Earlier this month, a pump burned out mysteriously at a water plant in Springfield, Illinois. Log data traced the problem back several months to a command from an IP address in Russia that forced the pump to turn on and off repeatedly until it broke. When this news was leaked to the media from a cyber expert convinced that we were under attack by Russian hackers, a media frenzy ensued that made it all the way to Congress. On MSNBC, Rep. Jim Langevin, the  founder of the Congressional Cybersecurity Caucus, lamented our state of preparedness and called the attack, allegedly the first against the United States with a kinetic effect, yet another “wakeup call.” The weakness of American supervisory control and data acquisition (SCADA) systems was referenced by an anonymous hacker on PasteBin, which some in the press believed to be a confession. The worst fears of cybersecurity experts had been confirmed, foreign hackers could cause damage to US critical infrastructure through the internet.

Except that wasn’t what happened in Illinois, which highlights the difficulty of forensics and attribution in cyberspace. The DHS and FBI, who were investigating the alleged attacks, denied from the beginning that there was any proof of intrusion on the SCADA logs and recently concluded the investigation, releasing the results. The failure was due to a faulty command inputted by a contractor several months ago who accessed the system remotely while travelling through Russia on personal business. Over time, his mistake caused greater and greater errors until, several months later, the pump failed. While, as the source who initially leaked the suspicious information noted to defend his claims, there is no proof that the water plant wasn’t hacked, it seems very unlikely given corroborating evidence of the mistake.

The overreaction and debunking of this attack hurts both the cybersecurity field and the cybersecurity of the nation, as in this case those for and against the claims were both right and wrong. As this incident illustrates, when attacks come in the form of data and commands rather than bombs and bullets, it’s difficult to tell an enemy action from friendly fire, another side of the attribution problem which is just as important as tracking criminals through cyberspace. And, given the prevalence of cyber yellow journalism and cries of “cyberwar” and “cyber Pear harbors”, overreactions like this hurt the credibility of cybersecurity researchers and solution providers. This is problematic as, at the other end of the spectrum, the constant need for “wakeup calls” shows that we are still lagging behind the threat. In this case, though no attack took place, the SCADA failure proves that one can easily be implemented. All it took was a command from a contractor’s computer on his or her own time to damage and shut down critical infrastructure in the United States. That means that a malicious actor can get unauthorized access to SCADA systems abroad to produce the same effects, perhaps by stealing a contractor’s credentials through a fishing attack. And, it would be difficult to tell a mistake from a malicious insider or a hijacked account.

Though this alleged attack turned out to be a false alarm, it still serves as a “wakeup call,” one that we’ve gotten many times before. Thus, rather than dismissing the kinetic effects of cyber because this attack never happened, we need to try out best to make sure that it never will.

You may also like -

The Cybersecurity "Wake Up Call" and the Snooze ButtonCrying “Cyber Attack” in IllinoisCrucialPointLLCIL water system pump failure not cyber attackCrucialPointLLCThe Cybersecurity “Wake Up Call” and the Snooze ButtonCrucialPointLLCApparent cyberattack destroys pump at Ill. water utilityCrucialPointLLCAmerica’s critical infrastructure security response system is brokenCrucialPointLLC

Richard Spires, CIO of DHS, provided written testimony on 12 services that they have moved to the cloud. The first service often moved to the cloud is email, which DHS has started by putting FEMA’s email to the cloud. They have 8 private clouds already set up, and 3 services in the public clouds.

The private cloud services are below:

• SharePoint as a Service – “We are currently migrating Headquarters and United States Citizenship and Immigration Services (USCIS) users to our secure collaboration program.”
• Development and Test as a Service – “Establishing development and test offerings in the cloud will have tremendous positive impact on DHS. Currently, DHS has multiple development environments spread across the department and industry locations.”
• Infrastructure as a Service – “Complementary to the Development and Test as a Service offering is our Infrastructure as a Service offering to provide virtualized production services, including operating systems, network, and storage, that is consistent with new industry standards.”
• Workplace as a Service – “We are working closely with the Department’s other line-of-business chiefs to modernize how DHS employees work. This offering will provide robust virtual desktop, remote access, and other mobile services over the next 24 months.”
• Project Server as a Service – “This offering will provide a robust project management platform to publish project schedules that can more easily be shared across offices, divisions, and components.”
• Authentication as a Service – “This service eliminated the need for duplicative authentication services, while significantly enhancing the department’s information sharing needs.”
• Case and Relationship Management as a Service – “This offering, leveraging Enterprise License Agreements (ELAs), will better enable CRM and case workflows across DHS.”
• Business Intelligence as a Service – “The department will leverage this current offering to enhance transparency into departmental programming and expenditures. By the end of FY12, we expect the department will have visibility to information sources across the investment lifecycle, including IT, financial, human resources, asset management, and other information sources.”

