The official blog of AFCEA International and SIGNAL Magazine
       

Cybersecurity Requires Your Input

By Maryann Lawlor • Dec 3rd, 2009 • Category: Cyberspace, Event Coverage

The second and final day of AFCEA’s SOLUTIONS Series event focusing on cyberspace demonstrated that the military and government are still perplexed by this new domain. In speeches and panel sessions, most agreed on the problems but few agreed on the solutions. In fact, many of the proposed solutions were diametrically opposed.

Rear Adm. Michael A. Brown, USN, deputy assistant secretary for cybersecurity and communications and NCS manager, DHS, described many of the activities that are now taking place to leverage DOD capabilities to protect systems used for the economy and information sharing. On the other hand, most attendees agreed that efforts such as these are too little too late, and progress on most activities of this kind is extremely slow. In the meantime, the dangers increase, and the U.S. is even less prepared to defend against cyberattacks.

Partnering with industry was a hot topic as part of the solution to cyberspace threats for many of the experts. However, even they agreed that open unfettered information sharing on cyberspace topics with the commercial sector is difficult at best because of the very nature of the information: highly classified.

Some of the experts proposed that additional policies for securing cyberspace were the solution to current issues. However, others who have been in the information technology profession for some time said that the time for policies is over. Stacks and stacks of policies already exist–and are ignored. The issue is more one of enforcing current policies or scrapping policies altogether and boiling information down to classified or unclassified. The former would require a specific policy and stiff penalties for violations; the latter would be widely available.

While some panelists and speakers claimed that the root of the cybersecurity problem is the existence of too many networks, others pointed out that having a single network makes the U.S. even more vulnerable to devastating attacks. In addition, while some attendees and presenters put out a call to arms for speeding up cybersecurity solutions and processes, others preferred a more incremental approach to these issues to ensure the steps being taken now are appropriate and can be built upon in the future.

And while a lively discussion took place about the need for a “cyber czar” who has total awareness of the issues and ensures that cybersecurity is a priority, has adequate resources and is done properly, the idea of a single person as the head of a newly created department did not sit well with many of the attendees.

Training was another bone of contention. Everyone agreed that there is a need for additional training and that the training that now goes on needs to be monitored and not just “a check in the box.” However, at the same time, most admitted that first government agencies must determine the priority of information that needs to be taught during training, and at this point these priorities vary greatly from agency to agency and service to service.

There was no shortage of opinions expressed during the discussions, and perhaps that in and of itself speaks volumes about the state of cybersecurity today. The positive aspect of the discussions that took place is that it opened the dialogue about a critical problem; the negative part may be that everyone has different views on the same problems, which makes attaining a single solution—or even a group of agreed-upon solutions—nearly impossible.

What’s your solution to addressing the threats the U.S. and all nations face in cyberspace? Should there be a cybersecurity czar? Should the number of networks be decreased, for example, by making the DOD’s network separate from all others and the Internet? What should be the training priorities for the services and government agencies? Are new policies needed? How should they be enforced and what should be the penalty for breaking them? Tell us. Tell the experts by contributing to the SOLUTIONS Series wiki or commenting on this article. Event attendees, take this opportunity to say what you didn’t or couldn’t say during the conference. And those who were not able to attend the conference, add your two cents. Now is the time because the one thing that everyone at the conference agreed about is that later may be too late.

Mid-Day Speakers Outline Priorities

By Maryann Lawlor • Dec 2nd, 2009 • Category: Cyberspace, Event Coverage

Two leaders in the intelligence realm shared their main concerns about security and cyberspace with a packed auditorium at AFCEA’s SOLUTIONS Series “Cyberspace at the Cross Roads: The Intersection of Cyber, National and Economic Security.” Rosemary Wenchel shared some of the ways cyberspace has changed the world, and Dawn Meyerriecks explained the solutions the government will be looking for in the future.

Wenchel, director of information operations and strategic studies, Office of the Undersecretary of Defense (Intelligence), pointed out that the Internet and cyberspace have actually caused many to ask, “Where did the earth go?” Current laws and policies are based on geography and may not even be relevant to many aspects of cyberspace and cybersecurity, Wenchel said.

Not only does cyberspace break the mold on what nations have considered sacred boundaries, but it also is a multiple-layered environment that defies the policies, laws and activities people of all nations had come to accept, she added. This leads to confusion about how threats can be dealt with today. In the past, events between nations were linear: peace, crisis, war. The multidimensional aspects of cyberspace mean that these three can go on simultaneously, and while this state is confusing, it also offers opportunities for collaboration, conflict and competition, Wenchel stated.

