Blog: Cybersecurity Requires Your Input

December 3, 2009
By Henry Kenyon

The second and final day of AFCEA's SOLUTIONS Series event focusing on cyberspace demonstrated that the military and government are still perplexed by this new domain. In speeches and panel sessions, most agreed on the problems but few agreed on the solutions. In fact, many of the proposed solutions were diametrically opposed.

Rear Adm. Michael A. Brown, USN, deputy assistant secretary for cybersecurity and communications and NCS manager, DHS, described many of the activities that are now taking place to leverage DOD capabilities to protect systems used for the economy and information sharing. On the other hand, most attendees agreed that efforts such as these are too little too late, and progress on most activities of this kind is extremely slow. In the meantime, the dangers increase, and the U.S. is even less prepared to defend against cyberattacks.

Partnering with industry was a hot topic as part of the solution to cyberspace threats for many of the experts. However, even they agreed that open unfettered information sharing on cyberspace topics with the commercial sector is difficult at best because of the very nature of the information: highly classified.

Some of the experts proposed that additional policies for securing cyberspace were the solution to current issues. However, others who have been in the information technology profession for some time said that the time for policies is over. Stacks and stacks of policies already exist--and are ignored. The issue is more one of enforcement of current policies or scrapping policies altogether and boiling information down to classified or unclassified. The former would require a specific policy and stiff penalties for violations; the latter would be widely available.

While some panelists and speakers claimed that the root of the cybersecurity problem is the existence of too many networks, others pointed out that having a single network makes the U.S. even more vulnerable to devastating attacks. In addition, while some attendees and presenters put out a call to arms for speeding up cybersecurity solutions and processes, others preferred a more incremental approach to these issues to ensure the steps being taken now are appropriate and can be built upon in the future.

And while a lively discussion took place about the need for a "cyber czar" who has total awareness of the issues and ensures that cybersecurity is a priority, has adequate resources and is done properly, the idea of a single person as the head of a newly created department did not sit well with many of the attendees.

Training was another bone of contention. Everyone agreed that there is a need for additional training and that the training that now goes on needs to be monitored and not just "a check in the box." However, at the same time, most admitted that government agencies must first determine the priority of information that needs to be taught during training, and at this point these priorities vary greatly from agency to agency and service to service.

There was no shortage of opinions expressed during the discussions, and perhaps that in and of itself speaks volumes about the state of cybersecurity today. The positive aspect of the discussions that took place is that they opened the dialogue about a critical problem; the negative part may be that everyone has different views on the same problems, which makes attaining a single solution--or even a group of agreed-upon solutions--nearly impossible.

What's your solution to addressing the threats the U.S. and all nations face in cyberspace? Should there be a cybersecurity czar? Should the number of networks be decreased, for example, by making the DOD's network separate from all others and the Internet? What should be the training priorities for the services and government agencies? Are new policies needed? How should they be enforced and what should be the penalty for breaking them? Tell us. Tell the experts by contributing to the SOLUTIONS Series wiki or commenting on this article. Event attendees, take this opportunity to say what you didn't or couldn't say during the conference. And those who were not able to attend the conference, add your two cents. Now is the time because the one thing that everyone at the conference agreed about is that later may be too late.

Share Your Thoughts:

I believe that we need to figure out how to share a certain amount of the data without exposing us to security leaks. I know that when we do Cyber Security and Forensics that we need to share some of the details with the security community at large without exposing at-risk areas. The reason for this is that others may have knowledge that share commonalities that either need to know or need to share with others. So how do you "OPEN" the arena up enough to allow for a sharing of brain trust without compromising the agency or military branch? I think we need to create a larger secure group vis-a-vis Infragard where there is enough trust and relationships built that all teams feel comfortable in sharing some or all details of attacks and other challenges. For instance, we have a Cyber security team that maintains members with TS/SCI clearance which allows us to know and share most data with most agencies. But I think that we need to take it beyond that and perhaps use a DOD accepted ID such as FIXs (FIXs.org) that offers secure clearance levels for contractors so that civilians can be invited into the secure arena and be allowed to participate in helping to evolve the security practice in the FED and Military space.

Just my two cents

Great idea, Mr. Fisher, and thanks for taking the time to comment. I believe what you're talking about would be similar to the Information Assurance Technology Analysis Center (http://iac.dtic.mil/iatac/), which has been around for some time and has brought the right people together in the right place. I would encourage you to contact the IATAC with your suggestion, and pass this blog on to others to get the conversation on this very important topic going! Thanks again!

As a past participant of the excellent AFCEA Solutions Series, I commend the work that AFCEA does to put on this excellent forum. I concur with your observations and offer that it would be more aptly renamed the AFCEA Problem Identification Series.

While dialogue is always good, that is about all that has come out of the series after two full years. One problem is that there are many folks in denial about the failure of the current security model and certain others that understand that many proposals put forth in these discussions are simply unattainable for the same reason.

Why anyone thinks that there is something that can be leveraged out of DoD to private industry is confusing, since the whole point of partnering with industry in the first place is that it could move much more quickly than a behemoth bureaucracy.

The rest of the dialogue is highly circular. The root of the cybersecurity problem is not too many networks, but too many inherently insecure networks. Inherently insecure networks lack the ability to enforce policies and secure data sharing collaboration and data hand-offs without adding risk exposure, due to a lack of internal controls.

The consensus for additional training is troubling as well. Why do we need more training? The current model is failing so we had better pile on more layers. Of course, it is the additional layers of complexity that will require everyone from the janitor up to have a black belt in IT security.

I am not pointing out these observations just to be critical. I offer an alternative model in fact, on your own SOLUTIONS Series wiki. (see Trustifier Trusted Computing Base) There you will see that we bring an actual SOLUTION to the table that successfully defended against the top DoD Red Team this summer.

I would recommend to anyone who is serious about finding a solution to anything, that they start first with something that appears to work as the basis, instead of building on top of failed models.

Bravo, Mr. Lewis! It's obvious that you've given both the series and the cybersecurity problem a lot of serious thought, and you expressed your opinions well. I'm also glad that you offered a solution to cybersecurity that should be considered. Perhaps that's the real reason for this series -- to identify the problems, to foster discussion and then for participants to offer solutions either through our blog or the Solutions wiki. Thanks for doing both!
