20 August 2015

Military Cybersecurity: Evolution Is The Only Business Model That Makes Sense

AUG 17, 2015

Opinions expressed by Forbes Contributors are their own.

In 1932, British Prime Minister Stanley Baldwin evoked fear throughout Europe when he warned Parliament that “the bomber will always get through.” Baldwin couldn’t imagine a technology that would blunt the danger posed by air power, and thus he argued any defense was futile. The apprehension his remarks engendered made it easier for Hitler to cow the West into appeasement. But by the time Baldwin made his bleak forecast, scientists in several nations were well on their way to developing radar — the technology that would make effective air defense feasible.

As Deputy Secretary of Defense Robert Work has observed, America’s military today finds itself in a similar state to that prevailing during the interwar years. New technologies are proliferating at a rapid pace, creating unprecedented challenges and opportunities at the same time. The most important such technologies are those centering on digital computing and the internet. Initially, there was great optimism that these new tools could transform the world in America’s image. Now the mood has shifted to one of profound pessimism as extremists of every stripe embrace the digital revolution and U.S. networks come under continuous attack from intruders.

I recently heard former National Security Agency head General Keith Alexander observe with regard to cyber threats that, “in my experience, the offense always won.” In other words, when it comes to cybersecurity, the bomber will always get through. A casual observer of news coverage on the subject could be excused for sharing General Alexander’s pessimism. It seems as though every facet of our economy, society and security structure is vulnerable to hackers, and we are powerless to prevent their exploits.

However, the truth of the matter is that over 99% of cyber attacks fail if defenders have implemented basic security measures, and even in the case of so-called “advanced persistent threats,” the success of intruders is usually traceable to endpoints in the network that weren’t configured to the latest security standards, or users who weren’t adequately trained. The most sophisticated firewalls in the world aren’t going to save you if you’re dumb enough to open an email from Nigeria congratulating you on the inheritance that awaits transmittal of your banking information. Early forensics on the most recent penetration of Pentagon networks appears to point to such poor network “hygiene” as a key enabler of the attack.

Which brings me to the Host Based Security System, the joint force’s main system for securing its networks. HBSS was initially implemented in 2006 and mandated for installation on all military networks, both classified and unclassified, in 2007. It’s basically a suite of commercial off-the-shelf software developed by Intel Security (formerly McAfee) that has been continuously updated as new threats and networking options appeared. After eight years of use on military networks, it’s probably the most complete cybersecurity system that the federal government operates. (Intel and several of its competitors in the federal cyber market contribute to my think tank).

Seven million networked devices — and counting. (Image: Wikimedia/David Gleason)

The Defense Information Systems Agency that oversees HBSS has recently commenced the laborious process of searching for new approaches to military cybersecurity. The defense department wants to fashion a “joint information environment” that replaces its current, balkanized collection of networks with an integrated architecture affording visibility and situational awareness across the entire enterprise. That is a tall order, as my colleague Dan Goure explains in a forthcoming report:

Today there are more than seven million devices on DoD networks; tomorrow there will be many more. The use of mobile devices is becoming commonplace, even on the battlefield. Like the private sector, DoD is moving to the Cloud. The Internet of Things is coming to DoD too. New devices, network technologies and applications inevitably introduce new security risks.

As this passage implies, the cybersecurity challenge the Pentagon faces is largely of its own making. Although the vast majority of cyber attacks can be categorized into only a handful of types (rootkits, trojan horses, etc.), it is increasingly difficult to keep up with all the various devices defense personnel are using to access military networks. When you factor in the extreme variability in cyber training and awareness that millions of network users exhibit, it’s hard to imagine that determined adversaries can be kept out of the networks. So in addition to building firewalls, the Pentagon agency needs to give a lot of thought to how the damage caused by intruders can be isolated, mitigated and reversed.

I don’t envy DISA for the challenges it faces. However, I do have one bedrock conviction about what approach will work best in keeping up with new threats and technologies. The only approach that makes sense is to evolve the existing system, on which the government has already spent half a billion dollars installing software and training users. The notion that HBSS can be replaced with something better is a fiscal and technological fantasy doomed to collapse under the weight of its own complexity. When you have a system that has proven itself over eight years of increasingly diverse technology and attacks, you don’t just throw it out — you grow it to cover all the emerging endpoints in your network.

That doesn’t mean it shouldn’t be modified. HBSS has been modified continuously in response to changing conditions. In the next iteration, it probably needs to incorporate greater automation to reduce the training burden on users who frequently rotate between jobs. Sticking with HBSS also doesn’t mean relying on one company to provide all the necessary functions. Although Intel’s ePolicy Orchestrator will probably remain the core management mechanism, there are dozens of software applications available from other providers that might fruitfully be integrated into an evolved version of the system. So of course it has to be an open architecture.

But the core values of centralization, scalability, configuration control and end-to-end visibility have to be upheld, even as security is extended to the Cloud, to the Internet of Things, and to the tactical edge where bandwidth is scarce and patching vulnerabilities is not the top thing on users’ minds. An evolved version of HBSS is much more likely to meet these needs than wholesale implementation of some untested new architecture that must be installed at millions of endpoints and explained to hundreds of thousands of users.

Thomas Kuhn wrote in The Structure of Scientific Revolutions that key questions sometimes so dominate debate among practitioners in a community that they embrace a new paradigm seeming to offer answers — even though it leaves previously settled questions open to renewed debate. That is not the way to improve military cybersecurity. Like the evolution of the human brain, we need to stick with what worked for basic functions, and then build out to achieve new levels of performance. The breakthrough model doesn’t work with something as complicated and multifaceted as cybersecurity. Even the “discovery” of radar in the 1930s, a seeming breakthrough, was in fact the result of decades of work that culminated in a new application.