Network Session I

Session I: Continuity of Operations for Critical Missions

JOIN THE ONGOING SOLUTIONS DIALOGUE ON THE GOOGLE GROUP SITE

Abstract

Successfully defending the Information Environment from sophisticated adversaries is a serious challenge. How do we ensure mission success when networks are down, degraded or untrusted? Partnership between the DoD and our industry allies is critical to ensure survivability for our National Security Missions in the face of sophisticated cyber threats. Industry Considerations: Increased participation in exercises (Cyber Storm III). Technology and consulting to enable mission-focused network operation. Intelligence sharing on threats, dependencies and cascade effects. Increased focus on knowing dependencies, failure modes & cascade effects.

Moderator

  • Mr. Perry Luzwick

Panel

  • Mr. Anthony Bargar, OASD/NII
  • Mr. Bill Neugent, MITRE
  • Mr. Don O'Neill, President, Center for National Software Studies
  • Prof. Russell Rochte, Joint Military Intelligence College

Threads

  • DISCUSSION TOPIC 1: NATIONAL SECURITY DEPENDENCE ON THE PRIVATE SECTOR

To what extent does DOD dependence on the Private Sector exceed Private Sector commitment?

The government with its dependence on the industrial base finds itself in the mesh of the critical infrastructure, but is the government just another sector or does it have a governance and oversight role?


Anthony Bargar comments:

Threats have shifted from random attacks and "pranks" to a more organized and focused effort, coordinated across dispersed resources, aimed at financial and political targets.

GIG Mission Assurance - Making sure the GIG "works under fire", and that data is not only accurate, but we can recover from successful attacks. We can't make everything resilient and redundant, so we have to decide on "Mission Essential Functions".

DoD IG Report - 60% of programs lack contingency plans, and of those that have one, 80% have not tested them.

Don O'Neill comments: This is all a management question.

Preparation, Opportunity, and Cleanup costs drive decisions in the private sector. We are not hearing the discussion framed in this way. Instead, we are hearing stovepiped discussions about resources not under our actual control. Industry infrastructure is comprised of an accidental system of systems, and the government is in the mesh of this system.

It is time for the government to play a supernumerary role before the system is no longer controllable or manageable.

We simply don't understand how dependent the DoD is on the private sector...so we have to guess. Real answers are not known with certainty. The protection model is not appropriate to the challenge.

We need to move beyond the combination lock to a strategy more like a chess game - with some flexibility, and move the locus of control from protection to resilience.

Critical Infrastructure holders have not coordinated recovery time objectives - no incentive to do so. How do you measure immediacy of needs, and reconcile and prioritize them?

Resiliency and recovery times need to be measured and updated at least annually.

BASE DEFINITION OF RESILIENCY: Resiliency is the ability to anticipate, avoid, withstand, minimize, and recover from the effects of adversity, whether natural or manmade, under all circumstances of use.

The full text of Don O’Neill’s comments is found at: Framing the Issue and Vision For Resiliency, Don O’Neill, Center for National Software Studies, http://members.aol.com/oneilldon2/competitor12-2.html

Bill Neugent comments:

We're naked in cyberspace...tests show a 98% success rate of bad guys penetrating our networks. Perhaps we should rethink our expectations...we are getting a 2, and they are getting a 98. Maybe this is a fight we should not expect to win...but change our way of thinking. Assume they are inside, and assure the mission instead of the system.

We need to exercise for real - tabletop or otherwise, let's stop pretending the adversary has no cyber forces. What do we really need to protect? Have we thought through requirements for mission resilience? How do we reconstitute our infrastructure? This is different thinking from that of the past.

When we fight, we would go after the networks...we would want to "own" the networks, not in an obvious way...so wouldn't they want to do that to us? How would you defend against that? A public/private partnership is the only way to defend against this threat.

We need to think longer term...we could be losing a war 20 years from now and not even know it.

Q - Characteristics of an exercise? A - Need to involve the user, and to plan for three events: Safety of flight (so to speak), Protect the exercise from adversaries so they can't exploit our training, and keep costs under control so as not to bust the budget day one. We need better playbooks, better and more realistic scenarios.

Q - Business Practices - what about protection? And how do I talk to leadership about the urgency of this problem to the laymen (non-IT or IA people) who make the decisions? A1 - Shape the discussion in terms of TCO or other business models that address cost in terms they understand (keep the technology out of the discussion). A2 - Problem is that Federal Government gets it but the private sector does not always get it.

Prof Russ Rochte comments:

Most critical aspect of Resiliency must account for personal and corporate psychological resilience...the people involved. Second, people are networks, and human-centric networks don't have firewalls. RUMINT, the media, etc. will all serve to make the fear factor worse. Third - failing to plan for and train the people can doom otherwise elegant technological solutions. All plans begin and end with the people.

