Cyber strategy: 'We know what to do, now we need people to do it'

Although federal cybersecurity officials say things look promising in defending against threats to critical infrastructure, they also warn the cyberworld's mutability remains a constant challenge for defenders.

"We're putting the pieces of the puzzle together to crack the problem," Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security, said in a keynote speech at the second annual Cybersecurity Summit sponsored by the Association for Federal Information Resources Management and the U.S. Cyber Challenge.

With the National Institute of Standards and Technology's information sharing framework, the White House's February executive order on information sharing, and burgeoning security activities among critical infrastructure providers, the pieces are in place to respond to the growing cyber threat, according to Ozment.

Those initiatives provide best practices for industry, while allowing them to form cross-industry groups to discuss and share threat information. And legislative proposals from the White House, unveiled in January, would facilitate cybersecurity information sharing between the private sector and government. That proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security's National Cybersecurity and Communications Integration Center, which would then share it in near-real-time with relevant federal agencies.

Private-sector-developed and operated Information Sharing and Analysis Organizations (ISAOs) and Information Sharing and Analysis Centers (ISACs) are also key to the process, Ozment added, and the increasing use of machine-to-machine alert capabilities is moving forward as well.

The cyber defense community has taken coordinated aim at the problem after some fits and starts, according to Ozment. "We know what to do, now we need people to do it," he said, referring to chronic shortages of employees with cyber skills in government and private industry. The AFFIRM event was aimed at discussing that shortage and how to mitigate it.

David Bray, CIO at the Federal Communications Commission and a 2015 Eisenhower Fellow working on global perspectives on the "Internet-of-Everything," said in remarks following Ozment's that the one constant with the Internet and cybersecurity is change.

Speaking not as FCC CIO but as a knowledgeable observer of cybersecurity, Bray said fundamental flaws in how the Internet was constructed years ago, including the use of the TCP/IP protocol, as well as an increasingly heavy reliance on industrial control and other machine-to-machine communications systems that weren't designed with security in mind, could prove to be the Achilles heel of cyber defense.

The TCP/IP protocol was the Internet's original language and was developed at a time when cyber threats were a vague concern at most.

Internet-facing industrial control systems are an increasingly attractive target. "The threats with industrial control systems are even greater than with TCP/IP," he said.

To help mitigate those threats, Bray said, cyber defenders have to adjust. Cyber defenses should focus on behavior rather than just signatures of intruders. Recognizing certain aberrant behaviors can go a long way with cyber threats that either happen in slow motion over a long period of time to mask the activity, or at blinding speed.

However, with exponentially increasing cyberattacks and constant probing by cyber criminals on a rapidly expanding number of devices and systems, Bray said there is growing realization that a static response by CIOs and IT managers won't work. "We're at a tipping point," he said. CIOs and CEOs are realizing that there is an inherent risk in using the Internet and that trying to mitigate every possible threat is useless and counterproductive. A new attitude has to take hold.

"We don't assume the world is always safe," Bray said. "When you go to a restaurant, there are no armed guards outside the restaurant. Someone could plow a car into it and blow it up," but that doesn't stop us from going to restaurants. "We have to manage the risk."

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
