Amidst dire threat warnings, cyber warriors grow increasingly adept.
While many cybersecurity experts preach the gloom and doom of more advanced adversaries attacking U.S. networks, one government official contends that U.S. network defenders can meet the challenge. Training, education and technological improvements are showing dividends in a better-prepared cyber workforce.
The cyber threat, according to some experts, comes from China, Russia or Iran and includes attacks sponsored by nation-states or by organized crime. But in one sense, the threat remains the same, and it comes from within. “The greatest threat is the same threat that has always been in place, and that is we are growing ever-reliant on technology,” explains Debora Plunkett, who leads the Information Assurance Directorate at the National Security Agency (NSA). “That reliance is both a blessing and a curse. It enables us to do the business of government and to be efficient in our everyday work, but it exposes us to vulnerabilities that might occur naturally in the system or that might be inserted into the system.”
While the growing persistence and sophistication of adversaries have become a common drumbeat in information security circles, Plunkett sees greater skills and increased sophistication on the homefront—in the military, other government agencies and industry. “I think the future, quite frankly, is brighter than the past largely because we have a populace who has awakened to the potential risks associated with using information technology that we are now so dependent on. We have folks who are asking really good questions, who are challenging us to develop and deliver solutions in some new and innovative ways, and who are calling on us in ways like never before,” Plunkett reports.
As one example, she cites the participants in the NSA’s annual Cyber Defense Exercise designed to test the expertise and ingenuity of students from the U.S. service academies, the Naval Postgraduate School and the Royal Military College of Canada. NSA’s top information security professionals put those students to the test. Sponsored by the Information Assurance Directorate, the most recent exercise was held in April. The U.S. Air Force Academy won its fourth trophy, and its first consecutive victories, since the annual competition began in 2001.
Cyber warriors who assess and defend the U.S. government’s most sensitive communication systems challenged the ability of student teams to protect networks designed, built and configured at the students’ respective schools. Working at Lockheed Martin’s facility in Hanover, Maryland, another group of specialists graded each team’s ability to maintain network services effectively while detecting, responding to and recovering from security intrusions or compromises. The entire three-day exercise was conducted on virtual private networks, according to an announcement on the NSA website. “Our team here who develops the exercise scenario each year is having to use more and more sophistication in coming up with ways to stump [the students]. To me, that’s a real testament to the fact that the bar is being raised, even in the academies,” Plunkett says.
During the exercise, the students were confronted with a mix of existing, familiar threats and more innovative technologies and techniques they could see more of in the future. “The intent is not only to simulate real-world activities and to give students at the service academies an opportunity to exercise what they’ve been learning, but also to give them what we consider real-world experience in actively and consciously defending against an adversary. In this case, the adversary is us,” she says. “Ultimately, our objective is to build the cyber warrior, to build within the military and across the civilian population expertise in students who are able to operate and work in cyberspace. We are constantly looking for, recruiting, training and developing the next group of students.”
The exercise is no cakewalk, according to Plunkett. “We make it tough for them. We have teams back here who make it very difficult for them to keep their networks up and running, and they have an opportunity then to both learn and appreciate the work that we do on a daily basis,” she says.
The cyber exercise is a part of improving the standard on information assurance, which is a major focus for Plunkett’s directorate. “One of my really big priorities is to raise the bar for security—certainly for our national security systems, but by extension, for all of government and even outside of government,” Plunkett says. “If we can raise the consciousness and awareness of those who have to make investment decisions about security—make them smart enough so that they are making the right decisions—we have a fighting chance of raising the bar not just for government but for the populace.”
Improving standards, of course, also requires improving available technologies. The NSA compiles an annual list of top technology challenges. That list helps agency personnel and their industry partners to focus on areas critical to advancing the mission. “Some of the areas that fall on my list this year—some of which were on my list last year—include mobility, intrusion detection, continuous monitoring, virtualization and trusted platforms,” Plunkett reports. “All those things are critical not only today but also in the coming years as we continue to mature capabilities and advance our security needs.”
Over the longer term, she says, automation also is essential. “The real key to operating in cyberspace is automation. A lot of activities today are not as automated as we all know we need them to be, whether it’s automated patching, detection or continuous monitoring. We have lots of opportunities to improve those capabilities in the coming years,” Plunkett adds.
The Information Assurance Directorate works closely with the NSA Information Assurance Research Laboratory. The directorate helps to establish requirements for the information assurance mission and then works with laboratory personnel to find solutions. “We have a great partnership where we work together on testing the results and ultimately deploying them,” Plunkett notes.
She counts the Fishbowl pilot project as a recent success for the directorate and for the agency. The project provided 100 Android devices to users across 25 organizations, saving time and money while providing secure, cutting-edge electronics to a variety of users. The project is transitioning from NSA to the Defense Information Systems Agency, which will implement an operational capability. The project began with the relatively modest objective of providing mobile devices for use on the NSA campus, Plunkett says. Initially, the devices were required to offer only a voice communication capability, which has since been expanded to include data. Now, officials expect to continue adding capabilities and also to provide the devices to users overseas.
The directorate is making progress on other important fronts as well. “We’ve had quite a number of successes over the past couple of years in the areas of cloud computing and architecture. Specifically, developing the capabilities that allow us to securely wrap and tag data within the cloud. We’re actually pretty excited about that. It’s a trusted data format that we’ve actually made available to those outside of NSA, our partners as well as industry, who will be able to depend on some of these same formats to use data in the cloud,” Plunkett reveals.
The Information Assurance Directorate’s mission is to protect and defend national security systems, in part by developing processes and services and specifying requirements for security products. Directorate personnel also assess the security of national security systems and provide guidance and mitigation instructions for hardening infrastructure or recovering from an intrusion. Those personnel travel around the world to assist customers in protecting networks or in developing products with built-in security. “And we also have a growing analytic effort where we are looking at bodies of information assurance data and analyzing trends that might help us understand systemic security problems that may be happening in various places around the globe, and ultimately developing solutions or specifying requirements,” Plunkett adds.
Plunkett continually praises cybersecurity personnel defending U.S. data. “We have a phenomenal workforce,” she declares. “We have always enjoyed—and continue to enjoy—tremendous capability, tremendous determination, tremendous excitement and energy among our workforce. We really have the best here,” she concludes.