Officials: Cyber Research Needs Innovation, Talent

WASHINGTON, March 21, 2012 — As a crit­i­cal enabler of Defense Depart­ment busi­ness and mil­i­tary oper­a­tions and the DOD com­mand-and-con­trol back­bone, cyber is the focus of intense research and devel­op­ment in an envi­ron­ment where suc­cess means get­ting out ahead of an evolv­ing threat.

Dur­ing the unclas­si­fied por­tion of a hear­ing of the Sen­ate Armed Ser­vices sub­com­mit­tee on emerg­ing threats and capa­bil­i­ties yes­ter­day, experts from DOD, the Defense Advanced Research Projects Agency and the Nation­al Secu­ri­ty Agency dis­cussed the department’s vul­ner­a­bil­i­ties and needs.

DARPA’s bot­tom-line mes­sage today [is] that DOD is capa­bil­i­ty-lim­it­ed in cyber, both defen­sive­ly and offen­sive­ly,” DARPA Act­ing Direc­tor Kaigham “Ken” J. Gabriel told the pan­el. “We need to change that.”

Much of what he could share in the unclas­si­fied ses­sion already is known, Gabriel said:

— Attack­ers can pen­e­trate DOD net­works;

— Users are the weak­est link in cyber­se­cu­ri­ty;

— The defense sup­ply chain and phys­i­cal sys­tems are at risk; and

— The Unit­ed States con­tin­ues to spend bil­lions on cyber­se­cu­ri­ty with lim­it­ed increase in pro­tec­tion.

“Our approach to cyber­se­cu­ri­ty is dom­i­nat­ed by a strat­e­gy that lay­ers secu­ri­ty onto a uni­form archi­tec­ture,” Gabriel explained. “This approach … is not con­ver­gent with a grow­ing and evolv­ing threat. That’s the defen­sive pic­ture.”

In cyber offense, he added, mod­ern war­fare demands the effec­tive use of cyber and kinet­ic means.

“The tasks required for mil­i­tary pur­pos­es are suf­fi­cient­ly dif­fer­ent that we can­not sim­ply scale intel­li­gence-based cyber capa­bil­i­ties and ade­quate­ly serve the needs of DOD,” the act­ing direc­tor said.

For exam­ple, he added, “a cyber exploit that always caus­es the tar­get sys­tem to crash is not much of an intel­li­gence exploit, but it may be exact­ly the effect a DOD mis­sion calls for.”

DARPA-devel­oped tech­nolo­gies are wide­ly preva­lent in mil­i­tary, intel­li­gence and com­mer­cial use today, but much remains to be done, Gabriel said. “From our van­tage point,” he added, “the great­est vul­ner­a­bil­i­ty in cyber offense for the DOD is the lack of capa­bil­i­ties with pro­por­tion­al­i­ty, speed and diver­si­ty of effects.”

“It’s very much an envi­ron­ment where we have to con­tin­u­al­ly up the game and get ahead of the threat,” Zachary J. Lem­nios, assis­tant sec­re­tary of defense for research and engi­neer­ing, told the sen­a­tors.

“We start­ed in com­put­er net­work defense years ago with the perime­ter defense strat­e­gy — a fire­wall strat­e­gy. We then moved to an envi­ron­ment where we have on the com­mer­cial side embed­ded agents that look at net­work traf­fic,” he said.

Even­tu­al­ly, Lem­nios added, “we’re mov­ing to a point where no longer will we be look­ing for par­tic­u­lar attacks, but we will be design­ing sys­tems on the com­mer­cial side that morph auto­mat­i­cal­ly — actu­al­ly change their fea­tures and oper­at­ing roles to respond to threats before the threats present them­selves.”

Pres­i­dent Barack Obama’s fis­cal 2013 Pen­ta­gon bud­get request includes a $3.4 bil­lion invest­ment in cyber activ­i­ties, of which $486 mil­lion is ded­i­cat­ed to sci­ence and tech­nol­o­gy invest­ments, he said. This invest­ment is sig­nif­i­cant, he added, giv­en the department’s com­plex set of cyber­se­cu­ri­ty respon­si­bil­i­ties and chal­lenges.

