[liberationtech] West Point Senior Conference on Cyber Security, 3-5 Jun 2012 - CONFERENCE REPORT
Yosem Companys
companys at stanford.edu
Fri Sep 14 10:56:41 PDT 2012
SENIOR CONFERENCE XLIX
America's Prosperity and Security in a Networked World: Challenges and
Prospects
West Point, New York
3-5 June 2012
Conference Report
The United States Military Academy (USMA) Senior Conference is an annual
event run by the Department of Social Sciences on behalf of the
Superintendent, USMA. The conference provides a forum for distinguished
representatives--from the private sector, government, academia, the
think-tank community, and the joint military services--to discuss topics of
national security importance.
This year's Senior Conference, the forty-ninth gathering, examined the
implications of the dependence of the United States on cyberspace. The
conference consisted of six plenary sessions and four keynote addresses.
All presentations and subsequent discussions occurred on a
not-forattribution basis. For this reason, this summary report outlines
main ideas expressed during the event, but does not attribute these ideas
to specific individuals or organizations. The one exception is the
opening keynote address. Since Senator Sheldon Whitehouse publicly
released
the text of his opening remarks, his speech is included here in its
entirety in Appendix A.
We would like to thank all of the individuals who participated in the
conference (whose names are listed at Appendix B) for their insight,
participation, and active involvement in addressing the challenging issues
of cyberspace. Additionally, the conference was made possible through
a partnership with U.S. Cyber Command and by the generous support of the
USMA Association of Graduates.
This Conference Report was prepared under the direction of Colonel Suzanne
Nielsen, the Academy Professor responsible for the coordination and
execution of the conference and was edited by LTC Jon Brickey, who also
coordinated the team of expert rapporteurs, which included MAJ Brian
Babcock-Lumish, Mr. Steven Bloom, MAJ Charlie Faint, and Mr. Gabriel
Koehler-Derrick. The opinions expressed in this report reflect the notes
taken by the authors and not necessarily the position of the United States
Military Academy, U.S. Cyber Command, or any other government agency.
MICHAEL J. MEESE, Ph.D.
Colonel, U.S. Army
Professor and Head,
Department of Social Sciences
U.S. Military Academy
Executive Summary
This conference was premised on the idea that the United States, as a
society and as a government, has not fully addressed the fundamental issues
stemming from the country's dependence on cyberspace. Increased
cybersecurity is vital to protecting America's national security interests,
critical infrastructure, and intellectual property (IP). The fundamental
goal should be to enable the country to continue to enjoy the tremendous
social, economic, and other gains that cyberspace has made possible, while
lowering the associated risks.
Adversaries ranging from foreign state actors to corporate spies continue
to exploit vulnerabilities in U.S. networks, systems, and practices. With
millions of dollars worth of IP, vital national resources such as power
grids and banking systems, and design plans for the latest military defense
equipment at risk every day, conference participants recognized that it is
critical to the country that all stakeholder communities, public and
private, work as a team to understand the problems involved and find
solutions.
Conference attendees addressed the role of government in protecting public
and private cyber infrastructure, the role of private sector entities in
protecting their own assets, and the challenges and benefits of
public-private partnerships. The participants also discussed the economic
consequences of cyber vulnerabilities and suggested possible ways to impede
malicious activity, prevent loss of data and IP, and mitigate the
consequences of security failures.
Some of the main themes throughout the conference related to:
- the importance of education and training;
- the need to strengthen information sharing;
- the challenges of obtaining cybersecurity legislation and improving
governance;
- the requirement for government-industry-academic partnerships;
- the fundamental importance of protecting privacy and civil liberties;
and
- the desirability of taking a risk management approach in dealing with
security challenges.
The participants in the conference also agreed on the need to raise public
awareness to build support for public and private sector efforts to enhance
cybersecurity. To ensure support for improved security, it is important
that members of the public gain a better understanding of cyber
threats, current vulnerabilities, possible consequences of security
breaches, and their roles in better protecting themselves and the country
in cyberspace.
Keynote Addresses
Opening Address: Hon. Sheldon Whitehouse, U.S Senator for Rhode Island
Lunchtime Address: Hon. Ashton Carter, Deputy Secretary of Defense
Second Evening Address: Mr. Wes Bush, Chief Executive Officer and
President, Northrop Grumman Corporation
Concluding Address: General Keith Alexander, Commander, Cyber Command, and
Director, National Security Agency / Chief, Central Security Service
Discussion:
The keynote speakers helped to frame conference plenary sessions by
discussing cybersecurity challenges and the prospects for mitigating risk
from a variety of perspectives, including: lawmaker, senior government
policymaker, private industry executive, and military commander. Their
comments and the resulting discussions revealed key cybersecurity
challenges in the areas of public awareness, education, standards,
defensible architectures, and governance. Managing risk and addressing
these challenges will require partnerships across government, industry, and
academia. The American public is a key stakeholder and is both part of the
challenge and an integral player in the development and implementation of
needed solutions.
This conference on cybersecurity was timely given the constantly growing
number and sophistication of cyber threats. The resulting breaches are
increasingly reaching the headlines of the country's major newspapers, even
as many incidents still go unreported. Cyber threats are posed by a wide
range of actors, including national intelligence services, armed forces,
hacktivists, cybercriminals, and terrorists. It is appropriate to assume
that these threat actors have penetrated just about every organization to
some degree. The number and seriousness of the cyber threats facing the
country begs the question of whether the United States is adequately
responding.
The potential consequences of cyber attacks are profound. The Stuxnet worm,
which targeted industrial control systems, demonstrated the ability of
cyber capabilities to leap the grid, and leave virtual space to cause
destruction in physical infrastructure. Senior policymakers and other
national security experts have warned that a larger, more robust attack on
the electric grid or other critical infrastructure in the United States
could become a cyber Pearl Harbor. Malicious cyber activities against U.S.
defense agencies and military services, as well as the supporting defense
industrial base (DIB), have the potential to affect U.S. strategic
influence and military security.
Other consequences of malicious activities in cyberspace are less
spectacular and yet may combine to achieve as much significance as a
single, catastrophic event. At the present time, it seems more likely that
the country and its businesses will suffer a -- death by a thousand cuts
--numerous compromises and losses -- rather than a single, dramatic incident
that has the impact of a cyber Pearl Harbor. Individuals and corporations
are subject to massive amounts of fraud and IP theft. The 2011 Norton
Cybercrime Report, for example, calculates the cost of global cybercrime
alone as $114 billion per year. Some analysts and policymakers have argued
that cyber activities used to collect economic information and technology
from U.S. targets, together with online piracy, have put the United States
on the losing end of the largest illicit transfer of wealth in the history
of mankind.
While experts may disagree on the severity of malicious cyber activities
and their potential consequences, few dispute the pervasive nature of
current vulnerabilities in networks and systems. These vulnerabilities
stem from a combination of human, technical, and policy causes, and they
pose significant cybersecurity challenges.
A first challenge is the need to raise cybersecurity awareness and to
improve the education and training of cybersecurity professionals across
government and the private sector. The public is generally unaware of the
severity of the cyber threat. Businesses often decline to reveal that they
have been victimized for fear that doing so will scare customers and
investors, encourage competitors, and draw unwelcome attention from
regulators. At the same time, many businesses do not even know that they
have been breached. The government exacerbates the public awareness
problem through extensive classification of information relating to
cybersecurity. Some information must be classified in order to remain
useful since an adversary can easily adapt when made aware, for example,
that a specific malware tool has been compromised. However, more needs to
be done to provide information to the public. Compounding the problems of
awareness, education, and training is the fact that information sharing
across organizational lines can be challenging, whether these lines are
between private sector entities, government departments and agencies, or
across the public-private divide. These challenges stem primarily from
policy limitations, competing business interests, fears of financial
liability, and civil liberties concerns.
