[Infowarrior] - Cyber Chief Issues Call For Action -- Not More Talk; Alexander Outlines Who Does What

Richard Forno rforno at infowarrior.org
Sat Nov 10 09:38:27 CST 2012


AOL Defense
November 8, 2012

Cyber Chief Issues Call For Action -- Not More Talk; Alexander Outlines Who
Does What

By Henry Kenyon and Wyatt Kash

http://defense.aol.com/2012/11/08/cyber-chief-issues-call-for-action-not-more-talk-alexander-o/

WASHINGTON: The nation's top military cyber commander offered his version of
how government and military agencies are likely to work together when
America suffers cyber attacks, and warned that industry needs to take a
greater role.

"We have laid out lanes of the road," Gen. Keith Alexander, commander of
Cyber Command and director of the National Security Agency, said, sketching
them out in broad terms for an audience of security professionals yesterday
at a symposium sponsored by Symantec here.

The issue, he said, is "when and what does the Department of Homeland
Security, the FBI, U.S. Cyber Command, and NSA do to defend the country from
cyber attacks."

According to Alexander:

The NSA would be responsible for foreign intelligence and detecting enemies
overseas while Cyber Command would be called in if there was a direct cyber
attack on U.S. infrastructure, Alexander said.

DHS would take the lead domestically, setting standards and regulations to
follow, and serving as first responder, said Alexander.

Most importantly, the process must be transparent and it must be headed by a
civilian agency such as the DHS. "They are the public face," he said. "This
is a job for all of us, and we need to help DHS get there," he said.

The FBI, meanwhile, would be responsible for investigations and in particular
the issue of attribution, which remains one of the thorniest aspects of
responding to cyber attacks.

Those roles, and the tangle of authority issues behind them, appear to be
falling into place after years of discussion about the best ways to tie
together all of the different civilian and military agencies to handle a
crisis in cyberspace.

But Alexander also stressed the importance for industry, government and even
the Defense Department to take more robust steps to develop "defensible
architectures" in order to secure their networks.

Virtually every major corporation in America, and around the world –
"Everybody is getting hit" – by cyber exploitations, Alexander told the
audience. And he warned that the attacks are becoming "not only disruptive,
but destructive."

Alexander noted the difficulties the Defense Department has in protecting
its own networks. The Pentagon currently has some 15,000 network enclaves,
each with its own equipment and administrators. Even with ongoing
consolidation efforts, the sheer size of the organization means that there
are plenty of chinks in its armor.

"The DoD network is not defensible, per se," he stated soberly. "We are
defending it," but the number of separate systems makes it practically
impossible to keep every system up to date.

Too much time has been spent talking about how to make computer
networks safer, and what roles the government, the military and industry
should play in countering the rise of cyber crime, intellectual property
theft and the growing threat of attacks on the nation's infrastructure, said
Alexander.

If proper security measures aren't in place, a major attack, such as the one
that disabled thousands of computers inside Saudi Arabia's national oil
company, would not only result in large-scale damage, but could
inadvertently cause governments to react -- and probably do the wrong
thing, he said.

Because most of the country's computer and communications infrastructure is
privately owned, much of the responsibility for protection lies with the
commercial sector. Although some sectors, such as finance, have very good
security, most companies don't follow basic security measures, either out of
ignorance or uncertainty, Alexander said. This opens vast parts of the
economy to attack.

Alexander pointed to the SANS 20 Critical Security Controls, developed by a
consortium of security organizations, including NSA, US-CERT, the Defense
Department and the Center for Strategic and International Studies. Those
standards, said Alexander, should be a minimum that corporations and
critical infrastructure providers should have in place. Then
resources could be concentrated on the gaps determined hackers look to
exploit.

Recent attempts to craft comprehensive legislation to require corporations
to follow basic, agreed-upon cyber security measures have met resistance,
most notably from the Chamber of Commerce, which is afraid of costly and
intrusive federal regulations and requirements.

Stymied, the White House is readying an Executive Order establishing a
voluntary program that firms, such as power companies, can join to share
critical information with the government in case they are attacked.
Congressional staffers at the conference said that politics were a major
reason for holding up cybersecurity legislation and with the election over,
there should be few roadblocks next year. Others have urged the Office of
Management and Budget to take greater action with agencies.

Alexander recently reached out to the business community and in his speech
today he stressed that the public and private sectors must work together to
secure the national infrastructure.

There has been some progress on the government side of things. Alexander
noted that there is a focus on several critical areas: people, command and
control, defensible architectures and authority. Intelligence organizations
like the NSA work hard to attract the best and brightest to man their cyber
operations branches. The government is also putting a lot of effort into
retaining and training them.

One potential solution is to adopt a virtual cloud model supporting many
mobile users, Alexander said. But instead of just developing these
technologies in-house, the government needs to reach out to the software
development community.

For example, he noted that the NSA developed Accumulo, a cloud-based system
with a real-time security layer. The agency then put the software out to the
open source community to improve it. Alexander calls this the "Tom Sawyer"
method: getting lots of other developers to help work on a problem, like Mark
Twain's character getting help to paint a fence.


---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.


