When the Army, industry and local governments team up in
"live-fire" cyber exercises, the results are mutually
beneficial, said Col. Andrew O. Hall.
Hall, director
of Army Cyber Institute, and other cyber experts spoke at an
Association of the U.S. Army-sponsored forum on cyber
issues, December 13, 2017.
The reason that robust
exercises are beneficial, he said, is that gaps in cyber
defense become apparent and leaders of these communities
learn what actions they must take to defend themselves.
In turn, lessons learned help the Army to better
understand how to defend all the networks, which are all
vital to national security, he continued.
A good
example of this collaboration, Hall said, is the Jack
Voltaic cybersecurity exercise. In 2016, the exercise
brought together representatives from the Army and critical
infrastructure sectors in New York City including finance,
energy, telecommunications, emergency management, and city
government to respond to a two-day simulated cyber-attack
against the city.
When the Army, industry and local governments team up in "live-fire" cyber exercises, the results are mutually beneficial, said Col. Andrew O. Hall, director of the Army Cyber Institute. (U.S. Army photo illustration by Peggy Frierson,
December 2017)
Participants were also invited to West Point, where they
got a crack at using ACI's cyber simulation center, he
added. ACI published a report describing the methodology of
the exercise, results, and possible improvements so that
other cities may replicate or build upon the exercise.
Natasha Cohen, director, Cyber Policy and Client
Strategy, BlueVoyant, pointed to
several case studies that show a variety of ways that the military
can partner with the private sector and local government to address
the diverse nature of the threat, which she said is growing in part
because of the proliferation of hacking tools that enable relatively
low-skilled users to conduct operations against a variety of
targets.
In 2015, the Maryland National Guard responded to
real-world, distributed denial-of-service attacks in Baltimore, she
said. DDoS attacks occur when multiple computer systems become
infected, essentially shutting down targeted systems, in this case,
the state of Maryland's.
The Guard was able to download tools
that malicious actors had used and figure out how to defend against
them, she said.
Although the incident ended before the Guard
was able to share those findings with the targeted organizations,
the experience did help to work through the legalities of such
action and set the stage for assistance in the future, she said.
While the threat to organizations can be real, not every
industry has the resources to conduct some of the more expensive
security operations such as penetration testing, Cohen said,
explaining that "pentesting" involves an authorized, simulated
attack on a network to evaluate its security.
In 2016, the
National Guard conducted a pentest on the Snohomish County Public
Utility District network in Washington state, said Cohen.
The
Guard was specifically trained in supervisory control and data
acquisition, or SCADA, and industrial control systems, and was able
to highlight a number of areas for improvement in the public
utility, she said, noting that SCADA is a control system
architecture involving critical services such as electricity,
natural gas and transportation.
This agreement between the
Guard and utility took two years to put together and hasn't so far
been replicated, unfortunately, she said. "If the lessons learned
from this experience could be shared and implemented across other
states, it might provide a win-win for both sides -- training for
the Guard and testing for critical infrastructure systems."
When a cyberattack occurs on a civilian organization, there is a
need to surge outside resources to defend against it, Cohen said.
Oftentimes, those surge forces, be they military, government or
private-sector, are unfamiliar with how the organization does
business, the security tools it uses and so on, so they cannot bring
the right tactics, techniques and procedures to bear.
Arizona
succeeded in attacking this problem by creating a hub for
collaborative cyber information-sharing in a neutral environment of
trust where partners from industry, academia, law enforcement and
intelligence come together, she said, citing the non-profit Arizona
Cyber Threat Response Alliance, Inc., or ACTRA, which has led that
effort.
Hall lauded the collaborative efforts which Cohen
cited, and said that ACI is working with the Command and General
Staff College at Fort Leavenworth, Kansas, to create a common cyber
language that will facilitate information-sharing among cyber and
non-cyber personnel, since many terms can seem cryptic to laymen.
At this time, the 780th Military Intelligence Brigade is testing
this common-language concept at the National Training Center at Fort
Irwin, California, and is working to train the next generation of
leaders in being more fluent in the cyber domain.
Tyson B.
Meadors, director for Cybersecurity Policy, National Security
Council, said it's often difficult to surge cyber defenders because
there's a shortage of about 300,000 cybersecurity professionals in
the U.S. workforce. Small and mid-sized companies might not even
have a cybersecurity expert on staff.
That's why
public-private partnerships and exercises are so important to
bridging this gap, he said.
One framework for surging cyber
defenses that could be utilized regionally or nationally, Meadors
said, is the Defense Support of Civil Authorities. DSCA was
originally designed as a natural-disaster-response framework for
inserting the Guard.
Reaction time has traditionally been
measured in days, he said. However, a cyberattack on critical U.S.
infrastructure would need to be dealt with in hours, since "we're
going to lose all sorts of services at once."
Modifying DSCA
to include cyberattacks, he said, "is a policy tweak that needs to
be examined."
Cohen concluded that relations between the
military and industry regarding cooperative cybersecurity measures
will need to be based on trust and good relationships.
The
private sector does not like to give away their own security
vulnerabilities, she said, but at the same time, they need
actionable intelligence that the military or government might be
able to provide.
By U.S. Army David Vergun
Army News Service
Copyright 2018