29 March 2017

Former top cyber officials: ‘Don’t stove pipe cyber’

by Mark Pomerleau

Ken Foster, a computer network analyst with the California Army National Guard Computer Network Defense Team, assists one of his fellow analysts to defend against a simulated virus attack during the 2014 Cyber Shield exercise at the National Guard Professional Education Center in North Little Rock, Ark., April 30, 2014.

With recent high-profile cyber incidents and intrusions, many are left with the idea that cyber is so special and unique that it does not fit the rational roles of international, military or civilian relations. Some top current and former officials have poured cold water on these perceptions, warning that siloing cyber is not a winning formula.

“Don’t stove pipe cyber,” Suzanne Spaulding, former undersecretary for National Protection and Programs Directorate at DHS, said March 20 at the Cybersecurity for a New America conference in Washington, hosted by the New America Foundation. “We think of cyber in stove pipes still, as if you can put it over here with all of your cyber ninjas and understand and solve the problem.”

This model does not help to understand the nature of the threat, she said, especially when trying to prioritize cyber threats as an administrator. To prioritize, one must understand consequences, and consequences are not just going to be within one’s IT system, she added.

Similarly, Michael Daniel, the previous cybersecurity coordinator at the White House, expressed one of his frustrations with the idea that one must respond to cyber with cyber. People think that when hit in cyberspace, the response has to be in cyberspace and the only time one can use their cyber tools is against a cyber adversary, he said at the same conference.

“Neither of those two things are true,” he said, noting that the previous administration tried to break out of that paradigm and think about how to use these tools in a way that is lawful and consistent with U.S. values – things like sanctions, indictments and diplomatic demarches.

Echoing that sentiment, Spaulding said one of the best ways to mitigate the damage of a significant cyber event is to have some kind of physical redundancy. It will involve plans for how an organization will mitigate the effects of a successful cyberattack and not just how they will respond and recover in IT networks.

In Ukraine, she said, following the cyberattack on their electrical grid, their cyber ninjas did not get the adversary out of the network and get the lights back on. Rather, the people who turned the lights back on in Ukraine in six hours in the dead of winter were the guys who knew how the grid was laid out and where the nodes were and went there physically to turn the switches back on, she said.

Even the top military cyber official has warned about putting “cyber” on a pedestal.

“Don’t make this thing so specialized, so unique, so different that it just gets pushed to the side,” Adm. Michael Rogers, commander of Cyber Command, said in February. “That will sub-optimize our ability to execute cyber operations, and quite frankly it will minimize or at least negatively impact, in my view, the operational outcomes, which is the whole reason we’re doing this in the first place.”

Cyber is an operational domain in which the military does a variety of missions and functions, many of which are traditional, he said, adding that the military executes reconnaissance and fire and maneuver activities in cyberspace much like the branches do in the physical world.

Both Spaulding and Daniel believe that cyber must not be thought of as just one issue.

The current discussion surrounding cyber reminds Spaulding of the early days of weapons of mass destruction talks. Officials approached WMDs as if they were just one thing, she said, noting that chemical weapons are not the same as nuclear, nuclear is not the same as biological, etc. It wasn’t until the issue was broken down into these separate categories, Spaulding said, that they began to get some traction.

In the cyber realm, intellectual property theft is not the same as an attack on an industrial control system, she added. To that end, talks about creating a separate cybersecurity agency would be a mistake in Spaulding’s mind because law enforcement has a distinct mission from preparedness.

Daniel provided two initial starting points to break down the cyber problem. First, who are the actors? Broadly speaking, there are hacktivist groups who are promoting various ideologies, terrorist groups, criminal organizations that have moved into this space in a big way, then there are the nation states, he said.

A second category is the target types or cyber activity. Is it the theft of information, is it disruption or is it destructive activity, he asked, indicating these are distinct from one another.
