By Geoff Fein

One of the most pressing needs the nation faces is to secure cyberspace and protect the country’s cyber systems and infrastructure, whether in the government, military or civilian domains, according to a top Bush administration official.

The issue of protecting America’s cyber infrastructure is not solely a federal responsibility, Michael Chertoff, head of the Department of Homeland Security (DHS), told attendees at a recent Armed Forces Communications and Electronics Association conference on cyber security. “And it’s not exclusively a private sector responsibility.”

“Because of the way we network across cyberspace, because most of the assets and people involved are not within the government…we have to address this problem in partnership,” he said last week at the Washington, D.C., event. “We have to use a network to protect a network.”

In the last year or two, there have been some dramatic illustrations of the dangers of cyber attacks, cyber theft, and identity theft using the ability to penetrate cyberspace, Chertoff said.

“This has underscored that more of our assets, more of our economy that resides in the virtual domain, the more important it is to protect that domain,” he added.

Among the more serious threats, globally, have been the denial of service attacks on Estonia that resulted in a short-term shutdown of the Estonian government, and the wave of denial of service attacks on Georgia that preceded the conflict between Russia and Georgia, Chertoff pointed out.

“Our experts at USCERT (United States Computer Emergency Readiness Team) worked with Estonia to rebuild that system. That was an illustration of what a nation state can experience when there are cyber attacks,” Chertoff said.

In August, the Secret Service brought down the largest prosecution of identity theft in the history of the nation, Chertoff said.

The case involved a ring that stole approximately 40 million credit card numbers by capturing the numbers as they were moving over wireless networks between major retailers.

“This was a cyber attack. The design here was not a denial of service attack, but to steal valuable economic information,” he said.

To deal with the issue of cyber security, President Bush earlier this year launched a comprehensive national cyber initiative, Chertoff noted.

“Under the president’s initiative DHS has lead responsibility to protect federal civilian domains and networks, and synchronize all the federal networks to make sure we are all coordinated together, as well as begin the process of working with the private sector to configure cyber in a way that meets the particular needs of each of the 18 principal sectors of the U.S. economy,” he added.

The core elements of the initiative require establishing front lines of defense to reduce current vulnerabilities and prevent intrusion, and making sure that the effort is defending against the full spectrum of threats.

“We have to look end-to-end at the entire architecture to make sure we are, in fact, protecting ourselves adequately,” Chertoff said.

Last, there will need to be a focus on educating the future generation of cyber professionals, and on spurring the development of leap-ahead technologies to protect cyber assets in the future, he added.

Chertoff added that it is important these efforts are not seen as attempts by the government to get a big foot into the private sector or have a massive federal presence on the Internet as some other countries have sought to do in policing it. “That is not the approach we are proposing here.”

Creating a front line of defense will require reducing the number of trusted Internet connections so that the government can get a handle on the flow of traffic that is coming in and out of the federal government domain, Chertoff said.

“That means, as well, we have to increase our capabilities at US CERT and across the entire government–department and agency networks–to make sure we have watch standers 24/7 so we can have a prompt response when we detect something,” he said. “And we need to coordinate across the interagency process through the National Cyber Security Center, which has just begun to be stood up, to make sure that we have a kind of shared or federated activity or coordination between the military, intelligence, and civilian domains.”

The effort will also require the continual improvement of intrusion detection systems, Chertoff added.

The government currently has Einstein in place. In its original form, Einstein was not a real-time intrusion detection system, Chertoff noted.

Einstein 2.0, which is being deployed at this point, is a real-time system, he added. “We use passive sensors to protect [against] malicious code…and protocol-based signatures in real-time so that we can give real-time notice of warning rather than the forensic analysis after the attack has occurred.

“Finally, we are looking at the development of Einstein 3.0, which would be the next step. It would be a prevention capability that would actually block as well as warn, in the government domains,” Chertoff said.

It is also important to emphasize the need to protect the global supply chain, he added.

“In the global environment…the global supply chain…quality assurance and integrity assurance is going to become an increasing challenge, again, as closing one of the doors to a threat,” Chertoff said.

Maybe most important is the need to engage the private sector in cooperation, Chertoff said.

“We need to identify long-term and short-term objectives, and with the cross sector cyber security working group we have set up, we need to facilitate information sharing back and forth,” he said. “We need to know what threats [the private sector] are seeing. [The private sector] needs to know what we are seeing, what we can release to you, perhaps in a somewhat refined form that you can use in order to secure your systems better.”

But Chertoff warned that any effort by the federal government to mandate cyber security on the private sector would be met by a backlash. He expects there will be incentives to get companies to install security measures on their systems.

“I think the market will be ready, willing, and able to work with us in this effort. But there will be some people who don’t want to do that and I don’t want to tell people that they have to opt into this system,” Chertoff said. “If you are so concerned about the government that you want to keep your system away from the government, I think you should be entitled to do so. Obviously, you have to live with the consequences.”