By Geoff Fein

The most pressing cyber security issue facing the defense industry is a near existential threat from state-sponsored foreign intelligence services that have the capability to tap into company networks and access sensitive intellectual property, according to a report from the Internet Security Alliance (ISA).

A network breach has long-term negative implications for national security, the report added.

Last month, the non-profit ISA issued its 44-page cyber security policy recommendations for the incoming Obama administration.

The report, entitled The Cyber Security Social Contract Policy Recommendations for the Obama Administration and 111th Congress, examines the challenges and obstacles to implementing cyber security and what the government might do to help foster cyber security in the private sector.

“The current technologies are woefully inadequate. They can deter the average script kiddie, but provide little defense against foreign state sponsored attacks and espionage, which represent 5 percent of the threat responsible for some of the most serious damage,” according to the study. “Signature-based intrusion detection, firewalls, and anti-virus technologies are all deployed, but they do little to identify or prevent more sophisticated adversaries.”

The single greatest vulnerability in the cyber world is insider incursions, Larry Clinton, president of ISA, told Defense Daily in a recent interview.

“Some people estimate that as many as a third to half of cyber incursions are not people hacking into the system, it’s somebody who already has keys to the system,” he said. “Either a disgruntled employee, or a plant sometimes, or sloppy employees who do unsafe things and leave networks open to outsiders.”

According to the report, most “defense company information security professionals, faced with limited budgets and junior personnel, are locked in a reactive defensive posture. This position allows for little more than signature-based perimeter monitoring and, if detected, malware eradication as an operating paradigm against professional foreign intelligence operations tasked with penetrating, surveying, and exfiltrating specific sets of information.”

This is not a problem any single company can address, the report noted. Companies can invest a great deal of time and money to treat the symptoms (detect and respond to incidents), but only the international Internet community can begin to address the problem.

ISA listed a number of steps the government can take to assist the defense industry in improving cyber security in the short and long term. Among them are:

  • Provide more timely support from U.S. counterintelligence agencies when they identify ongoing foreign intelligence collection operations or other criminal activity;
  • Provide incentives for the private development of promising technologies that move the community away from outdated signature-based detection modalities and instead focus on powerful combinations of sophisticated behavior analysis and change detection for enhanced anomaly identification;
  • Identify the best technologies and protocols and then drive government networks towards them;
  • Focus on technologies or strategies that allow defense companies to shift from a passive, forensics-based defense to an active posture incorporating real time intelligence updates that anticipate the adversaries’ targets and tactics;
  • Provide greater research incentives for next generation behavior-based technologies. If the government invests in game changing technologies and provides incentives for the market to invest in them, DIB members can raise the bar on cyber defense technologies; and
  • Leverage innovation centers such as the Defense Advanced Research Projects Agency, the Intelligence Advanced Research Projects Agency, and In-Q-Tel to provide research and development funds, expertise, and incentives for technology development to make defense industry networks a hard target for the adversary.

Clinton said the government needs to understand that, whether it likes it or not, it must engage much more affirmatively with the private sector.

“The security of our nation’s electronic infrastructure is in private hands, no two ways about that,” he said. “The government could go in and take over the airports in an emergency, but you can’t go in and take over the Internet. The only way to do this is by constructively engaging the private sector.”

And developing strong federal mandates on cyber security won’t do much good either, Clinton added, because this is an international issue. “Even if you passed a great regulation, let’s assume you could, it doesn’t work.”

“What it would do is increase U.S. costs, drive capital offshore–which is bad for the economy and frankly bad for security–it would create a brain drain in security as we drove industries offshore to increasingly become more non-U.S. based,” Clinton said. “We need a system wide, risk management, private sector-involved system.”

While hacking and cyber attacks on Defense Department (DoD) sites are a daily occurrence, Clinton noted that some attackers are bypassing the Pentagon and the large defense firms and going after sub-vendors.

“Some of the nefarious people…they are attacking subcontractors of the major defense contractors, and through them getting to the Pentagon,” he said. “The systems all interact, so you need a full system wide solution.”

Cyber security is a serious national issue, he added. Information and technology are being stolen, nation states are using these systems to disrupt other countries, and last month DoD divulged it was the focus of a serious cyber attack.

“And as we move into the next generation of warfare, virtually everybody in the field is going to have a cyber component,” Clinton pointed out. “Government needs to realize there is a serious national problem. It’s not being solved now. We have to figure out how to fix it, how to fix it completely, and how to fix it quickly.”

That’s why ISA is recommending to the Obama administration a Cyber Security Social Contract to deal with the issue.

The social contract ISA is proposing is based on the agreement between government and the utilities in the early 20th century, which had the goal of providing universal phone, power and light service to Americans, the report said.

“The necessary infrastructure improvements, technical and otherwise, can be addressed through incentives for private investment while the cyber related consumer protection items (spam, personal identity) are addressed by regulation,” according to the report.

Cyber security cannot be provided directly by the government, the report noted.

“As with utility service, many companies do an excellent job with information security as required by their business plans. As with public utility service, the inherent market incentives are insufficient to provide the breadth of security required by the public’s compelling national economic and security interests,” the report said. “Since a voluntary system will not provide adequate market incentives to accommodate the public interest, and due to the global nature of the Internet, a federally mandated system will not work either. A social contract wherein government provides incentives for the private sector to make cyber security investments that are not justified by current business plans is a pragmatic alternative.”