberspace?”
What is lacking, say some, is a robust information-sharing plan between the private sector and government, spurring businesses and the financial industry, to include the Securities Industry and Financial Markets Association that represents big firms on Wall Street, to push for establishment of an interagency or a nonprofit oversight committee of government and industry representatives.
“This new age of cybercrime has ushered in with it a need for companies to work with various arms of the government that are involved in investigating cybercrime, protecting critical infrastructure or regulating data security practices,” Kimberly Peretti, a partner at Alston & Bird and co-chair of the law firm’s security incident management and response team, writes in the Bureau of National Affairs Incorporated’s Privacy and Security Law Report. “The cyberthreat has not abated, and … the need for established methods of direct government-to-private sector and private-sector-to-government sharing has been highlighted.”
Fear stymies some of the information sharing in the private sector—fear of sharing proprietary details or personnel data, and fear of prosecution should federal officials deem the sharing could violate antitrust laws. Legal experts often caution their clients against sharing because no clear guidelines govern information sharing.
Some of the onus for easing legal restrictions could fall on Congress, contends the Heritage Foundation. “Given that cybersecurity threats are very real and costly and that voluntary information sharing is an inexpensive and privacy-enhancing way of staving off these threats, Congress should consider ways to facilitate sharing,” foundation writers state. Lawmakers could update ambiguities in outdated communications laws, the writers add, specifically the Wiretap Act and the Stored Communications Act, written in 1986 to deal with telephone privacy protection issues, which seem to prohibit sharing of cybersecurity information. Liability protections could encourage companies to share rather than fear lawsuits if damages result from shared information. And shared information should be protected from public release under the Freedom of Information Act.
A U.S. congressional bill might address the issues. The Senate version of the Cybersecurity Information Sharing Act of 2014, approved by the Senate Intelligence Committee in July, seeks to expand information shared about cybersecurity threats and defensive mechanisms between the government and industry. Language in the legislation includes a call for increased sharing of classified and unclassified cyberthreat information, authorizing the voluntary sharing of cyberthreat information by individuals and companies with each other and the government while safeguarding personally identifying information; enacting liability protections for individuals and companies that appropriately monitor and safeguard their own networks; and limiting the government’s ability to use information it receives for cyber-related purposes, not for inappropriate investigations or regulation.
An additional blueprint exists that could aid officials in drafting rules for information sharing. The Three Mile Island nuclear accident in 1979, the worst in U.S. commercial nuclear power plant history, highlighted failures of existing organizations and governance. Yet, after-action reports netted rapid, revolutionary and sweeping changes within the nuclear industry, to include the establishment of effective nationwide information sharing and governance processes. In 2013, President Barack Obama issued an executive order to improve cybersecurity of the nation’s critical infrastructure, which also stressed improved information sharing.
Past efforts have not made it easier or more welcoming for industry to voluntarily share its own intelligence. “We need to allow for a more healthy environment and a safe haven, so to speak, to bring those communities of interest together to be able to take information sharing to the level of actionable sharing versus just sharing of potential post-event data,” says William F. Pelgrin, CEO and president of the Center for Internet Security.
While industry might clamor for better cybersecurity dialogue, businesses are hesitant to relinquish control, particularly to the government. “The Obama administration was trying, a few years back, to come out with a cybersecurity bill that actually had some teeth in it,” said Sanford “Sandy” Reback, senior technology analyst for Bloomberg Government, at a Fairfax County Chamber of Commerce cybersecurity forum for small businesses. “And it didn’t make it through Congress because most of the business sectors said, ‘We don’t want you, the government, telling us what we need to do to protect our own systems,’—in many instances, for very good reasons,” Reback continued. “They think they’re on the front lines. They understand the technology. Things are changing very quickly. The government is not in a good position to [adapt to the changes.] That’s one of the main reasons we’re in this situation where it’s a voluntary framework kind of supplemented by this patchwork quilt … of different laws.”
