WASHINGTON, March 21, 2012 — As a critical enabler of Defense Department business and military operations and the DOD command-and-control backbone, cyber is the focus of intense research and development in an environment where success means getting out ahead of an evolving threat.
During the unclassified portion of a hearing of the Senate Armed Services subcommittee on emerging threats and capabilities yesterday, experts from DOD, the Defense Advanced Research Projects Agency and the National Security Agency discussed the department’s vulnerabilities and needs.
“DARPA’s bottom-line message today [is] that DOD is capability-limited in cyber, both defensively and offensively,” DARPA Acting Director Kaigham “Ken” J. Gabriel told the panel. “We need to change that.”
Much of what he could share in the unclassified session already is known, Gabriel said:
— Attackers can penetrate DOD networks;
— Users are the weakest link in cybersecurity;
— The defense supply chain and physical systems are at risk; and
— The United States continues to spend billions on cybersecurity with limited increase in protection.
“Our approach to cybersecurity is dominated by a strategy that layers security onto a uniform architecture,” Gabriel explained. “This approach … is not convergent with a growing and evolving threat. That’s the defensive picture.”
In cyber offense, he added, modern warfare demands the effective use of cyber and kinetic means.
“The tasks required for military purposes are sufficiently different that we cannot simply scale intelligence-based cyber capabilities and adequately serve the needs of DOD,” the acting director said.
For example, he added, “a cyber exploit that always causes the target system to crash is not much of an intelligence exploit, but it may be exactly the effect a DOD mission calls for.”
DARPA-developed technologies are widely prevalent in military, intelligence and commercial use today, but much remains to be done, Gabriel said. “From our vantage point,” he added, “the greatest vulnerability in cyber offense for the DOD is the lack of capabilities with proportionality, speed and diversity of effects.”
“It’s very much an environment where we have to continually up the game and get ahead of the threat,” Zachary J. Lemnios, assistant secretary of defense for research and engineering, told the senators.
“We started in computer network defense years ago with the perimeter defense strategy — a firewall strategy. We then moved to an environment where we have on the commercial side embedded agents that look at network traffic,” he said.
Eventually, Lemnios added, “we’re moving to a point where no longer will we be looking for particular attacks, but we will be designing systems on the commercial side that morph automatically — actually change their features and operating roles to respond to threats before the threats present themselves.”
President Barack Obama’s fiscal 2013 Pentagon budget request includes a $3.4 billion investment in cyber activities, of which $486 million is dedicated to science and technology investments, he said. This investment is significant, he added, given the department’s complex set of cybersecurity responsibilities and challenges.
The DOD enterprise system includes 15,000 networks and 7 million computing devices across hundreds of installations in dozens of countries that are used for business operations. But the DOD cybersecurity capability must extend beyond the enterprise system, Lemnios said, to include mission-critical command and control networks, cyber physical systems and cyber radio frequency systems — communications systems — that make up DOD’s tactical systems.
“The emergence of networked tactical systems and cyber physical systems have created new opportunities for increased cyber security attack and disruption,” the assistant secretary said.
The cyber operational domain is built on measures and countermeasures, he added, where technical depth, operational innovation and technology transition are the ingredients for leadership.
“The key to success for all our cybersecurity efforts is talent — the workforce we have in our laboratories, in academia, in industry, in our small business community and the workforce of tomorrow,” Lemnios said.
DOD has several programs to advance the cyber research and development workforce, he said. These include the Comprehensive National Cybersecurity Initiative that attracts high school and college students into cyber security, the DOD Information Assurance Scholarship Program for scholars who want to complete a degree in cyber-related fields, and efforts involving the services.
At the National Security Agency, the research enterprise supports the agency’s information assurance and signals intelligence mission with a highly skilled technical workforce, Michael A. Wertheimer, NSA’s director of research and development, told the panel.
Better than a third of the workforce has PhDs, another third has master’s degrees, and just under a quarter have bachelor’s degrees, Wertheimer said. But poor recruitment and retention practices have caused U.S. production of computer scientists to decline, he added. NSA has created a three-year prototype post-doctoral program to attract new talent, he said.
At DARPA, to create cyber capabilities with the diversity, dynamic range and tempo of DOD operations, the agency launched a program called Cyber Fast Track, which taps a pool of nontraditional experts and innovators, many of whom operate in the “white-hat” hacker community.
“Half of our so-called cyberpunks — the group of about a half a dozen or eight program managers at DARPA — don’t have PhDs,” Gabriel said. “Their skills, their capabilities, their insights are coming from their practice in the community. And frankly, it will have a shelf life.”
Like all the program managers who work at DARPA, “they’ll go through the three to five years, and they’ll move on, and others will come in with a newer, different perspective,” he added.
“I think that’s an interesting thing about cyber. … It has such a fast refresh and short shelf life that we may have opportunities for a different model of how we retain that capability,” he said.
U.S. Department of Defense
Office of the Assistant Secretary of Defense (Public Affairs)