Cyber threat looms, but its full scope remains murky

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Amber Corrin
 

Connecting state and local government leaders

By Amber Corrin

|

Military leaders and analysts say evolving cyber threats, which some believe could produce a "digital Hurricane Katrina," will require the Defense Department to work more closely with experts in industry.

The landscape is volatile, the rules of the game are fluid, and the adversaries remain cloaked in anonymity. In this ambiguous war, the actual threat is unpredictable, sometimes indecipherable, and it’s difficult to tell whether either side is gaining ground.

The location of this battlefield is not a desert road in Iraq or a terrorist redoubt in Afghanistan. It’s what has emerged as the forefront of modern warfare: the cyber theater, where traditional rules of engagement don’t always apply.

In cyberspace, enemy combatants can pry, spy, implant, extract and dismantle more quickly and more secretly than in the physical terrain of traditional warfare. In some cases, the threat is mundane, involving nothing more complex than defaced Web sites or denial-of-service attacks, such as those inflicted on the nation of Georgia in August 2008 by someone, perhaps the government, across the Russian border. But the potential for more damaging attacks is significant.

“The fact that physically destructive cyberattacks were not carried out against Georgian critical infrastructure industries suggests that someone on the Russian side was exercising considerable restraint,” states a report recently published by the U.S. Cyber Consequences Unit (CCU). The independent organization assesses the likelihood and possible consequences of cyberattacks and cyber-assisted physical attacks.

One important result of the emerging cyber threat is a new way of thinking about national security and defense.

“Every day I wake up and say, ‘Welcome to the 21st century. We fight in terms of nanoseconds,’” said Army Brig. Gen. LaWarren Patterson, deputy commanding general at the Network Enterprise Technology Command.

To meet the threat, the Defense Department recently created a high-level cyber command charged with spearheading the development of cyber warfare strategies, both defensive and offensive. However, DOD is not alone in this battle, and so creating the command is only the first step. Experts say the military cannot fight this battle without non-military allies. Many stakeholders exist outside the Pentagon.

Indeed, the Pentagon must ultimately change its culture, say independent analysts and military personnel alike. It must create a collaborative environment in which military, civilian government and, yes, even the commercial players can work together to determine and shape a battle plan against cyber threats.

Assessing the threats

Although most experts agree that DOD faces evolving threats, not everyone agrees on how serious those threats are. Are would-be cyberattackers a scattered group of individuals looking for easy hits, or are they a well-organized, well-funded cadre that is biding time before striking hard?

Sami Saydjari, president and founder of the nonprofit Cyber Defense Agency, believes the latter is true.

Before a congressional committee two years ago, Saydjari painted a grim picture of the country after a cyber disaster: Think digital Hurricane Katrina on a national scale. He urged the government to provide for the defense of a U.S. cyber territory that is as legitimate as physical land.

He recently said the country’s vulnerability to cyberattacks is worse and cites the continued integration of and dependence on information systems.

Military officials think in terms of network centricity, in which the goal is to ensure that warfighters always have access to the data they need. But that approach makes those systems a big target, Saydjari said.

“Net-centricity is great, but it creates huge levels of risk that [are] not well calculated or well thought-out by the government,” he said.

The concerns are real, but the concept of a digital Hurricane Katrina and similar doomsday theories might be embellished, said Jim Lewis, director and senior fellow at the Technology and Public Policy Program at the Center for Strategic and International Studies. “It’s really hard to derail a large country that has a lot of infrastructure,” he said. “People tend to exaggerate. I love the Bruce Willis movies, but that’s just not the truth.”

Lewis said less dramatic but equally dangerous espionage and crime represent the true perils.

“How would you feel about China getting our designs for the F-35" stealth fighter jet? he asked. “What about those who rob U.S. banks over the Internet from Russia, with no chance of prosecution? [Hackers] that are breaking into our systems to steal military secrets or prepare for potential sabotage…these are the real threats.”

Those threats are emerging as a priority after high-profile cyberattacks on government sites in Lithuania, Kazakhstan, Georgia and Estonia in recent years. The attacks were widely believed to have originated in Russia.

The attacks included graffiti on Web sites and total shutdowns of banks and media outlets. Although they were not catastrophic, they undermined national morale and raised an unnerving red flag to the rest of the world.
The CCU’s report on the Georgia campaign details the preparation, planning, execution, targets, effects and key lessons learned.

Also, according to those researchers, Russia and other would-be cyberattackers are capable of worse damage than they have unleashed so far.

Scott Borg, who co-wrote the CCU report, said specific targets and methods were limited and carried out in a disciplined manner. Denial-of-service attacks, which overload servers and thereby incapacitate Web sites, were the primary weapons.

“It could have been disastrous,” Borg said. “The capabilities of carrying out a devastating attack are there ... but this was a more humane system of attack. We don’t know who it was — civilian organizers, possibly the Russian government. We do know there was a lot of exchange of information between the Russian military and the attackers on message boards.”

