Confused, dysfunctional, incoherent.
These words have been used often to describe the nation’s ever-evolving approach to cybersecurity. The White House, Defense Department, Department of Homeland Security and other agencies have gone back and forth with each other and industry about ethics, authorities and responsibilities when it comes to protecting government and private networks. The questions of who does what, when and how are still being debated.
The answers may come easier as more of those in charge head back to school for an education in information and power.
“It’s very hard for senior leaders to make policy . . . without context or understanding,” said Sam Liles, professor of cyber-integration and information operations at National Defense University’s iCollege, the largest of five schools on the Fort McNair campus in southwest Washington, D.C. “It’s hard to unite doctrine and policy when the technology is evolving so quickly.”
Military and civilian leaders often speak of deficiencies in the cybersecurity work force, primarily referring to those with enough computer prowess to serve on the front lines of network defense. Less attention has been given to the gap in knowledge that exists among the senior leadership trying to carve out policies and strategies under which the government’s “cyberwarriors” must operate.
The iCollege, also known as the Information Resources Management College, is working to fill this gap, which exists partly because the technical experts don’t often rise to leadership positions, professors said. The school offers about 200 graduate-level courses to mid- and senior-level military officers and civilian staff from the Defense Department and across the federal government.
“When you say ‘cyber’ people think security,” said Robert Childs, chancellor of the iCollege. “But it’s so much more than that.”
Leaders come here to become students of information, he said. They learn what it means to protect it, exploit it and use it as a weapon of war. In small soundproof rooms, they brainstorm big ideas about how to stop adversaries from infiltrating their computer networks, what to do about determined hackers who may have the support of an entire nation behind them and other problems that confront military and civilian leaders in the information age.
A pair of researchers from the University of South Florida recently found a noticeable knowledge gap between local government information technology professionals and their superiors while conducting a statewide survey. The results of the survey, published in the Journal of Homeland Security and Emergency Management, showed that it would probably take a serious event before municipalities redirected resources and attention to matters of cybersecurity. Critics similarly have said it may take a “digital Pearl Harbor” for the military and the rest of the federal government to develop a more effective approach to cybersecurity.
Pentagon officials have said part of the problem is that those trying to come up with policies and strategies often don’t understand the nuances of cyberspace. The iCollege’s professors aim to create an environment for chief information officers, their staffs and the IT work force that will lead to clear policy and doctrine.
“Cyber is such a wicked problem,” said Air Force Capt. Rich Cespiva, a professor in cyber-integration and information operations at the iCollege. “We show them the art of the possible in terms of real-life things that can be affected by [information technology].”
Professors here deliver lessons to service members at the rank of major and above and to civilian employees at equivalent grade levels. About 70 percent of the iCollege’s enrollment comes from the Defense Department. The rest are from other agencies, including DHS, the State Department, Transportation Department and the FBI. Even departments such as Energy, Agriculture and Housing and Urban Development send officials, as well as the IRS and Congress. A smaller number of students from international and private organizations also attend classes.
The mix of perspectives is necessary, Childs said. Officials from Cyber Command are tasked with defending the dot-mil network, but DHS has responsibility for the dot-gov network. And IT and personnel are two of the biggest expenditures of any government agency, he said.
The typical class may see students attending virtually from around the world, from someone on a ship in the Pacific to acquisition personnel in Alabama. Courses also have been offered on site at U.S. Pacific Command, European Command, Central Command and Special Operations Command.
“You don’t have to be a technical expert to take the classes,” Childs said. “The things we teach here any leader needs to know.”
Some students arrive to take courses on assignment and have no clue about what they want to gain from the experience, professors said. They have heard about the hacking group Anonymous and have seen news stories about companies having information stolen by those who infiltrate their networks. They come with this basic framework, but “they leave with a heck of a lot more,” Cespiva said.
The uninitiated interact with classmates who already have a solid understanding of the issues.
“I have some students who are cyberwarriors literally,” said Dan Kuehl, who teaches courses on cyberwarfare, cybersecurity and national security. “These are people who have been within Air Force organizations or people at U.S. Cybercom already doing this. I also have people from the State Department, people from DHS, and people who don’t know how to spell [cybersecurity].”
Occasionally, a student will know more about specific data and details than the professor. Kuehl recently turned his lecture time over to a service member whose unit actually carried out an operation the class happened to be discussing.