You may also like -

The Cloud and CybersecurityFedCyber.com Cybersecurity Summit on Wednesday, September 28Storm Clouds on the Horizon?Live from the Gov 2.0 Expo - Finding Value in the CloudMyths and realities of cloud securityDHS CIO describes ‘aggressive stance’ on cloud migrationsCrucialPointLLCWhat You Need To Know About FedRAMPCrucialPointLLCIs the Healthcare Industry on Life Support Without the Cloud?CrucialPointLLCAgencies using cloud to de-clutter IT systemsCrucialPointLLCHomeland Security To Move Websites To CloudCrucialPointLLC

On 12 May 2011 the Obama Administration unveiled its cybersecurity legislative proposal.

The entire proposal is available for your review at this link: cybersecurity legislative proposal. But I most strongly recommend you read the context provided by the government’s Cybersecurity Coordinator and Special Assistant to the President Howard Schmidt first. Howard provided a clear introduction to this legislation that includes a framework that will make the details easy to remember. The three thrusts to remember are that this proposal will:

1. Help safeguard personal data and the right to know when your data has been compromised
2. Help protect national security by addressing threats to infrastrucure
3. Help protect federal systems while creating stronger privacy and civil liberties protections that keep pace with technology.

That is a very short introduction to well thought out legislative proposal. Please dig deeper and read both Howard’s blog entry and the draft legislation. I have read it all, and I strongly support these very positive measures. Like many others who track these issues, I would have supported a package that did even more, but the fact is we have to move out now and this package of draft legislation is fantastic and deserves our support now. I would like to see it immediately passed and then we can all collectively work on ideas for future enhancements.

For more please start with Howard’s blog post here: http://www.whitehouse.gov/blog/2011/05/12/administration-unveils-its-cybersecurity-legislative-proposal

The meat of his post is copied below:

The Administration Unveils its Cybersecurity Legislative Proposal

Posted by Howard A. Schmidt on May 12, 2011 at 02:00 PM EDT

Today I am happy to announce that the Administration has transmitted a cybersecurity legislative proposal to Capitol Hill in response to Congress’ call for assistance on how best to address the cybersecurity needs of our Nation.  This is a milestone in our national effort to ensure secure and reliable networks for Americans, businesses, and government; fundamentally, this proposal strikes a critical balance between maintaining the government’s role and providing industry with the capacity to innovatively tackle threats to national cybersecurity.  Just as importantly, it does so while providing a robust framework to protect civil liberties and privacy.

When the President released his Cyberspace Policy Review (pdf) almost two years ago, he declared cyberspace as a key strategic asset for the United States and its security just as vital.  This legislative proposal is the latest achievement in the steady stream of progress we are making in securing cyberspace and completes another near-term action item (pdf) identified in the Cyberspace Policy Review.

The Administration proposal helps safeguard your personal data and enhances your right to know when it has been compromised. In addition to educating you on how to protect yourself from cyber threats with the Stop. Think. Connect. campaign, we believe organizations should inform you when your sensitive personal information may have been compromised.  This notice not only helps you to protect yourself against harms like identity theft, but also incentivizes organizations to have better data security in the first place.  Today, our country has a patchwork of 47 state notification laws.  Our proposal simplifies and strengthens this reporting requirement and reaches all Americans.

It helps protect our national security by addressing threats to our power grids, water systems, and other critical infrastructure. These systems are the backbone of our modern economy; many are privately owned, but all merit our support in protecting them.  The Administration proposal advances the security of our increasingly “wired” critical infrastructure, strengthens the criminal penalties for hacking into the systems that control these vital resources, and clarifies the ability of companies and the government to voluntarily share information about cybersecurity threats and incidents in a privacy-protective manner.  This is behavior we want and need to promote.

It helps the U.S. government protect our federal networks, while creating stronger privacy and civil liberties protections that keep pace with technology.  Since our Federal systems are under constant pressure by hackers, criminals and other threats, the government needs better tools to detect and prevent those threats.  Part of cybersecurity is about finding malicious programs, and stopping their spread before they have any impact.  This proposal allows the Department of Homeland Security (DHS) to implement intrusion detection and prevention systems that can help speed our response to these incidents.  The Administration proposal also designs a framework for protecting privacy and civil liberties that includes new oversight, reporting requirements, and annual certification to ensure that cybersecurity technologies are used for their intended purpose and nothing more.

The Administration’s proposal is one of a number of important steps we are taking towards achieving better cybersecurity.  We look forward to working with Congress as it moves forward on this issue.  Together, with a shared responsibility to enhance online safety and security, we can ensure cyberspace continues to be an area defined by growth and innovation.

• Read the fact sheet (pdf).
• Read about the Administration’s Cybersecurity Accomplishments (pdf).
• Read the text of the legislative proposal.

