Cyber strategy: 'We know what to do, now we need people to do it'

Although federal cybersecurity officials say things look promising in defending against threats to critical infrastructure, they also warn the cyberworld's mutability remains a constant challenge for defenders.

"We're putting the pieces of the puzzle together to crack the problem," Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security, said in a keynote speech at the second annual Cybersecurity Summit sponsored by the Association for Federal Information Resources Management and the U.S. Cyber Challenge.

With the National Institute of Standards and Technology's information sharing framework, the White House's February executive order on information sharing, and burgeoning security activities among critical infrastructure providers, the pieces are in place to respond to the growing cyber threat, according to Ozment.

Those initiatives provide best practices for industry, while allowing them to form cross-industry groups to discuss and share threat information. And legislative proposals from the White House, unveiled in January, would facilitate cybersecurity information sharing between the private sector and government. That proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security's National Cybersecurity and Communications Integration Center, which would then share it in near-real-time with relevant federal agencies.

Private-sector-developed and operated Information Sharing and Analysis Organizations (ISAOs) and Information Sharing and Analysis Centers (ISACs) are also key to the process, Ozment added, and increasing use of machine-to-machine alert capabilities are moving forward as well.

The cyber defense community has taken coordinated aim at the problem after some fits and starts, according to Ozment "We know what to do, now we need people to do it," he said referring to chronic shortages of employees with cyber skills in government and private industry. The AFFIRM event was aimed at discussing that shortage and how to mitigate it.

David Bray, CIO at the Federal Communications Commission and a 2015 Eisenhower Fellow working on global perspectives on the "Internet-of-Everything," said in remarks following Ozment's that the one constant with the Internet and cyber security is change.

Speaking not as FCC CIO but as a knowledgeable observer of cybersecurity, Bray said fundamental flaws in how the Internet was constructed years ago, including the use of TCP/IP protocol, as well as an increasingly heavy reliance on industrial control and other machine to machine communications systems that weren't designed with security in mind, could prove to be the Achilles heel of cyber defense.

The TCP/IP protocol was the Internet's original language and was developed at a time when cyber threats were a vague concern at most.

Internet-facing industrial control systems are an increasingly attractive target. "The threats with industrial control systems are even greater than with TCP/IP," he said.

To help mitigate those threats, Bray said, cyber defenders have to adjust. Cyber defenses should focus on behavior rather than just signatures of intruders. Recognizing certain aberrant behaviors can go a long way with cyber threats that either happen in slow motion over a long period of time to mask the activity, or at blinding speed.

However, with exponentially increasing cyberattacks and constant probing by cyber criminals on a rapidly expanding number of devices and systems, Bray said there is growing realization that a static response by CIOs and IT managers won't work. "We're at a tipping point," he said. CIOs and CEOs are realizing that there is an inherent risk in using the Internet and that trying to mitigate every possible threat is useless and counterproductive. A new attitude has to take hold.

"We don't assume the world is always safe," Bray said. "When you go to a restaurant, there are no armed guards outside the restaurant. Someone could plow a car into it and blow it up," but that doesn't stop us from going to restaurants. "We have to manage the risk."