Meyerriecks, deputy director of national intelligence for acquisition and technology, ODNI, announced that fiscal year 2012 is likely to bring a substantial investment in research and development at the Office of Science and Technology Policy level.

A year ago, the ODNI sponsored a workshop with the NSA to determine what solutions need to be developed to change the game in the cyber domain, she revealed. One reality that must be taken into consideration when creating cybersecurity solutions is that not all information is created equal. As a result, technologies must be developed that can protect general information but then be ramped up to protect sensitive material.

Meyerriecks also said that workshop participants determined that members of the IC are likely to deploy systems that are much more diverse than they have in the past. In addition, a scientific framework must be developed that provides economic incentives to those who put effort into securing their cyber domain.

Workshop participants decided that it is time to treat cyber security as health and safety issues have been addressed in the past. Just as there are public health policies and capabilities, so too should the public be made aware of cyberthreats, and these threats from all sectors should be reported to one organization so they can be tracked, much like outbreaks of a flu virus are tracked today. “We need a CDC for cyber,” Meyerriecks proposed.

Other areas that are likely to receive a lot of attention in the future, including in the FY2012 budget, will be developing technical means to improve analytics and risk management, increase our understanding of data in cyberspace and establish shared data sets as a basis for collaboration. “We are way underserved by our analytics. We don’t use the information we have,” she said.

Discussions Put Cybersecurity on Track

By Maryann Lawlor • Dec 2nd, 2009 • Category: Cyberspace, Event Coverage

Like previous AFCEA SOLUTIONS Series events, the one focusing on cyberspace features three concurrent track sessions, each addressing specific aspects of the conference topic. Panelists participating in Track 1 sessions at “Cyberspace at the Cross Roads: The Intersection of Cyber, National and Economic Security” are discussing the foundational issues in cybersecurity. Track 2 panelists are exploring current initiatives that are addressing the cyber threat. Experts leading dialogue in Track 3 sessions are examining long-term plans for cybersecurity.

At one of this morning’s Track 1 sessions, Capt. Joe Grace, USNR, led a lively discussion about how to keep up with emerging threats. One topic that all panelists agreed is growing in importance is the increased use of wireless devices. NSA Information Assurance Director Richard Schaffer pointed out that everyone wants to use these devices so wireless mobility and tracking have become points of great interest. To address this issue, this summer the NSA kicked off the Mobility Challenge. Working with industry, the agency is exploring how to take wireless technologies right out of the box and use them in a secure environment.

Capt. Grace posed the question to the panelists and audience: How do you educate people in the government about the wireless world? From the Office of the Undersecretary of Defense (Intelligence), Senior Policy Analyst David Hollis pointed out that educating government personnel about anything that has to do with the cyberworld is difficult. “We are living in an information world with industrial age processes. By the time we write the policy, it’s obsolete. Generally, we force people to use one product and they want to use other products as well,” Hollis shared. To solve at least part of this issue, Hollis participated in a Tiger Team that—in six months—came up with 10 products that were made available through the GSA Schedule.

Schaffer described another way to address the threats that new technologies are creating. He said that security must be able to be handled through machines rather than humans. To that end, the Security Content Automation Protocol, or SCAP, standard is THE game-changing technology of this decade, he said.

While all of the panelists and many of the audience members agreed that creating and enforcing standards is one way to deal with the threats emerging capabilities pose, they also admitted that there will be friction between the military services to deploy those standards.

Track 2 afternoon panelists discussed the long-term cyber roadmap. The consensus appeared to be that a roadmap doesn’t yet exist but a lot of questions do. Among the top issues that still need to be resolved is which organization will be responsible for what aspects of cybersecurity in the future. First, the international nature of the Internet means that one country cannot police all of cyberspace. In addition, because cyberattacks can take place against nations, should the military be involved and what would be the equivalent of a shot over the bow in the cyber domain? Because cybermarauders can emerge from within a country, what is the role of organizations such as DHS?

But members of the Track 2 panel came up with more than just questions. They also reached some consensus about answers. All agreed with Sherri Ramsay, the morning speaker, that there needs to be a better way to gain situational awareness in the cyber domain. They also agreed with the morning’s Panel 1 members that educating users is critical and that automated security systems offer some of the best approaches at this point.

