USA — Cyber Solutions Depend on Partnerships, Official Says

WASHINGTON — Defense Department officials are reaching throughout government and the private sector to lay the framework for long-term solutions in computer network security, the department’s head of cyber policy said today.

Defense leaders have recognized the importance of cybersecurity, as noted in the Quadrennial Defense Review, by creating U.S. Cyber Command as a separate entity to handle the evolving issues around network security, Robert J. Butler, deputy assistant secretary of defense for cyber policy, said as part of a panel of speakers at a cybersecurity symposium sponsored by the Washington chapter of the Armed Forces Communications and Electronics Association.

AFCEA is a nonprofit membership association serving the military, government, industry and academia as a forum for advancing professional knowledge and relationships in communications, information technology, intelligence, and global security.

Solutions to managing cybersecurity demand the full partnership of the public and private sectors, Butler said, adding that private-sector Internet service providers are at the core of decisions about privacy versus security and technical know-how.

“You can’t just do it with the federal sector,” Butler said. “You have to have the ISPs and others who really understand the networks involved.”

Retired Air Force Gen. Ronald E. Keys, a senior advisor at the Bipartisan Policy Center and a former commander of Air Combat Command, moderated the panel. He said the department had to stand up Cyber Command to coordinate both security and network capacity issues.

“The biggest issue in the military was we didn’t know who the hell was on our networks” due to the massive numbers of military, civilian employee and contractor users, Keys said. He added that when a subordinate command within Air Combat Command became infected with a virus, he had the unit removed from the network until the problem was resolved. Such a shutdown isn’t possible when private companies hold the authority, he noted.

“If I go to an ISP to kick someone off, and they do it, then they get sued,” Keys said. “The question becomes how do we strip the proprietary and customer concerns off the information so we can share it?

“This thing is the Wild West out there,” he added. “It’s pick your dysfunction: government bureaucracy or the proprietary and profit motive.”

Army Brig. Gen. John Davis, Cyber Command’s director of current operations, was on the panel. He said military leaders have to stay abreast of threats outside the department, since 90 percent of the department’s networks run through private domains.

“We need to be cognizant about what’s going on out there, because it has a direct effect on us,” he said. “We are all connected in this business.”

Education and awareness of cybersecurity issues are critical, Butler said, through training scenarios such as the government’s “Cyber Shockwave” exercise held in February. A video synopsis of the exercise, shown at the symposium, depicted senior U.S. national security leaders reacting to an ongoing, large-scale cyber attack that left some 20 million Americans without cell phone use, and the eastern half of the country without electricity. Internet connectivity slowed to a crawl, disabling airlines, air traffic control, media outlets – nearly everything.

The meltdown purportedly was traced to a “bot,” or virus attack, initiated from a smart phone in Russia. With senior leaders discussing the situation on a cable news network, the attorney general in the scenario said U.S. law did not give authority to quarantine cell phones, from which the virus was spreading. “We are in a solid, military response role,” the scenario’s homeland security secretary said.

Navy Rear Adm. Michael A. Brown, deputy assistant secretary for cybersecurity at the Homeland Security Department, said the success of Cyber Command rests on the Homeland Security Department’s ability to provide security capabilities and capacity.

“We just cannot wait for an event to occur before we know how we’re going to operate,” Brown said. “The vast majority of our capabilities and capacity rests in the private sector.” Davis underscored the importance of cybersecurity to the military, noting Cyber Command is working to improve its ability to catch potential threats earlier.

“There is a lot at risk in the balance between being able to operate and connect with each other and our understanding of the vulnerabilities out there, and the growing threats to our system,” Davis said. “All of our missions, all of our equipment, is dependent on cyberspace.”

U.S. Department of Defense
Office of the Assistant Secretary of Defense (Public Affairs)