Four Critical Priorities for USCYBERCOM
UPDATE: Be sure to attend our Cyber Security webcast and check out our cyber security testing capabilities and our resiliency testing paper.
"Cyberspace and its associated technologies offer unprecedented opportunities to the United States and are vital to our Nation's security and, by extension, to all aspects of military operations. Yet our increasing dependency on cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new element of risk to our national security."
--Secretary of Defense, Robert Gates
During most of the past year, military and cybersecurity experts have been calling for the creation of a cyber command within the Department of Defense (DoD). On June 23rd Secretary Robert Gates' memorandum established U.S. Cyber Command (USCYBERCOM) to address the current risks and "secure freedom of action in cyberspace". The announcement was met with much fanfare from the defense community, but simply announcing USCYBERCOM is the easy part. Actually building the command center is the real challenge.
The next step is to deliver a USCYBERCOM implementation plan for approval by September 1, 2009, and there is much speculation about what will be included in the plan. What are the top priorities for securing our nation's private and public cyber infrastructure? Who or what are the greatest threats? Which approach offers the greatest protection? How will the various departments and countries work together?
During a week in which we witnessed one of the more high-profile cyber attacks against government networks, I set out to get answers to those questions. It became clear that there are at least four top priorities for USCYBERCOM to consider before the September 1st deadline:
- Establish buy-in throughout government agencies to ensure they are working together.
- Properly define the USCYBERCOM mission including establishing a set of manageable priorities.
- Identify and prioritize network vulnerabilities while establishing a set of security standards.
- Create a cyber SWAT team to act as first responders in the event of an attack and to deploy measures to thwart escalating attacks.
1) Secure Buy-In for USCYBERCOM
The lack of buy-in across government agencies has for decades been the single biggest threat to our nation's security. This is why, before USCYBERCOM can establish itself and its initiatives, it must establish intra-government support to ensure the various government agencies are working together, not against one another. This support is a critical factor in getting USCYBERCOM up and running, and will be necessary for the success of the cyber SWAT team (#4 on the list).
Ken Pappas, the Vice President of Marketing and Security Strategist for Top Layer Security, has spoken with many government groups about this challenge and believes that the most difficult objective for USCYBERCOM is not implementing security measures, but rather gaining the support and trust of all agencies that will be affected by it. This is why Pappas proposes that USCYBERCOM's first objective should be to win the support of all agencies and have them become stakeholders in the plan, as well as in the execution, monitoring and success of the new command.
Securing buy-in for USCYBERCOM is certainly already underway through meetings with DHS, NSA, intelligence agencies, the military branches and more. Together, these groups will establish a "state of the cyber union", helping to determine what is already happening, where different parts fit and what elements are the most important. Working together now towards buy-in leads to a clear picture of what is needed and helps define the mission for USCYBERCOM.
2) Establish USCYBERCOM's Mission and Priorities
Avi Deitcher, the founder of Atomic Inc., recognizes the importance of establishing a clear vision, because without it USCYBERCOM will fail: "In the words of Frederick the Great, he who defends everything, defends nothing." It is imperative that USCYBERCOM properly defines its mission and, within that mission, outlines the priorities of the command.
The challenge, of course, is that a top priority for DHS might not be priority number one for DoD. Certainly some of this will be resolved through the buy-in phase, but there will be issues no matter how coordinated the different agencies become. A critical part of establishing the mission will be the people who are chosen to lead USCYBERCOM in the trenches. In fact, Pappas argues that people are the key to the success of the mission: "First selecting the right people to undertake this task should come before anything else. Then comes the vision, then strategy on how to execute, then funding."
People are going to be a key element for USCYBERCOM, but without a clear mission these people will be set up to fail and the set goals will not be achieved. Pappas continued, "What is the goal? I don't think anyone has figured this out yet. Hence a vision needs to be made and bought in. What are we protecting and from whom?" With the vision, mission, and people in place, it will be time to identify exactly what needs protecting.
3) Identify Network Vulnerabilities and Set Security Standards
During the buy-in phase there will be knowledge gathered to identify network vulnerabilities, but that will merely scratch the surface. Creating a clear picture of all network vulnerabilities will help USCYBERCOM set priorities. Fortunately, this is an area where the government can use technology. Resiliency testing provides a first step in identifying the weak spots within a network by hitting devices with realistic application traffic, up-to-date security attacks and line-rate throughput. Testing in this manner reveals the flaws of network equipment, even taking into consideration DDoS attacks, botnets, application fuzzing and more.
Once you perform this level of testing, priorities will become readily apparent. Additionally, resiliency testing of new equipment before it is deployed sets a "cyber security standard". There are so many different networks, and so many disparate security initiatives to protect them, that the "cracks" may be quite large; any testing standard introduced helps create a safety net under those cracks in the system.
Mixing in a standard, within an overlapping set of cyber security initiatives, is a smart strategy for net-centric defense and beyond. Mr. Pappas notes, "If this [separate agency cyber security initiatives] is how it is starting out, then each agency is going to have its own mini cyber command and disparate systems once more. This is common within US Government agencies. One of the good things that comes out of this however is that the hackers cannot use the same tactics to gain access to ALL agencies. So following a 'standard' for all agencies might not be a bad strategy."
Having each government network uphold a baseline set of standards will be important in order to act across these networks during an attack. If each has met a set of security standards, USCYBERCOM will have an easier time responding to and preventing attacks. Knowing that each piece of equipment has been resiliency tested under approved standards will immediately tell USCYBERCOM, or any cyber security initiative, where the potential holes live and how to route services so they come back up faster, and will allow it to respond quickly enough to avoid permanent damage to any net-centric infrastructure. As the government takes the lead in setting standards to improve the resiliency of network equipment, private enterprise will benefit by having access to far more resilient, high-performance equipment.
4) Create a Cyber SWAT Team
Once buy-in, vision, priorities and standards have been established, it is important to act quickly in establishing a team of first responders in the event of a massive cyber attack. Mr. Deitcher was clear about what he would advise: a crisis center. "Put in place a team that coordinates a response to all attacks and breaches. It is acceptable, and may even be preferable, that each department and/or area has its own team with its own priorities. However, when an attack does come in, it is crucial that a central "SWAT" team be apprised of it."
This becomes increasingly important, as Deitcher points out, when an attack occurs on a government agency that might not have the necessary cyber security expertise but needs to stop the attack and prevent it from hitting other agencies. USCYBERCOM, if built correctly, can certainly be the center point for this cyber SWAT team, helping to monitor for attacks and taking action across departments when an attack occurs. Additionally, if resiliency testing standards have been applied, USCYBERCOM can more quickly respond to and end any attack.
Conclusion
USCYBERCOM has an enormous challenge ahead of it, and here we have only provided four of the most important recommendations. However, at the end of the day, this still all comes back to people, as most things do when you are talking about network security. This fact struck home while talking with Mr. Deitcher, who succinctly stated that the most pertinent cyber threat to the United States today is incompetence.
USCYBERCOM can help eliminate this threat of incompetence by establishing buy-in throughout the government, establishing a clear vision, identifying vulnerabilities through resiliency testing and creating a cyber SWAT team. It will be interesting to see what is presented to Secretary Gates in just eight weeks.