New strategies from the White House and Pentagon lay the foundation for federal cybersecurity going forward. Both — released around the same time — center on common themes that will help agencies address ever-evolving threats.
Senior members of the Intelligence and National Security Alliance (INSA) are impressed with the policy and how in sync the two proposals seem.
“The national strategy talks more about domestic issues and the DoD strategy is more about the military part, but the nesting of the strategies together, I think that’s powerful,” Jim Keffer, director of cyber at Lockheed Martin and Vice Chairman of the Intelligence and National Security Alliance’s Cyber Council, said on Cybersecurity Month. “From that we can build plans, campaigns across the federal government and within DoD in this new cyber arena.”
Both Keffer and Larry Hanauer, vice president of policy at INSA, highlighted key initiatives in both plans for deterring hostile actors that could potentially attack critical infrastructure. The need to focus on the area has become even more important as other countries and actors continue to find ways to infiltrate networks, Hanauer said.
He said everyone knows about the attempts by Russia and Iran to introduce malware and other viruses to the networks and operating systems of water treatment plants and other critical infrastructure. But that is only one example. The threat is not just to government and business networks, but also to those in private homes.
“Those are significant threats to our domestic security. They have the potential to affect the health and safety of Americans throughout the country. And so they may seem like homeland security threats, but they’re really national security threats,” Hanauer told Jason Miller. “The need for infrastructure operators to work closely with the federal government to protect those systems is really critical.”
And as technology continues to evolve, the cyber threats will too. In a way, the deterrence piece of the strategy gives the U.S. government the chance to fight back. Keffer said this is a welcome asset, as economic sanctions and FBI indictments can only go so far.
He said these new plans of action will help send a clear message to potential attackers that cyber threats will be deterred in cyberspace, and consequences will result.
The strategies do not outline in detail what the U.S. will do in response, but they do open the conversation as to what the government is willing to do. President Trump and the military agencies will then have more flexibility to use the appropriate tools at their disposal should the need arise.
Understanding an attack
INSA is focused on bringing together industry and government in unique ways to promote private-public collaboration in the intelligence, national security and homeland security spaces. The organization recently put together a table-top exercise simulating potential crises and responses.
“We wanted to assess the effectiveness of these mechanisms to assess what would work well during the crisis and what wouldn’t,” Hanauer said. “We wanted to evaluate the coordination between government organizations at all levels — federal, state, local — as well as private infrastructure operators across sectors who might not be used to working with each other.”
The exercise involved 70 people including cybersecurity and public affairs experts, contractors from both infrastructure sectors and workers from all levels of government. The men said the lessons from these exercises helped them identify elements of what any response to a cyber incident would involve.
What is the first step? Understanding an attack and being able to attribute it is key. This can help public and private actors better predict where future attacks may come from and what they will look like. The next action is to contain the attack.
“The infrastructure operators who were targeted and then also the state and local officials would work to take some swift action to take the affected systems offline, and then to reduce the number of people in the affected area if that’s possible,” Hanauer said.
Once the threat has been deterred or resolved, then steps can be taken to get services back online and inform the public and those involved. Partnerships are key in the space, Keffer said, and the exercise proved just how challenging they can be between the public and private sectors because of their differing interests.
The federal government is focused on finding the attacker, predicting future attacks and collecting the information it needs to develop a response. On the other side, stakeholders in the private sector are more interested in getting their services restored.
“Just dealing with those very different core interests is a challenge when you get all those actors at the same table together and they need to figure out what do we do and do we do first,” Hanauer said.
In its report following the exercise, INSA highlighted the importance of transparency and information-sharing between stakeholders.
“A cyber attack on critical infrastructure can have a cascading impact on multiple sectors across multiple jurisdictions, providing little time to contain and mitigate damage and prevent any follow-on attacks,” the report said. “It is vital to establish trusted relationships among key stakeholders before a crisis hits.”
There are a number of information-sharing platforms the public and private sector can utilize. Some examples Hanauer provided are state intelligence fusion centers, as well as intelligence-sharing and analysis centers.
One hurdle to turning these new strategies from talk into action is the deficiency of cyber-talent. Federal agencies are working hard to develop and sustain a workforce that will embrace new cyber challenges.
“I’d like to see us as a nation get down into increasing the base … getting children from kindergarten through 12th grade interested in not only cybersecurity, but science, technology, engineering, math and logistics,” Keffer said. “That’s where we can grow the base. It’s not going to be an immediate overnight fix, but we’ll fix it in the long term.”