A Call to Cyber Arms

By Maryann Lawlor • Dec 2nd, 2009 • Category: Cyberspace, Event Coverage

Sherri Ramsay, director of the NSA’s Central Security Service Threat Operations Center, opened AFCEA’s SOLUTIONS Series today by admitting that the intersection of cyber, national and economic security has changed the way her organization interacts with industry. Citing statistics that cybercrime has cost individuals more than $2 billion, Ramsay called for shared network situational awareness across the U.S. government, industry and individuals. This holistic approach must include information about who owns, operates and defends the networks, she said.

“Cyberspace at the Cross Roads: The Intersection of Cyber, National and Economic Security,” is the third in this year’s SOLUTIONS series of forums and is taking place December 2-3 at the National Conference Center. The event features presentations by military and government leaders as well as three tracks of panel sessions that are designed to prompt discussions among attendees.

Despite the need for a holistic approach to cybersecurity, Ramsay acknowledged that determining how to do it poses many challenges. She related that while discussing cyber defense with her counterparts in New Zealand, she described the change in tactics as the difference between playing football and playing soccer. While the former involves offensive and defensive teams taking the field separately, the latter calls on offensive players to go on the defense as soon as possession of the ball changes sides. The New Zealanders agreed that a change has taken place but said that cyber defense today more resembles rugby.

Ramsay called on government, industry and individuals to be more proactive in their part of cybersecurity. To this end, the NSA now uses the term “Team Cyber” every day to describe how it is enacting cyber defenses. Members of the team include the government, industry and academia to such an extent that the NSA has actually brought antivirus vendors into the same room with government network defenders to observe networks under attack. The vendors were then given the information and signatures they would need to improve the next version of their products.

Everyone responsible for cybersecurity must be able to communicate at cyber speed, Ramsay emphasized. “If we don’t reach that status today, we’ll only be able to do damage assessment,” she stated.

Ramsay shared a number of ways industry can help in the fight against cyberterrorism. Among them are creating visualization tools that can handle huge amounts of data, analysis products that can predict an adversary’s next move and collaborative tools that provide secure ways to share information. She also called for better cross-domain solutions, highly searchable data storage capabilities, standards and increased training.

To Improve Acquisition, Government and Industry Must Strike a Balance

By Maryann Lawlor • Sep 10th, 2009 • Category: Acquisition, Event Coverage

Whether it’s needs versus wants, open conversations versus regulations to protect intellectual property or oversight versus open development, agencies and the commercial sector must find the happy medium for acquisition processes to be truly reformed. These were the tough issues experts discussed at AFCEA International’s SOLUTIONS Series event today. The conference, which took place at the National Conference Center, Lansdowne, Virginia, as well as via the SOLUTIONS Web site, began with a presentation by John W. Nyce of the U.S. Department of the Interior and ended with a town hall meeting where attendees posed their questions and made their points to Maj. Gen. (Sel.) George J. Allen, USMC, director C4 and CIO of the U.S. Marine Corps; Frank Anderson of the Defense Acquisition University; and Tony Montemarano, DISA’s component acquisition executive. In between, experts on three panels presented their viewpoints on training, requirements and lessons learned.

While some speakers and panelists said they believe the acquisition system could be improved but is generally solid, others pointed out where total reform is needed. Some of the key points shared:

• “We are 20th century managers managing a 21st century work force,” Montemarano said.

• Need to bring the younger generation—the “G Generation,” which stands for Google Generation—to these types of discussions and conferences.

• Top three issues identified by the Town Hall panelists:
Anderson:
*Technology in the work place is moving faster than the acquisition processes that are in place.
*Aging work force.
*Reviewing curriculum to ensure proper training.

Montemarano:
*Processes intended to be flexible; work force culture NOT flexible.
*Acquisition processes need to be embraced NOT avoided.
*DISA move to Fort Meade and agency is losing talent daily.

Gen. Allen:
*Technology is moving faster than we can acquire it.
*Network security needs to be built in upfront.
*“Green” IT.

• The IT procurement paradigm is shifting at least in part because of a shift to cloud computing by DOD. Both the government and industry are driving this change.

• Benefits of cloud computing include cost effectiveness, quickness, increased flexibility and “green.” Challenges include security, vendor management and pricing.

• To move to cloud computing, a team that understands the requirements must be formed; a governance model must be in place; and employee training must improve.

• “I’m not telling you that I have the answers. I don’t think anyone does,” Nyce said about cloud computing challenges.

• “We have not made any kind of strides in putting our acquisition [processes] in electronic form,” Nyce stated.

• The cornerstone to describing requirements well is communications between the government and industry.

