The official blog of AFCEA International and SIGNAL Magazine
       

Posts from Cyberspace

Sandia Labs to Target Cyberattackers

By • Oct 26th, 2011


One of the government’s premier scientific research institutions is focusing its resources on defending computer systems against cyberattackers. The Sandia National Laboratories has concluded a recent two-day conference on cybersecurity by announcing plans for a new Cyber Engineering Research Institute (CERI) that will have a presence on both Sandia campuses in New Mexico and California. CERI is expected to more closely coordinate with industry and universities in developing new tactics to enhance cybersecurity. CERI also will explore ways to encourage more students to take up cybersecurity studies and may develop a major prize competition to spur innovation in cybersecurity.

Cybersecurity Isn’t Only About the Network

By • Jun 1st, 2011


The Air Force and Arlington County, Virginia, are taking preventative measures against hackers such as the ones that recently attacked Sony, costing them over $170 million. It’s not just money at risk for government networks, however.

The Air Force has the lead for the Next Generation Airspace and lead for the Department of Defense. Arlington County, which collaborates extensively with the department on many levels, has undertaken continuous monitoring and risk analysis and is currently evaluating its supervisory control and data acquisition (SCADA) systems.

Maj. Gen. Edward L. Bolton Jr., USAF, director of cyber and space operations, office of the DCS for ops, plans and requirements, led a discussion with B.G. Ranck Jr., director of warfighter systems integration at the office of the Secretary of the Air Force, and Mark Orndorff, PEO for Information Assurance and NETOPS for DISA at the AFCEA D.C. chapter’s cyber security luncheon on May 20 describing the Air Force’s approach.

Gen. Bolton asked everyone in the audience to say at what level they thought we should protect. The audience answered that we should protect “every link at every level.”

He also suggested that the Air Force’s biggest issue with communications is the “lack of transportability” of the equipment and parts, driven by its inability to interoperate between stovepiped systems. He described a soldier as having to carry a pack with three computers, multiple batteries, and multiple wires in order to communicate.

According to Bolton, the Air Force will focus on three main areas: capabilities, employment, and people. He also stated that the Air Force will change the discussion from aircraft allocation to “what information do I need vs. how many airplanes do I have in the air?” It also maintains that, “every airman must have a certain understanding of cyber.”

The Defense Department envisions a joint architecture and joint services information-sharing requirement that is not specific to a particular agency and that promotes interoperability and information sharing across previously discrete domains. In keeping with this vision, the Air Force will migrate away from the plethora of often proprietary and stove-piped systems and transition to a single standards-based network. These systems often do not interoperate with other systems both in and outside of the Air Force. The Air Force will channel the resulting savings into building operational capability.

Gen. Bolton also asked the defense contracting community to help the Air Force by not perpetuating proprietary and controlled environments and boxing the Air Force into a technology or proprietary solution.

Though the panel focused primarily on the network and interoperable systems, it did not address the issue of SCADA systems, which are an integral part of Air Force and Defense Department infrastructure. We often don’t realize that our traffic lights, transportation systems, bridges, dams, power systems, water treatment plants and other systems contain digital information vulnerable to attack and theft even though they are not a part of other network systems.

Arlington County has undertaken an initiative to evaluate its SCADA systems and mitigate any risks found. In a public forum, Chief Information Security Officer David Jordan mentioned an article that described how U.S. officials who initially were going to conduct a public forum to discuss the risk of SCADA systems quietly decided the risk was too great to bring it to the public’s attention and cancelled the forum. “We started with the critical infrastructure systems; those connected to the network and are conducting other evaluations according to priority. SCADA systems are vital in the support of day-to-day life in a city,” Jordan stated.

But there are other important systems not directly under the control of the jurisdiction or the Federal Government, such as local phone switching center operating systems, cable, and wireless broadband operating systems and their related command and control networks, he continued.

The Defense Department would do well to conduct similar analyses across the department, if these are not already under way.

