On January 27, the Washington Post reported that the Department of Defense plans to expand its “Cyber Command,” a force dedicated to defending U.S. computer systems, by a factor of five, from 900 to 4,900 members. Although a formal announcement had not been made, Pentagon sources indicated that an increase in numbers was not the only change on the agenda. The Cyber Command would also undergo a shift in focus, with the new structure adding acknowledged offensive capabilities to a command that had previously been characterized as exclusively defensive.
According to the leaked report on which the story was based, the new Cyber Command will have three components: "'National mission forces,' to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security; 'combat mission forces' to help commanders abroad plan and execute attacks or other offensive operations; and 'cyber protection forces' to fortify the Defense Department's networks."
The Post’s article elaborated on concerns that the Cyber Command was overly entwined with the National Security Agency, raising issues regarding the roles of the military and the intelligence agency, especially when those roles touched on domestic matters.
Those are not the only concerns being raised in the security sector. A January 29 article in CSO Magazine touched on some additional issues that may interest our readers.
The first of those issues is the dearth of appropriate personnel, a problem that will not be solved by adding money and people to the system, according to Joe Weiss, Applied Control Systems Managing Partner. Weiss sees great vulnerabilities in industrial control systems (ICS), and he does not believe that IT personnel generally have an adequate understanding of how those systems work.
To complicate matters, we lack the tools to determine the cause of ICS failures. “There are minimal cyber forensics for control systems,” Weiss told CSO. "We need people who are both control-system and cyber experts, or at least willing to work together, and there aren't enough of those."
In a similar vein, the founder of the Cyber Security Forum Initiative’s Cyber Warfare Division, Paul de Souza, told CSO, "The main problem in the U.S. is to find cleared cyber operations professionals with full spectrum – exploitation-offense-defense – hands-on experience."
The experts interviewed by CSO also shared concerns about the new offensive potential of the Cyber Command. They pointed out that there is too much opportunity for deception when evaluating the source of an attack. Given that ability to deceive, they were skeptical of government assurances of a material improvement in our ability to identify the true source of an attack.
Gary McGraw, known as a champion of systems that are built to be secure from the start, emphasized the continuing importance of that approach and made note of another issue. In this context, he said, mistakes have serious consequences and are all too easy to make. Once a mistake is made, the speed of execution makes it impossible to correct. Referring to an inadvertent attack on the wrong systems, McGraw said, “It happens so fast, you can’t say ‘Oops.’”
Weiss provided a further note of caution with respect to a program that makes industrial control systems “fair game” on the world stage. He pointed out that these systems are in use in countries that are not necessarily friends of the United States and that only around 20 vendors supply those systems worldwide. The systems work well for their intended purposes, he said, but they are vulnerable. “Security was not part of their design,” he told CSO. “If you start making them fair game, we’re in a lot of trouble – not just here but all over.”