Howard A. Schmidt is the Cybersecurity Coordinator and Special Assistant to the President

Related articles

• White House Releases Cybersecurity Plans (informationweek.com)
• W.H. brings cybersecurity plan to Hill (politico.com)
• The Administration Unveils its Cybersecurity Legislative Proposal (whitehouse.gov)
• White House Set To Unveil Cyber Security Plan: Sources (huffingtonpost.com)
• Two Themes from Obama’s Cybersecurity Proposal: Private Auditors and Immunity (emptywheel.firedoglake.com)
• AP sources: White House set to unveil cyber plan (seattletimes.nwsource.com)
• White House to unveil cybersecurity proposal (theglobeandmail.com)

You may also like -

Announcing the FedCyber.com Government-Industry Computer Security SummitMature Models for Healthy and Resilient Cyber SystemsSpecial Summary: Enterprise security storiesFederal R&D PrioritiesGovSec conference is March 29-31 2011Obama Appoints Privacy Board MembersBob GourleyDeputy cyber coordinator leaving the White HouseCrucialPointLLCCybersecurity Receives Emphasis In State Of The Union AddressCrucialPointLLCGuardians of the Grid: Agencies Unite to Bulk Up Utility CybersecurityCrucialPointLLCWhite House, Congress Renew Cybersecurity PushCrucialPointLLC

In February 2011 we reported on a Department of Homeland Security research agenda for cyber security, providing the opinion that this was “the most mature research agenda on the topic of cyber security.” That research agenda is fantastic and should help shape the future cyber ecosystem in very positive ways.

Now in March 2011, DHS has produced another significant, positive, virtuous document on the topic of Cybersecurity that deserves the attention of leaders, planners and technologists from across the country. They have given us a white paper titled “Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action.” This paper flows from discussion, dialog and workshops that collegially fleshed out concepts. It is well worth a read and should help us all move towards a better IT environment.

Things I liked about this paper:

• It is collegial. It is not about “command and control,” it is about vision and collaboration.
• It uses relevant models for complex systems like modern IT. Relevant models, like those based on life, can really help in our understanding of how to design for success.
• It is well written, so it is easy to follow and fast to read
• It focuses on the most critical threats, in my opinion. With no hype or hyperbole, it spells out clearly what the threat is and why we must rise to mitigate it.
• It articulates “Resiliency,” an important emerging way of descirbing the state we need in IT that realizes attacks will always be with us.
• It simply describes and moves out on concepts of healthy devices, strong authentication, automation, and interoperability.

I hope that has been enough to grab your interest. I think the authors would like your review and would appreciate your feedback. They are clearly writers and thinkers with open minds, and the document contains contact information you can use to connect with them.

You can also read context by Phil Reitinger (Deputy Under Secretary, National Protection and Programs Directorate) on the DHS blog at: http://blog.dhs.gov/2011/03/enabling-distributed-security-in.html

Related articles

• Continued Evolution of DoD Cyber Policy (ctovision.com)
• DHS Outlines Cybersecurity Strategy (informationweek.com)
• The most well thought out research agenda for cyber security I have seen to date (ctovision.com)
• DHS To Invest $40 Million On Cybersecurity Research (informationweek.com)

You may also like -

The most well thought out research agenda for cyber security I have seen to dateCongrats To Sony Corp! This is a very good moveCTO Perspectives on Cyber Security BillSecurity Innovation Network (SINET) Workshop and Showcase 25-26 October 2011CNO Part 2: Computer Network DefenseDHS cyber security operations see leadership changesCrucialPointLLCDHS’s National Cyber Security Division and Idaho National Laboratory win cybe ...CrucialPointLLCSecurity Researcher Details New SCADA BugsBob GourleyDHS disputes memo on purported railway computer breachCrucialPointLLCFormer W.H. Official: In the Event of a Cyberwar, Don’t Call DHSCrucialPointLLC

General Alexander is keeping busy at NSA/CYBERCOM

Last week, General Alexander (director of NSA and commander, USCYBERCOM) spoke at the RSA conference in San Francisco. He pointed out the the explosion of technology over the past 10 years. That users went from an average of 250MB of personal files, to over 128GB. The fact that 70% of Americans online are on Facebook – that 600M users worldwide are as well. This, mixed with the huge advances in programming (Watson and Deep Blue) lets us know that we do have the capability to protect and defend our advanced networks.

General Alexander reminded us of attacks on Estonia (2007) and Georgia (2008) as well Latvia, Lithuania, Azerbaijan and Kyrgyzstan. His concern is that some of those attacks might be used on the 15K DoD networks. These networks are scanned over 1 million times a day, yet receive 20k email attacks a month, thousands of independent network assaults. The DoD is scanning 92TB+ and 150B+ packets every day.

The biggest problem is that our public/private infrastructure is the backbone to the network. Additionally, there is a need to secure the defense industrial base. This was made certain by the USB flash drive issues in 2008. General Alexander states, ”Take combined talent and figure out how we secure the network.”  The “combined talent” is that in academia, private industry, and public servants.

The general brought up needs to have widespread cyber education. For our citizens and our civil servants (military and government). The people need to be educated on their role in cyberspace and how they can be a factor in this domain.

Lastly, General Alexander focused on how important STEM + R&D efforts will be to cyberspace dominance. STEM (Science, Technology, Engineering and Math) studies are needed to have educated work force.  R&D spending drives innovation. This ties in with his thoughts on a public/private partnership – pushing STEM + R&D needs to be done at academic, private and public levels, and must be concerted efforts.

