To Improve Cyber-Security, U.S. Needs Cohesive Public-Private Partnership
For the Pentagon, which operates 15,000 networks and owns more than a million computers, the risks are huge. Though Defense systems are attacked constantly — 5,000 times per day by some accounts, and scanned millions of times per day — these digital invasions are little reported.
Banks lose millions of dollars a year from cyberintrusions. Each bank averages one million probes per month. These, too, are little reported. The banks see this as a cost of doing business, and customers pay the cost in increased user fees. Manhattan District Attorney Cyrus Vance Jr. says, “The Internet is the crime scene of the 21st Century.”
For the typical PC user, the average security software package provides little insight into the true nature or danger of these attacks. And existing security software almost never protects against the average attack by a new virus; that protection almost always arrives only after many computers have been infected.
For the past three decades, the Pentagon’s modernization investments have been shifting from platforms to upgrades to sensors, communications and intelligence-collection enhancements — all dependent on secure, well-functioning networks. The theory is that existing platform capabilities coupled with these “information” enhancements will provide dominant capability for U.S. forces. Adequate cyber-security is an implicit assumption of this development strategy. It is also a critical assumption.
NDIA member companies recently put together a white paper on the necessity to better acquire and field cyber-capabilities. The paper focused first on the problems with existing processes. Currently, responsibility is highly distributed and the acquisition is unfocused.
Multiple, overlapping policy, governance, execution and reporting entities in Defense, Homeland Security, the Office of the Director of National Intelligence, the Energy Department, the Federal Energy Regulatory Commission (which promulgates requirements for the electrical grid) and other federal agencies inhibit effective cyber-protection. It is piecemeal and disjointed. The U.S. government is not taking full advantage of the investment that industry has already made in cyber-security.
Much capability has already been developed, but little emphasis has been placed on reuse and redeployment. Scant credit is given in procurements for already developed and embedded cyber-capability. Contract awards are often given for “technically compliant/lowest cost,” while “best value” criteria are less frequently encountered. State and local government entities must also be folded into a comprehensive program.
The nation must have a coherent acquisition approach, a cohesive strategy, and supporting legislation/regulation that recognizes and corrects the disconnects in organization and execution. There needs to be better integration through all government entities, laterally and vertically.
For all these reasons, there must be a much closer partnership between government and industry. This would promote a more robust understanding and definition of cyber-requirements, and better recognition and capitalization of the existing capability embedded in contractor-developed software.
The necessity to address vulnerabilities was recently recognized by Army Gen. Keith Alexander, commander of U.S. Cyber Command. He has said the Defense Department is not only vulnerable through its own systems, but also faces risks from systems owned and maintained by others that the government relies upon. “Our mission at Cyber Command includes not only the defense of our military networks, but also a role in guarding our nation’s defense industrial base,” he said. “More than 90 percent of our military’s energy is generated and distributed by the private sector and more than 80 percent of our logistics are transported by private companies.”
NDIA supports the development of a more cohesive acquisition strategy by government that encompasses a complete end-to-end solution, and that helps align R&D initiatives.
It would be helpful if legislation clearly encouraged partnerships and clearer acquisition strategies. This legislative focus should translate into federal acquisition regulations that emphasize best-value competitions. The legislation should also do more to bring the disparate elements of the federal government into a more coherent structure.
Finally, this area is ripe for more formal and rigorous education.
Interestingly, the 2011 National Defense Authorization Act has a section focusing on “Cyber Warfare, Cyber Security, and Related Matters.” It calls for the continuous prioritization of policies and standards under the National Institute of Standards and Technology Act. It directs the secretary of defense to develop a strategy for assuring the security of software and related applications, as well as a template for acquiring tools and applications. Required elements of such a strategy cover assurance, comparative assessments of offense/defense and potential adversaries, testing, infrastructure (facilities), remediation, research, innovation sharing, unproductive duplication, certification and accreditation.
By March 1, the secretary must submit a Defense Department “cyber warfare policy” report to Congress that addresses, among other elements, modeling and simulation tools to use in assurance and assessment activities. Significantly, the legislation also directs the secretary of defense to conduct, in coordination with DHS, a comparative assessment of critical infrastructure. This appears to be going in the right direction, but not all federal agencies are involved. More needs to be done.
In recognition of the issues at risk and their surpassing importance, NDIA is in the process of standing up a Cyber Division to give better industry focus to the many critical issues involved.