Cyber Solutions Depend on Partnerships, Official Says

By Lisa Daniel
American Forces Press Service

July 8, 2010 - Defense Department officials are reaching throughout government and the private sector to lay the framework for long-term solutions in computer network security, the department's head of cyber policy said today.

Defense leaders have recognized the importance of cybersecurity, as noted in the Quadrennial Defense Review, by creating U.S. Cyber Command as a separate entity to handle the evolving issues around network security, Robert J. Butler, deputy assistant secretary of defense for cyber policy, said as part of a panel of speakers at a cybersecurity symposium sponsored by the Washington chapter of the Armed Forces Communications and Electronics Association.

AFCEA is a nonprofit membership association serving the military, government, industry and academia as a forum for advancing professional knowledge and relationships in communications, information technology, intelligence, and global security.

Solutions to managing cybersecurity demand the full partnership of the public and private sectors, Butler said, adding that private-sector Internet service providers are at the core of decisions about privacy versus security and technical know-how.

"You can't just do it with the federal sector," Butler said. "You have to have the ISPs and others who really understand the networks involved."

Retired Air Force Gen. Ronald E. Keys, a senior advisor at the Bipartisan Policy Center and a former commander of Air Combat Command, moderated the panel. He said the department had to stand up Cyber Command to coordinate both security and network capacity issues.

"The biggest issue in the military was we didn't know who the hell was on our networks" due to the massive numbers of military, civilian employee and contractor users, Keys said. He added that when a subordinate command within Air Combat Command became infected with a virus, he had the unit removed from the network until the problem was resolved. Such a shutdown isn't possible when private companies hold the authority, he noted.

"If I go to an ISP to kick someone off, and they do it, then they get sued," Keys said. "The question becomes how do we strip the proprietary and customer concerns off the information so we can share it?

"This thing is the Wild West out there," he added. "It's pick your dysfunction: government bureaucracy or the proprietary and profit motive."

Army Brig. Gen. John Davis, Cyber Command's director of current operations was on the panel. He said military leaders have to stay abreast of threats outside the department, since 90 percent of the department's networks run through private domains.

"We need to be cognizant about what's going on out there, because it has a direct effect on us," he said. "We are all connected in this business."

Education and awareness of cybersecurity issues are critical, Butler said, through training scenarios such as the government's "Cyber Shockwave" exercise held in February. A video synopsis of the exercise, shown at the symposium, depicted senior U.S. national security leaders reacting to an ongoing, large-scale cyber attack that left some 20 million Americans without cell phone use, and the eastern half of the country without electricity. Internet connectivity slowed to a crawl, disabling airlines, air traffic control, media outlets – nearly everything.

The meltdown purportedly was traced to a "bot," or virus attack, initiated from a smart phone in Russia. With senior leaders discussing the situation on a cable news network, the attorney general in the scenario said U.S. law did not give authority to quarantine cell phones, from which the virus was spreading. "We are in a solid, military response role," the scenario's homeland security secretary said.

Navy Rear Adm. Michael A. Brown, deputy assistant secretary for cybersecurity at the Homeland Security Department, said the success of Cyber Command rests on the Homeland Security Department's ability to provide security capabilities and capacity.

"We just cannot wait for an event to occur before we know how we're going to operate," Brown said. "The vast majority of our capabilities and capacity rests in the private sector."

Davis underscored the importance of cybersecurity to the military, noting Cyber Command is working to improve its ability to catch potential threats earlier.

"There is a lot at risk in the balance between being able to operate and connect with each other and our understanding of the vulnerabilities out there, and the growing threats.