Take-Aways from TTC's Military Cyber Security Conference
Recently, I had the opportunity to attend a multi-day conference in the Washington, DC area on the topic of Military Cyber Security hosted by the Technology Training Corporation. The topics that were covered ranged from the nature and degree of the threat to what military and other entities are doing to address the threat currently and what is needed going forward. Throughout the conference one thing became clear – while much has been done already . . . there is much more that needs doing and time is not on our side.
As you might expect, the conference agenda included presenters from Department of Defense (DoD), the service branches, Joint Forces Command, and others, but also presenting were representatives from the Department of Homeland Security and the Intelligence Community – including the Central Intelligence Agency and National Security Administration. Finally, the roster was rounded out with some White House advisory committee members and cyber-focused think tanks, education/awareness associations and vendors. Given the breadth and pace of the agenda kudos go out to Marcus Min and the TTC staff for conducting a very well-organized event.
While listening to and talking with the presenters and other attendees, several themes emerged. A few of the key topics and take-aways include:
- Changing Perceptions of Security – The creativity, persistence and resourcefulness of those attacking the cyber infrastructure effectively means that no defenses are full-proof, or ever will be. Your infrastructure will be penetrated at some point and striving to prevent that completely is a losing battle. Agencies need to adopt a risk management perspective to be ready, respond, and recover effectively from attack. Agencies also need to embed security at multiple levels of their organizations and infrastructures, including at the data level.
- Cyber Landscape is Changing – The explosion of social media, mobile technologies, and adoption of cloud computing has fundamentally changed the threat landscape. The rate of technology change has outpaced our security policy and approaches and that is the new status quo. These technologies, as well as sensor proliferation, will continue to explode the quantity of data available for attack and exploitation.
- Offensive Capabilities – Here the theme of “a good offense is your best defense” rings true. Taking some of the tools and tradecraft (e.g. penetration testing) that have their origin in cyber defense and turning them in an outward direction toward our adversaries can be an effective approach. There are several parallels here with strong deterrence through strong offensive capabilities. Some of the challenges include maturing the military rules of engagement (ROEs) and addressing the policies and legalities on what private infrastructure owners can do to self-protect.
- Military Cyber Workforce Development – There is much to be done to effectively train and equip military and civilian personnel for cyber defense, and warfare. The tradecraft has developed organically from various directions resulting in a very fragmented and narrowly-defined concept of cyber warrior based on each service branch’s individual needs and perspective. A more uniform and collaborative definition of the necessary skills and experience is needed to effectively build the workforce of the future.
- Presidential Executive Order (EO) – While there has been quite a bit of buzz in the federal trade press about the likelihood and content of an EO the general perspective among attendees and speakers was that any such release would not likely come before the November presidential election to avoid the appearance of being blatantly political. Some were doubtful it would be issued at all, given the opinion expressed by some in press accounts that what they’ve seen from the White House lacks real teeth.
- Cyber Legislation – The flurry of cyber security bills that were introduced in this Congress – some passing the House and dying in the Senate and some introduced in the Senate but not gaining enough support to move forward – are basically dead, but some of the ideas may be revived later. It is possible, although it seems unlikely, that a bill could get picked up in the lame duck session.
- Effective Cyber Policy – Numerous presenters cautioned against any legislation, policy or EO that would take a predominantly regulatory approach to cyber and critical infrastructure protection. One of the arguments is that the rapidly changing pace of technology and the constantly morphing nature of the threat mean that any regulations instituted by Congress or the White House would be outdated even before enactment and then tie the hands of agencies and companies to effectively respond.
Since information technology permeates almost every area of our personal and shared lives it seems less like hyperbole to say that cyber security has shaped up to be one of the defining issues of our time. Its prominence in the public mindset will only increase with each incident reported in the news. Those charged with providing for the common defense see the threat and are striving to meet the challenge.