Q - Is there an existing forum for engagement on this subject for the private sector? How do we make the business case - is the greatest threat the overabundance of capacity which has lulled us into complacency? A1 - Little cross-sector interaction, but rich discussion within stovepipes. People don't mind talking about their common problems, but are reluctant to stand "naked to the world". A2 - At the national level, there is some cooperation starting, but within sectors. There needs to be a framework to shape the discussion. We also need to raise awareness across constituents. A3 - We owe a lot to our adversaries, who have helped us to get better at becoming aware.

Comment - there actually is a lot of discussion and good work going on, across all 18 sectors of critical infrastructure. During Hurricane Gustav, we (for the first time) had a cross-sector group involved to inform decision makers.

Q - We used to do "red team" attacks on bases back in the SAC days (Global Shield) - do we still do that? A1 - There are some thinking-through type exercises going on, but not to the extent of the GS exercises (it is not what it needs to be). A2 - It comes down to better plans and exercises.

Q - Different forces use the network and IA in different ways - do our adversaries have the same dependencies as we do? Is there a balance of power? A1 - We haven't seen a real adversary in a full-on attack yet. We need to compartmentalize our capabilities in order to build resiliency. A2 - WalMart and eBay...we are about the most IT dependent country in the world. There are a lot of places that are becoming more IT dependent. A3 - Assumption is that we proceed in a lawful manner, but our adversaries may (probably won't) play by the same rules. What if VISA couldn't process transactions on Black Friday? What will our response be? A4 - Resiliency as a means of deterrence...we can take a hit and then come back and counter-attack. Concern is attribution and whether we can respond kinetically to a cyber attack.

Q - What is the best deterrence? A1 - Cross-sector collaboration in event of attack, can we leverage the other elements of national power...because we share the common infrastructure. A2 - Lots of work being done at the national level to solve this problem...and by nature this is not something we want to talk about publicly.

Q - OK, so the adversary is in the network...what are we doing, and how do we act - differently, or the same? A1 - We need to shake the foundation of our processes on this. We can't keep them out, so we need to position ourselves to fight them in our space. We need to look at investing in fallback capabilities - this all costs money. We have to get past these notions that cyber will be done cheaply. Requirements need to address resiliency - including unit readiness. A2 - Increased intel sharing and fusion are part of the strategy.

Q - Is there a training initiative in this space? How do we train people? A1 - NMIC is exploring an educational program, but training is not my AOR (Rochte) so I prefer not to comment on that. A2 - Work is being done on an IO/IA cyber range - to practice and test as part of training and exercises.

Q - Resiliency vs redundancy...what is the difference and is there a debate? A1 - Redundancy is backup to a system. Resiliency is more the system of systems approach, to offset propagating and crosscut effects. Hard to backup a system of systems. A2 - We need to ask, "what do we want to happen..." in order to decide how to prepare. A3 - Resiliency is not just technology - it is people, processes, doctrine, DOTMLPF, all of that in order to review risk management models, etc., in order to protect what is key. A4 - Which functions do I preserve? That is the very basic question we need to answer. We need to retain those folks who have the skills necessary in a non-cyber environment...break out the slide rules... A5 - Preserving trust aspects...opening the doors tomorrow is important, and might be the key driver for decisions.

Q - Intel support to IO and resiliency - how do we quantify or profile the adversary like we do kinetic threats...is there something we can do to answer a Commander's PIRs and IRs. A1 - Everyone is naked in cyberspace...so there is a lot of collecting we can do. A2 - Alerts based on traffic, etc. that can key assets.

Q - JTF maneuver environment - network opns - info flowing - how do we compartmentalize to our advantage? A1 - Mr. Lentz' strategy is to understand the local requirements at the tactical level in order to come up with solutions that allow the sharing of info.

Q - Are there investments in the operational world that can speed restoration of combat power in this space? Is there an "idiot light" for knowing when to fix/invest/etc? A1 - It would be good to have a way to do that - to understand what and when to do something based on a pre-planned protocol. It is likely not money-related...more so capability related. Maybe we need some sort of SWAT team for situations like this. A2 - The military does a good job of measuring, so there must likely be a way to apply that mindset.




  • DISCUSSION TOPIC 2: AWARENESS READINESS OF THE PRIVATE SECTOR

To what extent does DOD possess an awareness of Private Sector readiness?


  • DISCUSSION TOPIC 3: DEPLOYING RESILIENCY IN THE CRITICAL INFRASTRUCTURE

What is the plan to deploy resiliency in the critical infrastructure?


  • DISCUSSION TOPIC 4: PUBLIC POLICY INNOVATION AS AN INSTRUMENT OF DEPLOYMENT

To what extent can public policy measures serve as an instrument of deployment?


  • DISCUSSION TOPIC 5: ACTION: PREPARATION, OPERATIONS, AND RECONSTITUTION

Specifically, what actions are needed in preparation, operations, and reconstitution?

