On the morning of Aug 19th, Gov Exec Magazine and Nextgov.com hosted an excellent panel on Coordinated Cyber Defense at the National Press Club. The panel consisted of Brian Fredericks, the lead for defending the DIB networks in the Department of Defense’s OASD NII (Defense’s CIO); Jim Lewis, CSIS’s cyber leader; LtGen Ken Minihan, former DirNSA, now working for Paladin Capital Group; and Alan Paller, Director of Research, SANS Institute. The panel was moderated by Jill Aitoro, the cyber reporter for the two hosting organizations.
The conversation was fairly wide ranging, and moved from the threats to the role of leadership, to the competition within government for leadership, to the debate about the role of government regulation, and finally to future government structures. The panelists were forthright and candid, and at times not too optimistic.
In their self-introductions, they all mentioned Richard Clarke as having played a key role in their initial entrance into the cyber world. The most interesting one was Paller’s story about the so-called “Dirty Minds Project” that was initiated by Clarke. It was a brainstorming session about how others might try to harm the USA. In the cyber realm, Paller said that the conclusion was that it would not be the technology that would fail in an attack. He said the group asserted that if an enemy attacked in waves, with brief pauses in between, eventually we would break down, and they would get through. It was an intriguing concept that unfortunately was not raised again.
In the area of threats, all agreed that the threats were up, in both frequency and sophistication, and that we were far more aware of them than ever before. Minihan said that this accounted for a perception that this was a bigger issue today than it was in the past. The telling part was that they all emphasized that the public in general, and the majority of the highly interested parties, had no idea of the true magnitude of the threat. Paller quoted a letter from the head of British MI5 to the top 300 firms in the UK. In it the counterintelligence chief said that any of the firms who do business (any business) with China were having their computer networks (and those of their lawyers) attacked with the same frequency and intensity as the government networks, and by the same assets. Lewis said simply that the US was a target-rich environment, and that we were in (not heading for) a strategic conflict, waged in the cyber arena.
Minihan also used the analogy of an iceberg, saying that the part of the threat with which we were familiar (hackers, DDoS attacks, etc.) was only the “unstructured” threat. The “structured” threat (coming from peer competitors and highly organized groups) was the part below the water, and thus the real danger.
They all agreed that good leadership was the overlooked key to better (not perfect) cyber security. Only if leaders (CEOs rather than CIOs or CISOs) got involved would an entity make real progress. Fredericks mentioned that the DSD was meeting with the CEOs of the DIB companies to make this point and solicit their help to protect these critical assets.
There was quite a bit of discussion of regulation, private/public partnerships, and how these could help the effort. No conclusions were reached, but two very interesting points were made. One was that NIST was ill suited to set the standards for cyber security, because it didn’t know anything about security. It was likened to asking someone who didn’t know how to build a building to devise the building codes. The other interesting point was when Lewis (one of the authors of CSIS’s “Report on Cyber Security for the 44th President”) sighed and said that perhaps “Cyber Security is just too hard for the US to achieve.” His obvious discouragement was disheartening. He also briefly discussed the role of the White House in cyber. He mentioned that his report called for a separate organization similar to the US Trade Rep, while others wanted an operational cell in the Executive Office of the President. Still others were calling for an entirely new agency. Again, his discouragement with the lack of forward movement (after so much potential) was evident. Paller said that since the government knew the threats the most completely, it should set the specifications for security products.
Next, all agreed that we must begin doing realistic exercises that include cyber attacks: not simulations, but real attacks. This was seen as the only way to pursue improvement. Lewis again had the most interesting comments, when he said that the threat to critical infrastructure is not the big problem, but the threat to intelligence and information is our biggest worry. The former “may” happen; the latter is happening every day, and at a huge cost. In reference to supply chain security, Paller also said that it is impossible to find an implanted threat once it is inside software or hardware. He went on to point out that building it all in the US is not a panacea, as the enemies could still plant malware through agents or insiders.
In final comments, Lewis said that we’ll never get rid of social networking tools like Twitter, Facebook, and LinkedIn. They improve productivity, and frankly younger workers will quit if they don’t have access to the tools they “grew up with.” Paller added to this train of thought, saying that the real “weapon” of the future (today really) is the techie who can design systems that attack and defend while still allowing everyone to use the tools they have come to love. He also said that of the big federal integrators, SAIC had the inside track on supporting the cyber efforts, because they were doing the most to develop cyber warfare personnel.
A last personal note: I looked around the room and saw six Navy uniforms, and none from any of the other three services. Maybe the others were busy, but it was clear the Navy is taking this seriously.