You may also like -

Invincea Named Most Innovative Company of RSA 2011US cyber chief says cloud computing can manage serious cyber threatsCrucialPointLLCCyber attacks are becoming lethal, warns US cyber commanderCrucialPointLLC

The folks organizing the GovSec 2011 Conference and Expo have just given me a code that will give you a 10% discount when you register for their event, and they would like me to share that with you. That’s nice of them isn’t it?

I try to go to this conference every year.  When I’m lucky they ask me to speak, but the decided instead this year to have interesting speakers. Oh well. Maybe next year. But I do plan on going and taking note to share with you my friendly readers.

The event is March 29-31 in Washington DC. Highlights of the event include:

• 30+ sessions in four tracks including cybersecurity topics and training.
• Fantastic presentations on enterprise technology for security.
• Expo Keynote Speakers Admiral Thad Allen, USCG (Retired), National Incident Commander, Deepwater Horizon oil spill and Nicholas Stein, series producer of “Border Wars”
• Conference Keynote Speakers Randy Vickers, Director, United States Computer Emergency Readiness Team, National Cybersecurity Division, DHS and Greg Fowler, SAC New York Joint Terrorism Task Force, FBI
• A free expo for qualified attendees.
• Many more sessions.

Register at http://bit.ly/GovSecRegCS with code CONF24 for a 10% discount off the Conference rate.

Related articles

• Continued Evolution of DoD Cyber Policy (ctovision.com)
• The most well thought out research agenda for cyber security I have seen to date (ctovision.com)
• DHS To Invest $40 Million On Cybersecurity Research (informationweek.com)

You may also like -

US-CERT warns about security flaw affecting millions of wireless routersCrucialPointLLCIG: Justice cyber operations slow to report incidents, lacking critical infoCrucialPointLLCFBI: No evidence of water system hack destroying pumpCrucialPointLLC

The deputy secretary of Defense, the Honorable William J. Lynn III, delivered remarks at the RSA conference that captures a snapshot of DoD cyber policies.

This is consistent with the continually improving path the department has been on for the last several years. I recommend a good read of the remarks and hope you share my excitement over the great work here.

I would only add that I continue to hear from practitioners of cyber security in the field that far more work is required, especially work in training and educating the middle and upper management of the Services. There is a great deal of hard work left to do. So, my recommendation: read the remarks delivered by the DepSecDef, but if you have ideas on how to continually enhance security and cyber threat awareness find ways to get them to DoD. Security related technologies remain critically important but also key are ways to teach at scale. Maybe the big need now is new ways to do automated computer based training that are not the old clunky industrial age computer based training programs currently in use. We need some way of really projecting threat and security info into the brains of senior and middle management and if the answer is that we should do more of the same maybe that isn’t the right answer. If you have thoughts there please share them.

But please do so after a review of current DoD policies, they are really looking up. There is a great deal we should be proud of here.

The following is from: http://www.defense.gov/Speeches/Speech.aspx?SpeechID=1535

Remarks on Cyber at the RSA Conference

As Delivered by William J. Lynn, III, San Francisco, California, Tuesday, February 15, 2011

Thank you again to RSA for recognizing the Defense Department’s contributions to cyber policy.

This is without question the most technically sophisticated audience I have addressed.  So it is with some reservation that I stand before you today.

When it comes to information technology, I am of an “in-between” age.  I am not too old to have shunned technology altogether.  I use a computer, a blackberry, even an iPad.  But I lack the intuitive understanding of those who have grown up in the digital age.  In other words, I have no idea how these devices actually work.  I stopped my education at being able to program my VCR.

Fortunately, the young men and women who make up most of our military are much more adept than me.  They, like you, are digital natives.  And the information technologies that they operate have revolutionized how the military organizes, trains, and fights.  Information technologies are at the core of our most important military capabilities.  They give us the ability to navigate with accuracy, communicate with certainty, see the battlefield with clarity, and strike with precision.

But for all the wonderful capability technology enables in our military, it also introduces enormous vulnerabilities.  We learned the hard way in 2008 when a foreign intelligence agency used a thumb drive to penetrate our classified computer systems—something we thought was impossible.  It was our worst fear: a rogue program operating silently on our system, poised to deliver operational plans into the hands of an enemy.

Unfortunately, the cyber threat continues to mature, posing dangers to our security that far exceeds the 2008 breach of our classified systems.

Today I want to discuss the development of the cyber threat, how that threat might manifest itself, and, finally, how we—government and industry—can work together to keep America safe in the digital age.

To date, the most prevalent cyber threat has been exploitation of our networks.  By that, I mean the theft of information and data from both government and commercial networks.  On the government side, foreign intelligence services have ex-filtrated military plans and weapons systems designs.  Commercially, valuable source code and intellectual property has likewise been stolen from business and universities.  The recent intrusions in the oil and gas sector and at NASDAQ join those that occurred at Google as further, troubling instances of a widespread and serious phenomenon.

This kind of cyber exploitation does not have the dramatic impact of a conventional military attack.  But over the long term it has a deeply corrosive effect.  It blunts our edge in military technology and saps our competitiveness in the global economy.

