View From the Hill
Written by Rep. Jeff Miller
CRITICAL JUNCTURE FOR SECURITY
Public-private cooperation and fostering innovation
should remain the focus in cybersecurity.
This potential new command will have to interact with the soon-to-be-established White House “cyberczar,” and there will most certainly be challenges as these new entities grow and interact. Despite the challenges, the United States must continue to exploit the advantages of IT and networked operations because the network is such a critical component to land, sea, air and space operations.
The consensus among all policymakers seems to be that time is of the essence, and that our shared challenges cannot be allowed to slow us down and make us more vulnerable. In order to move forward quickly, however, it is crucial to reflect on the recent history of cyberwarfare. Thoughtful reflection guides me to realize that enhanced public and private collaboration while fostering innovation is the key to our continued defense. The government is responsible for this defense, but innovation from the private sector will be key to ensuring this endeavor is successful. The attacks on our nation’s cyber-infrastructure grow more frequent and more devastating. In April, it was widely reported that the Joint Strike Fighter program may have been hacked by cyber criminals, and last November an attack on the Pentagon’s networks took down as many as 1,500 computers. The attacks damaged networks in U.S. Central Command, and highlighted the potential impact on our continuing military operations in Iraq and Afghanistan. In Georgia last year, reports of malicious cyber-activity preceded the Russian military’s incursion into the Ossetia and Abkhazia regions, underscoring the potential to combine cyber attacks with military objectives.
As a nation, we must now ask ourselves some tough questions: How well can we determine the origin of attacks when most come through unaware parties; when do attacks reach the threshold of terrorism, warfare or crime; and what is the most appropriate response for the nation and the international community? Cyber-rules of engagement, doctrine, organization and training will all be different than their kinetic warfare kin.
The IT systems we need for today and tomorrow must be developed and acquired—with the knowledge that they will enter a highly contested and highly integrated network. This network did not evolve overnight, and it is important to consider how we got here. NETWORK-CENTRIC REVOLUTION
The Information Revolution dramatically changed how we do business as a nation but has also significantly impacted how we provide for the common defense. As the technology fueled a revolution in military affairs over the past two decades, DoD developed a significant number of people, facilities and capabilities to combat the growing threat.
In the 1990s, DoD finally gave this revolution a name, network-centric warfare, which later changed to networkcentric operations to provide a more nuanced view of how these technologies were being utilized. We now see the rise of cyberterrorism and cybercrime as a transnational business. Cyber-attacks from individuals and countries targeting economic, political and military organizations will increase in the future and pose a severe threat to U.S. national security. In fact, given our increasing reliance on a “connected world,” from governmental functions to private citizens’ online banking, we need to seriously consider what constitutes national security and critical infrastructure as it relates to cyberspace.
Already, every major defense acquisition program today—from Future Combat Systems to the F-35—has some level of IT in the system. We are and will continue to be a net-centric force, because it is an enabler and force multiplier. It provides increased efficiency and capabilities in a cost-effective manner. Finally, it enables better decision-making and results in fiscal responsibility. As the department evolves, management of IT across the federal government becomes of paramount importance.
The House Armed Services Committee held a hearing last year to explore the full range of approaches to cyber security that support network-centric operations. Cybersecurity is a poorly defined term, but clearly it encompasses three broad areas: computer network defense, computer network exploitation and computer network attack. As technologies change, these distinctions may blur, but for now they provide a simple way to view the full spectrum of activities in cyberspace.
As DoD continues to suffer cyber attacks, it is investing significant resources in information assurance and network defense to ensure system confidentiality, integrity and availability. IA provides the means by which cyber threats are countered and enables the systems to provide protected, continuous and dependable services in support of warfighting and business mission areas. The proliferation of IT devices of all sorts, especially wireless and mobile units, all provide excellent capabilities and savings, but also increase our vulnerabilities.
During another congressional hearing last year, we listened to testimony on the administration’s new interagency Comprehensive National Cybersecurity Initiative (CNCI). As a result of our hearings and additional research, Congress took many actions in last year’s defense authorization to enhance cybersecurity. We recognized that cybervulnerabilities come not only from connecting to the Internet, but also from hardware vulnerabilities, and we closely examined trusted defense systems.
There is growing concern that major manufacturing for many mission-critical devices, such as routers, switches and workstations, has moved offshore, primarily to Asia. The inherent risks associated with procuring electronic components that have been designed, fabricated, tested or packaged in unsecure facilities abroad demand a well-planned and -structured response.
Given this, we asked the secretary of defense to look at the vulnerabilities in the supply chain of electronic components and assess methods to verify a level of trust. In today’s environment, we do not have the ability to protect everything we have. I would like to see us at least have a system in place where our most important assets are highly trusted.
One of the largest and most difficult challenges is arriving at a basic strategy for the nation to address cyberthreats. We saw the first steps toward this with the 2003 National Strategy to Secure Cyberspace by President Bush, and in 2008 the CNCI. While this initiative is aimed primarily at improving the ability of the Department of Homeland Security and other federal agencies to protect against and determine future threats, we need to refine the government’s efforts.
As we move forward, I believe we should take heed of the many good recommendations contained in a recent Government Accountability Office report on key improvements to the National Cybersecurity Strategy and in the bipartisan report on Securing Cyberspace for the 44th Presidency. I am also looking forward to reviewing the conclusions of the Obama administration’s recently completed 60-day review of cybersecurity under the direction of Melissa Hathaway.
INDUSTRY ROLE
With those reports in mind, we should focus on covering the nation and securing our most critical resources first. To accomplish this monumental task, Congress and the administration must work to ensure that a strong relationship exists between the government and industry.
More broadly, we must ask ourselves what role industry should have in cyber security. For the most part, the current acquisition process has created a situation where technology comes from industry and requirements come from government, but these are often separate actions with limited coordination. I believe that enhanced collaboration between government and industry is the best way to move forward. I want to make sure neither gets excluded from the decision-making process as national policy is developed around these important issues. Because I recognize that innovation propels this nation ahead, I am a firm believer that we in Congress need to focus on encouraging innovative leadership and rewarding success.
During recent congressional oversight of the Navy’s Next Generation Enterprise Network, I found that the innovation in industry is again providing a solution in the area of information assurance. Those responsible for implementing or operating a system often run into a situation where they must justify their own security capability and level of assurance.
Instead, starting with our large and critical systems, a separation of duty should be considered for each system. With this separation, a group of unbiased personnel can be tasked with continuous testing and best thinking to either pace or stay ahead of the threat.
The government’s collaboration with private companies aiding in IA work, and maintaining the capability to design and manufacture critical hardware and software products within the U.S., will lead to the development of an overarching cyber defense plan. Artificial government-imposed security requirements will simply not keep pace with the model I have just described.
We are at a crucial juncture with regards to cyber-issues and cyber security. As a member of the House Armed Services Committee and the House Permanent Select Committee on Intelligence, I am keenly aware of the threats to our national security, both foreign and domestic. Therefore, I hope we move quickly, but prudently, forward on a national cybersecurity plan that appreciates the collaboration between the government and private industry, and encourages innovation. ♦
Rep. Jeff Miller, R-Fla., serves on the House Armed Services Committee, Permanent Select Committee on Intelligence and Committee on Veterans Affairs.
