
Cyber Command Confronts Evolving Environment

The newly created U.S. Cyber Command is starting its first year of operation in a race to secure the vital infostructure before a new generation of cyberattacks causes lasting damage to military, government and commercial information assets. This potential hazard is not theoretical; it already has been realized overseas, and it may be just a matter of time before U.S. cyber assets suffer devastating attacks.
By Robert K. Ackerman, SIGNAL Magazine


The U.S. Cyber Command is taking the point in protecting military networks—including active defense—in cyberspace.

What needs protecting is changing almost as quickly as what it needs protection from.


A substantial portion of the U.S. Defense Department’s information flows over commercial networks, but the Cyber Command is not empowered to serve as the protective agent for nonmilitary assets. So, it must work holistically with other government departments and agencies that also have much to lose from cyberattacks.

Part of the effort to protect networks involves adopting an active defense instead of passive detection after the fact. Further down the timeline will be the creation of a secure Defense Department cyber zone separate from public network access.

Concurrent with these programs are ongoing measures to repel and protect networks from constant cyberattacks. However, many of the regulations that govern cyberspace are long outmoded and do not provide a foundation for effective security. Ultimately, government may need to make changes in practices and laws to account for the new cyber reality.

Malicious cyber activity causes hundreds of billions of dollars in lost revenue every year, and that threat includes the corruption and possible destruction of data. “My concern is that the threats are growing,” says Gen. Keith B. Alexander, USA, commander of the U.S. Cyber Command. Gen. Alexander, who also is the director of the National Security Agency (NSA) and the chief of the Central Security Service, casts a wary eye on the evolving threat and how its menace is becoming more severe with the passage of time.

“The threats that we knew in the past were mostly criminals, hackers and nation-states exploiting cyberspace,” he relates. “In May of 2007, that whole paradigm shifted from exploitation and criminal stealing of wealth to the attacks on Estonia.

“If you carry it forward to today, I’m concerned that those attacks will become increasingly more lethal,” Gen. Alexander declares. The effects that the disruptive attacks had on Estonia were huge, he continues. Yet, when those disruptive attacks ended, the targeted networks could resume operation. What may lie ahead are destructive attacks that would leave damage requiring considerable repair or replacement, and recovery would require an entirely different time line.

“I’m concerned that our nation’s infrastructure is not prepared for the next wave of cyberthreats that is coming—and that is the destructive capabilities,” he states.

Part of this problem involves the current cyber environment. “Technology is far outpacing our laws and policies,” the general observes. “The laws and policies that we developed in the 1980s and 1990s don’t account practically for the Internet, let alone the networks where we’re going.” The challenge is how to keep up with the way business is conducted in the current technical environment.

Gen. Alexander notes that part of the command’s mission is to be prepared to defend and support the Department of Homeland Security (DHS). That is a tasking that would take time to implement in a crisis, he explains. If the Cyber Command observes an attack on the civilian infrastructure, it has no authorities to stop it. “In physical space, if the United States were being attacked by weapons, the Defense Department would stop it. In cyberspace, we’re not yet there,” he charges.

The command trains its people to operate within current policies and laws, but leadership within Congress and the administration must be informed where policy and law changes are necessary to maintain cybersecurity. “We bring up where there are logical disconnects between law and policy and our current technology,” the general points out. “We still operate within the law, but you might have less protection than you would expect.”

The critical infrastructure is most at risk, Gen. Alexander states. The Defense Department depends on that and the infrastructure of other government agencies to carry out its mission.

The general worries that a particularly destructive attack might come about as a result of “a destructive tool that gets out of hand.” Imagine if some of the particularly contagious past viruses, such as “Melissa” and “I Love You,” had a destructive payload attached, he suggests. Some of these tools could destroy computer hardware as well as data, and the effects would be devastating. The difficult task is to prepare the Defense Department and the infrastructure for this type of attack, he allows.

“It’s a race against time,” the general warns. “I believe, right now, that we aren’t as serious about fixing that as we should be, and we need to get that front and center.”

The recent appearance of the sophisticated Stuxnet computer worm and its attack on Iran’s nuclear research centers is not changing the way the Cyber Command does business. “I don’t think that [Stuxnet] event forces us to do anything that we haven’t already planned to do,” Gen. Alexander says. The key to stopping any severe piece of malware may lie in the creation of a secure zone, and the command is proceeding along those lines.

This secure zone would house government and critical functions. These might include other agencies as well as critical infrastructure elements, the failure of which would prevent government from operating or pose a threat to public well-being.

Establishing this secure zone will entail creating an architecture that is “infinitely more defensible” and limits adversaries’ ability to intrude. The command is attempting to achieve this through its information technology efficiencies, the general notes.

Defending networks also will require an active defense approach. The general explains that an active defense differs from current security in that it does not wait for an adversary to demonstrate successful network penetration. Gen. Alexander likens it to a homeowner hearing a burglar attempting to break into his or her house. Current security measures are instituted after the burglar breaks into the network. With active defense, as soon as the burglar was detected, measures would be implemented.


Students in U.S. Air Force basic military training learn about defending cyberspace during a training class. The Cyber Command is tapping service expertise to build a cyberforce based on standards across each of the services.

