This week I attended the annual Cyberspace Symposium put on by the Rocky Mountain Chapter of AFCEA. As they say on their web site:
“AFCEA is an international organization that serves its members by providing a forum for the ethical exchange of information. AFCEA is dedicated to increasing knowledge through the exploration of issues relevant to its members in information technology, communications, and electronics for the defense, homeland security and intelligence communities.”
Typically AFCEA conferences give the government a forum where they can talk about what they are currently doing and what problems they’re facing and need industry and academia to help out with. The theme of this year’s event was: Protecting Cyberspace: Policy, Partnerships, and Practical Solutions. The event was well organized, informative and thought provoking.
The first day of the Symposium focused on Policy. Mark Weatherford, the first Deputy Under Secretary for Cyber Security at the US Department of Homeland Security from 2011-2013, opened with what I call an Intelligence Preparation of the Battlefield (IPB) talk. According to an Army Field Manual:
IPB is the best process we have for understanding the battlefield and the options it presents to friendly and threat forces…IPB is a systematic, continuous process of analyzing the threat and environment… It is designed to support staff estimates and military decision making.
In this case the battlefield Mr. Weatherford discussed is the Internet of Things (IoT). As with most cyber terminology, there are still no universally agreed upon definitions (a topic for another blog), but he describes it as a concept that connects the unconnected and brings together people, processes, data and things. He also recommended looking at what the Federal Trade Commission had to say on the topic in a January 2015 report. Here’s what the report had to say:
The Internet of Things (“IoT”) refers to the ability of everyday objects to connect to theInternet and to send and receive data. It includes, for example, Internet-connected cameras that allow you to post pictures online with a single click; home automation systems that turn on your front porch light when you leave work; and bracelets that share with your friends how far you have biked or run during the day.
Six years ago, for the first time, the number of “things” connected to the Internet surpassed the number of people. Yet we are still at the beginning of this technology trend. Experts estimate that, as of this year, there will be 25 billion connected devices, and by 2020, 50 billion.
In less than a generation we’ve become dependent on the IoT, and he predicts in the next decade we won’t be able to exist without it.
Weatherford said this isn’t all bad. Some of the examples he gave included situations like wine grapes will be monitored electronically for perfect sugar content, smart garbage cans will tell waste management staff when the garbage cans need to be emptied, every part of an aircraft will be electronically monitored for signs of failure, and pill bottle caps will be linked to allow doctors to see if patients take their medicine.
The downside is that is we haven’t even begun to figure out the security impact. Mr. Weatherford used Berkstrom’s Law to open that part of the discussion:
He stated your car is a computer and can be hacked. A Chevy Volt has more lines of computer coded than an F-22. He stated it’s also easy to hack hospital equipment. The big takeaway I got from his talk was that Washington was still working on policies and authorizations for their role in cybersecurity. Complicating this is the fact that internet is primarily a private sector domain and this complicates developing a national security strategy. It will require a partnership of government, industry, and state and local governments to solve. This was a theme throughout the three-day symposium.
There were a couple of afternoon panels on various policy issues but the talk I found most relevant was the luncheon keynote by Lt General Ronnie Hawkins the Director of the Defense Information Systems Agency (DISA). As they say on their website:
DISA is a combat support agency of the Department of Defense (DoD). The agency is composed of nearly 6,000 civilian employees; more than 1,500 active duty military personnel from the Army, Air Force, Navy, and Marine Corps; and approximately 7,500 defense contractors. The agency provides, operates, and assures command and control and information-sharing capabilities and a globally accessible enterprise information infrastructure in direct support to joint warfighters, national level leaders, and other mission and coalition partners across the full spectrum of military operations.
General Hawkins said DISA has reorganized to focus on five Cs: cyber, cloud, collaboration, and command and control. For his talk he indicated he would focus on cyber and command and control. Last month DISA launched a new organization called Joint Task Force-DOD Information Networks that will take over the defensive work from the U.S. Cyber Command. As I understand it CYBERCOM can focus on strategy while DISA will concentrate on defending the network.
During his talk, the general said what he’s looking for from industry is help with what he called “the left of boom” on the cyber kill chain. Specifically, he’s looking for help in doing the analytics and figuring out when the bad guys are doing surveillance and target planning. He would like to know days and months ahead of the event.
(Note: Lockheed Martin intrusion analysts Eric Hutchins, Michael Cloppert and Dr. Rohan Amin wrote the seminal paper on Intelligence-Driven Computer Network Defense and it was first published at the 6th Annual International Conference on Information Warfare & Security in March 2011.)
He’s also working with others to determine what defensive cyberspace sovereignty means. This refers to the supreme authority of to do things like observe, orient, decide, and act. I was a little puzzled and asked if you had an incident where a U.S. ship suffered a cyber attack in a geographic region say like the Black Sea, who had the mission of responding to help was it the geographic commander in this case European Command or the new DISA organization. He replied unless it affected all Department of Defense networks it would be the geographic commander.
Think I’ll end here. I’m traveling back home tomorrow but will do a follow on blog next week. As always, my opinions are my own.