Because industry faces a wide range of threats, cybersecurity experts need
to develop and apply collective knowledge on risk management, just as
industry has in other areas such as financial risk, product liability risk,
employee safety risk, and environmental contamination risk. However, for
much of corporate America, this has not yet happened with regard to
cybersecurity. In addition, even those sectors that have a relatively
sophisticated appreciation of cyber threats and have made progress in
thinking through the associated risk management challenges (like the
defense industrial base (DIB)), are seeking a costeffective approach to
cyber security that cannot and will not protect against a major
catastrophe. If this is the case, there is an undeniable role for the U.S.
government in helping to determine and to meet an acceptable level of risk
for the society as a whole.
To lay the groundwork for improved partnerships, it will be important to
educate the American people on the importance of cybersecurity and the need
to take steady, well-thought out steps to address today's significant and
growing challenges. Although some argue that it will take the equivalent of
a cyber Pearl Harbor to make progress possible, the policies adopted under
such conditions are less likely to balance overall U.S. values and
interests over the long term than policies that are the result of careful
deliberation prior to an actual crisis. The development of carefully
considered policies and practices in advance of a serious incident may
prevent both the devastating consequences of a future attack as well as
the consequences of less carefully scrutinized approaches developed in the
wake of a national crisis.
Members of Congress understand the need for legislation to address
cybersecurity challenges, though they disagree on the specifics. Congress
has been working on the Cybersecurity Public Awareness Act, which would
help ensure that Americans properly understand the scale of the cyber
threats facing the country.
There is also draft legislation addressing several education and training
issues. Unfortunately, there is no consensus yet on two key pieces of
legislation, both of which address a broad array of cybersecurity issues,
including education and training: the Secure IT Act and the Cybersecurity
Act of 2012. Although legislation could have a positive impact, even if it
is successfully passed and signed into law, it cannot solve all the
problems.
Industry also has a role to play in enhancing its own cybersecurity.
Private sector entities should work to improve their understanding of high
probability events, such as the theft of IP, disruption of
business operations, and loss of customer confidence, so they can form risk
mitigation strategies. One caveat for industry is that all of this has to
be in the context of cost effectiveness, since businesses must make
profits to survive and no business can insure against all risks.
Therefore, industry efforts to increase education and training must focus
on cost-effective risk management. This involves variables that are
intrinsically difficult to estimate and to calculate. However, a broad
understanding that this is the approach that private sector entities must
adopt can help foster communication and shared expectations across
the public-private divide.
A second major challenge relates to the development, promulgation, and
enforcement of enhanced cybersecurity standards. Different stakeholders
hold varying views about the merits of additional cybersecurity standards
or regulations. One perspective is that a government agency should
promulgate a gold standard, developed in collaboration with industry, and
have the authority to enforce this standard.
Another perspective, which generally receives greater support from within
the private sector, is that industry should develop its own cybersecurity
standards, in coordination with government agencies, which would ideally
also draw on the best available thought in academia. Advocates of this view
usually argue that standards, incentives, and government-industry
collaboration should all be part of the solution, which must also take cost
effectiveness into account and be able to move rapidly--likely more
rapidly than a coordinated government-approved solution. As an additional
complicating factor, the issue of standards becomes a very complex
challenge for global enterprises that need to operate in accordance with
the standards and regulatory regimes of multiple government jurisdictions.
Government regulation raises concerns among a number of stakeholders,
especially since the lead organization--the Department of Homeland Security
(DHS)--is fairly new and is responsible for a very broad portfolio of
security challenges. While it is appropriate for DHS to have the lead, the
Department of Defense (DoD) has a significant role to play in providing
support, mainly because it has been the recipient of the majority of the
government's investment in cybersecurity capabilities to date. The
FBI, which must bring its law enforcement and counterintelligence
authorities to bear, is an additional essential partner.
As indicated above, legislation that offers appropriate incentives to
improve cybersecurity and enables information sharing--even in the absence
of new, mandatory standards--could play a salutary role. The government
also has a vital role to play in bringing other instruments of national
power to bear, to include diplomacy. A useful approach may be to launch an
initiative with a core of close partners, such as the United Kingdom,
Canada, Australia, and New Zealand, to develop international standards
for cybersecurity and then seek to expand from there.
A third important challenge relates to the need to build and maintain more
defensible networks and systems. Cybersecurity experts in the public and
private sectors, and increasingly non-technical organizational leaders at
the executive level, realize that cyber security threats are evolving and
escalating rapidly. Security vulnerabilities are most troubling in the case
of companies that operate critical infrastructure such as the electric
grid, dams, and the servers that process financial transactions.
These companies are clear targets and their operations affect public
safety. While most companies accept at least a degree of responsibility for
the protection of their own networks, it not clear that they are capable of
providing themselves with robust security. This may be due, in part, to a
gap in cybersecurity awareness, knowledge, and capabilities, but this
situation also stems from the fact that existing economic incentives are
not sufficient--in many cases--to generate adequate cybersecurity. This is a
classic example of market failure and an opportunity for government to
assist. An additional factor is that the most capable actors in cyberspace
are states and, as a general rule, individual companies expect
assistance from the government in protecting themselves from malicious
actors supported by state resources.
A fourth challenge is the need for effective coordination among the U.S.
government entities with various roles and responsibilities relating to the
protection of U.S. interests and values in cyberspace.
Currently, responsibility for the various domains of the Internet is
distributed across multiple agencies. For example, DoD has the lead for
military and national security networks, the Federal Bureau
of Investigation (FBI) has the lead for law enforcement and
counterintelligence, and DHS has the lead for the rest of the government's
networks and for orchestrating coordination with private sector
critical infrastructure providers. Since there is no single government
department or agency in charge, efforts to protect the country require
extensive coordination and collaboration. Faced with malicious actors
who lack such organizational constraints, or who may seek to exploit them,
it is imperative that there be extensive coordination and collaboration
among U.S. government departments and agencies to enable an integrated
response.
The DoD has significant capabilities and is growing capacity to not only
protect its own networks, but also to assist with securing other domains in
defense of the nation. To understand DoD's role in the defense of non-DoD
networks, it may be helpful to think of how it assists with airline
security, which has three layers of protection. Layer 1, based on the
intelligence system, is the active search for threats.
Layer 2 consists of no-fly lists, screenings, and physical security
measures, like Air Marshalls and hardened cockpit doors. Finally, layer 3
is the last-ditch effort to shoot down a hijacked commercial airliner, if
there is enough warning, before it is used in a deadly attack such as those
seen on 9/11. In the cyber domain, DoD already contributes to (or is
working on) the first and third layers, but not the
second layer--screenings, physical security measures, and intelligence on
network users--which are beyond DoD's control or responsibility. However,
in support of DHS and through a variety of public-private partnerships, the
DoD and intelligence community are exploring ways to contribute to the
second layer of defense.
In terms of cybersecurity governance, there are prospects for improvement
in three areas: overall roles and responsibilities, law enforcement, and
military response policies. Draft legislation offers solutions
for clarifying responsibilities and assigning authorities across government
agencies commensurate with their missions and expertise. Current draft
legislation also acknowledges the need to protect the civil liberties and
privacy of citizens and commercial enterprises. Beyond legislation, it may
be time for a fundamental rethinking of America's law enforcement approach
to malicious cyber activities. In addition to increasing the level of
resources devoted to this challenge, it may be necessary to consider
organizational restructuring. Key stakeholders should be discussing
whether cybercrime should have a dedicated investigatory agency akin to the
Drug Enforcement Agency or Alcohol, Tobacco, and Firearms, particularly
given the exceptional complexity of the technical, international, legal,
and inter-agency aspects of cyber investigations. Finally, during the past
couple of years the DoD has made progress in establishing capabilities and
an integrated approach to cyberspace operations with the establishment
of U.S. Cyber Command and service component commands, though important
issues still remain, such as rules of engagement in cyberspace.