Irregular Warfare Mandates Unconventional Means

By • May 11th, 2011


Being successful in the era of irregular warfare will require a focus on new ways of building and preparing the force, according to a panel of military and civilian experts. Speaking at the 2011 Joint Warfighting Conference, the Wednesday panelists emphasized training and education using innovative approaches to build a force capable of winning in a rapidly changing arena.

Brig. Gen. John W. Bullard Jr., USMC, prospective deputy commanding general, Marine Corps Combat Development Command, declared that the key to the future will be education—however, there is no silver bullet. The military must invest in officers and senior enlisted personnel both in training and education. The true art will be not necessarily having the answers, but instead knowing to ask the right questions, he said, citing the need for a doctrinal framework that is flexible.

Training should focus on methodologies and critical thinking rather than on specific skills that might not be useful, emphasized Maj. Gen. Charles J. Dunlap Jr., USAF (Ret.), former deputy judge advocate general, U.S. Air Force. Capt. Evin Thompson, USN, Naval Special Warfare Branch head, Expeditionary Warfare Division, Navy Staff, decried the military culture that does not like to share information. We need to turn our military into an organization with an external outlook so that we can communicate with everyone with whom we share this world, he stated.

Above all, the military must create an environment that effectively recruits and keeps technologically, offered Eric Bassel, director of the SANS Institute. The military needs to create a recruitment, training, education and assessment process for the cyber side to keep cyber experts for the long term.

Enemies Likely to Define Future Threat Environment

By • May 10th, 2011


Future adversaries are likely to wage new types of warfare against U.S. and coalition forces based on varying types of conflict, according to a panel of experts at Joint Warfighting Conference 2011 in Virginia Beach, Virginia.

“I worry about disruptive threats such as cyber and EW [electronic warfare],” said Lt. Gen. William J. Rew, USAF, vice commander, Air Combat Command. Gen. Rew expressed concern that the young people who’ve grown up always having the Global Positioning System (GPS) may be ill-equipped to handle warfare when those high-technology capabilities are denied. He related that the Air Force injected a significant amount of that activity into a wargame at Nellis Air Force Base recently, and that caused significant problems with participants.

A similar position was adopted by Lt. Gen. Dennis J. Hejlik, USMC, commander, U.S. Marine Corps Forces Command. “On the cyber side, the question is who’s out there that is going to take some magical moments away from us,” he declared. “There are some smart enemies out there” that might deny effective use of GPS, for example, the general said.

Lt. Gen. Robert L. Caslen Jr., USA, commanding general, U.S. Army Combined Arms Center and Fort Leavenworth, offered that the future threat is probably a sort of a hybrid threat, such as Hezbollah in its operations against Israel. This is a non-state adversary that wages new types of asymmetrical warfare but, because of its state sponsorship from Iran, has some state capabilities.

Cyberspace Requires Active Defense

By • May 10th, 2011


Cyberspace security experts no longer can afford the luxury of traditional security that detects malicious operations when they begin, said Lt. Gen. Robert E. Schmidle, USMC, deputy commander of the U.S. Cyber Command. This active approach must be extended across the civilian realm of cyberspace as well as in the military arena, he said.

“You can’t have static defense where you wait for something to happen,” the general declared at the Joint Warfighting Conference 2011. “You’ve got to be out in the network hunting for malware.”

One approach is an agile tipping and cueing capability similar to that employed in signals intelligence (SIGINT). Applying that approach to cybersecurity would help head off threats before they achieved their malicious goals.

Gen. Schmidle allowed that the .mil network is well-protected, but huge vulnerabilities exist in other networks that also are vitally important. “There are critical pieces of our infrastructure, part of our national security, that must be robustly defended against threats,” he warned.

Cyberthreats Entering New Realm

By • May 10th, 2011


Malicious threats in cyberspace are entering a new territory that is more menacing than previously experienced, according to the deputy commander of the U.S. Cyber Command. Lt. Gen. Robert E. Schmidle, USMC, told the kickoff address audience at the Joint Warfighting Conference 2011 in Virginia Beach, Virginia, that cyberspace is seeing the beginnings of the development of new types of destructive tools. These tools are software that has no purpose other than the destruction of other software or even hardware, he explained.

