U.S. Military Approach to Cybersecurity: All of Government

This is not just about the uniformed services. We all have skin in the game.

by Eric Holdeman / May 12, 2015

Last week I attended a Cybersecurity Symposium at the University of Washington-Tacoma. One of the presentations I was impressed with came from the head of the joint Cyber Command for U.S. forces. See my notes from his talk below. I'll be highlighting a few more things in the coming weeks from his remarks.

Lt. Gen. Edward Cardon, commander, U.S. Army Cyber Command

Cyber is often considered a bad word. We are in the middle of a technology revolution with smart devices doing what multiple devices did previously. Advanced technology is moving fast. Google says we can’t predict the future because it is moving so fast. We can’t predict what it will be three years from now.

The threat side is also moving very rapidly. Disruption, degradation and destruction is the sequence we are on now. Iran’s attack on our financial organizations. Criminal organizations in Eastern Europe and what they did to Target. Cyber is not the issue, it is the people behind it.

Everything is becoming more complicated. Look at where wearable devices are going. No one single person knows everything anymore in either hardware or code.

There is a good report called Verizon Report. The commercialization of the weapons is a huge issue. You can rent botnets. We have more vulnerabilities today because of our connection to the Internet for all our activities — that includes critical infrastructure. 

This is not a government alone issue. We need collaboration and cooperation between all sectors of our society. The Department of Defense, DHS and FBI are the key federal players. Remember that .com is protected by private industry. DHS has done some good work in ISAC. Not all federal departments want to share and the same is true with the private sector. 

We might have a cybersecurity bill coming soon. We have been working on this since 2006. In the military we consider cyber as a domain. This cyber domain is joint for all the military services. The construct for Cyber Command is all joint. It is all man-made, and it is global. When we normally divide up the world we divide it by geography. In cyber this does not apply. 

There is a new DoD Cyber Strategy that was released recently by the DoD secretary. This is unclassified.

There are defensive and offensive cybersecurity operations. Offensive is all classified. Remember that 10 percent of all passwords on the Internet are “Password” and “admin.”

What if we encrypt all data all the time? Don’t click on any hyperlinks! You know things are amok when things don’t work right. The offense will always lead the defense. The defense has to be right all the time. We have to have a defense in depth. You can’t buy your way out of this. This accentuates our academic community.

Work factor analysis is needed to know what to protect and how to do it. SCADA is incredibly important. 

The core is getting harder and the edge is getting weaker. How we protect needs to change. The primary target is not where the entry point is. 

Speed counts. The response to a sophisticated attack is usually taking months. This is increasingly about the data. The attackers want the data! We should not be moving data in an unencrypted manner.

We need a core approach. It is not an IT issue. How we articulate the risk is important. Retaining talented people is the issue. They need high-end people. Getting them is not the problem. How do we have programs where we bring in people from the civilian side and share experiences? The younger generation only stays in a job for one to two years. The U.S. Army is creating a cyberbranch of about 3,000 people, a small fraction of the total force.

We (Cyber Command) are looking to better connections to the West Coast.

Kansas, Washington and Michigan are the states to look at for how the National Guard is being used. There is a fear in the DoD that we could end up with National Guard working against U.S. citizens. This is an issue for using the National Guard more. The sharing between the FBI and other entities is also hard. 

Some U.S. states have elected attorneys general. They tend to be more risk averse. How we work multistate for natural disasters, we don’t have that yet for cyber issues.

There is a rapidly developing cybersecurity capability on the civilian side. They are sharing the new threat documents they produce with their customers. These would have been classified top secret years ago. We need to do joint exercises. The new cyberbranch will give us meaningful capability.

When you say 99 percent of our network is patched, that means that 1 percent is still open to exploitation. The offensive side sees this as a great opportunity. 

The cooperation between Canada and the USA on the defense side is good when it comes to information sharing. NORAD is a good, workable model, but we don’t have the same organization in place yet for cyber issues, although we do have Northern Command that provides for a military interface in general. 

Trust and belief issues are huge with our younger generations. Insider threat is perhaps our biggest issue to overcome. It goes beyond trust to fundamental belief issues. 

Big changes are being made in the military toward retaining people. Examples include giving newly commissioned officers the grade of major and letting enlisted personnel become warrant officers at the end of their six-year enlistment. He believes that he needs to be able to retain a third of their workforce. Fifteen cadets are being commissioned from West Point in the cyberbranch.
