The price of failure to provide adequate cybersecurity ultimately may be too high for any nation to tolerate. Yet, the cost of effective cybersecurity may be too much for a nation to afford. The consequences of a damaging cyberattack on a part of the critical infrastructure could be catastrophic, yet securing national capabilities from cyberattack will require more than just government or industry action. Both groups must work in concert to produce results that are greater than the sum of their parts, but no single approach to cybersecurity will work to protect the diverse government and commercial assets that are both extremely vulnerable and highly critical to a nation’s well-being.
Vulnerabilities and solutions were among the focal points in AFCEA’s two-day Cyber Symposium held June 24-25 in Baltimore. Titled “Cyber Awakening: Protecting a Nation’s Security,” the symposium featured a range of civilian government, military, industry and academia leaders describing the nature of various threats as well as the challenges facing decision makers and cybersecurity professionals alike.
The commander of the U.S. Cyber Command, Adm. Michael S. Rogers, USN, described how one challenge to engaging industry and academia in the cybersecurity effort involves overcoming long-held and recent reluctance on the part of these two groups toward cooperating with the government. “How do we bring together expertise from the private sector and academia with government … when one of the partners is not fully trusted?” he asked.
“If we can’t create an environment with a dynamic information flow and information sharing in a real-time basis, it’s like we’re fighting with one hand tied behind our backs. Cyber is the ultimate team sport,” Adm. Rogers emphasized.
The Department of Homeland Security (DHS) has several efforts underway to engage the private sector in the fight against cyberattacks, said Suzanne Spaulding, undersecretary for the National Protection and Programs Directorate at the department. The DHS works every day to make this public/private partnership effective, she emphasized. The department’s whole-of-nation approach entails bringing in private-sector partners. This includes a strong focus on ensuring that privacy laws and civil liberties are maintained from the start, she said.
Spaulding continued that the key issue is not what is happening in cyberspace, but its effect on the critical infrastructure. “The consequences that really keep us awake at night are physical consequences,” she stated. “It’s not just what’s happening in cyber, it’s the cascading physical consequences.”
Those physical consequences could bring a nation’s activities to a halt or cripple its economy.
Melissa Hathaway, president of Hathaway Global Strategies and a former acting senior director for cyberspace with the National Security Council, offered that defenders of cyberspace need to concentrate on the critical services provided by the critical infrastructure, not the infrastructure itself, she stated. A focus on the critical infrastructure may lead to officials missing the vulnerabilities and money allocations needed for protecting critical services.
“It’s time to stop talking about infrastructure and time to start talking about services,” she declared.
A devastating cyberattack could be an act of war. Yet even NATO, which is built around all members coming to the defense of another member under attack, does not yet have a cyber policy for its Article 5, which defines that collaborative defense. Lt. Gen. Mark O. Schissler, USAF, deputy chairman, NATO Military Committee, admitted that NATO does not know how to define Article 5 in a cyber context. The alliance realizes this is an important issue, he said, and it is working to address it.
Lt. Gen. Johannes Kert, military representative of the Estonian Delegation, offered the perspective of a nation that has faced a cyberattack. “When you are in crisis, it’s so difficult to identify how you are being attacked,” he related. “Later, you understand, but you may not catch it immediately.”