By Geoff Fein

Tackling the complexities of cyber security requires more than good technology. It requires an understanding of economic and legal issues as well as developing a theoretical framework for cyberspace, according to a top industry official.

“This is not purely a technical issue. This is not just about patching some piece of software because a virus could get into it otherwise,” Robert Brammer, Northrop Grumman [NOC] Information Systems sector vice president and chief technology officer, recently told Defense Daily.

“The most important problem we face right now is the lack of people educated and trained on the various dimensions of this problem,” he added. “Without enough people who really get it in some sense and are in a position to do something about it, then all of the rest of the stuff is just theoretical.”

One issue is the difficulty in gauging return on investment (ROI) when it comes to technologies. For example, if a company is spending money on security, how does it measure ROI, Brammer said. “That doesn’t necessarily generate revenue and profit directly, but a failure of security can cause you to lose money.”

“But we don’t have a good way of valuing security yet,” Brammer added. “That is one of the reasons why this area is lagging.”

There are also issues at the national level with various security products, he added. “There are no analogs of consumer product safety legislation for cyber security.”

If a consumer buys a software product and reads the fine print on the license agreement, they’ll see the vendor isn’t responsible for anything, Brammer noted. “In fact, most of them want to get their customers to fix the problems and they call that beta test.”

“In other industries, somebody sells you a product and it has a defect. There are product recalls, but the software industry will send out a patch and maybe that will fix it,” he said. “It’s an entirely different model which I think is indicative of how new these concepts are. We really don’t have a legal framework that captures much of this.”

In fact, Brammer pointed out that in some countries, hacking into a network isn’t even illegal. “They don’t have laws that address this at all.”

Another issue that needs to be better understood is how to improve situational awareness in cyberspace, Brammer said.

That challenge hasn’t been lost on the military as service personnel look to make improving situational awareness in cyberspace a priority.

Two weeks after being confirmed to head up the new United States Cyber Command, Army Gen. Keith Alexander told attendees at a briefing at the Center for Strategic and International Studies in Washington that developing better situational awareness over the military’s computing networks is one of his primary challenges.

The military faces a dangerous combination of known and unknown vulnerabilities, strong adversary capabilities, and weak situational awareness, he said early last month.

Thus, Alexander’s short-term to-do list in the military realm is to help define requirements for improving situational awareness of networks used in war zones (Defense Daily, June 4).

Those same concerns were echoed by a panel of military officials discussing the services’ approach to cyber security at Defense Daily’s Cyber Security Summit June 11.

As the services work to establish full operational capability this fall for their newly established cyber commands, achieving real-time situational awareness of threats to their respective computer and information networks remains a key challenge, the panel of Air Force, Army and Navy cyber officials said (Defense Daily, June 15).

“It is a very overloaded term. It depends on what situation you want to be aware of and who is it that wants to be aware,” Brammer said.

For example, a network administrator wants situational awareness of the traffic on his network to see if there are any problems, Brammer said. “He tries to maintain situational awareness of that environment.”

A theater command has a much larger purview, but at the same time the level of detail needed is not the same as that needed by a network administrator, he added. “You need a different type of awareness.”

Then there is the situational awareness needed by the secretary of defense and the president.

“Those are all legitimate requirements and all very difficult problems,” Brammer added.

It’s more and more difficult to figure out what the right questions to ask are and to aggregate all of the information from the various sensors and people involved, who have to sift through an enormous amount of information, Brammer said.

“We have research in all of these areas particularly at the higher levels of situational awareness–how do you filter out unnecessary level of detail? How do you get to critical decisions? It’s all about decision and support enabling courses of action,” he said.

In the real-time area, Northrop Grumman has some research going on in real-time forensics, Brammer noted.

“Can I figure out what is going out at a level of detail that at least allows me to take some kind of action to mitigate the effects or at least minimize the damage if not eliminate it altogether,” he asked. “Cyber security very much wants to go to a real-time aperture, but because of the complexity and volumes of information this is not an easy thing to do.”

Visualizing cyber space is something the government and industry don’t know how to do very well yet, Brammer said. “It’s a much more abstract notion.

“It’s not like you can look at a terrain map and get a good feel of what the terrain looks like,” he said. “Cyber space is a much more abstract thing and these notions are not anywhere close to being as well developed as a lot of other areas of science and engineering.”