Wednesday panel discussions and presentations at the TechNet Land Forces East conference in Baltimore delved into the nuts and bolts of cybersecurity and how they fit with the men and women of the military who are called upon to protect computer networks from those with malicious intent.
Morning panelists addressed the question of whether anyone can truly trust the hardware components their agency or service buys for their network in an age when multinational companies provide many substantial components such as network switchers and routers. Dan Wolf, president of CyberPack Ventures, believes it is a sign that America has ceded much of its technological edge when there are so many cases of counterfeit products sold for networks that “work for 20 minutes” and then quit. He said that another risk is that so many buyers fail to ask important questions of their vendors about the authenticity of products. And Wolf suggested that cybersecurity concerns and threat assessments may need to be addressed in future iterations of federal purchasing regulations. In a similar vein, consultant Jim Payne suggested that the time has come for agencies to abandon price alone as the primary factor in network component purchasing and instead balance price against actual performance.
When considering the defense of cyberspace, a midmorning panel of military cybersecurity experts tackled how to prevent cyberattacks on military networks, with an eye toward possibly defending domestic private networks as well. Panel moderator Mary Lee, of the National Security Agency’s Cyber Task Force, noted that the very nature of the Internet requires that teamwork among often disparate groups and organizations be a part of the solution.
Lt. Gen. Vincent Brooks, USA, commanding general of the U.S. Army Central/3rd Army, raised more than a few eyebrows (and grudging acknowledgement) when he openly identified users—everyone from clerks to flag officers—as the weakest link in the cybersecurity chain. He said cyber attackers design their attacks knowing that somewhere, someone will click on a seemingly innocuous link that will unleash havoc on a network. Rear Admiral Robert Day, USCG, and director of the U.S. Coast Guard’s Cyber Command, noted that in a similar vein, he still finds it necessary to remind “coasties” that it is inappropriate to attach unauthorized USB thumbdrives to Coast Guard computers lest they provide an entry way for malicious software. Brigadier Gen. Kevin Nally, USMC and Director, C4, and Chief Information Officer for the U.S. Marine Corps, described training that his command is designing to help middle-to-higher ranking officers stay up to date on the latest cybersecurity issues.
Training is also on the mind of Lt. Gen. Richard P. Mills, USMC, deputy commandant for Combat Development and Integration with the U.S. Marine Corps. He noted that training and education within the force is the most important plank of cybersecurity policy. Mills, who led Marines in Afghanistan in 2010, related how he used cyber resources at his disposal to help protect his network from enemy intrusion, and even launch some of his own cyber incursions against the enemy. He also described how cybersecurity is becoming a key part of MAGTF, the overarching doctrine of Marine Air-Ground Task Force that defines how Marines prepare to go to war,
The day ended with an examination of how trust enters into the relationship between America’s military and partner nations. Major General John Davis, senior military advisor for cyber to the Under Secretary of Defense (Policy) echoed a theme heard in the morning panel by declaring that “Cybersecurity is a team sport,” the kind in which U.S. forces work hand-in-hand with partner nations when it comes to network security. Davis noted that for some time now the U.S. military has been integrating cybersecurity concerns into the joint bilateral/multilateral training exercises that take place yearly.
At the same time, Major General Steven Smith, USA, Assistant Chief of Staff, G-6 U.S. Army Central/3rd Army, and Commanding General for the 355th Signal Command, noted that while working with coalition partners is nothing new for the Army, the notion of doing so in the cybersecurity and network realm is. Providing an industry twist to the “partners” challenge, Greg Gardiner, chief architect, government and defense solutions with NetApp, believes that new thinking is required to successfully fold cybersecurity into how the military buys networking products. For one thing, he said, it is important for the acquisition process to morph into one defined by “months rather than years.” He noted that his colleagues in industry do this to turn a profit, and that to stimulate innovation, government must consider incentives. And he urged those who buy networking products to put an end to needless customization of products to save money.