Different Circumstances, Different Approaches Define Cybersecurity Thrust
Cyberspace may be a single ubiquitous entity, but securing it entails varying actions by diverse users.
AFCEA International Cyber Symposium 2014
The SIGNAL Magazine Online Show Daily: Day 2
Quote of the Day:
“There are no good solutions when you are under cyber attack; there are only bad and very bad solutions.”—Lt. Gen. Johannes Kert, military representative of the Estonian Delegation, NATO Cooperative Cyber Defense Centre of Excellence
No single solution, no single course of action, no single training regimen exists for combating cybermarauders on the Internet. Cyber officials are striving to establish guidelines for cybersecurity, yet they acknowledge that every organization in every nation has varying needs and must pursue different tracks to achieve what they determine is effective cybersecurity.
Each nation imperiled by cyber attacks has different criteria for security measures, and each one is pursuing different areas of interest. In the defense community, each individual military service has different issues it must address, even as the services seek common ground in combating cyber attacks. And, private sector entities have different concerns for protecting elements of the critical infrastructure without sacrificing the advantages generated by modern networking.
Planners seeking to establish common criteria for securing cyberspace must accommodate these differences to ensure that their guidelines are followed effectively. They must create a doctrine that is broad enough that organizations can develop their own doctrine within it. And, as the threat continues to evolve, the very concept of cybersecurity faces revision.
These points were among the many that emerged on the second and final day of AFCEA’s Cyber Symposium held in Baltimore June 24-25. Titled "Cyber Awakening: Protecting a Nation's Security," the symposium on Wednesday focused on diversity of opinion and approach, including international aspects.
Those international aspects were on display in the day’s opening panel, which featured several NATO officials. One point that emerged was that the alliance, which is built around all members coming to the defense of another member under attack, does not yet have a cyber policy for its Article 5, which defines that collaborative defense. Lt. Gen. Mark O. Schissler, USAF, deputy chairman, NATO Military Committee, admitted that NATO does not know how to define Article 5 in a cyber context. The alliance realizes this is an important issue, he said, and it is working to address it.
Dr. Velizar Shalamanov, director, demand management, NATO Communications and Information Agency, allowed that it is difficult in this uncertain environment to define an Article 5 attack. He suggested that Article 4 (consultation) and Article 6 (crisis management) may be applied before Article 5 in a cyber attack.
Lt. Gen. Johannes Kert, military representative of the Estonian Delegation, NATO Cooperative Cyber Defense Centre of Excellence, offered the perspective of a nation that has faced a cyber attack. “When you are in crisis, it’s so difficult to identify how you are being attacked,” he related. “Later, you understand, but you may not catch it immediately.
Gen. Kert described how his nation responded to the severe cyber attack it suffered in 2007 by engaging in several nationwide actions that created new organizations and strengthened the ability of existing groups to secure cyberspace. Estonia established a state information systems agency that included a national computer emergency response team, a cyberdefense department and a critical infrastructure department along with a “department of after-check” designed to determine if tasks were fulfilled and done effectively.
Training and preparation are key, Gen. Kert emphasized. He warned against complacency by saying, “There are no good solutions when you are under cyber attack, there are only bad and very bad solutions. You have to train, train and train beforehand.”
Differences of opinion among NATO members is not a new trend, but it is a major hurdle to overcome as the alliance pursues cybersecurity. One problem that lies in the legal realm: each NATO nation has its own laws that define privacy and civil liberties, so no single policy would work across the alliance. Other contentious issues involve security priorities, especially among countries that have different exposure to cyberthreats.
Two of the common denominators that constitute NATO cybersecurity policy are training and teaming with industry. Various institutions are being employed to train cybersecurity experts, and NATO is moving toward establishing a cybersecurity school. “The way we’ve trained and become an effective military coalition, we have to do the same thing with cyber,” said Gen. Schissler. “Not all NATO nations believe cyber is a domain, but it’s not too early to begin training together.”
Melissa Hathaway, president of Hathaway Global Strategies and a former acting senior director for cyberspace with the National Security Council, offered that engaging private sector innovation will help NATO increase its agility, manage costs and increase its ability to ensure national and transatlantic security. Shalamanov said his agency is focusing on partnerships, especially with industry in several areas, because it is the only way to be successful in cyberdefense. He noted the alliance is working closely with the NATO Industrial Advisory Group to develop ways cooperating with industry.
Hathaway charged that the very nature of cybersecurity is changing, and it needs to be refocused. Defenders of cyberspace need to concentrate on the critical services provided by the critical infrastructure, not the infrastructure itself, she stated. A focus on the critical infrastructure may lead to officials missing the vulnerabilities and money allocations needed for protecting critical services.
“It’s time to stop talking about infrastructure and time to start talking about services,” she declared.
The U.S. military has been building cyber teams within each of the services, and they are encountering a variety of challenges as they address their individual service needs. Each service faces different focal points for cybersecurity, and each must train individually without going off in different directions. A panel comprising cyber officers representing each of the services expressed the same desire for finding common ground in training.
Brig. Gen. Robert J. Skinner, USAF, deputy commander, Air Forces Cyber, said that most of the teams will bring similar skill sets. What will be different will be their mission focus.
“We train for the known, and we educate for the unknown,” he stated.
Speaking at the day’s keynote luncheon, U.S. Defense Department Acting Chief Information Officer Terry Halvorsen noted the difficulty in establishing effective security standards. It is easy to set new security requirements that apply to a clean slate, he observed, but that is a problem in the Defense Department where most of the information technology is legacy. “We have to establish a minimum level for legacy systems that is effective and that we can achieve today,” he stated.
Halvorsen also told an attentive audience that defense networks may have to make do with minimum security because of tight budgets limiting options across the board. “I want for all these networks, the minimum level of security to get the mission done,” he declared. “If we try to do the best security everywhere, we will not get to what we want. We don’t have the money; we don’t have the time.
“The minimal level security we do today will be different from the minimum level security we have two years from now,” Halvorsen continued. And, he added, the department “absolutely has to know what it costs. If we don’t know what things cost, we won’t be able to fund them.”
The private sector will be seeing more unclassified defense data in its storage systems. “We’re going to move more things into the commercial world—the unclassified business world,” Halvorsen declared. In 28 days, the department will issue policy guidelines that let industry store, move around and play with level 3 to 5 data, he added. He emphasized that these will be guidelines, not standards. “We’re getting away from prescriptive solutions.”
Halvorsen also called for software that uses the minimum bandwidth to do the job. And, he expressed concerns about the department’s routers and switches. “They’re old and they don’t always allow us to do what we want to,” he said, adding that the department is working that problem right now.
Above all, the defense cyber work force needs to include fresher ideas and outlooks, he declared. “We need to attract a younger work force. We’re filling jobs, but we’re not getting the right mix. Diversity is needed.”
Halvorsen also called for easing regulations to allow a greater two-way flow of expertise between the Defense Department and industry. “We have to be able to move people back and forth between industry and government,” he stated. “We don’t get successful unless that happens.”
The Cyber Symposium will be back in 2015! Keep an eye out for news of it at www.afcea.org/events.