By Cheryl Pellerin
DoD News, Defense Media Activity
WASHINGTON, March 6, 2015 – Over five years of U.S. Cyber
Command operations, global movement of threat activity through cyberspace has
blurred roles and relationships among government agencies, as well as between
the public and private sectors and the real and virtual worlds, the Cybercom
commander told a House panel.
Navy Adm. Michael S. Rogers testified March 4 before the
House Armed Services Committee on cyber operations and improving the military’s
cybersecurity posture.
“There is no Department of Defense solution to our
cybersecurity dilemmas,” Roger said in written testimony. “The global movement
of threat activity in and through cyberspace blurs the U.S. government’s
traditional understanding of how to address domestic and foreign military,
criminal and intelligence activities.”
Similarly, he said, the public and private sectors need each
other’s help.
Responding to Cyber Attacks
“The U.S. government, the states and the private sector
can’t defend their information systems on their own against the most powerful
cyber forces,” the admiral said.
“We saw in the recent hack of Sony Pictures Entertainment that
we have to be prepared to respond to cyber attacks with concerted actions
across the whole of government,” he added, “using our nation’s unique insights
and complete range of capabilities in cooperation with the private sector.”
Cyberspace is more than a challenging environment, Rogers
said.
“It is now part of virtually everything we in the U.S.
military do in all domains of the battle space and each of our lines of
effort,” he said. “There is hardly any meaningful distinction to be made now
between events in cyberspace and events in the physical world, as they are so
tightly linked.”
Cybercom is growing and operating at the same time, he said,
performing many tasks across a diverse and complex mission set.
Guarding DoD Networks
Three years ago, the command lacked capacity, Rogers said.
Today, new teams are guarding DoD networks and are prepared to help combatant
commands deny freedom of maneuver to adversaries in cyberspace, he added.
Cybercom’s Cyber Mission Force, or CMF, was formed to turn
strategy and plans into operational outcomes, the admiral said.
“With continued support from Congress, the administration
and the department,” Rogers said, “Cybercom and its service cyber components
are now about halfway through the force build for the CMF, [and] many of its
teams are generating capability today.”
He added, “We have a target of about 6,200 personnel in 133
teams, with the majority achieving at least initial operational capability by
the end of fiscal year 2016.”
Cybercom has been normalizing its operations in cyberspace,
he said, to provide an operational outlook and attitude to running the
department’s 7 million networked devices and 15,000 network enclaves.
Implementing the Joint Information Environment
The department’s legacy architecture, created during times
when security was not a core design element, is being transitioned to a more
secure and streamlined architecture that is part of what ultimately will be the
Joint Information Environment, or JIE.
“While the JIE is being implemented,” Rogers said, “our
concerns about our legacy architecture collectively have spurred the formation
of our new Joint Force Headquarters to defend the department’s information
networks.”
The Joint Force Headquarters recently achieved initial
operational capability, the admiral added, working at the Defense Information
Systems Agency under Rogers’ operational control at Cybercom. Its mission is to
oversee the day-to-day operation of DoD networks, he added, “and mount an
active defense of them, securing their key cyber terrain and being prepared to
neutralize any adversary who manages to bypass their perimeter defenses.”
Managing Risk
“It gets us closer to being able to manage risk on a
systemwide basis across DoD,” Rogers added, “balancing warfighter needs for
access to data and capabilities while maintaining the overall security of the
enterprise.”
The admiral said the new headquarters is a stopgap measure
while the department migrates its systems to a cloud architecture that’s more
secure and facilitates data sharing across the enterprise.
As network security has advanced, so has the maturity of the
cyber force, which has gained what Rogers called priceless experience in
cyberspace operations.
“That experience has given us something even more valuable
-- insight into how force is and can be employed in cyberspace. We have had the
equivalent of a close-in fight with an adversary that taught us how to maneuver
and gain the initiative that means the difference between victory and defeat,”
he explained.
Every Conflict Has a Cyber Dimension
Such insight is increasingly urgent, because every conflict
in the world has a cyber dimension, the admiral said, adding that the command
sees patterns in cyber hostilities that indicate four main trends:
-- Autocratic governments that view the open Internet as a
lethal threat to their regimes;
-- Ongoing campaigns to steal intellectual property;
-- Disruptions by a range of actors that range from
denial-of-service attacks and network traffic manipulation to the use of
destructive malware; and
-- States that develop capabilities and attain system access
for potential hostilities, perhaps with the idea of enhancing deterrence or as
a beachhead for future cyber sabotage.
“We believe potential adversaries might be leaving cyber
fingerprints on our critical infrastructure, partly to convey a message that
our homeland is at risk if tensions ever escalate toward military conflict,”
Rogers said.
Heartbleed and Shellshock
For instance, he told the House panel, “I can tell you in
some detail how Cybercom and our military partners dealt with the Heartbleed
and Shellshock vulnerabilities that emerged last year.”
The Heartbleed Bug is a serious vulnerability that allows
attackers to steal information, usually encrypted, that’s used to secure the
Internet for applications such as Web, e-mail and instant messaging, among
others. Attackers can eavesdrop on communications, steal data directly from the
services and users, and impersonate services and users.
Shellshock is a vulnerability that gives attackers the
ability to run remote commands on a system.
The admiral said these serious flaws inadvertently were left
in the software that millions of computers and networks in many nations depend
on.
Responsible developers discovered both security holes,
Rogers said. They kept their findings quiet and worked with trusted colleagues
to develop software patches that system administrators could use to get a jump
on those who read the same vulnerability announcements and devised ways to
identify and exploit unpatched computers, he said.
Checking for Vulnerabilities
“We at Cybercom and [the National Security Agency] learned
of Heartbleed and Shellshock at the same time that everyone else did,” the
admiral said.
Military networks are probed for vulnerabilities thousands
of times an hour, he added, so it wasn’t long before they detected new probes
checking their websites and systems for vulnerabilities.
“By this point, our mission partners had devised ways to
filter such probes before they touched our systems,” Rogers explained. “We were
sheltered while we pushed out patches across DoD networks and monitored
implementation,” directing administrators to start with the most vulnerable
systems.
“Thanks to the efforts we have made in recent years, our
responses … were comparatively quick, thorough and effective, and in both cases
they helped inform corresponding efforts on the civilian side of the federal
government,” the admiral added.
“We also know that other countries, including potential
adversaries, struggled to cope with the Heartbleed and Shellshock
vulnerabilities,” he noted.
Cyber Military Capabilities
Rogers said this operational approach must be built in many
more places.
“The nation’s government and critical infrastructure
networks are at risk as well,” he said, “and we are finding that computer
security is really an enterprisewide project.”
The admiral added, “We in the U.S. government and DoD must
continue learning and developing new skills and techniques … [and] the nation
must continue to commit time, effort and resources to building cyber military
capabilities.”
Posts
No comments:
Post a Comment