In Cybersecurity, the Basics Matter
Failure to complete routine patching continues to present cyber risks to the United States.
Completion of certain cybersecurity tasks may be simple, yet they are not being done, leaving the United States vulnerable to cyber attacks.
And with the nation facing cyber aggressors who “never sleep, are increasingly capable and have seemingly endless resources,” much more needs to be done, warns Brig. Gen. Christine Rummel, J-6, director, Cyberspace Operations, North American Aerospace Defense Command (NORAD)/U.S. Northern Command (NORTHCOM), Peterson Air Force Base, Colorado.
NORAD and NORTHCOM are responsible for protecting the U.S. homeland (and North America, for NORAD). For those organizations, Rummel, as their J-6 chief information officer, is responsible for cyberspace operations and is the deputy J-3 for cyber.
“My mission is to direct cyberspace operations and provide a secure, collaborative information environment enabling command and control and execution of both the NORAD and NORTHCOM missions,” the general explained.
Rummel joined NORTHCOM/NORAD as the J-6 last August, after spending 30 years in the Army Signal Corps and several years in the cyber community.
“The cyberspace domain, as we all know, is a borderless, complex, globally interconnected system of systems that we must protect 24 hours a day, seven days a week, 365 days a year,” Rummel stated.
For entities wanting to cause harm digitally, the barriers to entry to conduct a cyber attack “are very low,” she said. “The proliferation and ease of access to cybersecurity hacking tools has enabled anybody with ill intentions able to launch a cyber attack on the dark web.”
There are even organizations that offer cyber attacks as a service for bad actors.
“The cyber threat is real, and we must all remain vigilant in our charge to protect our information technology systems,” Rummel shared.
The problem is that our neglect is making it easier for the cyber marauders.
For example, the Chinese government-backed Salt Typhoon actors that breached U.S. telecom and government networks exploited a known vulnerability that had a patch that was available for nearly four years.
“As of the 23rd of January, 91% of nearly 30,000 publicly reachable instances of this vulnerability still have not been updated, and the hole is not closed. Every single one of you should be asking the question of, ‘Why, why does it take so long to patch a known vulnerability?’” Rummel continued.
Every company should also be asking if they are taking the necessary precautions to ensure that their systems and capabilities are secure for their customers, the J-6 emphasized.
It should not take months or years to patch a vulnerability, she said.
Do not pass on a risk to me that I am unaware of and that I am not prepared to address.
Moreover, new technology is not needed to solve this issue. Instead, it is about getting back to basics and consistently finding and patching vulnerabilities; doing so will mitigate risks.
NORAD/NORTHCOM and the U.S. Department of Defense as a whole have to depend on information technology, networks and command and control systems, which all have to be free from dangerous cyber vulnerabilities.
“The cyber domain is the key mission enabler that enables the Department of Defense an asymmetric military advantage, ensuring dominance over near-peer adversaries,” she explained. “In a military conflict without a secure, reliable and resilient cyber domain, we simply do not have the information advantage, and we cannot effectively protect our homeland.”
To vendors who make information technology solutions, Rummel advised a return to the basics of cybersecurity and a reduction of risks.
“Do not pass on a risk to me that I am unaware of and that I am not prepared to address,” the general stressed.
Rummel spoke February 12 at the AFCEA Rocky Mountain Cyberspace Symposium 2025.
The Rocky Mountain Cyber Symposium is organized by AFCEA International's Rocky Mountain Chapter. SIGNAL Media is the official media of AFCEA International.
