By: Jared Serbu
Cyber Command News
Over the last half dozen years, cyberspace has come into its own as a major topic and an operational domain in the Defense Department.
Current and former federal officials say that while DoD has made some progress in the cyber arena, major challenges remain when it comes to protecting both the military and the nation from electronic attack.
Two weeks ago, Leon Panetta, the Secretary of Defense, stood on the deck of a decommissioned World War II aircraft carrier and warned a group of business executives that the United States was vulnerable to an attack that could be every bit as damaging as the event that started that conflict: a coordinated assault on the nation via cyberspace.
"The collective result of these kinds of attacks could be a cyber Pearl Harbor; an attack that would cause physical destruction and the loss of life," Panetta told a gathering of the Business Executives for National Security aboard the U.S.S. Intrepid museum in New York. "In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability."
Panetta's warning wasn't exactly new. Last year, in DoD's first-ever strategy for operating in cyberspace, the department proclaimed that both the nation and the military itself were vulnerable to cyber attacks. The secretary also has invoked the Pearl Harbor metaphor before.
What was new was that, for the first time, the nation's top Defense official was giving a major policy speech devoted entirely to cyber issues, reflecting an understanding of the threats among senior military leaders that took years to evolve.
"The fact that he gave it was awesome," said Rob Carey, who has served in IT leadership positions in DoD for more than a decade and now serves as its deputy chief information officer. "And the fact that he understands it is no easy feat. Five years ago, senior leaders weren't too terribly concerned about this IT and cyber business. Now it's buried in their lexicon. I think what he pushed out there was a wonderful compilation of what's going on in the here and now to try and drive a sense of urgency around what's happening."
Top of the list of worries
The military's uniformed leadership says they, too, have cyber at the top of their lists of worries and priorities. Gen. Martin Dempsey, the chairman of the Joint Chiefs of Staff, said recently few people in the department could have been found uttering the word "cyber" a decade ago.
"Now I think cyber is the black swan," he told a Silicon Valley audience recently. "Because we don't know exactly what capabilities exist out there, but we do know our vulnerability. So cyber is the threat that concerns me the most."
Nonetheless, DoD has made significant progress on the cybersecurity front over the last several years, experts inside and outside of government say. Observers consistently point to the threat information sharing programs the department has set up with the industrial sector, the creation and maturation of U.S. Cyber Command, locking down individual computers through host-based security systems, and the development and implementation of core computer security controls in partnership with intelligence agencies and the National Institute of Standards and Technology.
DoD laid the foundation for those improvements with at least two key events in the middle of the last decade. DoD created the Joint Task Force for Global Network Operations in 2004, enabling DoD to begin to mandate computer security measures to the field for the first time rather than simply suggesting them. Two years later, then-Lt. Gen. Charlie Croom, JTF-GNO's commander, signed what's regarded as a groundbreaking directive in ordering the deployment of PKI-enabled Common Access Cards, creating secure, two-factor authentication for every user who accessed DoD's unclassified networks.
"Implementing a global identity management system, helping JTF-GNO get stood up, putting in place the first-ever training and certification program to handle that daunting challenge of education to deal with the cyber problem were all significant milestones," said Robert Lentz, who served as DoD's chief information assurance officer at the time and now heads his own consulting firm, Cyber Security Strategies. "We put out a lot of policies, and we can be criticized for putting out lots of policies, but there weren't any at the time. We needed to get them done first. Because of the fact that there weren't a lot of cooks in the kitchen, we were able to put together a lot of groundbreaking decisions and strategies necessary to move the ball forward."
Aftermath of SIPRNet attack
DoD realized it had to move the ball forward further when in 2008 its secret Internet protocol network (SIPRNet) was hit with a malware attack via an infected USB thumb drive. A year later, Robert Gates, then the Secretary of Defense, signed the order creating U.S Cyber Command, a four-star military command designed to harmonize all of the military's cyber activities under one roof.
Panetta said the command has made rapid progress since then.
"Cyber Command has matured into what I believe is a world-class organization," he said. "It has the capacity to conduct a full range of missions inside cyberspace. And it's also working to develop a common, real-time understanding of the threats in cyberspace."
Retired Lt. Gen. Steven Boutelle, who served as the Army's chief information officer from 2003 to 2007, agreed the standup of Cyber Command was a big deal.
"When that acknowledgement came that we had an issue big enough to create a four-star command in order to address the issues within the dot-mil domain, that was massive," Boutelle said. "Now, we've done that, we've grown those and we're maturing those, but they're starting to make an impact. I say starting to make an impact because when they bring commands together and move a bunch of people together and examine leadership issues and laws and training and infrastructure, it's complicated. We still have a lot of things on roles and responsibilities within those commands to work out."
