Cyber threats: We don’t know what we don’t know
“As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.”
— Defense Secretary Donald Rumsfeld, Feb. 12, 2002
Rumsfeld was known for his little ditties and there is a lot of room to question his wisdom on any number of things, but when it comes to the Unknown, he knew what he was talking about. And this pretty well describes the challenges facing contractors when they try to devise protection for U.S. government and private sector network systems that can be attacked via the Internet.
On July 4, as America celebrated its independence, one of the largest attacks against U.S. defense and defense contractor networks occurred.
Reports identified the culprits as China and North Korea. North Korea didn’t deny the accusation, as far as I know, but given the high tensions between the U.S. and the Hermit Kingdom, it wouldn’t be surprising if it did hack our networks; or it may wish to give the impression it did even if it didn’t. Ever sensitive, China immediately denied it was involved, but given China’s history of defense and industrial espionage, few believed it.
More recently there was a denial-of-service (DoS) attack on, of all things, Twitter and Facebook, social networks that wouldn’t appear at first glance to be obvious targets for a hack attack. But Tim McKnight, vice president and chief information security officer at Northrop Grumman Information Systems, said it was a serious event that has broad ramifications. It is reminiscent of the 1994 DoS attack against Amazon and an indication that there hasn’t been a lot of progress since then in preventing more DoS attacks. The Twitter and Facebook attacks demonstrate the ability to control commercial systems, McKnight said, but he cautioned that such an attack could be a diversionary effort or a trial run.
McKnight said the bigger threats right now are espionage and theft of intellectual property, the focus for the last 10 years. Companies and the government are also preparing for cyber attacks on stock exchanges.
“We are starting to see more signs of a cyberwarfare capability with Estonia and Georgia attacks where cyber is being used as a precursor to a battlefield attack,” McKnight said.
Although President Barack Obama has elevated cybersecurity to a national priority, and contractors are likewise expanding their efforts to provide it, McKnight believes it will take a disaster of a huge scale to truly get the attention of decision makers and the funding to make real progress.
Transforming Obama’s rhetoric to action through a balky and cranky Congress preoccupied with scoring political points on high-profile health care reform or economic issues will be difficult. Those issues resonate with voters more than an esoteric cyber-something that many might confuse with “Star Trek’s” Borgs. Getting the public’s — and Congress’ — attention may take what one corporate cyber official describes as a Hurricane Katrina or Pearl Harbor event: a cyber attack that shuts down the stock markets for an extended period or disrupts the international banking system along the lines of the feared millennium disruption that, fortunately, never occurred.
While both sides of the aisle in Congress seem content to engage in partisan wrangling, government agencies and the armed forces are alert to the dangers of hack attacks and are trying to do what they can with limited funding. So are industry leaders such as Northrop Grumman, Boeing, Lockheed Martin and Raytheon, which are among those actively engaged in devising security systems, creating cyberwarfare simulation centers and even creating educational programs to catch up, meet the current need and the future threats.
The task is enormous. Intuitively, whenever the words “the government” are involved, we know it’s big. Just how big is illustrated by Lockheed Martin as it describes the scope at just the Defense Department: There are 15,000 networks, 5 million users, 50 agencies within the Pentagon and150,000 leased circuits and satellite systems for global reach, said Charles Croom, vice president of cybersecurity solutions for Lockheed Martin Information Systems & Global Services.
Cybersecurity tasks don’t stop within the U.S. borders. U.S. ships at sea, troops abroad and U.S. facilities on foreign soil all require protection. The sheer volume of attacks on government systems increased exponentially, from 6 million in 2006 to more than 300 million in 2008, noted Dan Allen, sector vice president and general manager of Northrop Grumman’s Intelligence Systems Division.
Boeing Integrated Defense Systems works with the U.S. intelligence agencies, the Defense Department and the Homeland Security Department. Barbara Fast, the company’s vice president of cyber solutions, said the scope and importance of cybersecurity often transcend the fierce competition that traditionally exists among Boeing, Northrop Grumman, Lockheed Martin and Raytheon.
Fast said that after taking her job she learned the “endearing term ‘competimates,’” reflecting that one day the companies are competitors and the next day they become teammates in developing cybersecurity solutions. There is, she said, a sense of urgency among companies to be a part of the solution.
