Advanced threats perplex cyber defense efforts, panel says
A former general worries that it might take a digital Pearl Harbor to get officials serious enough about the problem.
Whether it’s an employee inadvertently opening a phishing e-mail, a rogue actor revealing internal vulnerabilities or a crop of hacktivists wreaking havoc with denials of service, the new advanced persistent threat has many faces, and defending against it requires a multipronged approach.
That approach includes elements such as intelligence, governance and strategic planning on the part of the public and private sectors, a panel of experts said today at 1105 Media’s Defense Systems Summit in Arlington, Va. And one retired general worried that it might take a digital Pearl Harbor before officials get serious enough about it.
“It’s a hard problem to solve because how do you predict a denial-of-service attack?” said Barry Hensley, vice president of the Counter Threat Unit at Dell SecureWorks. “We see advanced threats every day targeting intellectual property, mergers and acquisitions.... It’s critical to nation-states and to the future of business.”
At the Defense Department, there are plenty of directives and guidance, but the problem is implementing better action faster — and taking the cyber threat as seriously as traditional types, said retired Lt. Gen. Jeffrey Sorenson, a partner at A.T. Kearney and former Army CIO.
“It may take a Pearl Harbor or a 9/11 cyberattack for people to get serious about this,” Sorenson said. “We have to be able to do forensics in minutes and hours, not weeks and days.”
On the military side of the equation, much of the threat remains uncertain.
“Is it an issue of scale — in the Army, 1.2 million users — or is it an issue of processes?” Sorenson asked.
Gary McAlum, senior vice president and chief security officer at USAA, agreed that complexities within DOD, including interdependencies, complicate the threat.
“DOD is an enterprise of little enterprises. There is no end-to-end visibility,” McAlum said, adding that strong, clear governance will be necessary to achieve scale.
The pervasive use of IT in modern defense also contributes to the dangers of the cyber threat and makes the military a more attractive target.
“The Army is a particularly high-value target because, for the first time, everything we do, including weapons systems, IT is embedded inside,” said Daniel Bradford, deputy to the commander and senior technical director/chief engineer at the Army Network Enterprise Technology Command. “Our adversaries know they can’t take us on militarily, so they’re taking us on through [technology]. Whenever you diffuse command and control into the trenches, that’s a fragment you can’t control, and it becomes a target.”
Still, the military’s role in securing national interests in cyberspace isn’t yet well-defined, another aspect that increases vulnerability, said Scott Jasper, a lecturer at the Naval Postgraduate School. He noted that defining the military’s role is a precursor to defining an attack, and that’s something that requires consideration of Article 51 provisions and the laws of armed conflict and how they relate to cyber warfare.
“The military is in a tough spot in looking at these civilian infrastructures and applying the laws of armed conflict,” Jasper said.
It’s an issue that requires a fast resolution, Sorenson added.
“The persistent conflict in the cyber world today is just as real as anything,” he said. “You can have all the tools you want, but without the governance process, you can’t do anything with [them].”