In many ways, the aforementioned cybersecurity challenges and prospects for
addressing them are intertwined: action in any single area affects the
others. Therefore, it will take a concerted and
coordinated effort in all sectors of American society to improve
cybersecurity. Current draft legislation aims to increase public awareness,
harden critical infrastructure systems, improve information sharing, reform
security practices at federal agencies, and support cyber research and
development. Legislation is necessary, but even if passed, it will be only
part of the answer. Industry must apply its knowledge of risk management
to address high probability events and develop cybersecurity standards; at
the same time, government has to establish a coherent approach with clear
authorities and responsibilities and work with industry in the development
of standards. There is much work to be done, and only a team approach
can be effective in meeting the challenge.
Session 1: Characteristics of Cyberspace
Panelists:
- Mr. John Stankey, Chief Strategy Officer and Group President, AT&T
- Gen (Ret) Michael Hayden, Principal, Chertoff Group, Former Director
Central Intelligence Agency, and Former Director, National Security Agency
- Dr. Vinton Cerf, Vice President and Chief Internet Evangelist, Google
- Mr. Alan Paller, Director of Research, SANS Institute
Moderator: Colonel Suzanne Nielsen
Guiding Questions for Session One:
- What is cyberspace?
- What are cyber threats and how serious are they?
- Why is it difficult to protect cyberspace? Can it be done?
Discussion:
The first session explored the characteristics of cyberspace from different
perspectives: practitioner, policymaker, educator, and consumer.
Cyberspace is a complex, fragile, and ever-changing ecosystem.
America is growing more dependent on it with each passing day, while at the
same time, threats continue to increase in sophistication and volume.
Active participation by a variety of key stakeholders will be essential in
addressing this challenge.
When seeking to understand the nature of threats in the cyber domain, it is
valuable to think in terms of both the actors and the acts. State actors
are the top threat. The United States and China are two examples of very
capable state actors in cyberspace. Criminal gangs are second on the list;
these guns for hire primarily come from China, Russia, and Eastern Europe.
Finally, hacktivists, anarchists, and even juvenile delinquents (in some
cases) make up the bottom threat tier. As the capabilities of state actors
increase over time, the skills and tools they develop trickle down to
criminals and hacktivists. As a result of this process--and due to the
existence of a market for exploitation capabilities--the sophistication of
the tools available to even relatively unsophisticated threat actors
continues to increase.
In fact, increasingly capable hacker tools are readily available to be
downloaded for free from the Internet. Unfortunately, a threat actor does
not necessarily have to be extremely capable to be effective.
Against relatively undefended networks, even amateur hackers can be
successful.
In thinking through the nature of the acts, there can be a tendency to
describe any malicious event or act as a cyber attack, but it is
appropriate to use more specific terms. Computer network exploitation
(CNE) comprises most of the activity today; this is unauthorized access
that may or may not result in the stealing of data. Espionage and IP theft
are examples of CNE activities. Just about every state with cyber skills
is conducting CNE today; however, there is a small group of (primarily
English-speaking) countries that self-limit their activities in this area
to avoid violations of civil liberties. In contrast, computer
network attack (CNA) is an activity designed to delay, degrade, disrupt, or
destroy information or systems in or through cyberspace, including critical
infrastructure. The Stuxnet incident was a game-changing event in that it
demonstrated the ability of digital --ones and zeroes|| to cause damage in
the physical world.
In addition to the severity of the threat, protecting cyberspace is a
daunting task due to three other reasons. First, the infrastructure of
cyberspace and the applications that rely on it have not historically been
designed with security as a primary concern and are constantly changing.
New capabilities--such as the rapid expansion in the use of mobile devices
or the creation of new versions of software--lead to new sources of
vulnerability. Second, cyber training, education, and overall awareness
are lacking across the board. In many cases, individual citizens and even
businesses do not take basic measures to protect themselves and when they
are the victims of malicious activity, they may not even realize that they
have been compromised. A third reason cyberspace is difficult to protect is
that the market does not necessarily provide adequate incentives for
investments in cybersecurity.
An effective response to these challenges will require participation from
actors across government, industry, and academia. The architecture problem
may be one of the hardest to address because the current architecture was
not designed for current and future demands. The domain name system is
not hardened and the global supply chain that supports hardware and
software development creates additional vulnerabilities. Improvements to
cyber training, education, and overall awareness will require a
strategic investment. One way to incentivize young Americans to learn
cyber skills is through cyber competitions, something China has done
successfully. An example of a successful U.S. initiative in the area
of education is the National Security Agency's (NSA) Cyber Center of
Excellence program. In collaboration with participating universities and
colleges, NSA is helping to foster the development of the knowledge and
skills required in the future cyber workforce.
Finally, overcoming the challenge of inadequate market incentives may
require regulation. Though Americans often have more faith in private
sector and market-based solutions, this may be a classic case of market
failure. Most participants in the conference agreed that any additional
regulations that are intended to improve cybersecurity should be developed
in close coordination with the affected private sector entities and must
contain provisions that are able to keep pace with the ever-changing,
fragile terrain of cyberspace. Other participants, doubtful that new
regulatory regimes could achieve their intended purposes, argued that the
best approach would be to assist the market by enhancing incentives for
private sector entities to improve their own security and by fostering
information exchanges among key stakeholders.
Session 2: The Role of the U.S. Government in Cyberspace
Panelists:
- Hon. Jim Langevin, U.S. Representative from Rhode Island
- VADM (Ret) John M. (Mike) McConnell, Vice Chairman, Booz Allen
Hamilton; Former Director, National Security Agency; Former Director of
National Intelligence
- Mr. Jeff Moss, Founder and Director, Black Hat, Member, Homeland
Security Advisory Council
- Ms. Marcia Hofmann, Senior Staff Attorney, Electronic Frontier
Foundation
- Mr. O. Sami Saydjari, President and Founder, Cyber Defense Agency
Moderator: COL Greg Conti
Guiding Questions for Session Two
- What role should the U.S. government play in protecting public safety,
prosperity, and national security in cyberspace?
- How should we think about privacy and civil liberties in the era of
Facebook?
Discussion:
The American public expects the U.S. government to defend the country from
external threats, protect public safety, and promote prosperity. These
expectations are also relevant in cyberspace; however, since the domain is
relatively new and the public's knowledge is nascent, debates concerning
policies, laws, and strategies are just taking shape in the field and
across the broader society. As these debates take place and governance
frameworks evolve, privacy and civil liberties should and must remain
central considerations.
Although democratic deliberation is vital and can be expected to take time,
the security risks and challenges are already here. Therefore, it is
vitally important to find an appropriate way to enable the government to
respond quickly in the event of a crisis. A near-term crisis is most
likely to be the product of an attack on critical infrastructure, such as
the systems that support the provision of energy, transportation, or
financial services. Planning for such an attack warrants the highest level
of attention.
Many argue that the enormous losses of IP currently being experienced by
American businesses have become an actual threat to U.S. national security
that must be addressed.
There is a broad understanding that success in better securing the cyber
realm requires cooperation between the private sector and the government,
with a special emphasis on the critical importance of information sharing.
These efforts are necessitated by the fact that the field is evolving too
rapidly and the incentive structures are insufficient for the private
sector alone to shoulder the burden, even though current liability laws
place the vast majority of legal responsibilities on their shoulders
(particularly the financial sector). Additionally, the talent pool for the
cyber realm is underdeveloped, and both government and the private sector
would benefit enormously from efforts to enhance education in
this increasingly important field.
