President's Commentary: Enough Procrastination Over Cybersecurity

December 1, 2014
By Lt. Gen. Robert M. Shea, USMC (Ret.)

Government officials, academia, business leaders, policy wonks and security experts have been mulling over how to implement an effective cybersecurity strategy for years. Being in a domain that is incredibly dynamic, loosely defined and operating in a constantly shifting environment does not mean that the quest for a solution must be interminable. The adoption of thoughtful, well-crafted cybersecurity policy must quickly move from theory to practice—now. And, this move must be holistic.

The first and most significant obstacle to establishing this holistic approach is to develop and foster a culture that understands the concepts, issues and dangers inherent in failing to appropriately address the cyberthreat. This culture encompasses an understanding of the trade-offs between mission success—whether military, government or commercial—the value of investments in cybersecurity and the full value of the loss of intellectual capital to cyber events, as well as appropriately establishing and managing acceptable levels of risk. A properly inculcated culture drives all other cyber-related efforts. Until cyber is viewed, integrated and understood in the same regard as the air, maritime, space and land domains, it will fall short of achieving the emphasis it requires. Cyber and cyber-related activities exponentially raise the level of value and effectiveness of capabilities operating in the other domains.

Second, the major parties involved—the Defense Department, the Department of Homeland Security, civilian federal government, the intelligence community, industry and academia, for example—must accelerate the integration of their cybersecurity capabilities, understanding and knowledge. They need to establish an integrated approach to cybersecurity based on their collective best practices. For too long, these entities have pursued separate agendas without effectively melding together their total combined expertise. Their walls of mistrust must be eliminated. While various efforts have been made to share lessons learned, each respective group still tends to focus on its own needs and capabilities. There is a continued need for greater emphasis on a consolidated approach whereby the combined intellect and thought leadership can be integrated and united inside government and extended to the commercial sector and academia. While important, too much credit is attached to the steps that have been taken thus far.

Third, education is a key element to foster the appropriate culture. We must do a better job of educating and developing leadership across the defense government, industry, academia and the public at large to the full nature of the cyberthreat we are facing. Efforts such as the Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Program are confronting this issue, but its scope and focus are addressing too small of an audience to maximize its value. We need to expand the number of commercial and nongovernmental organizations that are brought into the cybersecurity process as well as the quality and quantity of information that is shared across these diverse elements. The reward of expanding the sharing of information outweighs the risk if properly managed. If leaders across industry, government and academia are not sufficiently educated about the threat, then they are not likely to expend the effort and the resources that are needed to meet the challenge. We need to double down on educating our senior leaders and decision makers across all domains about the cyberthreat we face.

Risk management is at the heart of any cybersecurity strategy. There is no silver bullet looming to prevent or defend against cyber attacks, so we must be able to manage the risk. An effective risk management strategy must focus on the critical mission needs of an organization and the ability to protect that mission against interruption. A definition of risk management, highlighted in 2010’s National Research Council study titled “Information Assurance for Network-Centric Naval Forces,” is that “Risk is measured by the consequences of things that go wrong and the corresponding likelihoods of occurrence. When consequences can be extreme, the likelihood of occurrence needs to be virtually eliminated. A rigorous mission risk analysis of information assurance issues is likely to lead to a better understood and more rational set of investment and system design priorities.” The more critical the mission, the closer to zero that likelihood of occurrence must be driven.

The critical and key mission architecture, rather than enterprise architecture, should be the focus for cybersecurity efforts. The network, its systems and its applications must be managed through a strong configuration management/configuration control process. Aircraft configuration changes and upgrades are managed through a structured block upgrade process. Ships adhere to a similar level of process and discipline when doing alterations and upgrades. Why not networks, systems and applications? It should not be a tedious bureaucracy, however. This would ensure that finite resources are allocated for the most highly prioritized use and that security and mission resilience are considered in design. This requires providing a high level of systems engineering to accommodate growth and security—a level of engineering that is fast becoming a lost skill.

This recommendation focuses on the military, but these activities must extend throughout all government, industry and academia. Under the holistic approach, cyberthreat information sharing across the disciplines must be emphasized. In particular, we need to understand the operational tradeoffs between the risk of failing to share information versus the risk of sharing it and having it disclosed to inappropriate or unauthorized parties.

Threats to cyberspace can come from multiple vectors. A fragmented approach to cybersecurity unnecessarily opens up gaps and seams in our overall security posture that invite exploitation. A smart holistic approach is necessary, and it must begin now.

Share Your Thoughts:

Lt. Gen. Shea –

I wish to respond to your prescient commentary (SIGNAL, December 2014) on cybersecurity procrastination, and offer solutions. Specifically, I would like to reply to your comments on cybersecurity best practices and the need to educate and develop leadership.

The Department of State’s Information Assurance Branch (IAB) has developed, and now offers a series of role-based best practices courses, designed in accordance with the NIST SP 800-16 requirements. These courses are available to all federal government departments and agencies as part of the DHS certified Information Systems Security Line Of Business granted to State’s Diplomatic Security Training Center (DSTC). Courses that are currently available are for Information Systems Security Officers, Application Developers, and Executives. All courses are instructor led, either at the DSTC classrooms in Dunn Loring, VA, or at a customer site. Students enroll and provide reimbursement via an SF-182. In the near future, best practice courses for System Administrators, System Owners, and Managers will be offered. All of these courses are the culmination of instructor and subject matter expertise acquired since IAB began providing role-based, instructor led offerings to Department of State IT security professionals in 1998. Risk management is an underlying theme in all courses. In addition to these best practice courses, IAB can customize courses to meet the specific security requirements of individual federal departments and agencies. Customers who have, or are currently using this service, include DHS, SSA, FBI, NARA, NRC, and NIST.

Regarding the need to educate and develop leadership on the threat, IAB has developed a course for federal executives. This is currently offered for the SES, Secretary, and Ambassador level. This desk-side or classroom briefing is designed to educate executives on the history of cybersecurity; cybersecurity leadership and the information assurance team; understanding threats, risks, and incident handling; management errors; and the laws governing cybersecurity. While this course is currently offered to federal employees, there are opportunities to provide this to private industry executives.

Following my attendance at AFCEA Bethesda’s Cybersecurity Technology Symposium in December, I was invited by Chapter VP, Technology Symposia Harold Youra to provide a white paper outlining these initiatives. I hope through the synergy of AFCEA and our cybersecurity training, we can provide the solution to your concern of procrastination.

Semper Fi,
Col. Mike Riley, USMC (Ret)
Edgesource Corporation
Program Manager
Information Assurance Branch
AFCEA 55167740

Excellent discussion - I was enlightened by the info. Does anyone know if I would be able to locate a fillable OPM SF 182 document to fill in?