Cyber attacks threaten agency missions, experts say

A variety of existing measures could significantly improve the security of government information technology systems in the next two years, but agencies must look at IT security vulnerabilities as a threat to agency missions, not just their networks, if needed security improvements are to be made, experts said at a cyber security conference in Washington this week.

The scope and sophistication of attacks on public and private networks continue to escalate at alarming rates, said Melissa Hathaway, senior advisor and cyber coordination executive for the Director of National Intelligence.

“We’re facing the dangerous combination of known and unknown vulnerabilities, strong adversary capabilities and we have weak situational awareness,” Hathaway said, speaking at a conference on cyber space challenges held by the Armed Forces Electronics and Communications Association. Insider threats to government networks, in part from phishing schemes and other unauthorized access, have increased 52 percent during the past 18 months, she said.

“We’re at an inflection point,” she said, noting that the attention being devoted to cyber attacks has at least resulted in a new level of public and private sector cooperation and support for finding ways to combat the problem. But “we have a long way to go,” Hathaway said, in developing greater situational awareness, defending against attacks, managing risks in the global supply chain, educating the public, and working with the private sector to improve deterrence.

Many of the solutions already exist, said Bob Gourley, chief technology officer of Crucial Point LLC.

“We can improve security by two orders of magnitude within the next 24 months,” he said, referring to the number of network intrusions, by doing a better job with identity management, authentication, insider threat modeling and analysis, digital rights management, and speeding up collaborative efforts.

At the same time, Gourley acknowledged that the need for standards and cumbersome procurement processes represent significant hurdles that still must be overcome.

The real risk of not moving faster on security matters goes beyond the government’s networks, said Mischel Kwon, director of operations for the U.S. Computer Emergency Readiness Team at the Department of Homeland Security.

“We use technology differently than we did five years ago — even two years ago,” she said. “It’s an integral part of our mission. With that change, [so have] the attacks changed. We need to think of them not as attacks on our systems but attacks on our missions,” she said.

Kwon stressed the importance of developing new tools, new tactics and new techniques “to detect, to mitigate, and then reflect” on the nature of the attacks. “We need to think about what information assurance changes” and changes in policy and technology we need to support a “complete feedback loop,” otherwise “we will continue to play whack-a-mole” with network intruders.

Civilian agencies, more broadly, also need to follow the types of procedures commonly used by the defense and intelligence communities for protecting their computer networks, particularly as information sharing becomes more essential to government operations, said Lt. Gen. Keith Alexander, director of the National Security Agency.

“We have to get the same processes and procedures into Homeland Security and other agencies, so they know their [network systems] are secure; and when those [networks] touch Defense, we know they’re secure,” he said.

At the same time, much also needs to be done between the public and private sector, said Bob Lentz, deputy assistant secretary of Defense for information and identity assurance.

“If I had a scorecard on public-private partnerships, there wouldn’t be very high scores,” he said.

He itemized several areas where improvements are needed. One is the need for research and development of leap-ahead types of technologies. Another is the need to establish more thorough standards, protocols and specifications, even if it means that industry must sacrifice a certain amount of proprietary work. He also said more work must be done to improve the acquisition process in government, which he described as “broken.” Additional efforts must also be made in improving the architecture of systems.

“People really understand we’ve got to work together, we can’t just try to work together,” he said.