“When you’re looking for malicious software, you’re looking for bugs in your system. You’re not reading the e-mail, but you’re looking for those bugs, and it’s hard to differentiate them. But, an antivirus program actually looks for signatures that would trip that you have a bug.

“We would do something very similar to that,” he continues. “As communications flow by, you have to look at what are the problems that you see in those communications or in your still environment—and is it defensible.”

The same approach can apply to existing malware. Cyber warriors should hunt within defense networks for existing malware instead of waiting for the malware to act. “We know that people have gotten in; we find malware there, but we don’t hunt. We clean up that malware, but we don’t go beyond it,” Gen. Alexander observes.

The first step in these efforts is to apply active defense measures to the Defense Department, which currently is implementing that program. Then, the command would provide the technical capabilities to the DHS and other organizations as needed.

In addition to operating and defending Defense Department networks, the Cyber Command also must grow a cyberforce to carry out that mission in a time of increasing threat, Gen. Alexander notes. This involves recruiting, training and retaining a cyber cadre for the long term. Some of the programs for producing cyber personnel take up to 18 months, the general adds.

Building this cyber cadre will both tap and supply expertise among the services’ cyber commands, Gen. Alexander continues. With the command training as a joint organization, standards will be the same across each of the services and the cyber components. The services would train and equip their cyber personnel in a joint environment, but they largely would remain assigned to their own service components, over which the U.S. Cyber Command has operational control. Gen. Alexander characterizes the relationship between his command and those of the individual services as “wonderful.”

The Cyber Command also will be working across U.S. government departments and agencies to improve the nation’s cybersecurity. The command cannot involve itself in actively securing the civilian infostructure, but it can lend a hand to organizations that do, such as the DHS. The training of personnel would follow the same guidelines used for the military services.

“It is less accurate and relevant to talk about the unique characteristics of air, land, sea and space when you’re talking about cyberspace,” Gen. Alexander posits. “We need to think about linking all those together in our domain.”

As part of the DHS, the U.S. Coast Guard’s own cyber command does a great deal of the “operate and defend” today, the general observes. The Defense Information Systems Agency (DISA) plays a major role in defending Defense Department networks in its role as the major backbone provider. As the major service provider down to the combatant commands, DISA executes network defense as directed by the Cyber Command. A DISA support element is located at the command as part of its joint operations center, which helps “inextricably link” DISA security activities with the U.S. Cyber Command, the general says.

Some defense network traffic travels over commercial assets, and protecting that traffic requires collaboration rather than customization. The partnership with the DHS is important for protecting these networks along with the rest of the critical infrastructure. “We don’t protect the networks in the infrastructure alone,” Gen. Alexander points out. “It’s a team effort, and we have to do it in conjunction with Homeland Security and with industry. Both of those have to work together, and that’s the only way we can do it.”

He explains that the Cyber Command brings to the table its technical expertise along with that of the NSA. The DHS has the mission of protecting nonmilitary government and the critical infrastructure, and the collaboration between that department and the command is key. Instead of implementing special measures for defense information traveling over commercial networks, the command will work with others to protect those networks as a matter of course.

Among the important challenges to meet is that of cyber situational awareness, which the general describes as absolutely vital to effective cybersecurity. “You’ve got to be able to see cyberspace in a way that is meaningful to people who operate and defend in this area,” he declares.

However, current practices have more in common with 1980s gaming than with the 21st century digital age, he charges. Those games provided only limited information about an environment. To deal with today’s cyber challenges, planners must apply software visualization capabilities that provide insight into diverse aspects of cyberspace.

Achieving effective cyber situational awareness will be much harder than other security aspects such as active defense, Gen. Alexander warns. “We’re working it, but that’s going to take time. Hopefully, it won’t take us the 20 years it took to build the software to visualize war games,” he says.

Above all, network operators and users must employ best practices to fully exploit established security measures. “Much of the problems we see in network security could be fixed just by implementing common sense practices and antivirus [software],” he says. But the remaining 20 percent will require the Cyber Command and its agencies to address them using their expertise. And even the first 80 percent is not fully addressed, as defense users are not yet engaging in best practices.

Gen. Alexander suggests one solution might be the creation of an international organization for information systems analogous to the World Health Organization. This new organization would establish antivirus standards to help ensure that systems are secure. This approach would limit the ability of adversaries to penetrate and exploit an information infrastructure as a cyber weapons platform. The current environment is wide open for exploitation. “[It is as if] everybody were allowed to fly, but nobody has to have a license,” he offers. “In cyberspace today, everybody can build up a computer, but nobody is required to defend or have that computer [security] at a certain level.”

A partnership with industry is essential for the key elements of the infostructure on which the government will rely in crisis or war, Gen. Alexander states. “Industry owns and operates the majority of that critical infrastructure, but we need to work with them. We have capabilities and technologies that could help them, along with classified insights into some of the malicious software that we could share with industry under special conditions. We need to set those conditions up and figure out a way to operate,” he offers, adding that the departments of Defense and Homeland Security are examining how to establish those conditions for a successful partnership, beginning with some test programs.

WEB RESOURCES
U.S. Cyber Command: www.stratcom.mil/factsheets/cc/
National Security Agency: www.nsa.gov
Department of Homeland Security cybersecurity: www.dhs.gov/files/cybersecurity.shtm