Advanced persistent threats require a new dynamic of defense
The cyber threat is as real and advanced as ever, and with the military as a high-value target, governance for defending cyberspace must be determined as soon as possible.
Whether it’s an unknowing employee inadvertently opening a phishing e-mail, a rogue actor revealing internal vulnerabilities or a crop of hacktivists wreaking havoc with denials of service, the new advanced persistent threat has many faces and requires a multipronged approach.
That approach includes elements such as intelligence, governance and strategic planning on the part of the public and private sectors, a panel of experts said today at 1105 Media’s Defense Systems Summit in Arlington, Va.
Related coverage:
Learning lessons from Stuxnet before it's too late
More news from the Defense Systems Summit
“It’s a hard problem to solve because how do you predict a denial-of-service attack?” said Barry Hensley, vice president of the Counter Threat Unit at Dell SecureWorks. “We see advanced threats every day targeting intellectual property, mergers and acquisitions.... It’s critical to nation-states and to the future of business.”
At the Defense Department, there are plenty of directives and guidance, but the problem is implementing better action faster — and taking the cyber threat as seriously as traditional types, said retired Lt. Gen. Jeffrey Sorenson, a partner at A.T. Kearney and former Army CIO.
“It may take a Pearl Harbor or a 9/11 cyberattack for people to get serious about this,” Sorenson said. “We have to be able to do forensics in minutes and hours, not weeks and days.”
On the military side of the equation, much of the threat remains uncertain.
“Is it an issue of scale — in the Army, 1.2 million users — or is it an issue of processes?” Sorenson asked.
Gary McAlum, senior vice president and chief security officer at USAA, agreed that complexities within DOD, including interdependencies, complicate the threat.
“DOD is an enterprise of little enterprises. There is no end-to-end visibility,” McAlum said, adding that strong, clear governance will be necessary to achieve scale.
The pervasive use of IT in modern defense also contributes to the dangers of the cyber threat and heightens the military as a target.
“The Army is a particularly high-value target because, for the first time, everything we do, including weapons systems, IT is embedded inside,” said Daniel Bradford, deputy to the commander and senior technical director/chief engineer at the Army Network Enterprise Technology Command. “Our adversaries know they can’t take us on militarily, so they’re taking us on through [technology]. Whenever you diffuse command and control into the trenches, that’s a fragment you can’t control, and it becomes a target.”
Still, the military’s role in securing national interests in cyberspace isn’t yet well-defined, another aspect that increases vulnerability, said Scott Jasper, a lecturer at the Naval Postgraduate School. He noted that defining the military’s role is a precursor to defining an attack, and that’s something that requires consideration of Article 51 provisions and the laws of armed conflict and how they relate to cyber warfare.
“The military is in a tough spot in looking at these civilian infrastructures and applying the laws of armed conflict,” Jasper said.
It’s an issue that requires a fast resolution, Sorenson added.
“The persistent conflict in the cyber world today is just as real as anything,” he said. “You can have all the tools you want, but without the governance process, you can’t do anything with [them].”