Cyber Challenge: Cybersecurity Policy:
Where Are We and Where Do We Need To Be?
Potomac Institute for Policy Studies
Notes taken by: Theresa Payton, Fortalice, LLC.
This was the 6th seminar in a Cyber Security forum. Speakers were candid and are potential GFIRST candidates for panels.
• There is a role for the government in how to monitor the private sector
• There were generally negative comments about DHS and its ability to alert, warn, protect, inform Federal civilian .gov and CIKR
• Proposed a framework such as the Energy and Navy joint effort regarding nuclear propulsion program to organize cyber efforts
• Recommended internationalization and creative law enforcement as an approach because there is no cyber space—everyone is somewhere under someone’s jurisdiction.
Potomac Institute was founded in 1994 and is non-partisan. Their focus:
• Policy implications of technology and scientific advances
• Ethical, legal, and social issues with new advances
• Forecasting and trends
• Terrorism - Kinetic and technology inter-relationships
• Emerging Threats and opportunities
• National Security
Opening Remarks by Speakers:
⁃ Lt General Robert M. Shea, USMC (Ret), Previous roles: USMC Director for C4 Systems, Joint Staff; Developed the first National Military Strategy for Operations in Cyberspace, Currently: EVP Strategy at Smartronix, Inc.
⁃ James A. Barnett, RDML, USNR (Ret), 32 year career USN, Currently: FCC - Chief of Public Safety and Homeland Security Bureau (although he spoke as a private citizen)
⁃ Ambassador David Smith (Ret), Previous roles: Nominated by President HW Bush (Bush 41) to lead U.S. - Soviet Defense and Space Talks; Chief of Staff for Congressman Jon Kyl (AZ); Assistant for Strategic Policy and Arms Control for Senate GOP Leader Bob Dole; Joint Chiefs of Staff; Currently: Senior Fellow for the Potomac Institute
⁃ Daniel Gallington, Esquire, Previous roles: USAF; Special Assistant to SecDef; DAS of Defense for Territorial Security; NRO; DOJ; OSD; U.S. Delegation to the Nuclear and Space Talks with former USSR, Currently: National security and intelligence policy consultant for Potomac Institute
• Supply chain risk cannot be reduced to zero. There is always risk associated with network security; therefore we should inventory the elements of the national network, identify and declare criticality to prioritize security measures, and propose regulatory measures—much like how the FCC views the communications infrastructure (the signaling transfer point (STP) was used as an example)
• Malware and botnets: the FCC acts based on FACA. There are 24 best practices for prevention and mitigation. CSIRC is drafting a voluntary code of conduct for ISPs, as Japan, Germany, and Australia have done. Need performance metrics
• Route hijacking requires secure border gateway protocols for network control. There is a cost to the carrier, so we need to think in terms of collective action by industry with government incentives to secure the Internet against hijacking
• Network reliability for legacy communications is understood. There is an FCC requirement to report outages and from that, FCC has the data to correct problems. There is no such system for broadband
• Encouraged partnership between government and academia
• Coordinating cyber across the government is a challenge; there are few models and few who understand the complexity. Organizations are distrustful of DoD
• Policy makers' challenge, pictured as a triangle: the base (30%) is noise, not malicious intent; 30-80% is fixable with a good acquisition strategy and the needed training and education (culture and awareness block our get-well plan); the remaining top 20% is the complex part of the threats, and at least 10% of that is manageable, but we spend our time on noise
• Two axioms: the nation that uses tech the most has the most to "lose"
• Challenges for Cyber:
• Need a more effective communication and coordination structure that is responsive to all elements of power
• Need a legal framework for accountability
• Need a national model such as the interagency group established by Executive Order 12344 on the nuclear propulsion program; key points: 8-year appointment, holistic job description
• Intelligence Community should be major contributors instead of driving the debate
• We need more cyber SMEs and "operator" involvement
• Review resource allocation ratios across attack, warning, indicators; better definition and focus
• Need proper metrics [example: 40,000 attack hits a day does not tell much]
• Need a better education/information campaign where we raise the bar on users
• Need to get away from the ‘technically satisfactory/lowest cost’ acquisition model for cyber
To make a point about cyber following Shea’s acquisition comment: while in the Senate with John Glenn, Glenn spoke of going to the moon on rockets built by the lowest bidder.
Axis of four elements
• Technology: from script kiddies to high tech, you cannot ignore either end of the spectrum
• Actors: Nation states are the major actors: China and Russia. Terrorists; cyber social malefactors such as LulzSec or Anonymous, self-appointed and loyal only to their own ideals. Others include hooligans, hacktivists, and criminals: annoying viruses, website takeovers, and theft
• Purpose: motivations—and we need scenarios to better train and understand this aspect
• Internationalization: there is no cyber space: whatever happens falls under someone’s jurisdiction!
• Too many proposals out there for international cooperation
• Need to recognize we are clashing government systems. The "hands across the water" approach does not work. We are defending our interests against other parts of the world. They understand us but see it differently. No amount of explaining or demanding will make them stop
• American power needs to define when cyber constitutes an act of war and define cyber and kinetic responses. These are arrows in our quiver. If you attack the USA, something bad will happen to you
• Stop using an "ideal" standard. Recognize interests, build deterrence strategy, and articulate that power is holistic
• Deterrence = capability × will (perception of power: America is no longer a superpower)
• See countries as adversaries; there is a nexus of crime/government in Russia and China.
• Build cooperation for border crime and support cross border law enforcement
• The Budapest Convention is a good working concept. Effective with like-minded countries. Unfortunately, US currently tells Russia what we know and they do not reciprocate. Use creative law enforcement
Inherent cyber vulnerabilities for USA
• Open society
• Large private cyber infrastructure
• Indirect government control / regulation
• Huge cyber leverages
• Much critical infrastructure / design predates cyber risk concerns
• Vulnerable to a crippling attack but saved because we are a large cyber espionage target
• Vulnerable to serious cyber attack on gas, banking, waste management, water, communications—a disproportionate vulnerability that terrorists could exploit
• Vulnerable to a few powers, which makes us a preferred target
• The technical breakthrough, the force multiplier, the known unknown could be a huge issue
Lines are drawn between missions: defense, offense/counter/aggression. How we test our systems is antiquated. We also do not do it because the results would be embarrassing.
• There is content blow-back (Information Operations vs Public Affairs)
• There are discrepancies between jurisdictions: law enforcement, national security and State/Local
• Roles and missions: replications and duplications
• Senior leadership in cyber is not qualified
• Oversight mechanisms
Other comments from Q&A:
• Cyber is a hybrid: SIGINT, EMP, COMSEC, the Atomic Energy Act, USSID-18, FISA, Title 18
• Encouraged everyone to read a good document that is not widely used: Section 413 of the DHS Act, the Section 515 charter about situational awareness
• The Arab Spring caught us off guard. There are two DARPA projects trying to help us understand how the Arab Spring came about and why we were surprised
• Congress dysfunction: in total disarray around cyber—a long way away from doing anything productive about cyber
• No confidence that DHS can protect our infrastructure. DHS won’t be effective for years to come
• Executive branch should do an assessment and adjudication leveraging lessons learned from nuclear power. Urgency at the Executive branch should be there but it's not. The solution requires Presidential leadership
• Urgency in the private sector is not there - not sure what the incentives need to be to encourage innovation and eventually better protection strategies
• The USA will not adequately address cyber until a catastrophe happens
• It needs a George Marshall (Marshall Plan) personality and focus to solve this problem
• Silicon Valley is about sharing information and openness; government is focused on closed communications