While there is an almost universal acknowledgement among experts of the
increasing challenges posed by cyber threats, there is also concern that
this awareness is not present in broad swathes of American society. This
has led to inertia, particularly in the legal realm, where a false paradigm
perpetuates the added concern that liberty and privacy are diametrically
opposed. There are numerous examples of how these two key values are not
necessarily irreconcilable. Unfortunately, as long as the public debate
is conducted in these terms it will remain difficult--especially for the
government--to take action. It is important to change the terms of the
debate by acknowledging that both of these values can be pursued in a
mutually reinforcing manner.
On a more micro level there are specific recommendations about achievable
outcomes that could be realized relatively quickly to improve America's
capabilities should a cyber attack occur. The U.S. government has a unique
role to play in facilitating, through legislation as well as other
mechanisms, significant improvements that could bolster the country's
cybersecurity posture. As an example, the government could do more to
facilitate interactions of security researchers and the companies
whose products they probe for vulnerabilities. Frequently these
researchers are hesitant to come forward with a newly-discovered
vulnerability, fearing some form of retaliation or legal action by the
company involved.
By working as a trusted agent, the government can act as interlocutor,
facilitating relations between these two important sets of actors.
In addition, the U.S. government could improve cybersecurity through other
means such as: mandating a certain level of encryption for crucial sites;
developing a right to be forgotten rule; and outlining the circumstances
under which a compromised computer could be denied service by an Internet
service provider. Even simply developing protocols in the case of
emergency and deploying alternative communications equipment to key players
would significantly increase the capacity of the overall system to
withstand or mitigate some sort of sustained attack. As an example, the
distribution of satellite phones to key facilities and government offices
would be invaluable if a cyber attack destroyed or disabled normal
communication channels.
Session 3: The Role of the Private Sector in Cybersecurity
Panelists:
- Mr. Mark Weatherford, Deputy Under Secretary for Cybersecurity,
National Protection & Programs Directorate, Department of Homeland Security
- Mr. Shawn Henry, former Executive Assistant Director of the Criminal,
Cyber, Response, and Services Branch, Federal Bureau of Investigation
- LTG (Ret) Steven Boutelle, Vice President, Global Government Solutions
Group of CISCO Systems
- Mr. Marc Gordon, former Enterprise Chief Information Officer, Bank of
America
- Mr. Robert Rose, Executive Vice President, Thomson Reuters
Moderator: Dr. Scott Silverstone
Guiding Questions for Session Three:
- What is the role of the private sector in creating a more secure
cyberspace?
- What do Americans need to understand about cyber security and what is
the best way to foster public understanding?
Discussion:
Since the private sector owns the majority of the infrastructure of
cyberspace, it has an undeniably important role in protecting it and making
it more secure for the future. One major contribution that the private
sector can make is to foster cybersecurity awareness and understanding for
executives, employees, partners, and customers. Americans in general lack
awareness of cybersecurity threats, vulnerabilities, and the possible
consequences of malicious cyber activity. This lack of awareness also
exists among chief executives and boards of directors--the people primarily
responsible for making risk decisions for the businesses that drive the
economy. Other roles for the private sector include:
establishing cybersecurity standards, protecting networks, developing
metrics, sharing threat and vulnerability information, and communicating
concerns with the executive and legislative branches of government.
The frequency, nature, scope, and complexity of cybersecurity threats and
vulnerabilities today are growing at an accelerated rate. Keeping up with
cybersecurity challenges is a daunting task for even the most informed.
This is especially a challenge for many corporate chief executives, who
have a natural tendency to focus on their shareholders and who may regard
cybersecurity issues as nuisances or distractions. In addition, members of
corporate boards generally do not have much understanding of cybersecurity
issues. One way to redress this is to demonstrate the consequences of
cyber insecurity to executives and increase awareness of potential costs to
the firm. Another way to increase awareness within a firm is to conduct
exercises and tests to identify gaps in employee cybersecurity training
and awareness. During one such test, a major U.S. financial company found
that 60% of its senior executives and 30% of its information technology
staff were susceptible to spear phishing attacks, which are simple social
engineering exploits that succeed when victims open emails and click on
tempting links. Though an important first step, correcting internal
cybersecurity awareness shortcomings is only part of an effective approach.
Firms must also reach out to educate partners and customers because many
security measures are only as strong as the weakest link.
Another key role for the private sector is in establishing cybersecurity
standards. Some are calling for government-imposed cybersecurity standards,
much like the financial accounting standards implemented through
Sarbanes-Oxley Law. Unless the private sector works together and provides
recommendations, it may receive a single --one size fits all|| solution.
This is likely to be less than ideal, since private entities within
different sectors often have different security needs and specialized
knowledge about them. The ideal scenario may be one in which meaningful and
effective standards are developed sector by sector through extensive
public-private collaboration.
There is general agreement that private industries have some responsibility
for protecting their cyber resources. No enterprise should assume the
government or some other organization will protect its networks, including
the data and the architecture. Each company has to invest in providing the
resources for its own protection. Many companies also still need to
develop processes that better balance security concerns with desires for
improvements in functionality and ease of access. The provision
of cybersecurity must be viewed as a continuous process, not a one-time
event (relevant only, for example, when the information technology
department installs a new device).
With the exception of the financial sector, most companies lack useful
metrics to measure cybersecurity.
To correct this deficiency, private sector enterprises should develop and
share a number of metrics. One common metric in industry is risk, which is
normally assessed to result from a combination of threat, vulnerability,
and consequences. Another useful metric may be the time between a breach
and discovery, which too often can extend to months or years. A third
useful metric may be the cost to remediate a breach, which can easily run
in the millions of dollars per incident. Finally, the cost of lost IP is
also an important metric, despite different methodologies used for
calculations of the dollar value of IP and the uncertainties that can be
associated with determining this figure. Sometimes the loss of IP can have
an extreme impact; in several recent incidents, businesses lost such
critical IP due to cyber theft that they had to close. Industry is in the
best position to develop metrics based on information important to
senior executives for making critical operational and investment decisions.
Yet another role for the private sector is sharing threat and vulnerability
information within industry and with government and academia when possible.
Information sharing is a hot, sometimes divisive topic because sharing data
raises potential liability concerns. Industry should use existing
knowledge sharing groups, such as one of the critical infrastructure
Information Sharing and Analysis Centers (ISACs), or create new ones as
necessary to share information on topics such as threats, vulnerabilities,
and processes.
When possible, industry should also share with government agencies to
provide greater situational awareness for all sectors and to support law
enforcement actions against malicious actors--even if they are outside U.S.
jurisdiction. Finally, industry should share with academia to ensure
access to recent, relevant data for researchers and students to expand
knowledge and theory for all to benefit.
Along with other stakeholders in the debate pertaining to cybersecurity
legislation, the private sector has a lot on the line. Even if the
legislation succeeds in passing and its measures are beneficial in
the aggregate, individual firms may face new financial burdens associated
with increased requirements or regulations. Therefore, it is imperative
for private sector entities to effectively communicate their concerns to
the executive and legislative branches of government. Active engagement is
essential to shape pending legislation so that the interests of all key
stakeholders are fully considered and the legislation has the greatest
prospect of raising the country's security posture with the fewest
possible negative second- and third-order effects.
Growing cybersecurity threats require a holistic response by the private
sector, though the private sector alone cannot be expected to solve the
nation's cybersecurity problems. Though greater collaboration
in addressing threats, vulnerabilities, and best practices among industry
competitors is encouraged, government has a role when cyber insecurity
presents itself as a market failure or externality. However, the private
sector must act now and take a leadership role if the government is
unwilling or unable to lead in addressing the rising cybersecurity risk.
Cybersecurity is not an achievable end-state, but rather a journey which
entails continual adaptation to a changing environment.