More recently, a second threat has emerged—and that is disruption of our networks.  This is where an adversary seeks to deny or degrade the use of an important government or commercial network.  This happened in the denial of service attacks against Estonia in 2007 and Georgia in 2008.  And it occurred when the hacker group Anonymous targeted eBay and Paypal.  The effect is usually reversible.  But the resulting economic damage and loss of confidence may not be.

To this point, the disruptive attacks we have seen are relatively unsophisticated in nature, short in duration, and narrow in scope.  In the future, more capable adversaries could potentially immobilize networks on an even wider scale, for longer periods of time.

The third and most dangerous cyber threat is destruction, where cyber tools are used to cause physical damage. This development—which marks a strategic shift in the cyber threat—is only just emerging. But when you look at what tools are available, it is clear that this capability exists.  It is possible to imagine attacks on military networks or critical infrastructure—like our transportation system and energy sector—that cause severe economic damage, physical destruction, or even loss of life.

Of course, it is possible that destructive cyber attacks will never be launched.  Regrettably, however, few weapons in the history of warfare, once created, have gone unused.  For this reason, we must have the capability to defend against the full range of cyber threats.  This is indeed the goal of the Defense Department’s new cyber strategy, and it is why we are pursuing that strategy with such urgency.

Our cyber strategy recognizes that we are in the midst of a strategic shift in the cyber threat.  The threat is moving up a ladder of escalation, from exploitation to disruption to destruction.  As this threat continues to mature, there are several ways it may materialize.

Today, the highest levels of cyber capabilities reside in nation-states.  Thus far, nation-states have primarily deployed their capabilities to exploit adversaries’ networks, rather than to disrupt or destroy them.  More than 100 foreign intelligence agencies have attempted intrusions on our networks, but these intrusions are largely limited to exploitation.  Although we cannot dismiss the threat of a rogue state lashing out, most nations have no more interest in conducting a destructive cyber attack against us than they do a conventional military attack.  The risk for them is too great.  Our military power provides a strong deterrent.

So even though nation-states are the most capable actors, they are the least likely to initiate a catastrophic attack in current circumstances.  We nevertheless must prepare for the likelihood that cyber attacks will be part of any future conventional conflict.  We need cyber capabilities that will allow us to defend against the most skilled nation-state.

Of greater concern in the near term is the accidental release of toxic malware.  A destructive tool could inadvertently escape its creator and be let loose “in the wild.”  Certain types of malware can propagate worldwide in minutes.  The accidental spread of toxic malware may not cause as much damage as a pre-meditated attack, but it could nevertheless be a potential source of disruption for critical networks.  We have to take the accidental release scenario seriously.  To prevent something as trivial as a thumb drive stuck in the wrong computer from having a calamitous effect on the global economy, we need defenses that can stop toxic malware.

Perhaps the greatest concern in our judgment is a terrorist group that gains the level of disruptive and destructive capability currently possessed by nation-states.  Al Qaeda, which has vowed to unleash cyber attacks, has not yet done so.  But it is possible for a terrorist group to develop cyber attack tools on their own or to buy them on the black market.  As you know better than I, a couple dozen talented programmers wearing flip-flops and drinking Red Bull can do a lot of damage.  And with few tangible assets to lose in a confrontation, terrorists groups are difficult to deter.  We have to assume that if they have the means to strike, they will do so.

We stand at an important juncture in the development of cyber threats.  More destructive tools are being developed, but have not yet been used.  And the most malicious actors have not yet laid their hands on the most harmful capabilities.  But this situation will not hold forever.  Terrorist organizations or rogue states could obtain and use destructive cyber capabilities.  We need to develop stronger defenses before this occurs.  We have a window of opportunity—of uncertain length—in which to gird our networks against more perilous threats.

The Defense Department is moving aggressively to counter this evolving threat.  Over the past two years, we have deployed specialized active defenses to protect military networks.  We have established the U.S. Cyber Command to operate and defend our networks.  We have begun discussions with our allies on implementing shared cyber defenses.  And we are in the final stages of review of a comprehensive cyber strategy, called Cyber 3.0.

That strategy is based on five pillars.

First, the Defense Department has formally recognized cyberspace as a new domain of warfare—like land, air, sea and space.  Treating cyberspace as a domain means that the military needs to operate and defend its networks, which is why we established U.S. Cyber Command.   It also means that the military services need to organize, train, and equip forces to perform cyber missions.  Each of the services has recently created organizations to do just that.  In short, to maintain our national security, our military must be as capable in this new domain as it is in the more traditional domains.

Second, we have equipped our networks with active defenses.  It is not adequate to rely on passive defenses that employ only after-the-fact detection and notification.  We have developed and now employ a more dynamic approach to cyber defense.  Active defenses operate at network speed, using sensors, software, and signatures derived from intelligence to detect and stop malicious code before it succeeds.  Because sophisticated intrusions will not always be caught at the boundary, active defense also enables us to hunt on our own networks and to cordon and deflect malicious software.  Although no network will ever be 100 percent secure, active defenses have significantly enhanced the security of the .mil domain.