“We’re not talking about how to fly an airplane,” Kuehl said. “We’re talking about what this stuff means in big-scale warfare.”
It’s about command and control, authorities and responsibilities, he explained. It’s about determining the proper role for the Defense Department in terms of protecting and safeguarding systems. In many ways, the Internet is a radically different domain than what the Pentagon is used to.
For example, the military defends the headquarters of a company such as Verizon in kinetic ways against the threat of other air forces. But that model doesn’t hold true in cyberspace, where the private sector is more protective of its property, in this case its networks. Still, the military depends greatly on operating within those networks and has an interest in keeping them secure, Kuehl said.
The discussion of roles is ongoing, as are the esoteric theoretical debates. Answers have been slow to emerge.
“It’s not just about using bits and parts and trons to do something,” Kuehl said. “It’s about, ‘What are you trying to do?’”
The digital battlefield is a confusing place, professors said. An all-out war on the Internet may seem like a controlled event, but that is far from the truth, they wrote in a recent paper. A scenario would most likely combine classic information operations as well as offensive tactics such as denials of service, data exfiltrations and even attacks against infrastructures. Kuehl and his students often discuss issues like what would happen when the theater of operations expands to include “patriotic hackers” — ordinary citizens and others with technical know-how who take it upon themselves to join the fight.
There are two general problems regarding information operations — one deals with policy and priority, and the other has to do with technical wizardry. Leaders must be able to play “the shadow game” and figure out what is real and what isn’t, said professor Bob Miller. He and other faculty don’t give students all of the information they would need to carry out real-world attacks, but they supply them with enough understanding to make intelligent decisions, he said.
Students do receive lessons in how to scan networks and crack passwords to explore vulnerabilities. “We show them, ‘This is how you secure it, this is how you break it,’” Liles said. But the iCollege isn’t interested in turning leaders into hackers.
“When senior leaders take our courses they are exposed to many levels of information technology — chief information officer, chief financial officer, cyber-oriented education and more,” said Jolly Sienda, spokesperson for the iCollege. “Students do not leave here knowing how to construct a dirty bomb, bring down an electrical grid system, pollute the water infrastructure and more.”
She added: “They leave here with a greater understanding and knowledge about these areas . . . and a higher level of awareness about the what-ifs and what they can do as leaders to plan, mitigate and react to situations should they occur.”
Some of those situations may involve critical infrastructure. Professors said the average person would be terrified to find out how much information on critical U.S. infrastructure is available to anyone looking for it.
Twenty years ago, a security violation meant putting a floppy disk up on a refrigerator with a magnet, said John Saunders, who teaches courses on supervisory control and data acquisition (SCADA), critical infrastructure protection and cyber. Now, in the age of Wikileaks, mobile devices and constant hacking, leaders have to understand vulnerabilities related to the banking system, the electric grid, water sources, ports and other infrastructure. Systems such as traffic lights may seem simple, but they are now hooked through network operation centers to regulate traffic flow and are therefore vulnerable to adversaries.
In the SCADA lab, Saunders uses a case study about a fictional place called the Moby Industrial Facility to teach students about systems for monitoring and controlling the flow of electricity, water, gas and transportation. He also shows them a video of a Dutch hacker using an iPhone to turn off the lights in downtown skyscrapers. He reminds them that a control system failure in 2009 caused two Washington, D.C. subway trains to collide, a mishap that killed nine people.
The classroom contains models of infrastructure systems, including a water pump system and a drawbridge. The devices operate the way they would out in the real world, Saunders said as he hacked into and turned off the pump system with just a few clicks.
“It’s not really as easy as it seems, but it’s do-able,” Miller said.
Saunders said his classes attract colonels and lieutenant colonels who have been away from the keyboard for some time. He teaches them about SQL (structured query language) attacks, in which hackers use code to gain access to websites and manipulate databases. He explains the workings of programmable logic controllers, which essentially are boxes that can be conditioned to carry out specific functions for a machine or automated system. Students take field trips to gas and power companies to learn about their processes. They write papers on port security and the control systems in an F-35 Joint Strike Fighter.
Professors want leaders to take these details and begin to think about information as a projection of national power.
“There has been an increased focus on information as an element of national power rather than information as a tool,” said Dan Ryan, who teaches courses on cyberlaw, information integration and information operations.
The ultimate standard hasn’t changed since Genghis Khan.
“Whoever has the most information wins,” he said.