In my last blog, I ended with a quote from a 2011 Foreign Affairs magazine article written by former U.S. Deputy Secretary of Defense William J. Lynn III. In the article he stated that the Department of Defense has a five-pillar strategy for operating in cyberspace:
“…treating cyberspace as an operational domain, like land, air, sea, and outer space; employing active defenses to stop malicious code before it affects our networks; protecting commercial networks that operate the critical infrastructure that our military relies upon; joining with allies to mount a collective cyber defense; and mobilizing industry to redesign network technology with security in mind.”
According to the U.S. Government Accountability Office (GAO), the following is the definition of critical infrastructure:
“Critical infrastructures are systems and assets, whether physical or virtual, so vital to our nation that their incapacity or destruction would have a debilitating impact on national security, economic well-being, public health or safety, or any combination of these. Critical infrastructure includes, among other things, banking and financial institutions, telecommunications networks, and energy production and transmission facilities, most of which are owned by the private sector. As these critical infrastructures have become increasingly dependent on computer systems and networks, the interconnectivity among information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt critical systems, with potentially harmful effects.”
Secretary Lynn also stated in his article:
“Extending advanced cyber defenses to critical infrastructure is one of the strategy’s most crucial objectives…Within critical infrastructure, the private defense companies that build the equipment and technology the U.S. military uses are especially important to protect. Their networks hold valuable information about U.S. weapons systems and their capabilities”
This brings me to the focus of today’s blog. On 14 May I participated in a Department of Defense Bloggers Roundtable with Eric Rosenbach, Deputy Assistant Secretary of Defense for Cyber Policy, and Richard Hale, Deputy Chief Information Officer for Cybersecurity. The subject: The Pentagon’s Recent Initiatives to Improve Defense Industrial Base (DIB) Network Defenses and Allow DIB Companies and the Government to Reduce Damage to Critical Programs When Defense Information is Compromised.
Mr. Hale began by giving some background on the topic:
“A bit more than four years ago, the Department of Defense started a program to better protect DOD information that sits in the defense industrial base companies’ networks. And the idea behind the program was to share unclassified and classified government information that can help these companies protect DOD information better.
The program — the idea with the program was that it was going to be completely voluntary, companies could join if they wanted. And then a second important idea in the program was that companies, again on a strictly voluntary basis, could report cyber incidents back to the department, including could share malware that’s found on their company’s systems, with the government, government would analyze that and then push back out to the participating defense industrial base companies and push back out to the rest of the federal government any threat information that could be derived from that, including signatures that could go right into defenses or a cyberattack detection and diagnosis systems.
So that defense industrial base cybersecurity program, again, has been in operation for a bit more than four years…
The main defense industrial base cybersecurity program had been capped at 36 companies until the DOD published a rule in the Federal Register. The rule is approved by the Office of Management and Budget and was published last Friday. So what that means is the program can now expand to more companies. The eligible companies are cleared defense contractors that have facility clearances because they have to be able to handle classified information.”
Mr. Rosenbach added that the program:
“…involves using specialized intelligence information, working through DHS and providing it to Internet service providers to scan incoming Internet traffic to select members of the defense industrial base.
Just a real quick reminder about why we were trying to do this. The defense industrial base companies face a kind of unrelenting attack from sophisticated actors who are trying to steal intellectual property and sensitive defense information. And we wanted to try to do something to address that more-sophisticated threat because the defenses of everyday firms may not necessarily be a — (inaudible) — to defend against those.
…This model, from the legal, technical, operational and policy perspective, is something that we invested a lot of work in. And that involves different actors, including DOD intelligence community, the Department of Homeland Security and the Internet service providers. It’s something that we’re pretty proud of, and I think offers the potential to have not only a model of support for the defense industrial base and the Department of Defense, but possibly, if this is where the interagency and the White House decides, protection of critical infrastructure.”
When asked what was being done so that the program did not violate the Posse Comitatus Act (The Posse Comitatus Act of 1878, still in effect, was passed to prevent U.S. military personnel from acting as law enforcement agents on U.S. soil.) Mr. Rosenbach replied:
“…the Department of Defense isn’t actually operating domestically in any way in this case.
