Protecting Government Against Cyber Crime: a Q&A

Government Executive Media Group co-hosted two recent briefings with the SANS Institute on the subjects of "Cybersecurity: The Role of Congress" and "The U.S. Navy's Cyber Fleet: Protecting America's Information." Attendees had several questions about the subjects that the speakers could not answer in their allotted time. Alan Paller, director of research at the SANS Institute, and Tim Clark, Editor at Large of Government Executive, agreed to address some of the questions.

Audience questions from "The U.S. Navy's Cyber Fleet: Protecting America's Information," featuring Vice Admiral Barry McCullough:

The organizations that pose cyber threats can be similar to terrorists, in that they are networked and highly adaptable. How can U.S. cyber organizations avoid becoming fixed bureaucracies and keep up with the rate of change in tactics and methods?

We live in a complex, bureaucratized government, and the best we can hope for is (a) development of a superior talent pool, and (b) development of clear lines of authority and a healthy culture of cooperation.

Federal agencies that fight cyber threats need to be agile and should be able to respond to threats in real time. Last week, Vice Admiral McCullough said the military lacks an adequate real-time picture of its IT networks, and he discussed the need for continuous monitoring of military networks.

Is there a need for a new service to concentrate solely on cyber operations?

No. Vice Admiral McCullough said that each of the armed services is working to develop a command that can support the Defense Department's U.S. Cyber Command. The U.S. Cyber Command will be stronger with support from, and coordination across, the services than it would be if a new service were developed.

Audience questions from "Cybersecurity: The Role of Congress," featuring Rep. Mike McCaul, R-Texas:

Is the current federal move to the cloud a good idea? Is there anything Congress should do in response?

Yes. Congress should encourage the move, while monitoring its security implications. But it is also important to keep these questions on the front burner. As Congressman McCaul said earlier this month, people lack interest in technology issues that are difficult to understand, even when those issues are vital to national security.

Federal IT experts and practitioners should constantly revisit questions about cloud security, even while transitioning their agencies to the cloud.

Who (or what government agencies) should have offensive capabilities in cyber?

Giving the secretary of Defense and the president this authority seems to make the most sense, given the similarities between cyberwar and "real" war. But there are a lot of overlapping jurisdictions in this area. And as Rep. McCaul discussed, the authority to direct offensive capabilities in cyberspace won't carry real weight until that person (or those people) have budgeting authority.

How does the growing interest in and use of Web 2.0 impact the ability to protect critical infrastructure?

Web 2.0 and social networking provide services that our men and women in uniform rely upon to stay connected to their families. In addition, they offer means of communication that are potentially of value to the military in other settings. The challenge is to deliver those benefits without allowing them to open new holes in our defenses. The quest for more security is being waged on two fronts: (1) building more "private" versions of the technologies that limit access to authorized people and (2) ensuring people don't use the implied trust of the social network to disclose potentially damaging information. Steady progress is being made on both fronts.

There are differences between cyber defenses and cyber warfare. Do you believe the time has come for the U.S. to "weaponize" its approach to cybersecurity?

Yes, cyber needs to be approached with the same discipline as our complex weapons systems. And it is very important to keep in mind the differences between cyberwar, cyber defense, cyber espionage, etc., as it will inform how we allocate funding and authority for cyber-related issues.