• There is a lack of willingness on the part of government agencies to talk to industry. The RFI process is NOT a good way to understand the available solutions.

• Many times, government agencies talk about what they want rather than what they need.

• One-on-one meetings with contractors are better than large forums like Industry Days, BUT government procurement personnel must be sure to share the exact same information with each company.

• Must be communications among the user, contract officer and procurement office. Bring the user in earlier in the procurement process.

• “As a contractor, I am disappointed with the government’s commitment to using small businesses,” Anthony Jimenez said during one of the panel sessions.

• Solutions exist to solve current problems, but they cannot be identified quickly.

• Recommendations: improve communications between government organizations; improve acquisition planning; define requirements better to increase the success rate; and trust the contractors’ judgment.

• The challenge in setting requirements for IT is the balance between just enough definition and not too much definition.

• Oversight of IT projects must be different than it is for other platforms.

• Training at the Defense Acquisition University needs to include courses in purchasing IT, which is different than purchasing platforms.

• Need to have the right people in place, and it’s not just about training—it’s also about experience.

• Need to move away from proprietary solutions.

• Need simpler, smaller, net-enabled solutions, but policy is not flexible enough.

• Opinions vary on the acceptability of teleworking.

Conference Highlights Acquisition Dilemmas

By Maryann Lawlor • Sep 9th, 2009 • Category: Acquisition, Event Coverage

Acquisitions experts from the government and private sectors agree that the procurement system is broken, but they do not necessarily agree about how to fix it. Meeting at AFCEA International’s SOLUTIONS Series conference today, they reached a consensus on contributing factors to the problem. Long acquisition cycles strip the effectiveness of many of the IT systems that are being purchased by the time they hit the field. Time and cost estimates are not realistic from the beginning of the purchasing process. Leadership to bring about true change is lacking. These were just some of the topics brought up during today’s discussion, a discussion that will continue tomorrow on the second day of “IT Acquisition: Shifting to a Modern Paradigm,” taking place at the National Conference Center as well as broadcast via the Web.

Many attendees were interested in a quick way to share some of the highlights of the speeches and panels with their bosses. Among the ideas and information shared during the conference:

•“Shouldn’t we look for leaders who can clear up the complexity? Can we make this any harder?” Sue Payton said.

•The U.S. Army is changing its acquisition strategy to procuring services.

•The Army’s Program Executive Office (PEO), Enterprise Information Systems, is changing the title of deputy PEOs to portfolio information managers.

•The Army’s acquisition IT enterprise will be evaluated and changed in manageable chunks, each with its own schedule, budget and set of requirements. Now, the need exists to work on the seams as well.

•The U.S. Marine Corps needs: energy alternatives for the tactical environment; products that will lighten the load Marines must carry; and forward logistics support ideas.

•Realistic and knowledge-based estimates of time and cost must be at the beginning of the procurement process. Cost estimates are provided with a 50 percent level of confidence; this should be 80 percent.

•The acquisition work force must be trained better and expanded.

•Acquisition requirements must be reformed in terms of margin and realism; the military must accept that programs may go wrong yet take risks.

•Government needs to be more involved with industry. Acquisition rules MUST be modified so that government organizations can have discussions directly with companies.

•Industry needs to help agencies understand their innovations and ideas by describing them in a way that procurement officers can UNDERSTAND what they offer.

•Every service needs cybersecurity built in upfront, not as an add-on.

•Some said warfighters are using all the commercial technology they can get their hands on because official procurement takes too long; others disagreed, saying there is discipline in the services, and warfighters follow the rules when using communications systems.

•Cloud computing is the future for the DOD.

•Standards are good but also can stifle innovation.

•Process for certification and accreditation for commercial products is necessary but takes too long.

•Some said that warfighters’ needs MUST be considered when developing IT systems; others said that warfighters can’t be asked to define requirements because they don’t know about available technologies. For example, how do warfighters ask for iPhone capabilities if they don’t know what those capabilities are?

•“How do you purchase an iPhone in an eight-track acquisition world?” Joe Grace asked. One answer is ID/IQ contracts.

•One problem is the way contracts are designed. For example, contractors are paid to provide help desks, but the goal is to purchase systems that won’t require users to call for help all the time. How can this approach be reversed?

•Commercial companies such as Marriott International face the same types of IT procurement issues. To address them, the company has a strategy to grow, but grow sensibly. The company used to “build to last,” but now “builds to change,” Laura Bouvier said.

What do YOU think is the biggest problem with the government acquisition system? How do YOU think it can be fixed?
