Defense Department Reworking Cyber Strategy
Cyber Symposium 2013 Online Show Daily, Day 1
Maj. Gen. John Davis, USA, senior military advisor for cyber to the U.S. undersecretary of defense for policy, set the tone at the 2013 AFCEA International Cyber Symposium, Baltimore, when he told the crowd that his position—which was just approved last August—indicates how seriously senior leaders view the cyber arena.
Speakers across the spectrum highlighted the U.S. government’s growing dependence on computer networks and the need to keep those systems secure, even though the vast majority of systems are owned by the private sector. They also emphasized the growing, ever-evolving threat and offered a number of solutions to help tackle the issue.
“In an environment of reduced resources, that the department thought it was worth it to put a general officer in the Office of the Secretary of Defense for Policy is an indication how serious senior department leaders are taking this particular subject,” Gen. Davis stated. He quoted a number of high-level officials, including Defense Secretary Leon Panetta and his successor Chuck Hagel, both of whom have repeatedly warned of the potential dangers of the cyber threat. “Senior leaders in the department and beyond the department understand that cyber is a problem and cyber is important. They’ve made cyber a priority, and there’s a sense of urgency,” he said.
The general launched an in-depth discussion of the Defense Department’s strategy for operating in cyberspace, which he indicated is already outdated. The “thin” little document has been guiding the department for two years. And it’s two years old. “What’s two years in cyber years? They’re kinda like dog years. This is like 20 years old as fast as the cyber domain evolves and changes,” he said. “So, as you might imagine, we are already working on the next version of this and what it will do to drive the department forward for the next several years.”
While the department already has accomplished a great deal, Gen. Davis indicated, a lot still needs to be done. He outlined three cyber missions and three types of cyber forces to conduct those missions. “National mission forces will be prepared to counter adversary cyberattacks on our country, a second larger set of combat mission forces will be prepared to support combatant commanders as they execute military missions integrating cyber capabilities and effects into their military contingency plans and operations alongside traditional capabilities and effects. And still other cyber protection forces, which are the largest set, will operate and defend the networks that support military operations worldwide,” he said.
He also outlined an initiative to “employ new defense operating concepts to protect department networks and systems.” For the past two years, the department has been developing operational concepts from the doctrinal level down to tactics, techniques and procedures. “The department has developed extensive capabilities to defend its thousands of computer networks working across hundreds of installations in dozens of countries around the globe. We limited our connection points between Defense Department networks and the rest of the Internet, and we put some of our most sophisticated defensive capabilities at those critical points in order to protect our freedom to maneuver in cyberspace,” he reported.
Those defensive capabilities include enterprise content filtering, which ensures that critical information is available without having to implement Internet protocol techniques. Also included are an enterprise email security gateway and other sensors that “combine real-time intelligence with software that can act on the intelligence in real-time, enabling us to adjust our defensive posture ahead of the threats.”
Additionally, the Defense Department is in the process of standardizing and consolidating networks and data centers to improve operations and achieve a more common security architecture as a part of the Joint Information Environment (JIE). As part of the JIE, the department is implementing an identity-based tool to link information of authorized users and prohibit unauthorized use.
Gen. Davis pointed out that more than 99 percent of electricity and more than 90 percent of voice and communication services the military relies on come from civilian sources, which is why the department has a role to play in protecting the networks that control those services.
Those comments about the military’s reliance on privately owned networks segued into the first panel discussion of the conference, which centered on critical infrastructure and on enabling information sharing between the government and private sectors.
Thomas Ross, senior defense and intelligence advisor to Harry Reid, Senate majority leader, said that his boss has been trying to get the Senate more focused on cyber issues for the past three or four years. The senator tried to bring together the eight different committees that affect cyber and steer those committees to pass comprehensive cybersecurity legislation. But the effort faces significant challenges. “There’s no real legislative or legal framework governing what our government does in the realm of cybersecurity. There are some piecemeal laws, but no baseline framework for what we’re trying to do,” Ross stated.
“Information sharing is one of the important components of that legislation,” Ross said. He added that more than 100 existing laws block the free flow of cyber threat information between government and the private sector and that government has been working on creating an authoritative body to clear up for everyone what can or cannot be shared and under what circumstances information can be shared.
Ross also mentioned a widening gap between the haves and have-nots in the private-sector cyber arena. Larger companies, he said, can do great things with the information while smaller companies may not have the resources or expertise to act on the information.
Verne Boyle, director of technology and engineering at Northrop Grumman’s Cyber Solutions Division, referred to the critical infrastructure as a “high-profile battleground” and suggested that some challenges regarding information sharing have not yet been addressed, including the “speed and scale” of the information sharing problem, which cannot keep up with the threat. He mentioned polymorphic, or constantly changing, malware, saying that more than 500,000 new samples appear each year. Additionally, the command and control domain changes by the minute, meaning adversaries get to dwell on the networks for several hundred days at a time. “The cause of that is automation. The adversary has found a way to fully deploy automation as a part of their architecture, so when I think of information sharing, I think of solutions that remove people from the center of the information sharing architecture. It will be difficult, if not impossible, to defeat that automation with only people, so the speed and scale is significant,” Boyle said.