DOD must redesign its network defenses, cyber chief says

The Defense Department must restructure how it defends its networks and manages security, says Gen. Keith Alexander.

The rapidly changing shape of cyberspace is driving the U.S. government to change how it defends and manages its computer networks, and the Defense Department is redesigning its security systems to operate in this shifting environment.

It's predicted that by 2015 there will be twice as many devices on the Internet as people, Army Gen. Keith Alexander, commander of U.S. Cyber Command and director of the National Security Agency, said at the Defense Advanced Research Projects Agency's Cyber Colloquium in Arlington, Va., on Nov. 7. Despite the advantages provided by the proliferation of new technologies, they are rife with vulnerabilities, he said.

Alexander said that over the last year there have been major data breaches at large private industry firms. Companies with good security recognize that they've been hacked, but many firms do not, he said. This theft of intellectual property is the greatest transfer of wealth in history, Alexander said.

One of the key things DOD must do to help thwart attacks on its networks is to repair its defensible network architecture. But to do so, it must move away from a static mentality that detects and reacts to incidents after they have occurred, he said.

The government’s network architectures must be redrawn and streamlined; there are 15,000 enclaves in DOD, Alexander said. This mix of networks offers Cyber Command little or no visibility into their status because there is no situational awareness in cyberspace, he said. To remedy this, organizations such as DARPA must develop autonomous technologies that can both detect intrusions in real time and put people in the loop to respond to them, he said.

Cyber Command is working on a defense industrial base pilot program with industry to help protect select defense industrial firms with more than commercial anti-virus software, and so far this effort has worked relatively well, he said. The United States also needs to develop a coordinated system of working with allies in cyberspace.

Because the existing DOD infrastructure is a mix of different legacy networks, moving to cloud computing makes sense, Alexander said. Cloud technology offers a variety of advantages, not only in improved security, but in streamlined services and fewer data centers, he said.

Alexander maintained that the cloud can be made more secure than the current network architecture. Industry and DARPA also can develop cheaper, more secure platforms to support networks via the cloud, he said. For example, pushing out software patches across the network is currently a cumbersome process that can be done more easily and rapidly via the cloud, he said.

The concept for this future capability was recently tested by the NSA’s move to a cloud architecture. Alexander said as part of this move, the agency is moving to a thin client system, which has reduced its overall number of desktop computers.

Virtualization also has cut the help desks at the NSA from 900 throughout the enterprise to two, Alexander said. The NSA's data centers also have been trimmed by 25 percent. He said one of the agency's targets is to achieve a 50 percent reduction in network administration costs and to reduce network storage by 2016.

Alexander said there is no architecture for the government and industry to work together to defend their networks. “We helped create the Internet, we ought to help protect it,” he said.