The cyber world is a tough and dangerous place in the U.S. with robots stalking the unwary and strangers invading everyone’s private places.
And manpower, training, acquisition, operations and coordination are all in jeopardy, some of the nation’s top officials with responsibility for network operations tell the HASC subcommittee on Terrorism, Unconventional Threats and Capabilities.
“I would say that first we have to lay out an operational framework that will work,” says Lt. Gen. Keith Alexander, director of the National Security Agency and a contender to lead a new cyber command. “There are some that are on the table that just don’t make technical sense. Then we decide what we need legally to make that work.”
Complicating those issues is the reality that the Defense Department, which is most prepared to respond to a cyber attack, will not be a likely target.
“Realistically, [a cyber attack] will be asymmetrical against industry and critical infrastructure,” Alexander says. “So the question is the partnership between defense, the Department of Homeland Security and intelligence community. That has to be clear and the rules have to be laid out and walked through. We haven’t gone far enough yet.”
There’s also going to be a classic title fight between Moore’s Law (which contends that computing power doubles about every 18 months) and the federal acquisition process, which often moves glacially.
“We have an industrial age acquisition process trying to operate in the IT space,” says Lt. Gen. William Shelton, the U.S. Air Force’s chief information officer. “It’s not adequate. We’re in reasonably good shape with [rapid acquisition of slightly modified off the shelf equipment]. The acquisition agility is there. But we don’t often exercise the capability and sometimes we revert [to old, slow methods]. In the Air Force we’re forcing an architecture that will allow better solutions.”
In addition, there is a fundamental question of what constitutes warfare in cyberspace. The U.S. needs to define those terms and its officials need to be careful in using them. Describing the U.S. as being under constant attack is not useful, the experts contend.
“We’re constantly being probed, not attacked,” Alexander says. “What happened in Estonia and Georgia is closer to attack. The problem is the attribution – who [is attacking]? We have the inherent right to defend first and then attribute. [Moreover,] we need a more specific set of terms to define when spying operations turn into warfare.” Network-speed communication between agencies about attacks is also missing, with the ramification, he says, that “if we’re not aware of it, we can’t mitigate it or attribute it.”
So far, the interagency linkages are a flop.
From the perspective of the NSA and the Joint Functional Component Command for Net Warfare, “The way we’re approaching cyber security today doesn’t work,” Alexander says. Help could arrive in the form of a Defense Dept. sub-unified or joint-functional component command that can shuffle cyber defense and offense, like troops or aircraft, to “support the combatant commands and ensure there is freedom of maneuver in cyberspace,” he says.
The list of cyber shortfalls is a long one.
There are “issues with training, equipping and tactics, techniques and procedures,” Alexander says. “I would like to say our networks are secure but that would not be correct. What we’ve wrestled with over the last six months is a strategy for closing those vulnerabilities very quickly.” Recent efforts have involved restrictions on the use of removable media, keeping anti-virus software up to date and monitoring the periphery of networks for probing efforts.
And as most war fighters know, a good offense is critical for a good defense.
“If we try to defend our networks like we do a castle, we will never be successful,” Alexander says. “We have to defend it on the network globally. That also means we need an early warning system between networks, automatic tipping and cueing at network speed, to defeat future threats like some of the robot networks that are out there.”
There will be varying cyber needs. Industry can harden its networks, almost sever them completely and almost ensure security. But the military in the field and the banking industry, for example, will have communications that are both wireless and wired – operating globally – with far different vulnerabilities than many industries.
“The discussion we’re going to enter into once the [White House’s] 60-day review is over is what is the role and responsibility of DHS and [what are] the legal and operational frameworks for sharing classified threat signatures with industry at network speed so that it is defensible,” says Alexander. “Those are areas that are technically easier to do than to set the legal framework. If we give the anti-virus community a classified signature, how do we ensure [it isn’t quickly in the hands] of our adversaries?”
Right now, the Joint Interagency Task Force for Offensive Operations “is well run,” Alexander says. “What is lacking is an integrated defense with alerting and cueing capabilities.”
“Clearly we need a partnership in every [domestic and international] tier,” Shelton says.