2 June 2015

NSA boss joins West Point cyber discussion



WEST POINT, N.Y. — Before visiting with the newly created Army Cyber Institute last year, Mark McLaughlin — chairman, president and CEO of Palo Alto Networks — hadn't been back to West Point since his 1988 graduation.

But after meeting with ACI staffers and cadets on their contribution to the service's cyber mission, he made plans to return. And bring friends.

"We have to get this interaction going — public-private, private-public," said McLaughlin. "There are a lot of academy alumni running around that are paying a lot of attention to this cyber thing. If what you want to do as the ACI, or what the DoD wants to do on a broader basis with all the academies together, is to work with industry somehow, there's a tremendous amount of affinity for the mission from folks who've graduated from the academies who are now in positions to assist you.

"So, why don't we have a meeting? And here we are."

Thursday's Inaugural Joint Service Academies Cyber Security Summit provided a forum for the ACI, along with representatives from the Air Force, Coast Guard and Naval academies, to present their programs to an alumni-filled audience. Representatives of Citigroup, General Electric, Goldman Sachs and other companies also participated, as did public-sector cyber leaders from the FBI, Homeland Security Department and other agencies.

That type of cross-sector information sharing was stressed by Adm. Michael Rogers, head of U.S. Cyber Command and the National Security Agency, in his keynote remarks.

"The key to success," he told the group, "is going to be our ability to bring this together as a partnership."

Working across public-private lines was one tactic offered to address some national cyber concerns brought up by Rodgers, who also discussed other problem areas for those in and out of uniform:

Public-sector training: While many companies cycle through cybersecurity and information-officer personnel every two to five years, Rogers said the federal staff can remain in place for up to three decades. "If we're going to keep the same workforce," he asked, "how are we going to keep them relevant?" 
Internal threats: "Every one of those individuals on a keyboard represents a vulnerability," he said, adding that a strong "cultural ethos" was necessary throughout DoD and NSA. 
Post-hack actions: Rogers helmed 10th Fleet, the Navy's top cyber agency, when an Iran-sponsored attack succeeded in accessing the Navy-Marine Corps Intranet in late 2013. "One of my takeaways from that was that we have focused a lot of time on how to stop people from getting in, but perhaps we need to spend more time thinking about what are we going to do when, despite all our best efforts, individuals penetrate our networks?" 

Rogers did not take questions from the media, and the summit's breakout sessions were not open to the press. While much of the inaugural event centered on introducing academy efforts to graduates and others, there was some work to be done — or at least to begin.

"We want to start the conversations on the commonly shared problems," said Fernando Maymi, ACI deputy director and assistant professor at West Point. "What is the relationship between the private and the public sector? At what point is [a cybersecurity issue] an internal issue, when do you involve law enforcement, and when does it grow into an issue that potentially could touch on a military response?

"Companies are taken through that spectrum fairly quickly, as evidenced by the Sony event. ... That is an area that hasn't been explored as carefully as it ought to be."

The environment for such talks may offer opportunities not yielded by similar industry conferences, said McLaughlin, who also serves as chairman of the National Security Telecommunications Advisory Committee.

"The service academies are really educational in nature," he said. "This is not a vendor-driven sales pitch. It is not a venue where people are just going to talk about the problem. Again."

No comments: