Training Vital to Network Defense

August 2008
By Henry S. Kenyon

Education and training are key tools to create skilled professionals such as these U.S. Air Force electronic warfare personnel. Well-trained specialists are the first line of defense against various online threats to U.S. government networks.
Human capital is as important as software in cyber warfare.

U.S. military and government computer networks are under constant attack from a variety of shadowy online enemies. Until recently, these threats were individuals or small groups without any major financial support. But just as advances in technology are making solo hackers more dangerous, the nation also faces a growing cyber threat from well-funded and equipped groups backed by organized crime or nation-states.

To counter this evolving menace, the U.S. Defense Department and the government’s civilian agencies not only must focus on acquiring new network defense technologies, they also need to improve their human capital by training personnel to recognize threats and respond to them appropriately. According to Eric Bassel, a director at the SANS Institute, an organization dedicated to monitoring the Internet for online threats, the last several years have seen network threats shift away from individual hackers mostly interested in stealing data to a second, more malicious wave of intruders intent on damaging or destroying networks. He now believes that the world has entered a third phase consisting of organized crime attacking government infrastructure and Fortune 500 companies. “That’s created a whole different dynamic. The other guys entering the fray are nation-states,” he says.

As opposed to the image of the lone hacker working in a basement, this third phase of attacks can be best imagined as well-funded computer laboratories run by teams of crack programmers—all the things that a nation or a criminal syndicate can afford. Bassel notes that the Defense Department has already determined that the next major conflict will have a cyberspace component.

Combat operations in this new cyber battlefield will be integrated with other missions. But to achieve this integration, the services must fully merge physical and cyber operations. For several years, the Defense Department has run a series of exercises featuring cyberwar aspects, but it kept the online component separate from the rest of the event. Bassel explains that the generals running the exercises kept the cyber aspect separate because a handful of personnel could bring the entire event to a halt. “It’s not too different from where we were with electronic warfare back in the 1980s, when you could send up a Wild Weasel and jam our communications systems and the war game had to stop,” he says.

Because there is now a consensus in the Defense Department that cyber warfare is a part of any operation, the military is beginning to integrate it into training and war games. Bassel believes that this merging of capabilities is a major step towards accepting and integrating cyber components into warfighting.

This growing awareness of cyber warfare has led the Defense Department to release Directive 8570, which focuses on building the work force necessary for a cyber-savvy military. Bassel explains that people are the key because there is no single software product that can act as a silver bullet for the government’s security needs. “There are some wonderful products out there, but if they’re not used by people who understand what’s going on, they’re not going to work,” he says.

Directive 8570 focuses on providing personnel with the skills necessary to defend government networks. This effort cannot be a single-service type of initiative, Bassel says. The Defense Department will provide commercially available certifications that can be quickly upgraded to meet evolving security needs. The government examined the different roles personnel would fill, whether as managers or as technicians, at the tactical or strategic level. The Defense Department created a matrix to categorize personnel in specific roles and required them to acquire commercial certifications. “It’s certainly not perfect, and the execution of this will be difficult because when they put it together, the certification and training wasn’t funded, but the spirit and intent are right on. We have to get a base-level awareness on everybody,” he maintains.

Providing certification and operational requirements will help guide the Defense Department in the process of training network administrators and managers, says Bassel. But he notes that the implementation of Directive 8570 is a year behind schedule and that it may be too wide in scope, because certain roles, such as systems architect and engineer, currently do not fit into the directive’s job and requirements descriptions. Additional chapters have been added to the directive to cover new jobs.

Besides the government’s training requirements, the major trend detected by the SANS Institute is the increased funding and organization of hackers. Bassel explains that the government’s response to these threats has been to emphasize human resources and procurement. He believes that this is an appropriate response because the military would otherwise be reacting disjointedly to individual threats. A human-resources-centered response ensures that the military’s network personnel have the skills and training to cope with these threats. The U.S. Air Force is already examining the potential for hiring new types of airmen (SIGNAL Magazine, February 2008) and developing new training methods (SIGNAL Magazine, January 2008).

