The Defense Department announced today that it will invite vetted hackers to test the department’s cybersecurity under a unique pilot program. The “Hack the Pentagon” initiative is the first cyber bug bounty program in the history of the federal government.
News media attention recently has focused on high-profile cyber events. These include the unprecedented Office of Personnel Management (OPM) breach that exposed more than 21 million personal records, including security clearance information; massive identity theft issues at the IRS; the attack on Sony; as well as compromises at Target, Home Depot and more. This attention has raised awareness about the risks in cyberspace. Most if not all of those events are suspected to have been the work of nation-state criminal actors.
Cyberspace is one warfighting domain that will not allow us to conduct business as usual. Unlike the domains of land, sea, air and space, which are well-understood and whose doctrines are well-established, cyberspace represents a new and challenging frontier. It demands that we take a very different approach to developing doctrine, acquiring capabilities and conducting operations. But sometimes we approach these challenges using traditional methods and timelines that may not deliver the desired results quickly enough. Several areas need to be addressed to be successful.
Rapidly evolving cyberthreats challenge all levels of government, and recent incidents such as the Office of Personnel Management data breach illustrate the importance of shielding public and private-sector organizations from such attacks.
Last year proved lucrative for cyber criminals, and 2016 is shaping up to be even better, with a seemingly unsuspecting victim in the hacking crosshairs: driverless cars, according to Dell Security. In 2015, hackers carried out a massive number of breaches against organizations and government agencies in spite of the millions of dollars spent not only to safeguard networks, but also to hire security experts and train employees on proper cyber hygiene, according to the company’s annual cybersecurity report released Monday.
President Barack Obama championed cybersecurity efforts Tuesday in seeking $19 billion for the cause as part of his fiscal year 2017 budget proposal. Additionally, he signed two executive orders to seek to strengthen government networks against cyber attacks while protecting personal information.
The budget proposal for FY17, which begins October 1, is a 35 percent increase over the current fiscal year.
The buzzwords du jour are cyber at sea, a vulnerability that quickly rose in prominence within the maritime domain to jockey for attention and funding among competing disciplines. Unrelenting cyber attacks firmly positioned the emerging specialty alongside antisubmarine warfare, autonomous undersea vehicles, mine countermeasure systems and port protections, to name a few. NATO’s knowledge repository for maritime science and technology initiatives juggles all of these in its search for innovative security solutions, says Rear Adm. Hank Ort, RNLN (Ret.), director of the Centre for Maritime Research and Experimentation.
The U.S. Navy is implementing new technologies and capabilities as it embraces information warfare (IW) as a warfighting domain. These include incorporating IW on existing platforms and greatly expanding disciplines such as electromagnetic maneuver warfare.
Securing the cyber domain commands as much attention as it does effort and dollars—and yet, in spite of years of work to fortify enterprises, it is the fast-paced ecosystem known as the Internet of Things that gravely threatens the security of the world’s greatest military. With mere clicks on a computer, hackers have the knowledge and power to wreak havoc in the defense arena, with experts warning that it is just a matter of time before threats become realities, particularly in three distinctly vulnerable areas of vehicle safety, healthcare and supply chains.
The realization that the U.S. military is losing its comfortable superiority over the airwaves has propelled the Defense Department to transform the electromagnetic spectrum into a new warfighting domain. This endeavor comes on the heels of the revolutionary doctrine change that established the cyber warfare domain not even a full decade ago.
Until now, cyberthreats have overshadowed electromagnetic spectrum (EMS) concerns. Chiefly, serious cyberthreats to U.S. commerce and national security caused by rapid technological changes siphoned attention and dollars from other domain coffers, including funding to improve the use of EMS.
As the growth in the capability and sophistication of cyber bad actors continues to threaten national and economic security in the United States, confusion reigns and a lack of clarity exists as to who is in charge and how to deal with a significant cyber event that could become an incident of national or even global consequence. No strategic blueprint provides high level direction, nor do any operational plans articulate roles and responsibilities for government, industry and other stakeholders during various thresholds of escalation throughout a significant cyber event.