“We’ve done a great job on awareness,” adds expert John Gilligan, president and chief operating officer of Schafer Corp. “You can’t go a day without hearing about cyber-security issues. But we haven’t changed behavior yet. How do we change behavior in a positive way?”
Protecting Soldier Networks From Threats, Inside or Outside
NIE efforts in the laboratory and in the field will bring better, more secure cyber capabilities to bear.
A tactical operations center monitors an NIE. Securing cyber capabilities, starting in the laboratory then extending to the field, is a priority for the U.S. Army.
Cyber is becoming more critical in battle every day, and the U.S. Army is adjusting its Network Integration Evaluation to reflect that reality. The service branch is introducing new digital features to the training event from the laboratory to the field.
During the most recent evaluation, which occurred in October and November, several cyber features made their debut. For the first time, the Army Research Laboratory Survivability/Lethality Analysis Directorate (ARL/SLAD) became part of the lab-based risk-reduction efforts in the lead-up to the hands-on portion of the event. That work is helping to find, at an earlier stage, vulnerabilities that previously would have been discovered during the field portion of the Network Integration Evaluation (NIE) so experts can resolve any issues before giving the technologies to soldiers. “Is it going to find everything? No, no lab test is ever going to find everything, but I think it is allowing us to move the ball down the road from the perspective of being more proactive to find these issues,” says Jennifer Zbozny, chief engineer for the Program Executive Office for Command, Control and Communications-Tactical (PEO C3T).
The lab-based risk reduction that took place before NIE 15.1 is one of the biggest pushes to do more cybersecurity work in the evaluations. By moving assessments into the laboratory, soldiers save time on the ground. It also helps ensure that updates are loaded before the fieldwork and that mitigation measures are in place when necessary.
Matt McVey, lab-based risk reduction configuration management and operations lead, System of Systems Engineering and Integration (SoSE&I) Directorate, explains that not only does his organization provide the capability for units to test individual systems, but in the laboratory the units also have the opportunity to connect into the system of systems environment. This opportunity allows users to identify vulnerabilities and access points they might have missed when developing in a vacuum.
Also new for NIE 15.1 was a draconian approach to ensuring passwords are changed and that units really control them. Many of the systems in the evaluations come with default passwords when delivered. These need to be changed to specific passwords that users memorize. “I think that alone is going to help in terms of some of the threats we’ve seen before,” Zbozny says. “Passwords get out, and somebody gets into the network.” Troops might not have passwords at NIE, but they have connectivity, so once they obtain a password, they are in the network. Officials hope these fixes make the network more robust and secure.
The dangers of near threats have made headlines in recent years, and cybersecurity professionals often cite users as their biggest concerns. If people get their hands on passwords, they are one step closer to looking around on the network. Zbozny says misuse by authorized personnel is not her team’s biggest concern. Systems primarily run on the secret Internet protocol router network, which already has controls in place. However, dangers from inside as well as outside remain, so the Army is improving its user training.
In previous NIEs, leaders have seen passwords written on paper and posted inside vehicles, where anyone can see them. These leaders are trying to instill the discipline to maintain control of passwords at all times. Lt. Col. Carlos Wiley, USA, integration and execution division chief for SoSE&I, explains that soldiers from the 2nd Brigade Combat Team, 1st Armored Division, are made aware of the vulnerabilities in security as part of their NIE training. “Technically, we can find all the faults, but if the unit and the soldier are not tracking it, then the [red team] can get in,” Col. Wiley says.
Two blue teams took part in the NIE Validation exercise, and ARL/SLAD performed an analysis of them on WIN-T Increment 2 while the 1st Information Operations Command did an operational assessment of their work on all facets not connected to that network increment. “We must ensure from a holistic approach that the entire network is hardened,” the colonel explains.