The services also are beginning to integrate their security certificate-based capabilities into their training cycles. Bassel shares that the SANS Institute has received many requests for training packages geared for non-IT personnel such as infantry officers. “We never heard about that three years ago. Those guys are saying ‘I know this is dangerous, and I don’t know enough about it, so help me,’” he explains.

The other facet of the government’s response to cyber threats is procurement. Bassel notes that the U.S. Air Force led efforts within the Defense Department to standardize methods to compel vendors to ensure that products have security features and that they are deployed in their most secure configurations.

Reflecting on his experience as a military officer before he joined the SANS Institute, Bassel observes that typical terrorist attacks are tactical in nature. For example, roadside bomb attacks in Iraq and Afghanistan, although costly in lives, only represent tactical defeats for U.S. and coalition forces. Even the major terrorist attacks of September 11, 2001, were, by military definition, tactical defeats for the United States. But technology may soon change this equation. “The thing that threatens me and the folks who are closest to this is that for the first time in history, the asymmetry of battle has really gone all the way over to the far side of the spectrum,” meaning that a small cell of cyber terrorists can now not only have a tactical victory, but also maybe a strategic one, he says.

This increasing capability is appealing to terrorists, criminal organizations and nation-states. Bassel explains that in asymmetric warfare, the goal is to attack a nation’s weak spots, not its strengths. “Now the bad guys can do that without having a blue-water navy or air superiority. They can attack our critical infrastructures and change our way of life,” he says.

In a major conflict between nation-states, the first activity will almost certainly be in cyberspace, Bassel says. Instead of alerting an adversary by moving large combat units, a range of operations can be undertaken in cyberspace, from intelligence gathering to attempting to cripple or take down entire power and utility grids.

Another area for concern is the growing military reliance on wireless data networks. For example, an F-22 squadron might wirelessly download its maintenance records to ground personnel before landing at an overseas base. If this data were intercepted, an enemy would know the status of that particular squadron and its needs. “It’s an area where that kind of tactical intelligence would be very beneficial [to an enemy],” says Bassel.

This growing threat environment is reinforced by recent major cyber attacks. The Russian government was originally a suspect in the 2007 attacks that shut down the Estonian government. But Bassel explains that it was determined that the attacks actually originated from Russian citizens living in Estonia. “That’s the thing to think about: how a very small group of people can have such a massive impact on a very large group of people,” he says.

The vulnerability of commercial infrastructure to cyber attack is another concern for the U.S. government. The Department of Homeland Security recently conducted a successful test to determine if a dam’s generator could be shut down via the Web. Bassel says that this “silver bullet” program capable of shutting down a power grid is not very difficult to write.

Protecting U.S. critical infrastructure is vital because 90 percent of it is privately owned. But raising public awareness in the private sector remains a challenge. Bassel notes that until two years ago, many individuals responsible for managing critical commercial infrastructure did not understand the risk. He explains that in automating power grids and other infrastructure by connecting remote sensors to monitor the machinery at dams or power plants, the private sector lowered operational costs but also created a security risk.

Compared to the private sector, Defense Department networks are very well defended. But this defense is often an illusion because once the heavy outer layers are breached, many government computer networks have vulnerable internal architectures. Bassel believes that the federal sector must shed its “moat” mentality, noting that even the most well-protected castles were breached by persistent attackers. “We’re going to have breaches. So once they’re in, how do you handle the threat or mitigate it?” He explains that a flexible, layered defense is the best value and well-trained personnel are vital to supporting the network.

Flexible procurement is also vital for network defense. Bassel explains that instead of the services each acquiring its own branch-specific software, the Defense Department now is purchasing applications that can operate across all agencies. He notes that this is a concept derived from steps the military took to streamline equipment purchases. In the 1980s, the military began standardizing how it acquired hardware to make it easier to support parts. For information technology applications, standardized software allows patches and other protection to be rolled out quickly across an enterprise. The key to managing these changes is a growing awareness that cyberspace threats can appear suddenly and must be handled with equal speed. “I don’t think there’s too many ostriches out there. I think there’s a realization that changes have to be made relatively quickly,” he says.

Web Resources
SANS Institute: www.sans.org
SANS Internet Storm Center: http://isc.sans.org