Session 4: Collaboration Across the Public-Private Divide
Panelists:
- Ms. Patricia Hoffman, Assistant Secretary for Electricity Delivery and
Energy Reliability, Department of Energy
- Mrs. Anne Neuberger, Special Assistant to the Director for the
Enduring Security Framework, National Security Agency
- Dr. Gregory Rattray, CEO and Founding Partner, Delta Risk LLC
- Dr. Phyllis Schneck, VP and Chief Technology Officer, Global Public
Sector, McAfee, Inc.
Moderator: COL Mike Meese
Guiding Questions for Session Four:
- Under what circumstances are public-private partnerships effective in
achieving their goals?
- What are the public-private partnerships most needed in the cyber
realm?
Discussion:
This panel of government and industry leaders in the field focused on
questions of when and under what circumstances public-private partnerships
are effective, as well as which partnerships are most required in the cyber
realm. There are legal and political constraints on public-private
partnerships in the United States that do not necessarily exist in other
countries. In addition, global enterprises may be challenged
to participate in public-private partnerships with one government when they
need good relations with many in order to operate. Despite these
challenges, however, there have been successes in collaboration in
both public-private and private-private collaborative arrangements.
One important characteristic of cyberspace that can affect the nature of
required public-private collaboration is speed. When it comes to efforts
to protect cyberspace in near-real time, efforts must take into account the
fact that needed response times are so fast that human beings lack the
capacity to respond. So, while some collaborative efforts relating to
cyberspace can be accomplished through human-to-human interaction, adequate
defenses must also provide for some automation of information sharing and
incident response. In other words, to defeat malicious activity in
cyberspace, defenders need to achieve at network speed what the human body
does biologically: mitigate a harmful entrant without having seen it
before, and be immune and stronger thereafter. For such collaborative
arrangements to be created and to be successful there must be transparency,
close working relationships, and substantial trust among all involved
parties.
There are also a number of analogies between cybersecurity and other policy
challenges that may illuminate constructive approaches. One such analogy
compares the challenges of cybersecurity with those of public health. Just
as the protection of public health requires a variety of approaches, to
include individual immunizations, appropriate public policy, and
international collaboration, cybersecurity may require a similar
combination of individual responsibility, an appropriate policy framework
at the national level, and international collaboration. In addition,
despite these measures, health problems are expected to arise. Planning
must take into account the inevitable need to respond to outbreaks of
diseases, as well as the importance of minimizing their spread and impact.
The challenges of mitigation and restoration are also ones that must be
addressed in the cyber realm.
While it is misleading to think that there is a single, best
one-size-fits-all approach to public-private partnerships, and wrong to
view the private sector as a monolith, there are successful examples of
recent collaboration from which it is possible to learn. Many of the
recurring challenges of public-private partnerships can be addressed by
carefully selecting and designing the most appropriate model at the outset.
These models must take into account the nature of the goals of all
parties, the degree of alignment of private and public motivations, the
degree of collaboration desired or required, and the associated roles of
the public and private participants.
One way for the government to collaborate with private industry is to work
with select businesses through sector consortiums--like the ISACs for
transportation, finance, telecommunications, etc.--grouped into voluntary
partnerships based on specific goals: general information sharing,
targeted information sharing, or collective responses to network-based
threats. This framework avoids the one-size-fits-all approach and provides
more specific objectives to the various working groups.
As best practices are developed and shared, it is also important for
Americans to look abroad. There may be policies and procedures already in
use in other countries that may usefully inform effective practices and
relationships in the United States.
Session 5: Economic Consequences of Cyber Insecurity
Panelists:
- Mr. Dmitri Alperovitch, Co-Founder & CTO, CrowdStrike Inc.
- Dr. Richard Cooper, Maurits C. Boas Professor of International
Economics, Harvard University
- Mr. Sean Kanuck, National Intelligence Officer for Cyber Issues,
National Intelligence Council
- Mr. Christopher Kubasik, President and Chief Operating Officer,
Lockheed Martin Corporation
Moderator: LTC David Lyle
Guiding Questions for Session Five:
- How should we think about the economic costs of cyber insecurity?
- What is the best way to minimize these costs?
Discussion:
Few businesses have been able to assess fully the potential economic
consequences of cyber insecurity, with the exception of some in the
financial sector and the companies that are already out of business due to
security breaches. However, American companies are now participants in an
ongoing cyber conflict in which the actions of nation-state actors and
criminals are undercutting the foundation on which the long-term
competiveness of the U.S. economy rests.
The cumulative damage caused by steady intrusions and data losses that
companies are experiencing is difficult to calculate; the full costs may
not be known for years. Despite uncertainties, however, business leaders
need information now to make informed decisions on ways to minimize these
costs.
Perhaps the area in which it is easiest to attach a dollar figure to the
costs of cyber insecurity is online theft from financial institutions. The
financial sector measures these losses and makes business decisions based
on the data, which is plentiful and increasing daily. Besides the
direct loss of money, however, there are four additional types of economic
costs of cyber insecurity that should be considered: the cost to clean up
infected systems, the value of stolen IP, the cost of negative public
relations, and the cost of data integrity uncertainty. All of these types
of costs should be considered when evaluating the consequences of a single
incident. For example, in the case of cyber espionage, the total cost to a
victim company may equal the value of stolen IP, plus the cost to remove
malware from corporate devices and networks, plus the economic costs
that can stem from negative public relations. Though the potential costs
are high, it can be difficult for security experts to influence management
decisions regarding cyber security improvements due to many uncertainties
associated with measuring each of these items.
The expenses associated with recovery from an intrusion, including the time
it takes technicians to remove malware from devices across an infected
network, can be substantial. Depending on the size of an organization, the
cost can range from thousands to millions of dollars. As an
example, the 2000 I Love You virus indiscriminately wreaked havoc on
networks around the world. In 2009, estimates of damage from this virus
ranged from $950 million to over $15 billion globally.
Significant costs also may stem from the compromise of proprietary
technologies or other forms of IP. Technology transfer, legal and illegal,
has historically been an important element of economic development,
including that of the United States. The extraction of such information
through cyberspace is merely the most recent manifestation of this
historical phenomenon.
Estimating the amount of money lost through such transfers is fraught with
difficulty. The cost may vary from nothing at all (if the acquirer does
not use the compromised technology in any way) to undermining the entire
market for a new product. In a modern information
economy, innovation--along with the timely and reliable conversion of
digital data into actionable knowledge--leads to comparative advantage. The
loss of IP through compromise in cyberspace may reduce gains from
investment in innovation and ultimately cause a firm to lose out
to competitors that do not bear the research and development costs.
Two additional types of costs relate to reputation and data integrity, both
of which can be difficult to assess and to trace to the firm's bottom line.
A security incident may produce negative public relations that may result
in lost business revenue or lower stock prices. The mere revelation of an
incident, even if there is no direct impact on customer services or
expenditures, may cause customers to lose confidence in the people,
processes, and technologies of a company, resulting in loss of business to
the victim firm. In addition, uncertainty about data integrity also
imposes difficult-to-calculate costs. In an information economy, data is
king and analytics drive key business decisions; therefore, bad information
may lead to misallocation of resources and loss in revenue. If a business
suffers a cyber attack on data integrity, it may lose confidence in its
data, and eventually, its ability to make sound decisions.
Unfortunately, there is no cybersecurity silver bullet. No single act will
eliminate cyber insecurity, as the threat is mounting and growing more
complex by the day. There are, however, at least four actions industry and
government organizations can perform as part of overall cybersecurity risk
management programs to minimize costs. First, organizations need to
improve their ability to safeguard IP. This is no easy task, but the
adoption of established best practices, such as the SANS Research Institute
20 critical security controls list, can help. Better network and data
protection may also require significant investments in people, processes,
and technology.
The second way to minimize costs is related to the first: enabling
business resiliency.
Organizations must learn to deal with threats once they identify breaches
and plan to continue to operate in the face of malicious cyber activity,
even as they respond to prevent further intrusions and mitigate the damage.