The DOD enter­prise sys­tem includes 15,000 net­works and 7 mil­lion com­put­ing devices across hun­dreds of instal­la­tions in dozens of coun­tries that are used for busi­ness oper­a­tions. But the DOD cyber­se­cu­ri­ty capa­bil­i­ty must extend beyond the enter­prise sys­tem, Lem­nios said, to include mis­sion-crit­i­cal com­mand and con­trol net­works, cyber phys­i­cal sys­tems and cyber radio fre­quen­cy sys­tems — com­mu­ni­ca­tions sys­tems — that make up DOD’s tac­ti­cal sys­tems.

“The emer­gence of net­worked tac­ti­cal sys­tems and cyber phys­i­cal sys­tems have cre­at­ed new oppor­tu­ni­ties for increased cyber secu­ri­ty attack and dis­rup­tion,” the assis­tant sec­re­tary said.

The cyber oper­a­tional domain is built on mea­sures and coun­ter­mea­sures, he added, where tech­ni­cal depth, oper­a­tional inno­va­tion and tech­nol­o­gy tran­si­tion are the ingre­di­ents for lead­er­ship.

“The key to suc­cess for all our cyber­se­cu­ri­ty efforts is tal­ent — the work­force we have in our lab­o­ra­to­ries, in acad­e­mia, in indus­try, in our small busi­ness com­mu­ni­ty and the work­force of tomor­row,” Lem­nios said.

DOD has sev­er­al pro­grams to advance the cyber research and devel­op­ment work­force, he said. These include the Com­pre­hen­sive Nation­al Cyber­se­cu­ri­ty Ini­tia­tive that attracts high school and col­lege stu­dents into cyber secu­ri­ty, the DOD Infor­ma­tion Assur­ance Schol­ar­ship Pro­gram for schol­ars who want to com­plete a degree in cyber-relat­ed fields, and efforts involv­ing the ser­vices.

At the Nation­al Secu­ri­ty Agency, the research enter­prise sup­ports the agency’s infor­ma­tion assur­ance and sig­nals intel­li­gence mis­sion with a high­ly skilled tech­ni­cal work­force, Michael A. Wertheimer, NSA’s direc­tor of research and devel­op­ment, told the pan­el.

Bet­ter than a third of the work­force has PhDs, anoth­er third has master’s degrees, and just under a quar­ter have bachelor’s degrees, Wertheimer said. But poor recruit­ment and reten­tion prac­tices have caused U.S. pro­duc­tion of com­put­er sci­en­tists to decline, he added. NSA has cre­at­ed a three-year pro­to­type post-doc­tor­al pro­gram to attract new tal­ent, he said.

At DARPA, to cre­ate cyber capa­bil­i­ties with the diver­si­ty, dynam­ic range and tem­po of DOD oper­a­tions, the agency launched a pro­gram called Cyber Fast Track, which taps a pool of non­tra­di­tion­al experts and inno­va­tors, many of whom oper­ate in the “white-hat” hack­er com­mu­ni­ty.

“Half of our so-called cyber­punks — the group of about a half a dozen or eight pro­gram man­agers at DARPA — don’t have PhDs,” Gabriel said. “Their skills, their capa­bil­i­ties, their insights are com­ing from their prac­tice in the com­mu­ni­ty. And frankly, it will have a shelf life.”

Like all the pro­gram man­agers who work at DARPA, “they’ll go through the three to five years, and they’ll move on, and oth­ers will come in with a new­er, dif­fer­ent per­spec­tive,” he added.

“I think that’s an inter­est­ing thing about cyber. … It has such a fast refresh and short shelf life that we may have oppor­tu­ni­ties for a dif­fer­ent mod­el of how we retain that capa­bil­i­ty,” he said.

U.S. Depart­ment of Defense
Office of the Assis­tant Sec­re­tary of Defense (Pub­lic Affairs)