But Boutelle, now a vice president at Cisco Systems, said the department's most significant single cyber accomplishment so far has been to begin exchanging real-time threat information with industry. The program began as a pilot project in 2007 with 34 companies, then called the Defense Industrial Base Cyber/Information Assurance pilot program. It was made permanent and expanded earlier this year; the department says 64 companies are involved now.
"That is a great start as a volunteer program, and it needs to grow," Boutelle said. "In the cyber world, you cannot stand alone and protect your networks and your enterprise. You have to share information with other government entities, commercial entities and global entities. I know that's the direction U.S. Cyber Command is heading, but it's got to be a team sport."
Lentz, the former DoD cybersecurity chief, said the establishment of the DIB program is the achievement he's most proud of during his time in office.
But despite their large roles in improving DoD cybersecurity over the past several years, both of the former defense officials are far from satisfied with the progress the department has made.
Responding to swiftly advancing technology
Boutelle said the department has indeed moved the ball forward since 2006. But technology has marched forward even faster.
"When Charlie Croom rolled out that memo on CaC, it became a major milestone for all of us and it was foundational on a certain level in communicating to certain leaders that we had issues that had to be mitigated," he said. "But you look from that date in 2006 until today, we've had exponential changes in technology, and getting understanding [of cyber issues] across a much broader community has been the most difficult part. That's been the issue we've been dealing with across the nation, not just across the Department of Defense."
Boutelle said despite extensive efforts to train federal employees on information assurance, particularly in DoD, he worries about inadvertent insider threats to government systems. He points to a penetration test the Department of Homeland Security reportedly conducted last year.
When the agency's penetration testers secretly scattered USB thumb drives in the parking lots of federal agencies, curious employees or contractors picked up 60 percent of the devices and plugged them in to government networks, potentially exposing federal systems to the same threat vector used by the attackers who got their malware onto DoD's SIPRNet in 2008. And in the DHS test, when the USB stick had an official-looking government logo on it, the rate went to 90 percent.
"So we're still operating at that level. It was a demonstration that really illuminated where we really are," Boutelle said.
And Lentz, who still advises the Pentagon on cybersecurity, said the biggest issues he wrestled with while he was in DoD are still there as though frozen in time. The biggest one, he says, is a lack of centralized, authoritative governance for cyber issues.
"Many years ago, even before 9/11, we brought the top CIOs and CEOs from industry into the Pentagon to discuss moving DoD into the information age. The number one comment was that you need a ruthless dictator to really drive information technology and to drive change and acceptance and compliance and the kind of operational discipline that one needs to have in order to counter the cyber threats," Lentz said. "And those threats are escalating beyond what all the experts' views had been about where they would be at this point in time."
But Lentz said more than a decade later, DOD has yet to establish a "ruthless dictator" for cyber policy.
"I'm a huge believer that the CIO is really the focal point in an information-age business. Unfortunately, they oftentimes get trivialized to just managing the IT budget, and in fact I think the CIO actually has lost influence and power, and is still being treated as a support role rather than a leadership role," he said. "We need to have a single entity up there who sits at the boardroom table who's obviously working with the operational commanders like Cyber Command, but who's making the investment decisions, making the budgetary decisions, handling the policies and strategies that have to be enacted and measured. That all needs to fall in the lap of one individual. We're talking about the information age here, moving the Pentagon from an industrial age, and it's all about information."
DoD's future in cyberspace
From Panetta's perspective, at least two big tasks are in DoD's immediate cyber future. One is the development of new rules of engagement to guide the military's offensive and defensive operations in cyberspace. Panetta said he expects to sign off on the rules in the coming months.
A second, he hopes, is getting Congress to act on an overhaul of the nation's cyber laws to enable more information sharing and protect the nation's critical infrastructure. The Obama administration is considering a stop-gap executive order to accomplish some of the same objectives in the meantime.
In his New York speech aboard the U.S.S. Intrepid, he warned that foreign governments already were using cyberspace to probe the nation's power grid and water systems, and that the country is unprepared to respond.
"Before Sept. 11, 2001, the warning signs were there. We weren't organized. We weren't ready and we suffered terribly for that lack of attention. We cannot let that happen again. This is a pre-9/11 moment," he said.
Boutelle agreed the vulnerability of critical infrastructure is a critical issue. Even though he says the department has a long way to go when it comes to cybersecurity, it at least has the legal authority to defend itself against attacks.
"We know what's critical infrastructure, but we have no one protecting it today," he said. "If we're attacked in the physical world, we know what to do. If we are attacked through the cyber world into the dot-com world, our banking, our shipping, our airlines, there's no one protecting that today. That's probably the single most important thing we need to do is get some bipartisan legislation out of the Congress."