Third, organizations should advocate for legislation that supports
intelligence sharing and incident reporting to pool resources and share
costs. Finally, the fourth way to decrease cyber insecurity costs is by
increasing the potential costs that adversaries face if they penetrate U.S.
networks. This strategy involves raising the cost of cyber theft to
perpetrators in myriad ways, such as publicly exposing those responsible
(including states), imposing trade sanctions against states that pursue or
support malicious activity in cyberspace, and even employing deception by
providing misinformation to cast doubt on data validity. However,
these tactics all come with risks and costs of their own; the last of these
may be simply impossible for private businesses to adopt.
In most cases, reducing or mitigating cybersecurity risk will involve
partnerships within the private sector, between government and private
industry and, when possible, with academia and the general public. In all
cases, there will be additional costs--cybersecurity is simply a new cost
of doing business in the world today.
Session 6: The Way Ahead
Panelists:
- Ms. Catherine Allen, Chairman and CEO, The Santa Fe Group
- Hon. Michael Chertoff, Co-Founder and Managing Principal, Chertoff
Group, former Secretary,
- Department of Homeland Security
- Mr. Craig Mundie: Chief Research and Strategy Officer, Microsoft
- Mr. Bruce Potter, Chief Technologist and Co-founder of Ponte
Technologies
Moderator: COL Cindy Jebb
Guiding Questions for Session Six:
- What are public policy options in reducing the risks faced by the
United States in cyberspace?
- What private sector initiatives have promise?
Discussion:
The fast-developing field of cybersecurity presents enormous opportunities
but also significant challenges. An effective response will require new
talents and new capabilities that can only be created through innovative
public and private sector approaches.
The importance and rapidly changing nature of cyberspace will require
rethinking in numerous communities. In the military, the integration of
cyber capabilities into warfare will require a paradigm shift in terms of
operations, planning, strategy, and culture that may be comparable in some
ways to the Revolution in Military Affairs (RMA) of the 1990s. In the
private sector, even small businesses will have to become familiar with the
challenges of cybersecurity and develop strategies to address them.
In this context, it may be appropriate for the government to consider a
significant investment. One proposal is for the equivalent of a --Manhattan
Project|| for cyber. The purpose would be to bring together experts from a
variety of different backgrounds with diverse skills to address the key
challenges facing the country in the area of cybersecurity. There are also
less dramatic steps that should be taken, such as the passing of
legislation that requires improvements in the security of critical
infrastructure. Such legislation should seek to more equitably balance
liability for cyber insecurity across all who play a role in cybersecurity.
As an example, right now banks are reliant on communications systems and
equipment that can be compromised, but the banks bear the primary
responsibility for these vulnerabilities and must bear the costs when their
customers are affected.
Simultaneously, the United States must articulate a policy that increases
transparency on issues such as what the country would do, or consider
doing, if attacked, and what behaviors should be considered impermissible
in cyberspace. Such a cyber policy could enhance deterrence, and may also
enhance stability by lessening the likelihood of miscalculation on the part
of U.S. adversaries. Furthermore, the country's capability to plan and
anticipate contingencies is too often bounded by the here and now,
rather than a realistic understanding of future scenarios. This is
troubling because in the dynamic realm of cyberspace, plans that are not
made with an eye to the future will rapidly become obsolete.
In addition to preparing defenses against current threats, the United
States should be seeking to outinnovate those who seek to compromise U.S.
systems. New paradigms are needed in both government and the private sector
if the United States is to continue to enjoy the benefits of cyberspace at
a reasonable and acceptable level of risk.
Appendix A
Senator Whitehouse's Keynote Address
Full Text
Thank you for that kind introduction and for the invitation to be with you
today to discuss our nation's cybersecurity. I am very pleased to join you
at the United States Military Academy.
As a Senator for my home state of Rhode Island, I have the great privilege
of nominating young men and women to become cadets here. I am also
privileged to serve with my senior Senator Jack Reed, who is a graduate and
a member of your Board of Visitors.
I am very proud of this Military Academy for its continued excellence in
preparing the next generation of leaders for our Army and for our nation.
I'm also glad to be joined at the conference by my colleague from Rhode
Island, Jim Langevin, a renowned expert on cyber security.
This conference on cybersecurity is timely given the scale of the cyber
threats facing our country.
Consider the following expert assessments. Secretary of Defense Leon
Panetta has stated: [t]he next Pearl Harbor we confront could very well be
a cyber attack.
In a letter to Senate Majority Leader Harry Reid, former Secretary of
Homeland Security Michael Chertoff, former Defense Secretary William Perry,
former Vice Chairman of the Joint Chiefs of Staff General James Cartwright,
and others wrote that [t]he threat is only going to get worse. Inaction is
not an acceptable option.
And Secretary of Homeland Security Janet Napolitano has stated: prior to
9/11, there were all kinds of information out there that a catastrophic
attack was looming . . . . The information on a cyberattack is at that same
frequency and intensity and is bubbling at the same level, and we should
not wait for an attack in order to do something.
These threats are posed by a wide range of adversaries, including national
intelligence services and armed forces, hacktivists, cybercriminals, and
terrorists. Adding further complexity are the techniques used to compromise
our systems: remote intrusions, spear-phishing and social engineering,
physical access to networks through agents or disgruntled insiders,
wireless access, and compromised or counterfeit parts.
The consequences are profound.
A single data breach of an American company - for example a retailer or a
financial company - can result in countless Americans' credit card numbers
and sensitive personal information being sold to the highest bidder on
illegal carder forums run by international organized crime groups.
Individuals and corporations are subject to massive amounts of fraud and IP
theft. The 2011 Norton Cybercrime Report, for example, calculates the cost
of global cyber crime as $114 billion per year. A substantial part of this
enormous volume of theft is permitted, encouraged, or conducted by
foreign nations.
As former NSA Director Admiral Mike McConnell, former Secretary of Homeland
Security Chertoff, and former Deputy Secretary of Defense William Lynn
recently explained, China intends to build its economy by
intellectual-property theft rather than by innovation and investment in
research and
development.
The Office of the National Counterintelligence Executive similarly
explained that Chinese actors are the world's most active and persistent
perpetrators of economic espionage, and that Russia's intelligence services
are conducting a range of activities to collect economic information and
technology from U.S. targets.
I have argued that these attacks, together with online piracy, have put the
United States on the losing end of the largest illicit transfer of wealth
in the history of mankind.
The security company McAfee recently agreed, writing that what we have
witnessed over the past five to six years has been nothing short of a
historically unprecedented transfer of wealth.
The current Director of NSA, and Commander of U.S. Cyber Command, General
Keith Alexander, likewise agreed that we are suffering from the greatest
transfer of wealth in history. We cannot let this drain on our economy
continue.
The threat is not only financial.
The Stuxnet worm attack, which targeted particular industrial control
systems, demonstrated the ability of cyber attacks to leap the grid and
destroy physical infrastructure.
In 2008, a CIA official noted several incidents overseas where hackers were
able to disrupt, or threaten to disrupt, the power supply of foreign cities.
The compromise of government networks, for example that of the Economic
Development Agency within the Department of Commerce in February this year,
jeopardizes the mission, weakens confidence in government, compromises
privacy, and advantages foreign nations in their dealings with our country.
Cyberattacks also imperil military effectiveness. The Wall Street Journal
reported in 2009 that computer spies broke into the Pentagon's $300 billion
Joint Strike Fighter project - the Defense Department's costliest weapons
program ever. . . and were able to copy and siphon off several terabytes of
data related to design and electronics systems . . . potentially making it
easier to defend against the craft. These attacks were reported to have
originated in China.