So some of the information that’s collected from DOD intelligence organizations is passed to the Department of Homeland Security to check over it, make sure there’s nothing there in particular that would violate civil liberties, Fourth Amendment concerns. Then passed from DHS, who has the lead for the relationship with Internet service providers, to the Internet services providers where they scan the traffic.
All of this is done with the consent of the companies. So it’s completely voluntary to join the operation, and it’s also completely voluntary, you know, to withdraw. Any information exchanged is all done on a voluntary basis.”
I asked if we had continued success with this program, would it lead to a more comprehensive policy which would be able to defend our critical infrastructure? Mr. Rosenbach replied:
“…that’s a little bit what I was hinting at when I said I think the model is something that could be used to scale to protect critical infrastructure as well.
But I want to be very clear: that’s not a decision that we at the Department of Defense would make. That’s something that would be led by the White House, and the Department of Homeland Security would have the lead–the lead for domestic cybersecurity.
But the advantage of the model is that because it’s done on the network and by the companies that provide the Internet service to even the critical infrastructure, you have a lot of flexibility for scaling it and using these enhanced measures.
It’s kind of unrealistic, I think, in this day and age to think of putting government-built boxes that would scan the network and protect the entire country, just because it’s technically almost certainly unfeasible, and there are a lot of civil liberties and privacy concerns that I think would probably keep that from happening, too.”
I followed up with another point: if we don’t come up with a solution that gives us a sense of what’s happening on the network, we would not be able to distinguish what is just a cyberhack against a particular company from what might be a larger-scale cyberattack, in terms of warfare, against the United States.
Mr. Rosenbach replied:
“Here’s one way to think about that, is that there are different places along the architecture of the Internet where you might be able to see an attack coming. One is at the border of individual firms or the critical infrastructure network where there’s kind of a perimeter defense.
One — another might be at the border of the nation of the United States or other countries where you could look at this.
And then using intelligence mechanisms, there are other places out in cyberspace where you may be able to see an attack either being perpetrated or planned.
So we don’t want to rely just on one specific solution. And this is the one that would most likely help somewhere in between the national borders and the borders of specific firms.
But you know, you have to be realistic, too, about the Internet and the volumes of data you’re talking about. Right now it’s, I would say, pretty hard to understand how you would see all Internet traffic for the nation and scan it, even if there were a policy or legal decision that you could do that. So you have to try to invest in the best risk-mitigation factors as you can and do other things in national security to try to lower the risk to the country for that type of attack you’re talking about.”
I was able to get in one more question. The issue for me has always been that some companies are reluctant to bring up that they’re under attack. So if you’re trying to figure out whether something is just an isolated incident, a criminal-type activity, versus a larger-scale thing, then unless we have a more comprehensive policy under which people report cyber events, we will still have gaps in our cyber defense.
A very patient Mr. Rosenbach replied:
“…I’d say one of the other things that we’re trying to push forward is the legislation that’s on the Hill right now in the Senate. The Lieberman-Collins bill has provisions in there that have requirements for people to report when they’ve been hacked. So it would be very helpful in getting more of that forensic evidence that helps the government understand what’s going on.”
One of the major concerns I’ve always had about the cyber issue is the fact that laws and regulations are out of date, nonexistent, or inadequate to address the problem. The process is so gridlocked it may take a major cyber incident to get the needed legislation and regulations passed. On the positive side, this DIB initiative by the Department of Defense highlights what’s good about cyber defense efforts. A lot of critics have said that cyberwar is more hype than reality, citing the fact that we haven’t had a cyber Pearl Harbor as evidence. I believe the fact that we haven’t yet had a cyber Pearl Harbor can be attributed to the hard work of countless people in responding to the threat. Cyber defense efforts may have a long way to go, but many people are working the problem. They are coming up with as many solutions as possible given the constraints they are working with.
For an excellent rundown on cyber legislation efforts, check out this blog by Sarah Granger. I think I’ll end here. As always, my views are my own.