Earlier this year, detailed information about the bomb resistance of a new Department of Defense (DoD) building in Virginia was compromised. Reuters broadcast the information worldwide. The news organization did not obtain the document by hacking network systems, but rather accessed the “official use only” document on the Army Corps of Engineers website. This incident is just one example of the thousands of data breaches that occur as a result of internal information leakage rather than an outside attack.

In their 2011 Information Security Report, the U.S. Government Accountability Office (GAO) shed light on why internal leaks are so prevalent. The report’s survey of 24 major federal agencies found that employees with significant responsibilities are not properly trained on security measures. To that end, there is a critical need to further educate government personnel on how to keep sensitive information secure.

With tightening budgets and increasingly demanding performance requirements, agencies must resist the temptation to be compliance-driven and exclusively rely on quick fixes. A holistic approach bringing together people, processes, and technology into an enterprise-wide solution and a strong risk management framework is a viable and effective strategy for improving cybersecurity.

The U.S. Military engages in full simulations and digital war games to train for battle, and these methods and best practices can be repurposed for the cyber battlefield. Government workforce education and training that is regularly practiced and put in action will help prevent data leakage and save budget dollars.

Frequent penetration testing, simulated cyber and social engineering attacks, or even something as simple as a pop-up tip of the day on an employee’s computer will help make agencies more secure inside and out. After all, policies are only as effective as the people enforcing and enacting them.

Benjamin Franklin once said, “A small leak can sink a great ship.” Investing in the education of the government workforce, utilizing proactive training methods, and aligning policy, technology, and people can ensure smooth sailing.

Prenston Gale is the lead internal Subject Matter Expert for Information Security within Dynamics Research Corporation (DRC). He also serves as a solutions architect for emerging government requirements, building new frameworks and customized methodologies that are deployed in service of government clients. 

The views expressed by our guest bloggers are their own and do not necessarily reflect the views of AFCEA International or SIGNAL Magazine.

Where the 20th century was the age of airpower, the 21st century will be the age of cyberpower, according to the U.S. Air Force’s chief information officer (CIO). Lt. Gen. William T. Lord, USAF, told the closing keynote luncheon audience that the growth in cyberspace’s importance is outstripping even its own metrics for progress.

What he referred to as “Android’s Law” has accelerated Moore’s Law when it comes to change. Mobile devices are driving a global cultural change, he offered, and that change is breaching barriers and crossing into new territory. For example, social media was the tipping point in recent revolutions, the general pointed out.

Part of this transformation involves a shift toward emphasis on capabilities rather than on constructs. “We focus on the network, when in fact it’s the work of the network,” he said. As smart phones proliferate among military users, the need grows for a network that is device-agnostic, he added.

Situational awareness that borders on command and control (C2) may be necessary to protect vulnerable networks in the nation’s critical infrastructure. The threat to these increasingly complex industrial control systems will require more than just commercial off-the-shelf security solutions, according to a panel of experts at TechNet Asia-Pacific 2011 in Honolulu.

Rear Adm. Paul Becker, USN, the U.S. Pacific Command (PACOM) J-2, warned that the proliferation of control systems, coupled with a lack of network situational awareness, are prime opportunities for cybermarauders. In calling for C2 of networks, he noted that while nation-states appear to be the only cyberthreat with the ability to attack the nation’s infrastructure, organized crime now is able to develop or hire hacker talent.

Bryan Richardson, a critical infrastructure security expert with Sandia National Laboratories, stated that the good situational awareness tools that the infrastructure needs largely must be customized specialty solutions, although some could come from traditional information technology sources. Sandia has performed many assessments, so it understands the different types of systems and what needs to be done for them, Richardson said.

David Rolla of the Hawaiian Electric Company added that a good network situational awareness tool must be able to weed out legitimate security threats from natural disasters or even overzealous marketing events. His company is trying to put in place a holistic system that protects the entire network from start to finish.

The new technologies that are enabling elements of the critical infrastructure to operate more efficiently also are making them more vulnerable to devastating cyberattacks. Advanced mobile connectivity and supervisory control and data acquisition (SCADA) systems have created fertile ground for cybermarauders to target key aspects of the infrastructure a number of ways.

These were the findings of a panel comprising a number of experts from Hawaii and the U.S. Pacific Command (PACOM) at TechNet Asia-Pacific 2011 in Honolulu. Rear Adm. Paul Becker, USN, the PACOM J-2, described how the use of SCADA industrial control systems was a primary threat to the infrastructure. These systems are the focus of malevolent hackers, whose growing sophistication has increased the likelihood that they will be able to launch a devastating attack.

David Rolla of the Hawaiian Electric Company elaborated on how the SCADA threat has grown. Companies such as his have trended toward more integrated and more sophisticated control systems, and greater interconnectedness means more interdependency. The need for a communications infrastructure, which requires external communication links, also has increased vulnerabilities. Where the threat used to be broad-based—such as simple denial of service—it now takes the form of highly targeted attacks focused on a single entity, Rolla said. “We’re coming to a point where there is no such thing as a trusted source,” he warned.