Former Deputy Secretary of Defense Lynn likewise revealed in 2008 that the
U.S. Department of Defense suffered a significant compromise of its
military computer networks|| by a foreign intelligence agency in what
--amounted to a digital beachhead, from which data could be transferred to
servers under foreign control. This incident, according to Deputy Secretary
Lynn, was the most significant breach of U.S. military computers ever.
And in 2009, the press reported that the U.S. Navy was investigating an
unauthorized user in Iran accessing blueprints and other information for
the President's helicopter, Marine Corps One.
The scale of the cyber threats facing America begs the question whether we
are responding adequately as a nation. We are not.
One basic problem is the lack of appropriate public awareness about the
severity of the cyber threat.
Businesses consistently decline to reveal that they've been victimized, for
fear that doing so will scare customers and investors, encourage
competitors, and draw unwelcome attention from regulators. Many of them
don't even know.
When the FBI-led National Cyber Investigative Joint Task Force informs an
American corporation that it has been hacked, nine times out of ten the
corporation previously had no idea. I am glad that the Securities and
Exchange Commission, after prompting by Senator Rockefeller, myself, and
others, issued guidance covering when registered companies must disclose
breach information. But more must be done to draw back the veil of secrecy
covering cyber events in the private sector.
The government exacerbates the public awareness problem by over-classifying
information relating to cybersecurity. Jim Lewis of the Center for
Strategic and International Studies recently explained that [c]ybersecurity
. . . has a unique problem in that some of the most reliable data is
classified.
Some information must be classified, for obvious reasons, but we
nonetheless can do much better. To that end, I've been working with Senator
Jon Kyl on the Cybersecurity Public Awareness Act, which would help ensure
that Americans properly understand the scale of the cyber threats facing us.
A second significant challenge we face is the fact that the business
community alone has proven incapable of securing its own networks. There
are at least two reasons for this problem.
First, there is a gap in cybersecurity awareness. Carnegie Mellon's CyLab
recently reported that boards and senior management still are not
exercising appropriate governance over the privacy and security of their
digital assets . . . These findings are consistent with complaints by
[Chief Information Security Officers and Chief Security Officers] that they
cannot get the attention of their senior management and boards and their
budgets are inadequate . . . There is still an apparent disconnect . . . .
In recognition of this, Edison Electric Institute has begun to bring CEOs
and CIOs together, to foster better awareness of damages to the electric
grid.
The second reason is market failure; existing economic incentives are not
generating adequate cybersecurity. [T]he market place,|| former Secretary of
Homeland Security Chertoff has explained, is likely to fail in allocating
the correct amount of investment to manage risk across the breadth of
the networks on which our society relies.
An example of this type of market failure is the decision of gas, electric
power, and water utility industries to forgo implementation of a powerful
new encryption system to shield substations, pipeline compressors, and
other key infrastructure from cyberattack because of cost concerns. The
cost, it should be noted, only would have been approximately $500 per
vulnerable device.
The inadequacy of corporate defenses has been highlighted in a steady
stream of reports. FBI Director Robert Mueller recently explained there are
only two types of companies: those that have been hacked and those that
will be.
The McAfee report on the Shady RAT attacks similarly stated that it is
possible to divide the entire set of Fortune Global 2,000 firms into two
categories: those that know they've been compromised and those that don't
yet know.
And Kevin Mandia of the leading security firm Mandiant has explained: [I]n
over 90% of the cases we have responded to, Government notification was
required to alert the company that a security breach was underway. In our
last 50 incidents, he said, 48 of the victim companies learned they were
breached from the Federal Bureau of Investigation, the Department of
Defense or some other third party.
The weakness of corporate cybersecurity is most troubling in the case of
companies that operate critical infrastructure such as our electric grid,
our dams, and the servers that process our financial transactions.
These companies are clear targets, but too many are failing to meet minimum
cybersecurity standards.
Hardening those critical infrastructure targets would be an obvious
improvement.
We also should find a way to position America's most capable defenses and
countermeasures to defend our critical infrastructure.
To achieve that goal we need to define critical infrastructure, so we know
what it is and can protect it.
The NSA and other military agencies have substantial expertise that should
be leveraged in defense of critical infrastructure. This will not be easy,
however. The NSA's Defense Industrial Base pilot proved that the government
can share classified information with trusted corporations, but revealed
significant risks and limitations, particularly if the government were to
share its most sensitive information with a broad set of private companies.
By identifying critical infrastructure on which our safety and economic and
national security depend, we also define what does not qualify. That's
important because that defines where privacy concerns outweigh national
security concerns. Nobody wants government in our chat rooms, emails, or
social media; everyone understands why government should protect the
electric grid that brings power to our homes.
Government also is responsible for enforcing our criminal laws. What work
has been done has been excellent. Last year, for example, the Justice
Department and the FBI took down the Coreflood and Rustock botnets. Actions
like these should be a regular occurrence, but are not because we have
not properly scaled up our law enforcement resources.
It is time for a fundamental rethinking of our approach: both the level of
resources and the manner in which they are structured; what FBI Director
Mueller called a substantial reorientation of the Bureau.
We should be discussing whether cybercrime should have a dedicated
investigatory agency akin to the DEA or ATF, particularly given the
exceptional complexity of the technical, international, legal,
and inter-agency aspects of cyber investigations.
I am working in the Senate for legislation to harden critical
infrastructure systems, improve information sharing, reform security
practices at federal agencies, and support cyber research and development.
I am optimistic that we can come together to pass meaningful legislation in
this important area. Democrats and Republicans are working together, so
hopefully success is in sight.
Outside our legislative arena, the United States military has taken
numerous important steps to date, including recognizing cyberspace as an
operational domain, establishing a cyber strategy, standing up the U.S.
Cyber Command, and interacting more with private industry. The NSA, under
the leadership of General Alexander, is at the cutting edge of modern
cybersecurity.
The Guard, too, has adapted for cyber operations. In my home state of Rhode
Island, the Rhode Island National Guard's 102nd Network Warfare Squadron
protects DoD equipment and performs Command Cyber Readiness Inspections to
certify and accredit DoD networks at bases, deployed sites, and
forward operating locations.
Important issues still remain to be worked through; in particular, rules of
engagement in cyberspace. The rules of engagement, laws of war, and
conventions of nationhood, sovereignty, and borders in the physical world
are well-established. Clear understandings in these areas made possible the
policies of deterrence that kept the Cold War cold, by assuring enemies of
a defined and decisive response to aggression.
Similar clarity does not exist in cyberspace, in part because of
attribution problems, and in part because principles in geographic space do
not translate readily to cyber space. Without this clarity, we
cannot adequately deter cyber threats.
Issues relating to covert action are deeply classified, but at a minimum I
can say that clear executive policies and procedures, and vigilant
congressional oversight, are required.
Finally, our armed forces also must secure their supply chains from the
insertion of malicious code, backdoors, and other cyber threats. There is
good reason to be concerned. Chinese companies are actively working to
extend their reach into the international telecommunications market.
Military material often has components manufactured in China. Compromise of
the U.S. military's supply chain could damage military effectiveness.
Congress has given the Department of Defense the necessary authority, and
the Defense Department must work hard, to keep counterfeits and the
products of hostile companies out of its supply chain.
This is a long list of challenges. As our military takes them on, it would
be wise to keep in mind some historic instances in which we have had to
adapt to technological advances.
In the wake of World War I, for example, the U.S. military was skeptical
about the possibilities of air power. Deputy Chief of the Air Service -
which was then part of the U.S. Army - Brigadier General William Billy
Mitchell only began to win over skeptics by demonstrating that bombers
could sink a retired German World War I battleship, the Ostfriesland.
Field Marshal Douglas Haig, who was a British senior officer during World
War I, famously claimed after World War I that the value of the horse and
the opportunity for the horse in the future are likely to be as great as
ever. Aeroplanes and tanks are only accessories to the man and the horse,
and I feel sure that as time goes on you will find just as much use for the
horse - the well-bred horse - as you have ever done in the past.