Third, we must ensure that the critical infrastructure on which our military relies is also protected.  The threats we face in cyberspace target much more than military systems.  Cyber intruders have already probed many government networks, our electrical grid, and our financial system.  Secure military networks will matter little if the power grid goes down or the rest of government stops functioning—which is why the Department of Homeland Security’s cyber mission is so crucial.

Secretary Napolitano spoke here last year about her Department’s efforts to protect the .com and .gov domains.  I am pleased to follow her this year to discuss how the military provides support to DHS in the cyber domain.

During a natural disaster, like a hurricane, military troops and helicopters are often used by FEMA to help deliver relief.  In a similar vein, the military’s cyber capabilities will be available to civilian leaders to help protect the networks that support government operations and critical infrastructure.  As with all cases of military support to civilian authorities, these resources will be under civilian control and used according to civil laws.

This is why we established a formal partnership with DHS in October 2010.  Through pilot programs like Einstein 3, military technologies—including active defenses—are being used by DHS to secure government networks.  We have also established a joint planning capability and exchange of personnel—including in our cyber watch centers.  These initiatives substantially enhance the federal government’s ability to confront cyber threats.

Fourth, we are building collective defenses with our allies.   Just as our air defenses are linked to those of our allies to provide warning of aerial attack, so too can we cooperatively monitor our computer networks for cyber intrusions.

The fifth pillar of our strategy is to marshal our country’s vast technological and human resources to ensure the United States retains its preeminent capabilities in cyberspace, as it does in other domains.  I want to spend the remainder of my time discussing this aspect of the strategy and its implications for private industry.

Cyber 3.0 is an important milestone for our Department.  But even if we execute it flawlessly, the fact is that the government cannot protect our nation alone.  Cyber defense is not a military mission, like defending our airspace, where the sole responsibility lies with the military.  The overwhelming percentage of our nation’s critical infrastructure—including the internet itself—is largely in private hands.  It is going to take a public-private partnership to secure our networks.

To be successful, I believe we need to pursue several avenues of industry-government cooperation.

The first is information sharing.  Telecommunications providers have unparalleled visibility into global networks.  They can detect attacks transiting their systems, and in many cases alert customers.  Often, they have the best operational capacity to respond.

We are working with key technology and defense companies to exchange information that improves cyber security practices and capabilities.  Senior executives now meet regularly with top officials from the Department of Defense, Department of Homeland Security, and the Director of National Intelligence.  This public-private partnership, called the Enduring Security Framework, not only helps identify vulnerabilities.  It also mobilizes government and industry expertise to address security risks before harm is done.

The second avenue of public-private cooperation involves working to reverse the current advantage held by intruders seeking to penetrate networks.

The internet was designed to be open, transparent, and interoperable.  It was designed to ensure the broad flow of information and the easy introduction of new technology.  Security and identity management were secondary objectives in system design.  These structural properties have endowed the internet with undeniable dynamism.  But they have also given attackers a built-in advantage.

You can see just how significant this advantage is by comparing anti-virus software to the malware it attempts to defeat.  Sophisticated anti-virus suites now run on about ten million lines of code.  This is up from one million lines ten years ago.  Yet malware written with as little as 125 lines of code has remained able to penetrate anti-virus software across this same period.

Because of this imbalance between offense and defense, we need the scientific community to help strengthen our network architecture.  We must embed higher levels of security and authentication in hardware, operating systems, and network protocols.  The National Strategy for Trusted Identities in Cyberspace, a White House initiative, will lay one building block of this more secure future.  Our digital infrastructure will not change overnight, but over the course of a generation we have a real opportunity to engineer our way out of some of the most problematic vulnerabilities of today’s technology.

To help spur this effort, the Department of Defense will add half a billion dollars in new research funds for cyber technologies, with a focus on areas like cloud computing, virtualization, and encrypted processing.  Through our “Cyber Accelerator” pilot, we are also providing seed capital for companies to develop dual-use technologies that serve our cyber security needs.

Of course, it is not enough just to develop innovative cyber technologies.  We must also accelerate the introduction of them inside the Department.

It currently takes the Pentagon 81 months to field a new computer system.  The iPhone was developed in just 24 months.  That is less time than it takes us to prepare a budget and receive Congressional approval for it.  This means I get permission to start a project at the same time Steve Jobs is talking on his new iPhone.  It’s not a fair trade.  We have to close this gap.  Silicon Valley can help us.

Today I am announcing our intent to expand the Information Technology Exchange Program.  This program, whose pilot is just getting underway, will allow for the exchange of IT and cyber security personnel between government and industry.  We want senior IT managers in the Department to incorporate more commercial practices.  And we want seasoned industry professionals to experience first-hand the unique challenges we face at DoD.   As we expand participation I hope many of you consider applying.  The Department, and the nation, need your expertise.

I am also announcing a program to better utilize cyber expertise within the National Guard and Reserve.  Our Department has many soldiers, sailors, airman, and marines who work in the civilian IT world, and who continue to serve their country in the National Guard or Reserves.  To make better and more systematic use of their specialized skills, we will increase the number of Guard and Reserve units that have a dedicated cyber mission.

