Officials: Cyber Research Needs Innovation, Talent

WASHINGTON, March 21, 2012 — As a crit­i­cal enabler of Defense Depart­ment busi­ness and mil­i­tary oper­a­tions and the DOD com­mand-and-con­trol back­bone, cyber is the focus of intense research and devel­op­ment in an envi­ron­ment where suc­cess means get­ting out ahead of an evolv­ing threat.

Dur­ing the unclas­si­fied por­tion of a hear­ing of the Sen­ate Armed Ser­vices sub­com­mit­tee on emerg­ing threats and capa­bil­i­ties yes­ter­day, experts from DOD, the Defense Advanced Research Projects Agency and the Nation­al Secu­ri­ty Agency dis­cussed the department’s vul­ner­a­bil­i­ties and needs. 

DARPA’s bot­tom-line mes­sage today [is] that DOD is capa­bil­i­ty-lim­it­ed in cyber, both defen­sive­ly and offen­sive­ly,” DARPA Act­ing Direc­tor Kaigham “Ken” J. Gabriel told the pan­el. “We need to change that.” 

Much of what he could share in the unclas­si­fied ses­sion already is known, Gabriel said: 

— Attack­ers can pen­e­trate DOD networks; 

— Users are the weak­est link in cybersecurity; 

— The defense sup­ply chain and phys­i­cal sys­tems are at risk; and 

— The Unit­ed States con­tin­ues to spend bil­lions on cyber­se­cu­ri­ty with lim­it­ed increase in protection. 

“Our approach to cyber­se­cu­ri­ty is dom­i­nat­ed by a strat­e­gy that lay­ers secu­ri­ty onto a uni­form archi­tec­ture,” Gabriel explained. “This approach … is not con­ver­gent with a grow­ing and evolv­ing threat. That’s the defen­sive picture.” 

In cyber offense, he added, mod­ern war­fare demands the effec­tive use of cyber and kinet­ic means. 

“The tasks required for mil­i­tary pur­pos­es are suf­fi­cient­ly dif­fer­ent that we can­not sim­ply scale intel­li­gence-based cyber capa­bil­i­ties and ade­quate­ly serve the needs of DOD,” the act­ing direc­tor said. 

For exam­ple, he added, “a cyber exploit that always caus­es the tar­get sys­tem to crash is not much of an intel­li­gence exploit, but it may be exact­ly the effect a DOD mis­sion calls for.” 

DARPA-devel­oped tech­nolo­gies are wide­ly preva­lent in mil­i­tary, intel­li­gence and com­mer­cial use today, but much remains to be done, Gabriel said. “From our van­tage point,” he added, “the great­est vul­ner­a­bil­i­ty in cyber offense for the DOD is the lack of capa­bil­i­ties with pro­por­tion­al­i­ty, speed and diver­si­ty of effects.” 

“It’s very much an envi­ron­ment where we have to con­tin­u­al­ly up the game and get ahead of the threat,” Zachary J. Lem­nios, assis­tant sec­re­tary of defense for research and engi­neer­ing, told the senators. 

“We start­ed in com­put­er net­work defense years ago with the perime­ter defense strat­e­gy — a fire­wall strat­e­gy. We then moved to an envi­ron­ment where we have on the com­mer­cial side embed­ded agents that look at net­work traf­fic,” he said. 

Even­tu­al­ly, Lem­nios added, “we’re mov­ing to a point where no longer will we be look­ing for par­tic­u­lar attacks, but we will be design­ing sys­tems on the com­mer­cial side that morph auto­mat­i­cal­ly — actu­al­ly change their fea­tures and oper­at­ing roles to respond to threats before the threats present themselves.” 

Pres­i­dent Barack Obama’s fis­cal 2013 Pen­ta­gon bud­get request includes a $3.4 bil­lion invest­ment in cyber activ­i­ties, of which $486 mil­lion is ded­i­cat­ed to sci­ence and tech­nol­o­gy invest­ments, he said. This invest­ment is sig­nif­i­cant, he added, giv­en the department’s com­plex set of cyber­se­cu­ri­ty respon­si­bil­i­ties and challenges. 

