U.S. still lacks some basic essentials for cyber defense

The U.S. government and the private sectors must work together to defend critical infrastructure and to foster greater education and awareness of cybersecurity issues, a retired Air Force general says.

Despite creating new organizations and creating a framework for cyber operations, the U.S. government has not yet established a national strategy or fully defined roles and responsibilities for managing events in cyberspace. The government and the private sectors have to work together to defend critical infrastructure and to foster greater education and awareness of cybersecurity issues, said retired Air Force Lt. Gen. Charles Croom, vice president of cybersecurity solutions at Lockheed Martin Corp.

Speaking Jan. 25 at the Network Enabled Operations conference in Arlington, Va., Croom drew on his extensive experience in the network security field (his last Air Force post was director of the Defense Information Systems Agency) to highlight technology trends and related cyber threats that appeared in 2010. These included the growth of social networking, the use of personal electronic devices in offices, the rise of WikiLeaks and similar occurrences, privacy concerns, cloud computing, malware creation, hacktivism and social engineering.

Yet while all of these things were changing the cyber environment, Croom noted that private companies actually cut investment into maturing cybersecurity processes, background checks on personnel, and security for portable devices. One excuse cited by the private sector has been the poor economic climate of recent years, which has caused many firms to cut back on security functions. This is a mistake, he said.

Croom backed up this argument with a quick list of major cyber breaches of private firms in 2010. These included Google seeking government help after it detected an intrusion into its networks, the highly specialized Stuxnet worm that disabled centrifuges and industrial equipment in the Iranian nuclear program, and the Buckshot Yankee incident, in which malware-infected flash drives affected classified and unclassified Defense Department networks.

Another factor this year was the WikiLeaks release of State Department diplomatic information. Croom said that WikiLeaks led to a spike in protest hacktivism, with pro- and anti-WikiLeaks groups attacking each other’s websites.

Using the U.S. and Iranian governments as examples, Croom said that the costs of not being secure can have major implications for national policy and security. He noted that 48 percent of data breaches in organizations were caused by insiders, and business partners were responsible for another 11 percent.

Cyberattacks also shared some commonalities. Croom explained that 85 percent of reported cyberattacks were not very complex or difficult to carry out, 61 percent of these incidents were reported by a third party, and in 86 percent of all incidents the victims had the evidence in their log files.

Despite the threats, there is no clear policy in the U.S. government for how to proceed, although a decision on a course of action will be made this year. Croom noted that there are a variety of points of view in the federal and private sectors, ranging from the belief that the nation is currently in a cyber war to the argument that there is no real threat in cyberspace. He stressed the need for more binding international agreements and cooperation to deal with cyber crime and noted that all of the pundits and thought leaders on cyberspace—no matter their particular views—stated that public-private partnerships are necessary to protect critical infrastructure such as electric utilities.

However, while the DOD has been very good at creating U.S. Cyber Command and the individual service cyberspace commands and at classifying roles and missions, Croom said that it has yet to develop a clear strategy for cyberspace operations. He also noted that while Cyber Command is officially operational, it lacks funds, talent and leadership.

Croom said that fundamental jurisdictional issues remain to be resolved: Who is in charge during a cyberattack, what is the operational plan, and are there clear roles and responsibilities set down? Until these can be answered coherently, U.S. government cyber policy will be muddled, he said.

In the interim, Croom proposed one solution to some cyberattacks—empower the Internet service providers. He noted that every ISP can detect botnets and go after them by shutting off service. However, ISPs do not do this for fear of liability. There is a case for giving ISPs liability protection so that they can act, he said.

One possibility is an international agreement to eliminate botnets. Because cyberspace touches on a variety of national and corporate sovereignty issues, Croom recommended taking small steps with specifically targeted treaties and agreements. In the meantime, he said that while the military is slow in developing a strategy, it has tremendous resources and should, through the government, reach out to form quiet partnerships with the private sector. On the private sector's side, there is a need to educate industry personnel about cybersecurity and related threats. Croom said that the private sector should put more effort into working with universities to identify needs and develop standards and policies.