A third and more challenging avenue of industry-government cooperation is how to extend the high level of protection afforded by active defenses to private networks that operate infrastructure crucial to our military and our economy.

Because of our intelligence capabilities, government has a deep and unique awareness of certain cyber threats.  This classified “threat-based” information, and the technology we have developed to employ it in network defense, can significantly increase the effectiveness of cyber security practices that industry is already carrying out.

We already share unclassified threat information on a limited scale with defense companies whose networks contain sensitive information.  How to share classified signatures and the technology to employ them across the full range of industrial sectors that support the military and underpin the economy is a pressing policy question.  Owners and operators of critical infrastructure could benefit from the protections that active defenses provide.  We have the technology and know-how to apply them in a civilian context.  The real challenge at this point is developing the legal and policy framework to do so.

It is clear that securing our networks will require unprecedented industry and government cooperation.  With the threats we face, working together is not only a national imperative.  It is also one of the great technical challenges of our time.

The Department of Defense is moving aggressively to protect our own networks and to support civil authorities as they defend our nation’s digital infrastructure.  Over the longer term, we must develop technology that reverses the present advantage held by those seeking to steal our secrets and cause us harm.

My hope is that by working together, we can replicate the success achieved over ten years ago, by the partnership between government and industry to address Y2K in advance of the year 2000.

The challenge we face today in cyber security is similar in several respects.  It is global in scope.  It involves nearly everything digital.  And it will require government working with industry at all levels.

But unlike Y2K, we now face malicious, adaptive actors, bent on harm, rather than inanimate computer code written without the millennium in mind.

In Y2K, we also had a known deadline to focus the nation’s attention and resources.

We have a deadline in today’s effort as well—preventing a destructive cyber attack.  We just don’t know when it is.

My sincere hope is that we can solve this problem before an incident happens, rather than needing an incident to get it solved.

With Y2K, we succeeded.  Our response was so well managed, and so effective, it left people wondering whether there was ever a problem at all.

That brings me to what you can do.

In the cyber domain, soldiers are not the only ones on the front lines.  Scientists, engineers, and innovators are too, including all the companies represented here today.

Whether by developing more secure technologies in labs and start-ups or by serving in our cyber workforce yourselves, there is an opportunity for each of us to lay our hands on the wheel of innovation, and to spin it faster and with greater purpose.

A keystroke can travel twice around the world to devastating effect in 300 milliseconds—literally the blink of an eye.  But if we harness the knowledge in industry to the resources in government, we can create defenses that act even faster.

Throughout American history, at moments of great challenge and crisis, industry and the private sector have stood up, partnered with government, and developed the capabilities to keep our country safe.  The incredible technologies that have resulted—including the internet itself—have made our military the most effective fighting force in the world, and our economy the most advanced of any nation.

I’m confident that, just like generation of innovators and pioneers before you, your talents, your expertise, your vision, can help keep our nation strong and prosperous for generations to come.

Thank you very much

Related articles

• Attend FedScoop CyberSecurity Summit (ctovision.com)
• RSA: Government sees changes in cyber attacks (v3.co.uk)
• DoD, NATO Huddle On Cybersecurity (informationweek.com)
• Gates Boosts Cash to Darpa for Cyber Tech Research (wired.com)
• RSA Conference 2011 Award Winners Announced! (365.rsaconference.com)
• Revising Information Operations Policy at the Department of Defense (mountainrunner.us)

You may also like -

Deputy Secretary of Defense Lynn: Cyber Strategy’s Thrust is DefensiveJTF-CND to JTF-CNO to JTF-GNO to CybercomDefense Intelligence Information Enterprise Conference 6-9 June 20112010 DoDIIS Worldwide ConferenceFedCyber.com Cybersecurity Summit on Wednesday, September 28Evolving Approaches to Cyber ThreatsBob GourleyLeadership changes in DoD IT, logistics, cyberCrucialPointLLCPentagon, DHS Probe Expanding Sharing of Cyber Threat Intel with ContractorsCrucialPointLLCPentagon CIO’s Tech Revamp: 4 PrioritiesCrucialPointLLCCyber Conflict Studies Association History ContestBob Gourley

Opinion: the most mature research agenda on the topic of cyber security is the one established by our nation’s Department of Homeland Security.

I’m keeping an open mind, and would love to learn of other cyber security research agenda’s that might be as well defined. But I have to tell you I have seen research programs associated with cyber for years and this one is impressive.

The details of the topic areas of this research activity are embedded in a Broad Area Announcement (BAA) posted on FedBizOpps. The PDF of the announcement is located here: http://ctovision.com/wp-content/uploads/2011/02/Cyber_Security_BAA_11-02-2.pdf

You can also find info on this research agenda at:

https://baa2.st.dhs.gov/portal/BAA/

A summary of the agenda is pasted below for your review, but please visit review the details on the DHS site and at FedBizOpps for more info. And, if you know of any researcher who has an ability to contribute to the cyber mission needs outlined in this BAA, please get word of the BAA to the researcher. Our nation needs research into these topics, and it looks like DHS may be making some funding available for research into these topics.