How to best equip cyber warfighters—both at home and abroad—is an ongoing debate complicated by persistently improved and interesting tools for cyber analysis, security and ethical hacking that makes picking the “best tool,” or even “the right tool for the job,” very much a matter of opinion and preference.
With so much cybersecurity focus concentrated on firewalls, intrusion detection systems, Web proxies and other protective measures, Domain Name System, or DNS, attacks have risen as a threat du jour compromising organizations’ networks.
"As all of the other doors to the enterprise are locked, [cyber intruders] found an unlocked door and it’s right now DNS," says Ralph Havens, president and CEO of Infoblox Federal.
Cyber attacks increasingly target the U.S. military and other federal departments, causing these agencies to rely on technology to accomplish their goals, which also increases the size of their attack surface. It’s a Catch-22, and staying one step ahead of hackers trying to infiltrate an IT environment is challenging. It can be nearly impossible if those tasked with protecting that environment don’t have visibility across all of the systems and infrastructure components.
The federal government cautioned its agencies and federal contractors of a network vulnerability that could let hackers access systems. The scurry to inform agencies and instruct them to patch for vulnerabilities occurred after the discovery of unauthorized code during a review of Juniper Networks software.
Juniper is one of the largest providers of firewalls and network software, and the Defense Department is one of its larger federal customers. The revelation prompted federal oversight into the incident, including by officials from the Pentagon and the Department of Homeland Security, amid fears that the hack could permit spying of users' networks.
The season to hunt white-tailed deer draws to a close, and being an avid hunter, I’m already planning for the next season using information gleaned from this go-around in addition to maps, data from trail cameras, temperature input, moon phase and the movement patterns of game. While planning tools are plentiful, they mean little without automation on the back end to make sense of it all.
Deer hunting can be much like cyber hunting, the methodology organizations use when traditional security solutions fail to keep out intruders.
Complying with federal cybersecurity standards, though essential for the defense industrial base and national security at large, presents immense fiscal challenges for smaller businesses that struggle every day to meet the demanding requirements—without breaking the bank.
If not addressed soon, small business noncompliance with the standards spelled out in the Defense Federal Acquisition Regulation Supplement, or DFARS, could have the unintended consequence of severely diminishing the sector’s role in defense contracting, exacerbating concerns about bringing the entire industrial base into compliance. It is a responsibility shared by all businesses doing work for the Defense Department—small, medium and large.
A burgeoning breed of combatants fights in a convoluted new domain where no one has blazed a trail, where no history books offer lessons or guidance. These warriors sometimes use untested offensive and defensive network maneuvers to secure cyberspace, the increasingly important and congested battleground rapidly becoming the attack venue of choice.
The technology to succeed in this ongoing fight actually already exists, as does the well-trained work force, experts say. The question now hovers over what ethical guidelines the United States will employ to carry out cyber warfare—where dynamic real-world events shape the malleable rules of engagement.
The exciting advent of nanotechnology that has inspired disruptive and lifesaving medical advances is plagued by cybersecurity issues that could result in the deaths of people that these very same breakthroughs seek to heal. Unfortunately, nanorobotic technology has suffered from the same security oversights that afflict most other research and development programs. Nanorobots, or small machines, are vulnerable to exploitation just like other devices.
But the others are not implanted in human bodies.
The phenomenal transformation of computer networks from limited and simple to vast and complex has contributed to such great advances. Great but susceptible advances.
The U.S. Army and its Cyber Command are building momentum to create the institutional and operational structure required to conduct and support missions in the cyber domain. Now is the time to seriously address the challenges of attracting and retaining soldiers with the talent needed to take on the enemy. As Lt. Gen. Edward C. Cardon, USA, commanding general of Army Cyber Command, often states: Technology, as significant as it is in the rapidly changing face of warfare, will not be the deciding factor in who will dominate in this domain. It’s the people.