Tuesday, August 11, 2009
Joe Mazzafro

Cyber Threats and Cyber “In Security”

With the President and the Congress consumed with the scope and details of national health care legislation, there has been little interest in summertime Washington for intelligence issues. The Professor Gates/Police Sergeant Crowley “beer summit” even made the vitriolic exchange between Speaker Pelosi and CIA Director Panetta seem tired. As CIA Director Panetta was recommending “moving on!” in a Sunday Washington Post Op-Ed, news was breaking that he had cancelled a program for assassinating terrorist leaders that Vice President Cheney had directed not be briefed to the Congressional leadership. Thank goodness for Congressional recesses!

Given the monotony of the CIA/Congressional soap opera, I thought this might be a good time to get to George Friedman’s book “The Next Hundred Years,” which I found provoking because the STRATFOR CEO definitely does not see the future as an extrapolation of the present. Since we cannot fast forward to the end of the century, however, it seems best to stay in the present -- at least for this month’s discussion -- where cyber continues to be the national security “special entrée” as Twitter and Facebook recover from recent distributed denial of service attacks.

Beyond Melissa Hathaway’s resignation from her White House position as the cyber security principal on the National Security Council (emphasizing the point that the Cyber Security Coordinator (aka Cyber “Czar”) remains curiously vacant for reasons “illuminated” in the July MAZZ-INT), ruminations about other events in the cyber domain continue apace. For instance, DoD established the U.S. Cyber Command with DIRNSA dual hated as the Combatant Commander (“CC”, but I still like CinC better!) of this STRATCOM Sub-Unified Command. Meanwhile the IC published NIE2009-03 “The Global Cyber Threat to the U.S. Information Infrastructure (U)”, which is the first NIE on cyber in four years. Coincidentally, in the private sector Booz Allen Hamilton (BAH), under the auspices of the Partnership for Public Service, published “Cyber In-Security,” which is a study documenting that the federal government is having trouble finding and recruiting the cyber security workforce it needs.

I get confused which was proposed first, but given how long Cyber Command has been in gestation, perhaps it is too early to expect a cyber czar to have been identified and put in place. No matter, the stand-up of U.S. Cyber Command on 01 October means that NSA’s (along with the IC and DoD by extension) dominance over cyber space will expand. In terms of DoD attacking foreign cyber infrastructure as well as protecting the “dot mil” domain from adversary cyber threats, NSA’s dominance is probably a good thing, but less so when it comes to protecting “dot gov” and very problematic for securing “dot com,” “dot org,” “dot net,” etc. I am sure it is not lost on this audience that DIRNSA serving concurrently as the Combatant Commander of CYBERCOM not only adds to NSA’s clout as a combat support agency, but also represents the deepest convergence to date of operations and intelligence. The issues associated with DIRNSA also being a CC alone are enough in my view to ensure that NSA will have little bandwidth for understanding the federal and private sector components of cyber security. Perhaps there is something for a “cyber czar” to do after all!

Being classified it is difficult to say much of substance in this setting about the Cyber Threat NIE, but having read it I can assure you that if you have been following cyber issues for the past five years nothing in this NIE will startle you at a strategic level. Significantly (at least to me) there was informed private sector input to this NIE by cleared individuals. I also learned from others familiar with this NIE that Jim Gosler from the Sandia National Laboratory is doing considerable work on understanding cyber and the threats it poses to the national information infrastructure. While NIE 2009-003 often lurches toward, if not into, “problem admiration” (i.e. describing how cyber is a really large very hard problem that is extremely dangerous) it does address who is capable of threatening the cyber security of the U.S. and how best to protect against these threats, though I thought the NIE’s recommendations here were overly generalized and a bit sophomoric.

The overriding finding of BAH’s “Cyber In-Security” report is that our federal government will be unable to combat the cyber threats it faces without a more coordinated, sustained effort to increase cyber security expertise in the federal workforce. The report goes on to cite four structural impediments to building a stronger federal cyber security cadre of expertise:

1. The pipeline of potential new talent is inadequate

2. Fragmented governance and uncoordinated leadership hinders the ability to meet federal cyber security workforce needs

3. Complicated processes and rules hamper recruiting and retention efforts

4. There is a disconnect between front-line hiring managers and government’s HR specialists

As a general proposition, this says to me that the federal government and the military are going to have to play “money ball” regarding cyber talent: recruit them through education and assured well-paying positions until they are too expensive to retain in government service, but use retention bonuses and funded retirement to try to keep at least a few from going to the “free agent” market. “Cyber In-Security” finds having a White House level Cyber Security Coordinator essential to effectively mitigating these barriers to the federal government getting the in-house cyber security talent it needs. Maybe not, though, since when you look at recent history, military education and training have provided the foundational cadre for America’s aviation and space industries and it can do the same for cyber. Broadening and deepening the nation’s cyber security talent pool is something Cyber Command will cause to happen just by existing!

Finally, there was a report by the New York Times on 02 August that a cyber attack plan to cripple the financial system of Saddam Hussein’s government as a precursor to avoiding military action against Iraq in 2003 was not “green lighted” by President Bush because of concerns about unintended collateral damage that could lead to financial chaos on a global scale. My suspicion is that the U.S. concerns about cyber security are well founded because we know the resources needed to mount an effective non-attributable cyber attack are widely available to individuals as well as nation states that are likely not to care about unintended consequences of such an action and may even relish them.

That’s what I think; what do you think?

Share Your Thoughts:

Looks like there's a Freudian Slip in this article: "DoD established the U.S. Cyber Command with DIRNSA dual hated as the Combatant Commander. . ."

Comment submitted previously; this is a correction to my e mail address.

Collin, are you suggesting Secretary Gates is Freudian? Do DIRNSA's now need to be schizophrenic?!?!? joemaz

A solid, calm, professional perspective from over there at DHS. About time.

Thanks Dave joemaz