I’d also recommend the DHS S&T Topics for Cyber Research by reviewed by computer science students and teachers.  They should also be considered by IT firms large and small, even if the firms are not planning on responding to the DHS announcement.  Anyone doing any research on cyber anywhere would benefit from a review of this agenda, I believe.

Summary from the DHS S&T website:

Summaries of these task areas:

Related articles

• Attend FedScoop CyberSecurity Summit (ctovision.com)
• Federal Cyber Security: Missions, Initiatives, Opportunities and Risks (ctovision.com)
• Ponemon Institute Cost of Cyber Crime Study (ctovision.com)
• DHS To Invest $40 Million On Cybersecurity Research (informationweek.com)
• DHS Offers $40M For Top Cybersecurity Research (yro.slashdot.org)
• ENISA smartphone cyber security report (marienfeldt.wordpress.com)

You may also like -

Mature Models for Healthy and Resilient Cyber SystemsWhat is the Cyber Conflict Studies Association?GovSec conference is March 29-31 2011The FedCyber.com Cyber Security SummitDeputy Secretary of Defense Lynn: Cyber Strategy’s Thrust is DefensiveDARPA’s Cyber Fast Track Adds Agility to Research FundingCrucialPointLLCCyber Conflict Studies Association History ContestCrucialPointLLCEvolving Approaches to Cyber ThreatsBob GourleyFormer W.H. Official: In the Event of a Cyberwar, Don’t Call DHSCrucialPointLLCZafesoft: Next Generation Content SecurityCTOvision.com

Forbes ran a nice piece on In-Q-Tel.  The article is worth reading in its entirety.  Here is a link: Startups Backed By The CIA.

The In-Q-Tel mission is to identify, adapt and deliver innovative technology solutions to support the missions of the Central Intelligence Agency and the broader US Intelligence Community, including the Department of Homeland Security.

As a teaser till you get around to the article, here is a list of companies in the order written about there, including a short bullet of their capability and a hot-link to their site:

• Cleversafe – Smart way to save your data in the cloud. Clever and Safe.
• AdaptivEnergy – Capture energy from vibrations.
• Qynergy – New battery technology.
• Infinite Power Solutions – Thin-film batteries to power RFID.
• ThingMagic – Advanced RFID solutions.
• GainSpan – WiFi enablement.
• Image Tree Corp – Figure out what is growing on the earth.
• Fortius One – Advanced, easy geospatial.
• Geosemble – Map people, places, things using data from RSS feeds and tweets.
• LensVector – Taking moving parts out of cameras.
• 3VR – Video analytics.
• Recorded Future – Gain knowledge of the future by looking for events mentioned on the net.
• Visible Technologies – Analysis.
• FMS – Analysis.
• StreamBase – Capture and analyze data in stream.
• Destineer Studios – Advanced immersive environments.
• Sonitus Medical – hear from your teeth.
• Basis Technology – Search in multi-language.

(These technologies (and others) are also listed on the CTOvision.com Disruptive IT list).

Congrats to all the companies mentioned here for the great write-up in Forbes.  And congrats to forward thinkers in the intelligence community for creating a structure that enables quicker discovery of technologies of interest to your mission.  This is a win-win-win.  A win for the intelligence community, a win for companies involved, and a win for national security.

Related articles

• Startups Backed By The CIA (forbes.com)
• How the C.I.A. Perfects its Social Media Monitoring Technologies (blogs.forbes.com)
• CIA Invests In Cloud, Web Analytics Startups (informationweek.com)
• CIA Invests In Anti-Cybercrime Startup (yro.slashdot.org)
• Who is A Big Fan of ArcSight? The CIA (blogs.wsj.com)
• Cleversafe Raises $31.4 Million From Motorola, VC Firms And … The CIA? (techcrunch.com)

You may also like -

CIA Invests In Semantic Search, Wireless NetworkingCrucialPointLLCDisruptive Technology of the Week – Republic WirelessBob Gourley

I am so proud to be associated with Twiki.  Some of the personal reasons I enjoy working with them is an ability to interact with and learn from their CEO Jitendra Kavathekar (@JeetKavathekar) and their founder Peter Thoeny (@peterthoeny).  Both are enthusiastic teacher/leader/thinkers.  I also appreciate the opportunity to work with members of the advisory board they have established.  Rod Beckstrom (@RodBeckstrom), Dion Hinchcliffe (@dhinchcliffe) and Bob Flores (@bobflores) are good, enjoyable, mission-focused folks.

But Twiki is about far more than good technology and enjoyable technologists.  It is about a new ability to serve some very important missions in industry, academia and government and many important missions that span across all those domains.

Which is why I’m particularly excited about word of Twiki winning the Disaster Management Initiative (DMI) award for Gov2.0 solutions.  It is proof that there is something very important going on here.

Here is more about this award:

You may also like -

Nominations Solicited for the 2011 Government Big Data Solutions AwardCrucialPointLLCTwiki: Get Work Done!CrucialPointLLCNomination Period Underway for the 2011 Government Big Data Solutions AwardCrucialPointLLC