The DOD enter­prise sys­tem includes 15,000 net­works and 7 mil­lion com­put­ing devices across hun­dreds of instal­la­tions in dozens of coun­tries that are used for busi­ness oper­a­tions. But the DOD cyber­se­cu­ri­ty capa­bil­i­ty must extend beyond the enter­prise sys­tem, Lem­nios said, to include mis­sion-crit­i­cal com­mand and con­trol net­works, cyber phys­i­cal sys­tems and cyber radio fre­quen­cy sys­tems — com­mu­ni­ca­tions sys­tems — that make up DOD’s tac­ti­cal systems. 

“The emer­gence of net­worked tac­ti­cal sys­tems and cyber phys­i­cal sys­tems have cre­at­ed new oppor­tu­ni­ties for increased cyber secu­ri­ty attack and dis­rup­tion,” the assis­tant sec­re­tary said. 

The cyber oper­a­tional domain is built on mea­sures and coun­ter­mea­sures, he added, where tech­ni­cal depth, oper­a­tional inno­va­tion and tech­nol­o­gy tran­si­tion are the ingre­di­ents for leadership. 

“The key to suc­cess for all our cyber­se­cu­ri­ty efforts is tal­ent — the work­force we have in our lab­o­ra­to­ries, in acad­e­mia, in indus­try, in our small busi­ness com­mu­ni­ty and the work­force of tomor­row,” Lem­nios said. 

DOD has sev­er­al pro­grams to advance the cyber research and devel­op­ment work­force, he said. These include the Com­pre­hen­sive Nation­al Cyber­se­cu­ri­ty Ini­tia­tive that attracts high school and col­lege stu­dents into cyber secu­ri­ty, the DOD Infor­ma­tion Assur­ance Schol­ar­ship Pro­gram for schol­ars who want to com­plete a degree in cyber-relat­ed fields, and efforts involv­ing the services. 

At the Nation­al Secu­ri­ty Agency, the research enter­prise sup­ports the agency’s infor­ma­tion assur­ance and sig­nals intel­li­gence mis­sion with a high­ly skilled tech­ni­cal work­force, Michael A. Wertheimer, NSA’s direc­tor of research and devel­op­ment, told the panel. 

Bet­ter than a third of the work­force has PhDs, anoth­er third has master’s degrees, and just under a quar­ter have bachelor’s degrees, Wertheimer said. But poor recruit­ment and reten­tion prac­tices have caused U.S. pro­duc­tion of com­put­er sci­en­tists to decline, he added. NSA has cre­at­ed a three-year pro­to­type post-doc­tor­al pro­gram to attract new tal­ent, he said. 

At DARPA, to cre­ate cyber capa­bil­i­ties with the diver­si­ty, dynam­ic range and tem­po of DOD oper­a­tions, the agency launched a pro­gram called Cyber Fast Track, which taps a pool of non­tra­di­tion­al experts and inno­va­tors, many of whom oper­ate in the “white-hat” hack­er community. 

“Half of our so-called cyber­punks — the group of about a half a dozen or eight pro­gram man­agers at DARPA — don’t have PhDs,” Gabriel said. “Their skills, their capa­bil­i­ties, their insights are com­ing from their prac­tice in the com­mu­ni­ty. And frankly, it will have a shelf life.” 

Like all the pro­gram man­agers who work at DARPA, “they’ll go through the three to five years, and they’ll move on, and oth­ers will come in with a new­er, dif­fer­ent per­spec­tive,” he added. 

“I think that’s an inter­est­ing thing about cyber. … It has such a fast refresh and short shelf life that we may have oppor­tu­ni­ties for a dif­fer­ent mod­el of how we retain that capa­bil­i­ty,” he said. 

Source:
U.S. Depart­ment of Defense
Office of the Assis­tant Sec­re­tary of Defense (Pub­lic Affairs) 

Team GlobDef

Seit 2001 ist GlobalDefence.net im Internet unterwegs, um mit eigenen Analysen, interessanten Kooperationen und umfassenden Informationen für einen spannenden Überblick der Weltlage zu sorgen. GlobalDefence.net war dabei die erste deutschsprachige Internetseite, die mit dem Schwerpunkt Sicherheitspolitik außerhalb von Hochschulen oder Instituten aufgetreten ist.

Alle Beiträge ansehen von Team GlobDef →