SOLUTIONS: Cyberspace Plenary and Town Hall Notes
SOLUTIONS: Cyberspace Town Hall and Plenary Session Notes
The Honorable Michael Chertoff, Secretary of Homeland Security
0800 - Welcome remarks by Mimi Browning
Welcome remarks by Kat Hollis
Solutions Series focus on dialogue rather than presentations; mentioned AFCEA Wiki and Google Docs; invited people to get involved. This is a PPT-free zone.
Remarks by Kent Schneider
Remarks by Secretary Chertoff
Cyber security is not exclusively a Federal or private responsibility.
Efforts have been made, some known, some not known, to attack the US.
Comprehensive National Cyber Initiative (CNCI) is another example of the efforts of this administration to protect this country.
There was a cyber attack by “sympathizers” of the Russian government against Georgia prior to the invasion – a harbinger of things to come.
CNCI is an effort to integrate all tools of national power to protect our cyber infrastructure.
DHS has the responsibility under CNCI to coordinate all cyber security efforts across 18 principal sectors of the US economy, and three main needs exist:
--Need to establish front lines of defense – need to get our own house in order
--Civilian domains have had thousands of internet connections – need to reduce the number to a trusted few
--Need to have a “watch office” that monitors and coordinates
--Need to coordinate across military and civilian domains
--Improve intrusion detection systems – Einstein II is a real-time system, being deployed now
--Einstein III will warn and actually block attacks
--Need to protect the supply chain against embedded attacks
--Need to defend against the full spectrum of effects
--Need to help companies and organizations to protect their networks and data without mandating participation – that would cause a major backlash against the initiative
--Need to shape future environment through education and generation of “leap ahead” technologies
Questions – paraphrased:
Q: What do you think of the new idea that the President have a Cyber Security team reporting to him? A: Two issues – do you want to get the OOP involved in operational issues, there is legal risk and oversight risk, and two, let’s not create a “Rube Goldberg” organization…go slow and perhaps enhance the involvement of the White House, but not change everything at once.
Q: Posner’s book about surprise attacks – he mentions that the attacks are usually against the hardest problems, and we tend to try and solve the easier ones first. How do we know as citizens that the $$ is going to the hard problems? A: We do have classified intelligence budgets – that is outside my scope. What makes this initiative different is that the past reports accepted that there was a difference between the civil and military domains, and this approach is a “bridge” approach to the problem…a partnership with the private sector and the government working together.
Q: Policing issues – is there a legislative piece to the strategy…and what would you suggest to the new administration in this space? A: Many attacks and criminal cases originate overseas – the UN Cyber Crime Convention…we have tried to get countries to sign up to it. We had cases when I was in the DOJ that got solved by working with other countries, but when you have tacit or open support of this activity by a country, then it is a national security problem
Q: The opt-out question…the internet is an interdependent ecosystem, and what happens when a firm opts out? A: Issue similar to Y2K – the principle was that if a company did not take care of its Y2K problems it was liable…this might be similar. The internet is a very individualistic medium, and therefore we need to attract rather than mandate. We can be an enabler but not necessarily have to be “sitting on” your system to help you. Need a performance-based system.
Q: Nation-states not agreeing to certain initiatives, is there an ultimatum approach? A: When is a Cyber Attack an act of war? That will be an interesting question for lawyers…I don’t want to theorize, but we do need to have a doctrine about when a threat becomes a national security problem…encouraging or condoning an attack, or when a country is incapable of preventing an attack perhaps. Need more discussion.
Q: Likely Russian attack on DoD – can you talk about that? (Fox News) A: We have seen increasing pace and consequences of attacks, without attribution, and we have seen people sympathetic to other governments involved.
Q: CSIS suggestion about NSC and the HS council…integrate? A: That is up to the next administration – and the setup and ranking of people is up to them and I owe it to the transition team to let them decide. HS advisor role will be up to the next administration. Ultimately all serve the needs of the President.
End of session 0852
Scott Winn
The Honorable Gordon England, Deputy Secretary of Defense
1000 – Deputy Secretary of Defense England
Introduction by Dale Meyerrose
Pres Bush remarks yesterday at West Point – cooperation between private and public sectors in Cyberspace is critical
America and her allies must have secure and unconstrained access and action in Cyberspace – with increased use of cyber domain, comes increased abilities as well as vulnerabilities
Evolution of cybercrime to cyberwarfare increases the danger, and over 120 countries have developed the ability to use the internet as a weapon against national and commercial interests.
I am less concerned about what others are doing than I am about what we are not doing…need a better trained and educated workforce.
Number of scientists and engineers in decline, and this poses the greatest long term threat.
