New cyber threats demand new cyber solutions

Evolve or die.

That’s the imperative guiding the development of cybersecurity technologies and strategies across government and industry. The ongoing evolution of the federal IT enterprise, extended in all directions by advances in networking and mobile technology, must be matched by similar advances in information and network security.

But above all, the nature of the current cybersecurity threats requires a new way of thinking. The old approach to cybersecurity, which was based on defending the perimeter, cannot hold up against the wide array of cyber threats that agencies now face.

“Threats to systems supporting critical infrastructure and federal operations are evolving and growing,” according to a February 2013 report by the Government Accountability Office. “The increasing risks are demonstrated by the dramatic increase in reports of security incidents, the ease of obtaining and using hacking tools, and steady advances in the sophistication and effectiveness of attack technology.”

The growing threat is reflected in the fact that the number of cybersecurity incidents reported by federal agencies increased 782 percent from 2006 to 2012.

But a number of agencies are working to address these threats. The Air Force Research Laboratory, for example, recently issued a broad agency announcement (BAA) for cybersecurity research.

The lab, based in Rome, N.Y., is seeking ways to ensure that critical systems remain operational in the face of cyber threats. One area of interest is what’s known as cyber agility. The goal is to make network and system architectures more dynamic, so that they are more difficult for cyberattackers to target.

Another topic of interest is system self-regeneration. The goal is to avoid the necessity of taking a system off-line if it is somehow compromised. This is especially important for mission-critical systems in the field.

“What are needed are systems that are able to dynamically recover with immunity in mission time without human intervention in response to unforeseen error and/or previously unknown cyberattacks,” the BAA states.

The Department of Homeland Security is looking at a broad range of possible solutions as part of its own BAA, through which it awarded 34 contracts in October 2012. As part of this program, DHS is funding research into how cybersecurity can be strengthened at the hardware level -- what DHS officials call hardware-enabled trust.

"With cyber threats steadily increasing in sophistication, hardware can provide a game-changing foundation upon which to build tomorrow’s cyber infrastructure," the BAA states. "But today’s hardware still provides limited support for security, and capabilities that do exist are often not fully utilized by software. The hardware of the future also must exhibit greater resilience to function effectively under attack."

Besides the departments of Defense and Homeland Security, the other agencies involved in cybersecurity research and development are the National Science Foundation, the Energy Department and the National Institute of Standards and Technology.

Although these agencies are doing a lot of promising work, GAO is concerned about the lack of coordination. What is needed, the auditors say, is a cybersecurity research and development agenda that goes beyond the goals or needs of individual agencies.

“Although the federal strategy to address cybersecurity issues has been described in a number of documents, no integrated, overarching strategy has been developed that synthesizes these documents to provide a comprehensive description of the current strategy, including priority actions, responsibilities for performing them, and time frames for their completion,” auditors wrote in the February report.

In any case, while R&D work continues, agencies will be looking for any edge they can get in their ongoing battle against cyberattackers. One increasingly popular approach is the use of threat intelligence services, according to market research firm IDC.

Traditionally, cybersecurity measures have been developed by studying past cyberattacks and identifying the general signature of those attackers. But because security threats keep evolving, the effectiveness of such an approach is limited. Now more and more organizations are turning to firms that can provide intelligence on existing threats, “creating a shift in security posture toward being more proactive,” according to IDC.