With our nation facing ever greater cyber threats, today's U.S. military
stands at a similarly pivotal moment in the history of combat. I urge you
all to continue your good work to get off the horse, get on the plane, and
bring the military's capability for excellence to bear in this new theater
of operations.
Thank you again for the opportunity to be here with you today.
Appendix B
Senior Conference XLIX Participants
- Dr. Frank H. Akers, Jr. President and CEO, Oak Ridge Strategies Group,
Inc.
- General Keith B. Alexander, USA Commander, U.S. Cyber Command and
Director, National Security Agency/CHCSS
- Ms. Catherine Allen Chairman and CEO, Santa Fe Group
- Mr. Peter G. Allor Senior Security Strategist, IBM
- Mr. Dmitri Alperovitch Co-Founder & CTO CrowdStrike Inc.
- Dr. Annie Antón Professor of Computer Science, North Carolina State
University
- Mr. Dennis Bartko Director's Special Assistant for Cyber Chief NSA
Cyber Task Force, National Security Agency
- Lieutenant General (Ret) Steven Boutelle, USA VP, Business Development
Global Government Solutions, Cisco
- Colonel Jen Buckner, USA Cyber Fellow, National Security Agency
- Mr. Wes Bush Chairman, Chief Executive Officer, and President,
Northrop Grumman Corporation
- Hon. Ashton B. Carter Deputy Secretary of Defense
- Dr. Vinton G. Cerf Vice President and Chief Internet Evangelist, Google
- Dr. Steve Chan Prince of Wales Senior Fellow, Massachusetts Institute
of Technology
- Hon. Michael Chertoff Co-Founder and Managing Principal, The Chertoff
Group; Former Secretary, Department of Homeland Security
- Colonel Gregory Conti, USA Director, Cyber Research Center, Department
of Electrical Engineering and Computer Science, United State
Military Academy
- Dr. Richard N. Cooper Maurits C. Boas Professor of International
Economics, Harvard University
- Ms. Debra N. Diener Privacy and Identity Management Consultant
- Mr. Jerry Dixon Director of Analysis, Team Cymru
- Ms. Donna Dodson Division Chief for Computer Security Division &
Deputy Chief Cybersecurity Advisor, NIST
- Ms. Jennie Easterly Deputy for Counterterrorism Operations Signals
Intelligence Directorate, National Security Agency
- Dr. David J. Farber Distinguished Career Professor of Computer Science
and Public Policy School of Computer Science, Carnegie Mellon University
- Mr. George Gilmore Board of Directors, West Point Association of
Graduates
- Dr. Emily Goldman Combined Action Group, U.S. Cyber Command
- Mr. Marc Gordon Former Enterprise Chief Information Officer, Bank of
America
- Mr. Thomas Harvey Senior Vice President, AT&T Government Solutions
- General (Ret) Michael V. Hayden, USAF Principal, The Chertoff Group;
Former Director, Central Intelligence Agency and National Security Agency
- Mr. Shawn Henry President, CrowdStrike Services; Former Executive
Assistant Director, Criminal, Cyber, Response, and Services Branch, Federal
Bureau of Investigation
- Ms. Patricia Hoffman Assistant Secretary, Department of Energy
- Ms. Marcia Hofmann Senior Staff Attorney, Electronic Frontier
Foundation
- Dr. Mark Iken Vice President, Georgia Gwinnett College
- Colonel Cindy R. Jebb, USA Professor and Deputy Head, Department of
Social Sciences, United States Military Academy
- Mr. Sean Kanuck National Intelligence Officer for Cyber Issues,
National Intelligence Council
- Mr. Chris Kubasik President and Chief Operating Officer, Lockheed
Martin
- Mr. Paul Kurtz General Manager, Global Consulting Services,
CyberPoint International
- Congressman Jim Langevin Rhode Island
- Colonel (Ret) Jack A. LeCuyer, USA Distinguished Professor Strategic
Studies Institute, U.S. Army War College
- Mr. Richard H. Ledgett, Jr. National Intelligence Manager for Cyber
Office of the Director of National Intelligence
- Lieutenant Colonel David S. Lyle, USA Director, Office of Economic and
Manpower Analysis, Department of Social Sciences, United States Military
Academy
- Colonel (Ret) John R. Martin, USA Vice President of Security,
Occidental Petroleum
- Vice Admiral (Ret) John M. (Mike) McConnell, USN Vice Chairman, Booz
Allen Hamilton; Former Director of National Intelligence
- Colonel Michael Meese, USA Professor and Head, Department of Social
Sciences, United States Military Academy
- Brigadier General Marcela J. Monahan, USMC Assistant Deputy
Commandant, Combat Development and Integration, U.S. Marine Corps
- Mr. Jeff Moss Vice President and Chief Security Officer, ICANN
- Mr. Craig Mundie Chief Research and Strategy Officer, Microsoft Corp
- Mrs. Anne Neuberger Special Assistant to the Director, NSA, for the
Enduring Security Framework, National Security Agency
- Colonel Suzanne Nielsen, USA Director, International Relations
Program, Department of Social Sciences, United States Military Academy
- Dr. Patrick O'Shea Vice President & Chief Research Officer, University
of Maryland
- Mr. Bruce Potter Chief Technologist and Co-Founder, Ponte Technologies
- Mr. Andy Purdy Chief Cyber Security Strategist, CSC
- Dr. Greg Rattray CEO and Founding Partner, Delta Risk LLC
- Dr. Samantha Ravich Co-Chair of the National Commission for the Review
of the R&D Programs of the U.S. Intelligence Community
- Mr. Robert Rodriguez Chairman & Managing Principal, Security
Innovation Network
- Vice Admiral Michael Rogers, USN Commander, U.S. Fleet Cyber Command
- Mr. Robert Rose Executive Vice President, Thomson Reuters Inc.
- Mr. Eric Rosenbach Deputy Assistant Secretary of Defense for Cyber
Policy, Department of Defense
- Mr. Sami Saydjari President & CEO, Cyber Defense Agency
- Dr. Phyllis Schneck Vice President and Chief Technology Officer,
Global Public Sector McAfee, Inc.
- Dr. Adam Segal Senior Fellow for Counterterrorism and National
Security Studies, The Council on Foreign Relations
- Dr. Scott Silverstone Professor of International Relations, Department
of Social Sciences, United States Military Academy
- Mr. Perry Siplon Vice President, Corporate Security & Chief Security
Officer, Sprint
- Brigadier General Jeffrey Smith, USA Deputy Commanding General for
Proponency, U.S. Army Cyber Command
- Mr. John Stankey Group President and Chief Strategy Officer, AT&T Inc.
- Ms. Mary K. Sturtevant Vice President, Intelligence, Joint, and
Science & Technology Programs, Washington Operations, Lockheed Martin
- Ms. Teri Takai Chief Information Officer, Department of Defense
- Colonel (Ret) David Tohn, USA Chief of Mission Operations, CyberPoint
International
- Mr. Andy Ubel Chief Intellectual Property Counsel, Valspar Corp.
- Mr. Phil Venables Managing Director and Chief Information Security
Officer, Goldman Sachs
- Professor Matthew C. Waxman Associate Professor, Columbia Law School
- Mr. Mark Weatherford Deputy Under Secretary for Cybersecurity for the
National Protection and Programs Directorate, Department of
Homeland Security
- Captain T.J. White, USN Commander, Navy Information Operations Command
Maryland
- Senator Sheldon Whitehouse United States Senator for Rhode Island
- Mr. Mark D. Young Senior Advisor, Directorate for Plans and Policy
(J5), U.S. Cyber Command
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20120914/52024700/attachment.html>
More information about the liberationtech
mailing list