More honors-level students enrolled in math and computer science than we have students in those disciplines.
CNCI IDs education and training as critical areas of focus.
I am hoping there is a silver lining in the current financial crisis – financial markets enable wealth, but a home is a real asset. When the value of an asset decreases, the financials built on the asset decrease in value. Hopefully, our people will be more focused on initiatives that create real assets – real value, rather than paper wealth.
If we don’t shift back to creating real assets, we will lose in various domains, and we will lose by the sheer weight of numbers.
Cyber attacks not going away, so we need to change our thinking and planning, like gunpowder changed warfare. We are at the early stages of this planning and thinking.
Every morning, a remarkable thing happens in America – we wake up free, and not by accident or chance, because for 230 years people have stepped forward to protect that freedom. God bless all who have served and who serve.
Questions (paraphrased):
Q: Secty Chertoff mentioned other countries’ policies, and their effectiveness in defending their networks – China stated any attempt to damage their network is an act of war – are we limiting ourselves and our abilities to defend? A: We live in a free and open society. It would be difficult to get any restrictions on the net, so we need to rely on technical ability to defend. We are a technology-based economy, yet 1/3 of American high school students don’t graduate. This is a fundamental issue for the country. I don’t see our policies following the course of China.
Q: PME in the DoD has been reluctant to embrace cyber – why? What about leadership education? A: We put more money in the budget for increasing the size of schools, and directed the schools to fill seats. We need to have more emphasis – assuming at NDU, and we need to meet.
Q: NMCI – security and owning an asset. The Navy is thinking about owning a network again. What is the difference in owning and renting? A: Underlying question…department lost a lot of technical abilities in the 90’s, and that is hard to build back up. Easy to destroy, hard to rebuild. We destroyed value in the 90’s. The first question is what can you do – do we have the basic talent to do this? Even if outsourced, how do we manage it?
Q: Local internet in Iraq & Afghanistan…how secure are the networks? A: Systems work, and we need them. Like all systems, they are vulnerable. Need to make them as robust as possible, and improve them every day.
Q: Too many problems, can’t solve all of them, paradigm breaks. Is there a paradigm breaking in IT security? Has there been a look at the subject to understand the situation? Can you accelerate development and evaluation if this is the case? A: DoD does not drive technology – so if there are to be new approaches, then they need to come from the commercial sector. DoD can fund research, but at the end of the day, the source is not in government.
Q: You illustrated the gap in education – at what point does the Dept of Ed get involved? A: I don’t think the Dept of Ed is the solution – school districts are local. There are programs, but this is a local problem. People need to take an interest in their local systems.
Session End 1035
Scott Winn
Mr. Mark J. Gerencser, Senior Vice President, Booz Allen Hamilton
Mark Gerencser (BAH)
Football and soccer as a metaphor for the cyber world: we are football, the threat is soccer. Football is linear, offense/defense separate, etc., and soccer is one unit which changes to match the situation. Spectators are being pulled into the game (untrained, no practice – a metaphor for the commercial sector) which is forcing us to work together.
SecDef recently integrated two organizations in decision making that enables them to actually coordinate and work together. We need to have a new legal policy, and a new willingness to share and help across entities which have not cooperated before. We need to find a new approach.
Yesterday’s football game is today’s soccer game – so we can’t reorganize every time the game changes.
BAH chartered an Economist study, and 77% of over 250 executives who responded said they had been attacked, and only 2% of US government said they have not seen an attack. We can’t wait for a “Cyber Pearl Harbor” to happen to get in the game. We need a mega-community to address this problem. Ideas and resources are shared between constituents, and the value of the network increases geometrically with the number of users (Metcalfe’s Law). This mega-community would be defined by the members and the problem addressed…so the larger view the community gives us is the key to solving the problem.
Game is always changing – cost of not addressing the problem is huge and growing. We need a new team and a new mindset.
Ms. Melissa Hathaway, Senior Advisor and Cyber Coordination Executive, ODNI
Does anyone have any notes to input to Ms. Hathaway's talk?
LTG Keith B. Alexander, USA, Director, National Security Agency, Chief, Central Security Service
LG Alexander – DIRNSA/CSS
Rowlett/Friedman – founders of NSA
Rowlett’s role in breaking Japanese code – he believed it could be done
Balance of power in the battles of the Atlantic ebbed and flowed with the ability to break codes (Enigma)
Problem set – how do you maintain the secrets necessary (like Enigma) while assuring the people that we are doing our job?
