Network Intricacy Complicates Computer Defense

December 2011
By Max Cacas, SIGNAL Magazine


The National Cybersecurity and Communications Integration Center, Department of Homeland Security, is in Arlington, Virginia. Photo courtesy of Federal News Radio.

Global network technologies challenge the U.S. agency that must protect them.

As more complicated networks develop and deploy unique and expanded capabilities, protecting U.S. cyber infrastructure grows more challenging. The Department of Homeland Security’s National Protection and Programs Directorate is responsible for defending the nation’s commercial and private networks. But with the complexity of these products, the directorate’s success increasingly depends both on sharing responsibilities among government organizations and between government and industry.

“There are so many roles to be played, and so much work to be done,” says Greg Schaffer, assistant secretary, Office of Cyber Security and Communications, National Protection and Programs Directorate (NPPD), “that no department or agency, or private-sector entity, can hope to get everything done by itself.” Teaming the resources of the Department of Homeland Security (DHS) with those of the U.S. Cyber Command, the law enforcement community, private sector entities involved in cybersecurity, as well as international partners, “is necessary to address the issues we face on a daily basis.”

The National Cyber Incident Response Plan helps overcome some of this complexity as it lays out the role of federal agencies, state and local governments, and private companies in protecting cybernetworks. The National Cybersecurity and Communications Integration Center (NCCIC), an around-the-clock facility located in the Washington, D.C., suburbs, serves as the nerve center for organizing the NPPD’s cyber response efforts.

The DHS has been able to see how the facility and the plan actually work together through a bi-annual, global cybersecurity exercise it coordinated in August 2010. The exercise, called Cyber Storm 3, demonstrated the benefits of organized, efficient, cohesive and action-oriented interagency and public-private coordination and decision making. It integrated private-sector participants into operations, information sharing and action planning and identified areas of focus necessary to respond effectively to a significant cyber incident, according to findings after the exercise.

Schaffer explains that one significant byproduct of the plan, and of the Cyber Storm 3 exercise, is that increasingly, “We are bringing private-sector entities onto the [NCCIC] watch floor, and getting them more involved in helping us deal with the whole range of activities for cybersecurity, from a steady state, to significant cybersecurity incidents.”

In addition, he says the DHS continues work on the Trusted Internet Connection initiative, which is designed to reduce the number of locations where the federal government’s servers are connected to the open and public Internet. As part of that work, Schaffer says the DHS has been working to deploy security gear at the remaining Internet connection points to fulfill Federal Information Security Management Act (FISMA) requirements as they pertain to network security.

Schaffer notes that work also continues on Einstein 2, a DHS-developed cyber-intrusion and alert system that is being deployed on the networks of as many as nine federal agencies and also on those of several top commercial Internet service providers. Development work continues on Einstein 3, an advanced system that is being designed to prevent many cyber-intrusions and attacks from taking place.

Over the past few months, there have been numerous reports of cybersecurity breaches, as well as one well-documented and sustained long-term cyberattack by a foreign government, convincing Schaffer that protecting the nation’s cybernetworks is a “shared responsibility.” Recently, open discussions have occurred among federal agencies about the appropriate role they should play in protecting the nation’s cyber infrastructure.

As the .gov computer networks gain more visibility, Schaffer says he believes that, “The need to work together with all the government agencies that are responsible for putting their hands on the keyboard of their own networks” is essential. The agencies, he suggests, need to address the issues evolving from the Einstein 2 technology as well as the continuing monitoring solutions being made available to other government agencies. “All of the solutions require that you get down in the weeds and make the changes in order to address what you see through those technologies,” he emphasizes.

The security of industrial control systems is another area that will receive more attention in the coming years, Schaffer warns. Within the last year, officials worked hard to deal with the spread of a computer virus called Stuxnet, which was designed to attack intelligence-based computers using an old version of the Microsoft Windows operating system running nuclear generating facilities in Iran. This incident underscored the need, long realized by private-sector cybersecurity experts, to do a better job of securing the networks of private companies.

“We’ve always seen the Stuxnet virus as something of a game changer,” Schaffer maintains, “in that it proved out some of the things that we have been worried about for some time. It was possible to impact the private controls in a way that would be significant. It helped to open the eyes of a lot of owners and operators of industrial controls that they did have to pay attention to how those systems were connected to other networks.”

In recent years, the DHS has expanded beyond the borders of the United States and its focus on domestic security, and has begun to reach out to nations with whom the United States shares a variety of interests, particularly in the security realm. Within the past year, for example, DHS Secretary Janet Napolitano has traveled to India and Australia to sign reciprocal agreements to cooperate on homeland security matters, including cybersecurity, with her counterparts in those countries.

“We’ve worked with the International Watch and Warning Network,” Schaffer explains, “to develop those CERT-to-CERT (Computer Emergency Readiness Team) relationships that are so important when incidents are occurring.” The ability to have those processes and procedures hammered out to enable working with other countries is necessary to develop trust across borders. That is also important, he says, to helping facilitate real-time information sharing when incidents take place.

