Leaders Push for Innovative Cyber Information Sharing

Thoughts by experts about the ability of the military to defend cyberspace are centering around the concept of improved partnerships, which may be outside of the Defense Department’s usual practices. A lot can be gained from the insight of coalition partners and think tanks—wisdom and information that the DOD may not have tapped into, experts said.

The increased interaction that is needed is important for the battle in cyberspace, suggested leaders at the AFCEA Defensive Cyber Operations Symposium (DCOS) in Baltimore on May 17. The panel included moderator Rear Adm. Kathleen Creighton, USN, deputy commander, Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DODIN) and panelists Brig. Gen. Stephen Hager, USAR, deputy commander of operations, Cyber National Mission Force, U.S. Cyber Command; Capt. James Mills, USN, chief of staff, U.S. Fleet Cyber Command/U.S. 10th Fleet; Gregg R. Kendrick, executive director, U.S. Marine Corps Forces Cyberspace Command; and Lt. Col. Rick Howard, USA (Ret.), chief security officer, Palo Alto Networks.

Gen. Hager recognized that the technology—cyber-related and otherwise—that is coming is very important. However, since capabilities are always going to change, the government could look to think tanks and other policy organizations for help in understanding what the changes mean. “Cyberspace actually comes down to a human element and we still need leaders and policymakers that understand how affects it that domain.” He warned that because technology is changing so rapidly, some senior leaders don’t have that technical ability and understanding of its impacts.   

In a way, Department of Defense policies may be standing in the way of improved partnerships and better cyber warfare, added Capt. Mills. “We have always struggled I think because we don’t fight by ourselves, we fight as a coalition with our partners,” he said. “And the way that some of the policies have been within DOD, it has been a bit difficult to share a lot with our partners in cyber on the defensive side of the house.”

He suggested that DOD and coalition partners could improve on sharing threat information to better understand where the threat is coming from. All parties need to understand the critical nodes that need to be protected and the risks they are taking on when operating together, Capt. Mills said.

The captain shared that there has been progress within the Navy with a couple of coalition partners in the Far East in building better cyber relationships on the policy side. And on the technology side, he saw that some of the partners—such as the Australians—are more agile than the United States. They are able to deliver capabilities out to their fleet in a much more rapid fashion.

“In some ways we need to learn from them,” Capt. Mills acknowledged. “It’s more of a policy piece in getting those structures in place where we have a free flow of the right types of information at the right classification level to share, so that they are better apprised as to what the threats are against the coalition. It needs to be a two-way street.”

Not all cyber defenders are created equal. If a control system is under threat, a different kind of cyber operator expertise may be needed, says Capt. Mills, USN @USFLEETCYBERCOM #AFCEACyber pic.twitter.com/o8U8BwHCWe

— Kimberly Underwood (@Kunderwood_SGNL) May 17, 2018

The United States should also consider a cooperative construct, according to Kendrick.

“People are critical,” Kendrick said. “We are talking about data, but in the end state, personalities matter. And it seems like we form coalitions when we need or want something.” If the United States can get the law and policy right, it should establish an international coalition cyber support center. He likens it to the American cooperative. In that kind of partnership, “everyone has skin in the game.”  

Gregg Kendrick, executive director @MARFORCYBER: when there are cyberattacks to companies or to the government, you don’t always have to respond in cyberspace #AFCEACyber pic.twitter.com/nHNlAlswUs

— Kimberly Underwood (@Kunderwood_SGNL) May 17, 2018

Howard offered his perspective from the commercial sector, where security vendors like Palo Alto Networks have created a cyber threat alliance. The security industry found that it made sense to share defensive cyber information, he said. His company, like others, works to update products automatically, when they find adversarial attacks. They saw they could make the updates in minutes, “then we could share and blanket the world with prevention controls.”

It is important to require sharing in such group, and to have accountability, measure the amount of cyber information sharing and “public shame” those who don’t share, if necessary.

Howard pointed out that adversaries have maybe 50 strategies of cyber attacks, and if partners can share that information, it would improve the cyber fight. “We have to remember that humans are doing the attacks, and their playbooks don’t change that often,” he said. “We need to understand completely their playbooks and take that to the offensive side to learn how to attack [using their methods].”

And the burden to attack will continue to fall to the government and military. Their role is important, as the “commercial industry is never ever going to do offensive cyber,” Howard stated. “We gladly defer that to the government.” For example, in the attacks on Sony Corp., which the U.S. government attributed to North Korea, the United States stepped in and said that it would respond at the time and place of its choosing. “This was unprecedented,” Howard noted. “This is an example of shared risk.”

The commercial industry is never ever going to do offensive cyber. We gladly defer to the government on this, offers Rick Howard, chief security officer @PaloAltoNtwks #AFCEACyber pic.twitter.com/epk5ME4HIa

— Kimberly Underwood (@Kunderwood_SGNL) May 17, 2018