Best information comes from having the attackers and defenders working together
All the pieces of the DoD cyber warfare capability coming together as a team
At least 6 major intrusions at World Bank originating in China
Massive credit card fraud, from hijacking of more than 40 million credit card numbers
Record number of data breaches – 70 million records compromised
Passenger transit system in Poland using modified TV remote control, 4 cars derailed – done by a 14 year old
AZ Roosevelt Dam, 12 year old hacker, had complete control of the SCADA system
Chinese military: “an adversary wanting to destroy the US only has to disrupt the financial system”
Estonia – hit by cyber attack in April 2007, started over a Soviet-era statue being moved, coordinated with rioting by Russian minority – chaos
Need to have one real-time picture
Need to partner with industry
Need to share malware signatures in classified and unclassified ways – how can we post their signatures while still protecting our networks
Internet not built with security layer – we will have to build a new network that includes security, in a partnership with industry
Need to ensure encryption is unbreakable
Need to exploit information while working with people who want to protect it
Q: Are you considering a relationship with NorthCom/DHS? A: Yes – need to share TTPs and help others to have a high level of assurance.
Q: How is the DoD going to work with industry? A: Need to allow us to protect information and follow a framework – the real key for industry is to have a framework in place that allows this.
Q: CSIS report says the government needs to take advantage of the market for development of technology, but the right things have not been built – isn’t this a catch-22? A: The internet was not built in a secure way – we need to build a secure network in a partnership with industry – and ask what do we need to get better at? How can we adapt?
Q: Can you comment on Open Source? A: Open Source – I am a proponent of Open Source – Google has done wonderful things, Hadoop, etc. We don’t want to put the crypto out there, but OS allows us to get young people from the colleges to develop amazing software, and we can then secure it.
Q: Talk about the lack of educated people in this country as compared with our adversaries? A: We have over 100 colleges partnering with us to bring people into the IA programs – this is a move in the right direction. We need to do more of this. We need a program that begins in the 4th grade – that is how early it has to start.
Q: Would like to hear your perspectives on securing the supply chain. A: Perhaps “trusted devices” and/or “logic trails” that allow us to validate information and the systems that we use. We need to come up with a mechanism that allows us to combine the two.
Summary – we can’t do this by ourselves. We need help from industry.
Services Town Hall Session
- BrigGen George J. Allen, USMC
- Capt. Marshall B. Lytle, USCG
- Maj Gen David Senty, USAF
- BG Steve Smith, USAR
- VADM H. Denby Starling, II, USN
Panel discussion: Joe Grace, BG Smith, MajGen Senty, Capt Lytle, VADM Starling
Starling: The Navy has a combined-arms approach, with the attackers and defenders working together, and operating an enterprise network allows us to see across the entire spectrum and find the threat. We need to allow StratCom to have a view across the entire network.
Smith: This is the most interesting job I have ever had. There is no adversary who would want to go against us head to head conventionally…this new warfare is disconcerting because the enemy is already in the wire. LG Sorensen has 20 years of acquisition experience, and the Army’s focus is on partnering with industry. We are taking a hard look at how we can change the way we approve products, including forming the 7th Signal Command, and moving all the DOIMs under Jennifer Skaman (sp?) so we can work more effectively.
Allen: Products to the troops – particularly forward. We deploy teams to do the work forward, in coordination with JTF/GNO. We use internet schools to train them to industry standards.
Senty: Shifting our mindset is critical – to be more responsive and making the network an operational issue, not a command issue.
Lytle: dotmil, dotgov – we need to partner as it is, since we work in both worlds. We rely heavily on standards, we have one network, one image, one active directory, so it is simpler for us to manage relationships and interconnections.
Starling: Nothing lends itself better to joint warfare than networks – but the other aspect is a degree of central control we desire that is difficult to maintain…our networks are owned by multiple organizations which are hard to coordinate.
All tend to agree that cyber is an area for the “6” to work, but the commander has to get on top of it and understand it.
Is this the time for a new “cyber force”?
Allen: We need to work together and we will be the cyber force.
Starling: The idea is that every warrior will have to understand the cyber environment – I don’t think we will have a cyber force, we just need a more “3” focused cyber force than the “6” focused force we have now.
Smith: Reservists are a critical piece of this puzzle.
Lytle: Needs to be a skill set…3 and 2 are heavily involved, 6 is a capability provider.
Audience – VADM Brown (J6): The 6 is a warfighter, not just a techie…we may need to flip our number to 9…the 6 is the real operator and needs to be on an equal footing with the 3 in support of the Commander.
Joint Staff Town Hall
- VADM Nancy Brown, USN
- LtGen John Paxton, Jr., USMC
- VADM James Winnefeld, USN
SOLUTIONS Series Town Hall
- VADM Nancy Brown, USN
- The Honorable John Grimes
- Mr. Bob Lentz
- Mr. David M. Wennergren