Rand Beers, DHS undersecretary, NPPD, recently wrote about some of the achievements that have occurred. He pointed out that progress is being made in improving security at high-risk chemical facilities; using digital technology to assist State Department diplomats in determining who should be allowed to enter the United States; and improving the sharing of biometric data to help identify undocumented aliens and potential terrorists.

Returning to industrial control security, Schaffer also says it is vital for the DHS to engage with international partners. “The supply chain of manufacturers of devices used throughout the United States or for industrial control systems comes from overseas,” he explains.

Earlier this year, the White House released its International Strategy for Cyberspace, which also calls on the DHS to take the lead in developing international relationships in the realm of cybersecurity.

“Cybersecurity has gotten a level of attention recently that it’s never really had before,” Schaffer suggests. That visibility makes cybersecurity one of the nation’s top priorities, as he notes is evident in a number of President Obama’s statements on the issue.

Nevertheless, in the short term, the DHS’s NPPD, as with other government agencies, faces reduced funding as the White House and Congress grapple over how to address the ballooning federal deficit. That is the financial reality not only for federal officials, but also for state and local governments, as well as U.S. allies.

While cybersecurity will be scrutinized carefully, Schaffer believes that, “To be sure that our investments are appropriate, the impacts to cybersecurity funding will likely be consistent with the level of focus and attention.” As a result, he says he does not expect that cybersecurity efforts will experience the types of cuts that most anticipate will occur in other programs.


Cyber Professionals Wanted; No Experience Necessary

As reports on the economy continue to show high unemployment and underemployment numbers in the United States, the government cyberoperations sector not only is still hiring but also is frantically searching for people to fill its ranks. Joan Dempsey, a senior vice president at Booz Allen Hamilton who formerly served as deputy director of Central Intelligence for community management, says both the government itself and the contracting companies that support it are struggling to fill positions that handle federal cyberoperations.

The convergence of the Defense Information Systems Agency, the National Security Agency and U.S. Cyber Command in the area of Fort Meade, Maryland, has made that area a particular hotbed for cyberwork. Dempsey says that growth and demand are high and unlikely to decrease anytime soon. The problem is finding qualified personnel to take the jobs; officials have long warned that too few U.S. students are pursuing careers in science, technology, engineering and mathematics (STEM). Dempsey explains that another big problem is the disinclination of women to pursue professional opportunities in these fields. In cybersecurity, for example, she says that Department of Labor standards report less than 15 percent of such professionals are women, though females account for more than 50 percent of college graduates.

Even as the U.S. STEM community is encouraging students to pursue careers in these fields, companies and the government are looking for ways to hire people with other degrees and experiences. Dempsey herself studied political science and then public administration, but over the course of her government career—which included more than 25 years as a U.S. Navy Reserve intelligence officer—developed skills to bridge technology, policy and implementation. She explains that technical proficiency must also be steeped in the mission of the government. Because of the need for this diversity, the government is looking for people with a variety of backgrounds who can be trained in the technology portions of the jobs.

Booz Allen has started a Cyber Boot Camp that trains people with an interest in or inclination for any of the substantive aspects of cyberoperations to work in the cyberarena. “That has been very successful in pipelining people into this field,” Dempsey says. “To be perfectly honest, once they get a taste of it, it’s easy to get them hooked.” She believes that those who participate in the program quickly learn that more opportunities exist than they thought. Booz Allen also has training for people with deep technical skills who need to learn how to apply them in a fast-moving environment.

The company, similar to many other government contractors and agencies, is recruiting extensively within the Washington, D.C., area and increasingly beyond it. As it widens its pool in terms of both knowledge and location, Booz Allen remains selective. “We are looking for the best of the best,” Dempsey states. “We want people who are motivated and have the potential to be successful.” She adds that employees who want to make significant contributions to their workplace and the world can find those opportunities in cyber. “It’s really the 21st century career field,” Dempsey says. “I would encourage your readers and women to look at this as a potential career field that would be satisfying and rewarding.”

Booz Allen also has a database that it uses to identify skills that are important or lend themselves to cyberwork, as well as a mentoring program to help employees as they progress in their career so they understand what will be expected. Many of the skills, degrees and experiences desirable to these programs have nothing to do with technology. Legal backgrounds and policy expertise, for example, both have application in cyberoperations. Current acquisition procedures can make it difficult for government agencies to procure what they need to do their jobs effectively. People with experience in those areas could help alleviate that problem.

Though industry and government are not running complementary recruiting programs, many cyberprofessionals will start working in one sector and then switch to the other so that people who come into the field can benefit the government’s cybermission in several ways. “I see that back and forth as a positive thing,” Dempsey explains, because it builds a better understanding between federal agencies and the corporate partners working to support them.

To support employees, Dempsey believes organizations need to have modern workplace policies that enable balanced professional and personal lives. Because the nature of cyberwork is 24/7, it can accommodate various scheduling needs.—Rita Boland
