Friday, October 21, 2011

Cybersecurity Policy Challenges

Cyber Challenge: Cybersecurity Policy:

Where Are We and Where Do We Need To Be?

Potomac Institute for Policy Studies

Notes taken by: Theresa Payton, Fortalice, LLC.

Executive Summary

This was the 6th seminar in a Cyber Security forum. Speakers were candid and are potential GFIRST candidates for panels.

Several highlights:

There is a role for the government in how to monitor the private sector

There were generally negative comments about DHS and its ability to alert, warn, protect, inform Federal civilian .gov and CIKR

Proposed a framework such as the Energy and Navy joint effort regarding nuclear propulsion program to organize cyber efforts

Recommended internationalization and creative law enforcement as an approach because there is no cyber space—everyone is somewhere under someone’s jurisdiction.


Potomac Institute was founded in 1994 and is non-partisan. Their focus:

Policy implications of technology and scientific advances

Ethical, legal, and social issues with new advances

Forecasting and trends

Terrorism - Kinetic and technology inter-relationships

Emerging Threats and opportunities

National Security

Video of the event:

Opening Remarks by Speakers:

Speakers included:

Lt General Robert M. Shea, USMC (Ret), Previous roles: USMC Director for C4 Systems, Joint Staff; Developed the first National Military Strategy for Operations in Cyberspace, Currently: EVP Strategy at Smartronix, Inc.

James A. Barnett, RDML, USNR (Ret), 32 year career USN, Currently: FCC - Chief of Public Safety and Homeland Security Bureau (although he spoke as a private citizen)

Ambassador David Smith (Ret), Previous roles: Nominated by President HW Bush (Bush 41) to lead U.S. - Soviet Defense and Space Talks; Chief of Staff for Congressman Jon Kyl (AZ); Assistant for Strategic Policy and Arms, Control for Senate GOP Leader Bob Dole; Joint Chiefs of Staff., Currently: Senior Fellow for the Potomac Institute

Daniel Gallington, Esquire, Previous roles: USAF; Special Assistant to SecDef; DAS of Defense for Territorial Security; NRO; DOJ; OSD; U.S. Delegation to the Nuclear and Space Talks with former USSR, Currently: National security and intelligence policy consultant for Potomac Institute

Speech 1

Supply Chain Risk cannot be reduced to zero. There is always risk associated with network security, therefore we should inventory the elements of the national network, identify and declare criticality to prioritize security measures and propose regulatory measures—much like how the FCC views the Communications infrastructure (signaling transfer point (STP) used as an example)

Malware and bot nets - FCC acts based on FACA. There are 24 best practices for prevention and mitigation. CSIRC is drafting a voluntary code of conduct for ISPs as Japan, Germany, and Australia have done. Need performance metrics

Route hijacking requires secure border gateway protocols for network control. There is a cost to the carrier so need to think in terms of a collective action by industry with government incentives to secure the Internet against hijacking

Network reliability for legacy communications is understood. There is an FCC requirement to report outages and from that, FCC has the data to correct problems. There is no such system for broadband

Speech 2

Encouraged partnership between government and academia

Coordinating cyber across the government is a challenge; there are few models and few who understand the complexity. Organizations are distrustful of DoD

Policy makers challenge: in a triangle, the base is 30% noise, not malicious intent; 30-80% is fixable with a good acquisition strategy, needed training and education—cultural and awareness block our get well plan; the remaining top 20% is the complex part of the threats and at least 10% of that is manageable, but we spend our time on noise

Two axioms: the nation that uses tech the most, has the most to "lose"

Challenges for Cyber:

Need a more effective communication and coordination structure that is responsive to all elements of power

Need a legal framework for accountability

Need a national model such as the interagency group established by Executive Order 12344 on nuclear propulsion program: key points-8 year appointment. Holistic job description

Intelligence Community should be major contributors instead of driving the debate

We need more cyber SMEs and "operator" involvement

Review resource allocation ratios across attack, warning, indicators; better definition and focus

Need proper metrics [example: 40,000 attack hits a day does not tell much]

Need a better education/information campaign where we raise the bar on users

Need to get away from ‘technically satisfactory/lowest cost’ Acquisition model for cyber

Speech 3

To make a point about cyber following Shea’s acquisition comment: while in the Senate with John Glenn, Glenn spoke of going to the moon based on rockets built by the lowest bid.

Axis of four elements

Technology: from script kiddies to high tech, you cannot ignore either end of the spectrum

Actors: Nation states are the major actor: China and Russia. Terrorists, cyber social malefactors: lulzsec or anonymous are self appointed loyalty to their own ideals. Others include hooligans, hacktivists and criminals: annoying viruses or website takeovers and theft

Purpose: motivations—and we need scenarios to better train and understand this aspect

Internationalization: there is no cyber space: whatever happens falls under someone’s jurisdiction!


Too many proposals out there for international cooperation

Need to recognize we are clashing government systems. The "hands across the water" approach does not work. We are defending our interests against other parts of the world. They understand us but see it differently. No amount of explaining or demanding will make them stop

American power needs to define when cyber constitutes an act of war and define cyber and kinetic responses. These are arrows in our quiver. If you attack the USA, something bad will happen to you

Stop using an "ideal" standard. Recognize interests, build deterrence strategy, and articulate that power is holistic

Deterrence=capability x will (perception of power/America is no longer a super power)

See countries as adversaries; there is a nexus of crime/government in Russia and China.

Build cooperation for border crime and support cross border law enforcement

The Budapest Convention is a good working concept. Effective with like-minded countries. Unfortunately, US currently tells Russia what we know and they do not reciprocate. Use creative law enforcement

Speech 4:

Inherent cyber vulnerabilities for USA

Open society

Large private cyber infrastructure

Indirect government control / regulation

Huge cyber leverages

Much critical infrastructure / design is pre cyber risk concern

Cyber assumptions:

Vulnerable to a crippling attack but saved because we are a large cyber espionage target

Vulnerable to serious cyber attack gas, banking, waste management, water, communications—disproportionate vulnerability for terrorists

Vulnerable from a few powers that makes us a preferred target

The technical break through, the force multiplier, the known unknown could be a huge issue

Lines are drawn between missions: defense, offense/counter/aggression. How we test our systems is antiquated. We also do not do it because the results would be embarrassing.

There is content blow-back (Information Operations vs Public Affairs)

There are discrepancies between jurisdictions: law enforcement, national security and State/Local

Roles and missions: replications and duplications

Senior leadership in cyber is not qualified

Oversight mechanisms

Other comments from Q&A:

Cyber is a hybrid: signit, emp, com sec, atomic energy act, USSID-18, FISA, title 18

Encouraged everyone to read a good document that is not widely used: ection 413 DHS act, section 515 charter about situational awareness

Arab spring caught us off guard. There are two DARPA projects trying to help us understand how the Arab spring came about and why we were surprised

Congress dysfunction: in total disarray around cyber—a long way away from doing anything productive about cyber

No confidence that DHS can protect our infrastructure. DHS won’t be effective for years to come

Executive branch should do an assessment and adjudication leveraging lessons learned from nuclear power. Urgency at the Executive branch should be there but it's not. The solution requires Presidential leadership

Urgency in the private sector is not there - not sure what the incentives need to be to encourage innovation and eventually better protection strategies

The USA will not adequately address cyber until a catastrophe happens

It needs George Marshall (Marshall Plan) personality and focus to solve this problem

Silicon Valley is about sharing information and openness; government is focused on closed communications

No comments:

Post a Comment