Cybersecurity

Cyber strategy: 'We know what to do, now we need people to do it'

Shutterstock image: pieces of the puzzle.

Although federal cybersecurity officials say things look promising in defending against threats to critical infrastructure, they also warn the cyberworld's mutability remains a constant challenge for defenders.

"We're putting the pieces of the puzzle together to crack the problem," Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security, said in a keynote speech at the second annual Cybersecurity Summit sponsored by the Association for Federal Information Resources Management and the U.S. Cyber Challenge.

With the National Institute of Standards and Technology's information sharing framework, the White House's February executive order on information sharing, and burgeoning security activities among critical infrastructure providers, the pieces are in place to respond to the growing cyber threat, according to Ozment.

Those initiatives provide best practices for industry, while allowing them to form cross-industry groups to discuss and share threat information. And legislative proposals from the White House, unveiled in January, would facilitate cybersecurity information sharing between the private sector and government. That proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security's National Cybersecurity and Communications Integration Center, which would then share it in near-real-time with relevant federal agencies.

Private-sector-developed and operated Information Sharing and Analysis Organizations (ISAOs) and Information Sharing and Analysis Centers (ISACs) are also key to the process, Ozment added, and increasing use of machine-to-machine alert capabilities are moving forward as well.

The cyber defense community has taken coordinated aim at the problem after some fits and starts, according to Ozment "We know what to do, now we need people to do it," he said referring to chronic shortages of employees with cyber skills in government and private industry. The AFFIRM event was aimed at discussing that shortage and how to mitigate it.

David Bray, CIO at the Federal Communications Commission and a 2015 Eisenhower Fellow working on global perspectives on the "Internet-of-Everything," said in remarks following Ozment's that the one constant with the Internet and cyber security is change.

Speaking not as FCC CIO but as a knowledgeable observer of cybersecurity, Bray said fundamental flaws in how the Internet was constructed years ago, including the use of TCP/IP protocol, as well as an increasingly heavy reliance on industrial control and other machine to machine communications systems that weren't designed with security in mind, could prove to be the Achilles heel of cyber defense.

The TCP/IP protocol was the Internet's original language and was developed at a time when cyber threats were a vague concern at most.

Internet-facing industrial control systems are an increasingly attractive target. "The threats with industrial control systems are even greater than with TCP/IP," he said.

To help mitigate those threats, Bray said, cyber defenders have to adjust. Cyber defenses should focus on behavior rather than just signatures of intruders. Recognizing certain aberrant behaviors can go a long way with cyber threats that either happen in slow motion over a long period of time to mask the activity, or at blinding speed.

However, with exponentially increasing cyberattacks and constant probing by cyber criminals on a rapidly expanding number of devices and systems, Bray said there is growing realization that a static response by CIOs and IT managers won't work. "We're at a tipping point," he said. CIOs and CEOs are realizing that there is an inherent risk in using the Internet and that trying to mitigate every possible threat is useless and counterproductive. A new attitude has to take hold.

"We don't assume the world is always safe," Bray said. "When you go to a restaurant, there are no armed guards outside the restaurant. Someone could plow a car into it and blow it up," but that doesn't stop us from going to restaurants. "We have to manage the risk."

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.


Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.