As an example of the potential for this type of damage, the general cited an accident that occurred recently at a Russian power plant. The facility was remotely operated and controlled via a supervisory control and data acquisition (SCADA) system. One turbine did not have a proper radio frequency identification tag, so the remote operator did not have information on it relating to its maximum speed. That operator did not know when the turbine was spinning out of control until it shredded in the turbine room, destroying much of the facility and killing more than 70 people.

This was an accident caused by SCADA, and it portends the damage that could be done by a malicious hacker who broke into the network. “Almost all power systems in United States are run by SCADA networks,” Gen. Schmidle said. “Just imagine what vulnerabilities are out there.”

U.S. Needs Deterrence Strategy in Cyberspace

By • Feb 23rd, 2011


Creating a deterrence strategy in cyberspace similar to the Cold War approach to nuclear weapons is a difficult proposition, according to Gen. Keith Alexander, USA, who commands U.S. Cyber Space Command and is director of the National Security Agency.

 “There is no deterrence model out there analogous to what we had during the Cold War for nuclear détente. If you think about it, there are no rules of the road yet. There are no norms. We don’t have all that figured out, so there is no deterrence strategy. In fact, I would posit that it is much more difficult to have a deterrent strategy in cyber space because all countries, nation states and non-nation states, can have these capabilities in cyberspace,” says Alexander.

Speaking at the AFCEA Homeland Security conference, Alexander called for greater cyber situational awareness and a more active network defense. He also said government can protect the nation’s networks while also protecting individual privacy and civil liberties, and he called for the public to demand more secure technologies.

 Alexander offered several statistics to demonstrate what he called a phenomenal rate of change. He said that there are now 2.06 billion Internet users worldwide and that in 2010, 107 trillion e-mails were sent, which equals about 294 billion per day, 89 percent of which were spam. In addition, there were 35 billion tweets last year, which he predicts will “really take off this year.” Facebook just crossed 600 million users. If they were a country, Facebook users would be the third largest nation on Earth. In 2001, the average person had less than a gigabit of storage. In 2010, that was 128 gigabits, and in 2020 it is predicted to be 131 terabits, according to Alexander. “It took two centuries to build the Library of Congress—29 million books, 2.4 million recordings, 4.8 million maps, 57 million manuscripts. Today, that would take five minutes on the network. Five minutes,” he says.

DOD FY 2012 Budget Boosts Cyber Spending

By • Feb 14th, 2011


The Defense Department’s FY 2012 budget proposal features $2.3 billion for improved cyber capabilities, according to figures released this afternoon. Key elements of that funding include $0.5 billion for the Defense Advanced Research Projects Agency (DARPA) to invest in cyber technologies. Funding also will be provided to the Defense Information Systems Agency (DISA) for cyber identity, monitoring and enforcement.

The budget will increase funding for training cyber analysts, for improving Global Information Grid (GIG)-wide situational awareness, for developing pilot programs for supply chain risk management and for improving intrusion detection and analysis.

Future cyber spending includes $0.5 billion from FY 2012 through FY 2016 to plan, design, construct and outfit a Joint Operations Center for the U.S. Cyber Command at Fort Meade, Maryland.

A Call for New Cybersecurity Collaboration Models

By • Jan 10th, 2011


Our cyber adversaries threaten us as individuals, communities, nations and members of the global community. We risk ruined credit, emptied bank accounts, government privacy information held hostage or destroyed, disabled defense systems and destruction to our infrastructure. Many recognize that our existing organizational and acquisition models can’t respond quickly enough to meet the cyber challenge. Why not establish a neutral entity to act as an impartial system integrator that collaborates global efforts and resources to anticipate and defend against our cyber adversaries?

Many efforts address the cyberthreat from different perspectives, but none exists such as the one above. We are gradually addressing the cyberthreat but at a rate far less than our adversaries are outsmarting us. The Department of Defense recognizes the cyberdomain as its own separate domain along with air, space, land and sea. However, our existing acquisition and collaboration models can’t keep up. Our adversaries might be a single person with an inexpensive device that can disable a country like Estonia, or nation-states, criminals, terrorists and organized crime. The cost of entry is low. Whole underground networks exist to recruit as well as buy and sell illicit capabilities. Viruses, worms, trojans and more can propagate around the world instantly.

Robert Rodriguez, founder of the Security Innovation Network (SINET), says, “The time is yesterday to explore and invest in new collaboration models.” SINET unites cyber entrepreneurs, venture capitalists, government experts and academics to bring together entrepreneurs and academics who create cyber capabilities with those who can implement them. Stanford University is also a sponsor and supporter of SINET.

A number of academic institutions actively pursue advanced training and research in cybersecurity. Stanford University and Georgia Tech collaborate. The Stanford University Computer Science Department has also partnered with the Secret Service. The Secret Service and FBI have their respective public-private partnerships. The NSA hosts centers of excellence at many of our nation’s academic institutions. There are other small efforts across the country.

“Cyber Security demands a community effort–deterrence starts with collaboration,” according to Riley Repko, Air Force Senior Advisor, Cyber Operations and Transformation. Realizing that current models weren’t enough, the Air Force asked Repko to come out of the private sector to develop a means of engaging the private sector, the true domain “owners.” Tom Patterson’s October Government Computer News article “Inside the Pentagon’s Cyber War Games” describes Repko’s desire for “raising the awareness to the innovative competencies the warfighter could exploit by extending their reach into the private-sector–globally.” Why can’t we leverage resources via a ‘trusted’ and scalable mechanism that manages these capabilities? We have tested this model demonstrating considerable merit, but we need Repko’s leadership and dedicated funds with the right mix of public and private sector talent to make it come to fruition.

This impartial entity could build on the many efforts under way through government, private industry, individual and non-profit entities. It could establish a repository of global resources, identified by capability, in a private and secure environment that could instantly reach out to experts around the world who could address a particular aspect of a cyberthreat. This model would protect government and industry’s need for privacy as well as protect suppliers’ intellectual property. Security and privacy are fundamental to the success. Unlike today’s models, we could potentially find solutions in a matter of minutes, hours and days rather than months or years after the fact. How then, do we get started?

Christine Robinson is president of Christine Robinson & Associates, LLC; an enterprise architect currently on assignment to the Air Force Strategic Visual Information Mapping (SVIM) initiative; advisor to Arlington County; and advisory board member to EmeraldPlanet and its global television show. Robinson writes extensively and speaks about security to audiences worldwide.

The views expressed by our guest bloggers are their own and do not necessarily reflect the views of AFCEA International or SIGNAL Magazine.

Information Security Organization Extends International Reach

By • Dec 1st, 2010


(ISC)2 has created an application security advisory board that includes information professionals from the Asia-Pacific region, Europe and the Americas. The board will recommend ways to increase awareness of software that is not secure and help software developers understand how to introduce security directly at the software development level.

During its first meeting, the experts made recommendations about issues such as how to overcome problems the proliferation of nonsecure software causes. According to (ISC)2 officials, 80 percent of today’s cyberattacks occur at the application level.

Subject matter experts of the 14-member board specialize in the software life cycle. They include representatives from business, public and nongovernmental organizations. Among them is Andreas Fuchsberger, lecturer in information security, information security group, Royal Holloway, University of London, and security, privacy and identity standards lead, Microsoft Corporation. Anthony Lim, director, security, Asia-Pacific, Rational Software, Suntec; Dave Stender, associate chief information officer for cybersecurity and chief information security officer, U.S. Internal Revenue Service; and Bola Rotibi, research director, Creative Intellect Consulting Limited, United Kingdom, also are members of the advisory board.