The intelligence community provides context to the global nature of cyber attacks, their origination and the threat levels that other government agencies cannot necessarily achieve, Fast said. This ability has to be part of a collaborative solution among the government networks and contractors, leading to the “competimate” approach.
Insider threats represent 25 percent to 40 percent of the challenges, said Steve Hawkins, vice president of information security solutions at Raytheon, which specializes in insider security. Insider security encompasses not only the spy we popularly envision for these sorts of things, but also the inadvertent and careless security breaches. Also, once an outsider successfully penetrates a network and goes undetected, the “outsider” becomes an “insider” who must be found and stopped, Hawkins said.
Raytheon developed systems that “sit” on the desktop computer and can monitor every keystroke, determine whether the computer has been disconnected from the network and whether any proprietary or secret data have been downloaded, and record all computer activity for playback.
To most unfamiliar with the special jargon of the cyberworld, cyber attack is usually associated with viruses, malware and worms. For the U.S. government, it’s far more sinister.
“First you hear the word ‘attack’ all the time — deny, destroy, destruct in Army parlance,” Croom said. “In the cyberworld, they are really doing espionage, at least with nation-states, to get information.”
The attackers are often intruders sending out scouts like an army, mapping networks and understanding where devices are and how they can get in. Once in, the probe could go undetected for hours, days, even months.
As with any attacks on computers, those on U.S. government systems are constantly changing and increasing in number. New attacks have to be identified, analyzed and the source traced — if possible — and often the intruders might not even been recognized until well after a successful entry into a network.
“We don’t know what we don’t know,” Croom said, echong Rumsfeld.
Croom said cyberwar games at Lockheed Martin and other contractors aim to find out what we don’t know. At Nellis Air Force Base in Nevada, there is a free-fire zone to allow airplanes to conduct a friendly war. The cyberwar games are based on the same concept, with offensive and defensive teams trying to breach and defend the networks.
Croom said phishing, something the consumer is familiar with, remains a huge threat to the government computers. Consumer products are “point solutions” that depend on individually automated or user-initiated updates. Lockheed Martin’s goal is to have a network automated system that is integrated with the millions of endpoints so protection is universal and consistent. “Consumer products are part of this network, adding to the complexities of integrated solutions Lockheed Martin and other systems integrators are providing the military,” he said.
Northrop Grumman’s Dan Allen, sector vice president and general manager of the Intelligence Systems Division, puts the global challenge in perspective, from the simple use of BlackBerry wireless devices to the need to protect the networks for the troops in the field.
Systems have to be fully operational and contain the threat spectrum whether at home or overseas, Allen said. Field troops during the Cold War required communications systems that had antijam features and encryption. In the modern world, these still exist, but the trend is more toward Internet Protocol-based systems.
Along with the technological challenges of cybersecurity, there is a shortfall of talent to tackle the issues. A Booz Allen Hamilton study goes into great detail about this issue.
McKnight outlines it this way: “We are not turning out the number of people we need in science, technology and math. We are seeing the best way to do that is to work with the universities. The National Science Foundation is providing funding, but this is not a Sputnik-type of event where everyone is going to run off [and work on this]. At Northrop, we’re going to universities in Small Town, USA, to grow the next generation of security thinker.
“A focused program with government money will be key to this,” Allen added. Corporations must step up. “Our country will not survive if we don’t have the competitive thought leadership we had in last 60 years. This has to be raised up to a national level, with public service announcements. This will need to be a 10- to 20-year planned effort to grow the talent.”
Alarmingly, Allen points out that China’s school curriculum includes exploitation of networks.
Raytheon is diving into supporting education even earlier, going to seventh- and eighth-grade classrooms to interest students in cybersecurity.
The underlying problem across engineering schools, Raytheon’s Hawkins said, is that there are about 225,000 graduates a year, but four years from now, 400,000 a year will be needed. In the near term, Raytheon is hiring and training software and systems engineers to specialize in cybersecurity.
“What we’ve seen is, when students hit seventh/eighth grade, they lose interest in math and sciences. We’re trying to keep that interest level up,” he said. “We’ve touched just over 700,000 students and teachers over the past several years. We have to fix this at the origin.”
Fast said Boeing is also reaching out to high school students to encourage them to pursue degrees in math, science and engineering that are necessary for cybersecurity. But Fast also said Congress, decision makers and the public need to be educated about the risks to national and economic security.
SCOTT HAMILTON is a consultant with Leeham Co. www.leeham.net.