Op-ed: Hagel's Gospel on Defending Networks

When Defense Secretary Chuck Hagel’s plane landed at Joint Base Pearl Harbor-Hickam in Honolulu in late May on his way to meet with leaders of the U.S. Pacific Command, he met with troops and warned of one of the United States’ greatest enemies: hackers. He preached about the need for a “rules of the road” gospel covering all cyber activities -- especially when it comes to threats from China.

“Cyber threats are real,” he said. “They’re terribly dangerous.”

May was a sobering month in terms of cybersecurity.

After The Washington Post reported Chinese hacking attacks on an extraordinary range of weapons systems, Defense Department officials took the equally extraordinary step of saying the Pentagon has full confidence that U.S. weapons programs are “secure and reliable.” But, the article noted, a 2012 Senate Armed Services Committee investigation found as many as 1 million individual counterfeit parts are embedded in military aircraft.

The Post article also cited chilling revelations from an analysis by the Defense Science Board, a group of civilian advisers to the Pentagon. The board concluded the Defense Department has hardened its networks and large prime contractors are moving in that direction under Pentagon guidance, but subcontractors in the supply chain have not taken the necessary steps to detect and protect. These smaller suppliers have found defensive measures are “increasingly expensive and decreasingly effective,” the report said.

Even if subcontractors shore up network security, what are other nations and their defense contractors doing to protect their data?

Earlier in May, the Defense Department sent a report to Congress saying the Chinese government appeared to be using cyber espionage to modernize its military.

If that were not enough, the Commission on the Theft of American Intellectual Property cited China as the world’s largest source of proprietary data theft in a report by retired Adm. Dennis C. Blair, former director of national intelligence, and Jon M. Huntsman Jr., former ambassador to China, the panel's co-chairmen.  

“Nearly every U.S. business sector -- advanced materials, electronics, pharmaceuticals and biotech, chemicals, aerospace, heavy equipment, autos, home products, software and defense systems -- has experienced massive theft and illicit reproduction,” Blair and Huntsman said in an op-ed the day before the report was released. “So far, our national response to this crisis has been weak and disjointed.”

The U.S. government is certainly throwing taxpayer dollars into cyber initiatives.

The Pentagon is seeking $4.7 billion in its fiscal 2014 budget request to “defend networks, degrade adversary cyber capabilities and support defense of national infrastructure.” Defense officials have pledged to work more closely with civil authorities and internally with the National Security Agency and Cyber Command, which is pushing to elevate its status to that of a combatant command.

The $800 million increase in cyber budgeting will go largely to train and develop 40 mission teams, 25 direct support teams and 68 protection teams to assist the Homeland Security Department in securing federal and critical commercial systems by 2016, according to budget documents.

How it is all going to work is another thing.

“You can’t defend everything,” even inside the Pentagon, Franklin Kendall, a former undersecretary of Defense, told attendees at a recent Joint Warfighting Symposium in Virginia Beach, Va. He said the emphasis has been on building offensive cyber capabilities, which has implications in the private sector as well.

Collateral damage is the biggest challenge, Vice Adm. Robert Parker, the Coast Guard’s Atlantic Area commander, said at the symposium. “You just don’t know what happens downstream when the military goes on the offensive,” he said.

More intriguingly, Parker raised the issue of whether the armed services should “have a role in escorting data” in a 21st century version of the World War II convoys carrying materiel and troops to Europe. He said that is a possible niche that Homeland Security, which includes the Coast Guard, and Cyber Command could develop.

A far more perplexing debate is surfacing in the private sector, according to Kendall. “Should a company have the right to self-defense?” he asked, raising the question of how far organizations should go to defend themselves. This is the murkiest quandary hiding in a swamp of risks.

The intellectual property commission warned against retaliation against hackers in the private sector, even if companies are attempting to take back what is rightfully theirs. “An action against a hacker designed to recover a stolen information file or to degrade or damage the computer system of a hacker might degrade or damage the computer or network of an innocent third party,” Blair and Huntsman said in their report.

During his stop in Hawaii, Hagel said: “Another very important component to this is our allies and our partners, because we live in a world -- and you all know this -- where one country's just not big enough, strong enough, good enough, wealthy enough to handle it all. We can't do it, especially cyber. And cyber is one of those quiet, deadly, insidious unknowns you can't see, it's in the ether. It's not one big navy sailing into a port or one big army crossing a border or squadrons of fighter planes crossing a border. This is a very difficult, but real and dangerous threat. And there's no higher priority for our country than this issue.”

On his way to the NATO ministerial meeting in Brussels and in Singapore, where he met with Chinese military officials, the Defense chief pledged to make cyber his highest priority. President Obama also raised cyber espionage issues with Chinese President Xi Jinping during their recent talks in California.

Engaging the Chinese is a start. Working with allies, hardening networks and passing laws qualifying who can do what and when in cyberspace also are essential. Such initiatives will lead to those critical rules of the road, but getting there will not be easy.

John Grady, retired director of communications for the Association of the United States Army, writes about defense and national security.