In Georgia, the targets of the attacks were primarily the Web sites of media outlets and government entities. “The government now has to start worrying about a wider range of attackers, all kinds of entities that are informal, dispersed and communicating indirectly,” Borg said. “As expertise is diffused and more people get these capabilities, the threat grows bigger over time.”

The need to collaborate

The the impending launch of the Cyber Command marks a turning point for the arming of official information networks. But the success of the command depends largely on cultural factors that do not show up in any organizational chart.

Gen. Carter Ham, commanding general of U.S. Army Europe and Seventh Army, called the command’s establishment a historic moment. But he also advised DOD officials to ensure that their plans for the command heed the lessons of history and a more traditional era of warfare.

The key is information sharing. During the Cold War, the Soviet Union kept tight control of information and blocked people from easily communicating, while the United States let information flow more freely. The Berlin Wall fell because those firewalls collapsed under their own weight, he said.

“We are at a crossroads,” Ham said. “Do we want to build and sustain firewalls between our organizations? Or can we look for an approach that constructs an infrastructure that mirrors the environment in which we find ourselves, which is much more collaborative.”

Borg also sees danger in bringing a Cold War mindset to the cyber theater. The concept of deterrence based on mutually assured destruction does not work in cyberspace because we do not know who we are dealing with or how to reach them, he said.

“We have a lot to rethink,” Borg said. “We’re moving into a world where deterrence and retaliation are only used on occasion. We need alliances.”

Others agree that a collaborative approach will be integral to the success of cyber defense, and DOD seems to be taking the idea seriously as it prepares to launch the Cyber Command.

“It’s a matter of how do we take several global commands under a single" contiguous U.S. command? asked Maj. Timothy O’Bryant, a staff officer at the Office of the Army Chief Information Officer. “We need to synchronize our efforts and figure out the lanes [of communication] and eliminate redundancies.”

“Joint and coalition warfare is not a natural state, especially in command and control,” said Gen. James Mattis, NATO supreme allied commander for transformation and commander of U.S. Joint Forces. “But going without joint efforts is obsolete. No nation on its own can keep its people safe. We need to learn to work together.”

Unlikely bedfellows?

In the era of cyber warfare, any coalition must include industry.

Experts say DOD and the government as a whole still have not fully capitalized on their ability to influence the development of commercial cybersecurity solutions. Industry vendors have the expertise, but government has the money.

“Government may be a late adopter, but we should be exploiting its procurement power,” said Melissa Hathaway, former acting senior director for cyberspace for the Obama administration, at the ArcSight conference in Washington last month.

“A public/private partnership is necessary to protect the national infrastructure,” she said. “It’s the cornerstone of cybersecurity, and cybersecurity is the cornerstone of the global economy.”

Such a partnership reflects the blurred boundaries between the defense and civilian domains in cyberspace. Cybersecurity threats are common to everyone.

“We need a new relationship between the military and the critical infrastructure industries if we want to protect our critical infrastructure,” Borg said. “We all operate in cyberspace now. It’s not a separate region or command.”

Although one analyst praised the efforts to make organizational changes at DOD, he also stressed the need to give industry more freedom. “The real issue is a lack of preparedness and defensive posture at DOD,” said Richard Stiennon, chief research analyst at independent research firm IT-Harvest and author of the forthcoming book "Surviving Cyber War."

“Private industry figured this all out 10 years ago,” he added. “We could have a rock-solid defense in place if we could quickly acquisition through industry. Industry doesn’t need government help — government should be partnering with industry.”

Industry insiders say they are ready to meet the challenge and have the resources to attract the top-notch talent that agencies often cannot afford to hire.

Industry vendors also have the advantage of not working under the political and legal constraints faced by military and civilian agencies. They can develop technology as needed rather than in response to congressional or regulatory requirements or limitations.

“This is a complicated threat with a lot of money at stake,” said Steve Hawkins, vice president of information security solutions at Raytheon. “Policies always take longer than technology. We have these large volumes of data, and contractors and private industry can act within milliseconds.”

Many experts fear it will take an attack or some form of disaster to spur the government into faster action. Some say more money is needed, while others say a cultural shift is necessary even beyond the military. Too often, cybersecurity solutions have been developed in pieces, with each technology reacting to a specific need, they say. But such an approach means that industry is always one step behind.

“What will it take to drive innovation and spur a game-changing technology?” Hathaway asked. “Our speed, scale and solutions must outpace our opponents, and we need to move from point solutions to enterprise solutions.”

Saydjari said it will take a significant change in how the United States invests in research efforts because the government must align its investment in cybersecurity with its reliance on technology.

“The U.S. needs an attitude change,” he said. “We don’t hesitate in the physical world to invest lots of money to protect ourselves, but in cyberspace, that burden is placed on industry and the commercial sector. Cyberspace is more valuable than we reflect in investment. Our leadership and the public don’t understand the degree to which we rely on computers and the Internet.”

Meanwhile, some observers worry that people will not realize the seriousness of the threat until it’s too late.

“It’s not a real theater until something bad happens and people wake up,” said Col. Quill Ferguson, chief information management officer at U.S. Army North. Until then, “the back door is open.”

NEXT STORY: State Department deploys electronic asset-tracking system

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.