Cyber command in urgent need of strategy, military leaders say
At the same time, the increasing complexity of cyberspace and ongoing workforce issues remain pressing challenges, adding urgency, military leaders said, for the new command to articulate its strategy soon.
Military leaders from the Army, Navy, Air Force and Marine Corps expect the Defense Department’s new unified Cyber Command to rationalize military cybersecurity efforts.
However, at the same time, the increasing complexity of cyberspace and ongoing workforce issues remain pressing challenges, adding urgency, they said, for the new command to articulate its strategy soon.
“We made conscious decision a year ago, knowing Cybercomm was coming, to [ensure the Army’s] direction was in sync with expected plans — and wait for the guidance,” said Maj. Gen. Gregory Schumacher, the Army's assistant deputy chief of staff.
“Now that [the Cyber Command] is here, my sense is now is the right time to move forward,” Schumacher added. But he cautioned it will be important to “get guidance from Cyber Command” soon, in terms of “what are the definitions, what are the forces and the structure, and not get ahead of that and create more confusion.”
Schumacher, speaking at a cybersecurity conference held in Washington by the D.C. chapter of the Armed Forces Communications and Electronics Association June 25, noted that cyberspace has become a complex operating environment that requires increasingly sophisticated skills.
He described the environment as one with many layers — beginning at the individual level and moving through the cyber-persona layer, the network layer, a physical layer, and a geographic layer. It’s further complicated by the fact that a single site can be accessed by multiple users; or one individual can have multiple domains.
“We see cyber cuts across geographic domains, and raises the question of what kind of forces do we preset,” he said.
At the same time, it’s important to recognize that changes in the military’s network defenses can give away important operating clues to U.S. adversaries, said Maj. Gen. David Senty, acting vice commander, Air Force Cyberspace Command (Provisional), and commander, Air Force Network Operations, Barksdale Air Force Base.
“Network operations today [need to be] approached differently,” Senthy said. “When we make a network change, what are we telling our adversaries? And what might they conclude we’re changing? Everything we do, I want to know what fingerprints we’ve left,” he said.
Sentry, along with U.S. Navy Rear Adm. (Select) Sean Filipowski, raised the need to improve the cyber skills of the military’s workforce.
“We have two skills sets we’re looking for — expeditionary combat skills and cyber skills,” Sentry said. “It’s a jump ball whether we combine them, or they will remain separate.”
“We consider every sailor who touches a computer is a cyber-warfare (specialist),” said Filipowski, director, Computer Network Operations of the Naval Network Warfare Command.
“We need to have instantaneous visibility into our networks and a common operational picture,” he added.
“What keeps me up at night,” said Ray Letteer, representing the U.S. Marine Corps, “are poor browser and SQL database configurations.” he said. “My blue teams that do operational tests keep finding issues,” he said, pointing to peer-to-peer operating systems, people failing to follow policies, and the reliance on passwords as some of the many ways systems are easily breached.
“Phishing is becoming more sophisticated,” said Letteer, who heads the Marine Corps’ Information Assurance Division in the Office of the Director, C4/DON Deputy Chief Information Officer.
“But I’m really concerned with this rush to social networking,” he said. “I’m not convinced of it yet. I know how easy it is to gather information. We appreciate its importance for recruiting, but on the operational end, it has many risks,” he warned.
Letteer also argued that the use of advanced auditing tools as a means of defending military networks was little more than “perfume on a pig.”
“The implementation of cyber security is more than tools and boxes. The tools are useless without the people. Try as we might, we are all going to be subject to a user error in judgment,” he said. “That’s were accountability comes in. We have to be more comfortable to apply punishments with recalcitrant individuals who ignore the concerns and become a risk to my network,” he said.
Defining the skills and requirements to combat cyber threats will be an important first step for the new Cybercom, said Schumacher, even before the command tackles how to deal with reported shortages in cyber security experts.
Cyber Command will need to “articulate and define the skill sets--including some joint skill sets,” he said. “But they need to articulate specific mission skill sets as well, before we determine how many of what we need,” he said. What is actually required “is still fuzzy,” he said.
The panel's moderator, Lt. Gen. Harry Raduege (retired), co-chair of the CSIS Commission on Cybersecurity for the 44th Presidency, and chairman, Deloitte Center for Network Innovation, noted that the commission has been asked to prepare a Phase 2 plan for President Barack Obama’s Cyber Security Policy initiative, announced May 29.