The third iteration of the Defense Department’s Global Information Grid (GIG 3.0) may represent a breakthrough in networking capabilities, but only current technologies need apply to build it, according to a Defense Department official. Mark Loepker, acting director for the Defense Information Assurance Program, told a panel audience at TechNet Asia-Pacific 2011 that industry should bring innovative solutions to the GIG table—only, a solution that is not supported by current technology is not a solution.

Participating in the panel via a videoconference link from Herndon, Virginia, Loepker emphasized that industry should bring products “with security baked in.” These GIG products also should embed identity and access management, and they must meet federal mobility challenges.

Mac Townsend, a data architect with the Defense Intelligence Agency, stated that industry should bring services that can be tested before they are implemented into the GIG. And former defense official Marv Langston, now with Langston Associates, suggested that the tough budget times that lie ahead may be a boon to innovative solutions. Declining budgets are the best time to get new ideas into the system, he said, because when budgets are rising, people do not listen to innovative suggestions because they are too busy spending money.

Building and operating the third version of the Global Information Grid—GIG 3.0—will require new forms of accountability both for security and for operation. Accordingly, identity and access management will be the key items as the next-generation defense network is developed, said a panel of defense networking experts at TechNet Asia-Pacific 2011.

GIG 3.0 would tap existing technology to provide better information sharing—particularly for interservice, interagency and international coalitions—along with improved cyber security and responsiveness, offered panel moderator Randy Cieslak, U.S. Pacific Command (PACOM) chief information officer (CIO). Cieslak emphasized the importance of defendable agile compartmented enclaves to fight through cyberattacks. These virtual enclaves would match use needs, and authorized information would be safely moved among them.

Mark Loepker, acting director for the Defense Information Assurance Program, said that part of the GIG would involve the thought process of managing risk. Participating in the panel via a videoconference link from Herndon, Virginia, Loepker cited data center and server consolidation, network standardization and optimization, and enterprise email, messaging and collaboration services as key attributes of the future GIG.

As social media permeates deeper into military organizations, leaders are confronting a host of challenges. However, those challenges largely are new incarnations of longstanding problems that have faced military communicators for generations.

A panel of experts at TechNet Asia-Pacific 2011 focused on how information sharing can exist within an information security environment. Many of their concerns proved to be more user-oriented than technology-based.

Addressing those concerns, Master Sgt. Andrew Baker, USA, 516th Signal Brigade, said that forces need to be more operations-security (OPSEC) oriented with new media. In the Army, the problem has been soldiers who did not consider that the information they were posting on Facebook was giving away operational details that could be used by an enemy.

“Right now, at the OPSEC environment, education is basic,” he said, calling for leaders to be more aggressive in OPSEC.

SPC E4 Anthony Vandergrift, USA (Ret.), who used social media in Afghanistan as an infantryman, related how some soldiers violated OPSEC while using social media. He described how some bought a 56k cell modem so that they could post information on social media sites. In doing so, they circumvented Army rules and could have put their unit at risk.

Building network security around firewalls is passé, as cybercriminals are employing innovative means to enter a network. Instead, security managers should concentrate on understanding the user, the application and the data, according to Tom Reilly, vice president and general manager, HP Enterprise Security.

Speaking at the TechNet Asia-Pacific 2011 Wednesday breakfast, Reilly described how new types of networking are rendering old measures obsolete. Traditionally, experts have looked at security as being a 100-percent solution that is layer focused. With the advent of mobile and cloud computing, perimeters are devolving and consumers want more access to information.

And, with cybercriminals attacking networks through applications, more holistic measures are needed. Instead of securing a network through its Internet protocol (IP) address, security managers must shift their focus to the user and his/her activities. This represents a move to shift security to them and the context around them. The key is to understand the user, the application and the data.

“If you properly use security management and listen to your network, you can protect and secure it,” Reilly stated.

The spread of mobile networking systems along with the use of social media have opened new backdoors for hackers with potentially serious consequences, according to a leading security expert speaking at TechNet Asia-Pacific 2011. Tom Reilly, vice president and general manager, HP Enterprise Security, told the Wednesday breakfast audience that this major information technology transformation is leading to an escalation of attacks, especially against applications, and cyberspace will be a more dangerous place as a result.

“Things are going to be much uglier in the cybercrime world,” Reilly declared. He added that our adversaries are evolving away from traditional marauders. Many of them now are working at the behest of nation states. And, of course, they constantly are improving their sophistication.

Ironically, while mobile computing has increased risk, the move to cloud computing may improve security. Reilly explained that the cloud provider would be responsible for security compliance, so individual users and groups would not be as much of a weak link in the security chain.

The United States should start pursuing some of the people who are hacking into U.S. systems and stealing intellectual property, said the former commander of the U.S. Pacific Command. Adm. Timothy J. Keating, USN (Ret.), told the audience at the opening keynote address for TechNet Asia-Pacific 2011 in Honolulu, Hawaii, that going after cybermarauders may be the only way to reduce their activities.

The admiral called for a “thorough review of our nation’s policy” with an eye toward taking action against cyberintruders. Saying it’s time to “let the Genie out of the bottle,” Adm. Keating said it was time to take down some of the people “who are persistent in getting into our programs.” By going on the offensive, the United States may have some effect on cyberintruders, he offered.