PEO C3T now is working on a cyber road map that will lay out known vulnerabilities, describe how the organization expects to fix them and address bigger picture measures of additional network security. Officials want operations to be easier, not more difficult, for soldiers, so a major thrust of the effort is to refrain from adding complication to the network. With two-factor authentication, for example, experts say they can obtain the same security benefits without using a token-based method. Zbozny further explains that “down the line, we’re looking at things like biometrics. We would like to get to the point where really we just use some type of biometric signal. It’s different in the tactical world.” In the field, considerations must be made for items such as gloves, which make fingerprinting problematic. Authentication requires customization to the battlefield, so PEO C3T is working with the Army’s Communications-Electronics Research, Development and Engineering Center to examine developmental capabilities for tactical biometrics that will replace current capabilities. While those technologies were not ready for NIE 15.1, pilots for two-factor authentication functions could occur next spring in 15.2.
Most of the cyber road map is classified, but officials can discuss the Intelligence Community Information Technology Enterprise (ICITE). Zbozny says it may “very well change how we do business from a data perspective.” This unified data capability was developed by the National Security Agency, spans many agencies and provides support to the Defense Department (SIGNAL Magazine, October 2013, “Information Sharing ...). “The bottom line is it’s going to bring what I call ‘hardening’ of our data on our network to make it impenetrable,” she states. “I hesitate to say anything is ever impenetrable, but that’s the intent. That really does change the landscape.”
ICITE would alter focus from people entering the network to what they could damage. By locking down that data, ICITE reduces the potential harm intruders can inflict. Work on that took place in NIE 15.1, and depending on the assessment of its value, it may become part of the data dissemination strategy for the Command Post Computing Environment.
Fiscal year 2015 is expected to be active for PEO C3T in terms of trying to enhance its security patching capability. Zbozny says personnel need to patch faster and respond quicker to vulnerabilities. They also need to reach a point where all their systems have the ability to pull patches off a secure portal and automatically download them rather than requiring a disk or other medium. “I don’t know that we’re going to get that all done for every system in PEO C3T in [fiscal year] ’15, but certainly the intent is to make a lot of progress down that path,” she explains. Today’s mission command systems can respond quickly and download patches. The focus is to move the rest of the systems to that same status.
A push for more cyber in the NIE is not necessarily new. Zbozny says the effort is how mission command reached its present point. However, the networking of forces is becoming increasingly important in the tactical world as well as for drawing services from enterprise networks. A vulnerability on one system is a risk for everyone, and as the Army continues to build out bigger networks, cybersecurity becomes a bigger issue for everyone. Industry has to deal with many of the same considerations. Before those NIE partners can enter the laboratory, they need to understand the information assurance requirements and their vulnerabilities. If they have vulnerabilities, the Army prohibits them from network access. Col. Wiley says “that’s where risk reduction comes in as well.”
PEO C3T is looking to bring industry in on many parts of the Simplified Tactical Army Reliable Network, or STARNet, the middle phase of its Network Modernization Roadmap. Cyber is an area it definitely wants to enhance. To accomplish the task, the program office collaborates with science and technology (S&T) partners to ensure development against gaps, thus spending Army money wisely. It looks to industry to fill other gaps that come from outside the S&T community. In November, officials held a briefing for industry that laid those out as well as needs outside of cyber. Zbozny says more events will be held in the future.
Another move underway to improve cybersecurity is certified ethical hacker training. A mobile team visited Aberdeen Proving Ground, where PEO C3T is based, and asked for the community to provide the training course last year. It helped students learn about threats and the latest techniques hackers are using as well as how to apply that knowledge to efforts such as the NIE. That way, experts can identify and react to risks better.
Col. Wiley likens that training to wargaming: It helps troops know their enemy. “The course lays out what all the known threats are, and it’s constantly updated,” he says. “That gives us a better understanding on who’s going to try to get in the network and what procedures they will be using to try to get in the network, so we can recognize them.” Soldiers on the ground see degradation in performance but might not know the origin of the problem. Rather than a system issue, the problem might be a result of a hacking attempt. Having troops more involved in the security process helps them understand attacks and how to recognize signs of one.
- See more at: http://www.afcea.org/content/?q=node/13735#sthash.k01fCW5v.dpuf