Cyber defense must be resilient, because it will never be invulnerable, former DOD official says


Offense now trumps defense in the emerging theater of cyberwar, and the United States must focus on the resilience of its critical infrastructure, former Assistant Defense Secretary Franklin Kramer said Tuesday at the Black Hat Federal Briefings.

Offense now trumps defense in the emerging theater of cyberwar, and the United States should focus on making its critical infrastructure resilient enough to withstand and deter attacks, former Assistant Defense Secretary Franklin Kramer said Tuesday at the Black Hat Federal Briefings in Arlington, Va.

“The current system can be made much better, but is not fully fixable,” Kramer said in his opening keynote to an audience of federal and private sector security professionals. He warned against letting the perfect become the enemy of the good and said the goal of defending critical infrastructure should be resilience rather than invulnerability. “Good enough is not a bad goal.”

Kramer, a national security and international affairs expert who was assistant secretary of defense for international security affairs under President Clinton, said cyberdefense requires the cooperation of public and private sectors and suggested establishing a Skunk Works to advance the art.




Skunk Works, a name first applied to the Lockheed Martin Advanced Development Program for developing advanced aircraft, has come to be used for a program that can rapidly bring together technical expertise across a variety of fields with minimum bureaucracy and maximum autonomy.

“We have really only begun to think about cyber conflict,” Kramer said. He described it as a rapidly evolving area that will require a capacity for both offensive and defensive action, a fact that has been recognized in the establishment of the U.S. Cyber Command. But the boundaries between cyber and kinetic warfare and the parameters of response are policy issues that still are being worked out.

“There has been a lot of discussion about whether we’re already in a cyberwar,” he said.

Incidents of the past two years illustrate that cyber conflict, if not full scale war, is here, he said. He cited the apparent use of cyber attacks by Russia during its 2008 war with Georgia, Chinese hacks against Google and other companies, the WikiLeaks exposure of classified U.S. documents and the emergence of Stuxnet as an apparent stealth weapon.

Kramer said that most cyber conflicts probably will fall into a gray area that characterizes much current military activity, “conflict but not war.”

The U.S. response to provocations and attacks in this area short of war includes a full range of measures: diplomatic and economic as well as military. This will hold true in cyber conflicts as well, Kramer said. “This does not mean only cyber on cyber.” Response to a cyber attack also could include kinetic response from traditional weapons and still fall short of full scale war.

But there are some key differences in the cyber arena, Kramer said. The ease of entry by non-nation states and the ease of use of cyber weapons could make it easier for a cyber conflict to escalate and more difficult to contain. It also is uncertain whether the United States will be able to dominate a battlefield in cyberspace the way it can count on doing in traditional warfare.

These factors, along with the usual trend in technology for functionality to outrun security, give an advantage to offense and put a premium on beefing up defenses of our critical infrastructure. Kramer cited the current level of security in the nation’s electric grid as an example.

“It’s not enough, we need to do more,” he said.

A recent study by the Government Accountability Office found that although a framework of standards is emerging for securing an intelligent energy grid, federal overseers lack the authority to require industry compliance. The Energy Independence and Security Act of 2007 (EISA) directed the Federal Energy Regulatory Commission, the primary federal regulator of the electricity system, to adopt standards for smart grid security and interoperability.

“While EISA gives FERC authority to adopt smart grid standards, it does not provide FERC with specific enforcement authority,” the GAO report said.

Kramer said “it is likely going to take legislation” to bring better security to privately owned critical infrastructure, not in the form of prescribed solutions but by shaping the market to drive security, much as was done from the 1970s to the 1990s to improve environmental controls in the private sector.

This will not mean perfect security, however.

“It is inconceivable that the electric power industry can be immune from cyber attack,” Kramer said. The grid will have to concentrate on becoming resilient, not invulnerable.
