International Affairs Forum: You had a long and diverse career in military intelligence. Where do cyber security and intelligence work dovetail?
Terry Roberts: I take this from a much broader perspective and look at it as the overall cyber environment. The cyber environment is all those missions and functions that we perform; it is all the people who are living, working, and socializing in that operational space. All mission sets are now conducted within and are a part of cyberspace. So the cyber arena is a key area for knowing our adversaries, knowing their capabilities and intentions, and protecting our cyber environment. That’s how I believe they interrelate.
IA-Forum On October 1st, Deputy Defense Secretary Lynn noted that the DOD faces many cyber threats “from teenage hackers, to organized crime networks, to attacks by foreign intelligence services.” From your vantage point, having recently left a senior position in Navy intelligence, what are the two or three most important issues concerning cyber security vis-à-vis the DOD?
Roberts: I’ve thought a lot about this one over the last couple of years. There are two important issues that should be considered. First, I believe that DOD military and civilian leadership need to embrace the idea that today’s cyber environment is the most revolutionary change to our civil and military defense since the nuclear age. I don’t mean to say that in a reactionary way. I actually believe it has even greater implications because it impacts everything that we do, both inside and outside of the military. Many of us who are of the baby boomer generation – which includes much of today’s leadership – need to realize it’s our operational imperative and we just don’t get it. Second, there needs to be a focus on educating our leadership that ignoring today’s cyber environment would be the greatest threat to our operational capabilities and our national security today, other than nuclear and biological warfare.
IA-Forum Do you think that new leaders coming up in their 20s, 30s and 40s in the military do get it?
Roberts: I think they get it at a tactical level. But they need and they are looking for the leadership, the vision, and the operational framework to work within. There are some leaders who get it but they are in the minority. So the question becomes what and how do we need to educate the leadership. Education forums can include seminars, senior-level forums and panels. We need to use and leverage these venues to promote dialog and discussions with our government leaders. When you look back to the nuclear age and you see all of the discussions, venues, strategies, brainstorming, and engagements with academia worldwide, it was a decade or two processes. I believe we need to use the same approach now with cyber.
IA-Forum So I assume that you would look at President Obama’s formal cyber security review this past spring as sort of a top-down leadership way to keep this thing moving forward.
Roberts: Absolutely. The three major venues that I’m familiar with are the Comprehensive National Cyber Initiative (CNCI) that Melissa Hathaway led; the cyberspace policy that the President introduced in May; and, Congress’ cyber security commission now in its second phase. All of that encourages great cross-interagency cooperation and a high-level, driven vision.
IA-Forum The DOD has begun sharing intelligence on cyber threats with some of its largest contractors, and in turn they’ve shared their security breaches with the DOD – this is in the “Defense Industrial Base” (DIB) initiative. This hardens some of the contractor networks, but surely it missed some of the other smaller contractors and subcontractors?
Roberts: The SEI’s CEO, Paul Nielson, is a member of the DIB and he believes that it’s a critically important pilot program and I agree completely. There is definitely a recognition that smaller contractors and subcontractors are equally at risk and we need absolutely need to broaden the effort. But they needed to start somewhere to build it; essentially trying out the processes, building the trust and setting up a battle rhythm so to speak. Then we can start on the next level. One of the next venues that was recently brought up is the INSA [Intelligence and National Security Alliance]. INSA recently published a white paper called “Addressing Cyber Security Through A Public/Private Partnership, An Analysis of Existing Models”. It focuses on that sense of urgency, on the development of a private/public formal partnership that’s broader and inclusive of DOD and all industry. It’s a model that provides a comprehensive approach which provides a platform for the mutual benefit of showing that we need to focus on ‘net safety.’ This is very similar to the axioms in the aviation safety and electric reliability forums. This is not an area where DOD needs to drives all the innovation. This is an area where the commercial sector owns most of the infrastructure on which we rely. It really has to be between DOD and the larger group.
IA-Forum Now, is seems that cyber warfare has become another tool in a military arsenal, ours and others, and information networks are a new virtual battlefield. According to a 2008 report, China’s cyber capabilities are outstripping the U.S.’s to the point that the US cannot detect a Chinese cyber attack or intrusion. Yet on October 1st, Deputy Defense Secretary Lynn said that DOD must cooperate with nations around the globe. So how do we deal with trading partners who may likely also be virtually attacking us?
Roberts: I think you have to approach each area in its own arena. We will always be competitors, and this is with the greater partnerships around the world, and at times, we may find ourselves as adversaries, and maybe not even in a state-to-state way. With China or any other adversary, it really doesn’t matter; this is a global threat arena. We have to know how to deal in that global threat arena and keep things separate, like our economic relationships, and then concentrate in the work the cyber threat arena in its totality. But it isn’t just a Chinese issue. There are a lot of other adversaries out there with even greater, more cutting-edge capabilities than we’ve seen from China.
IA-Forum What scenario do you imagine in which a cyber attack could occur or escalate that would justify a military response?
Roberts: While, I can’t walk through the national command authority logic train, I can explain why I am involved and passionate about cyber assurance and cyber security. I know what can happen. I visited Singapore and many other places worldwide and I can understand how an attack on a port authority’s net and infrastructure can cause problems. If a port authority can’t operate, if you need to shut down that port where 50% of the world’s trade is going through, you can have a huge impact. Long Beach was closed for a few days because of strikes; billions of dollars were lost. If a port can’t operate, then it can be a huge international economic issue and that’s just one microcosm of what could occur.
IA-Forum The Secretary of Defense is about to announce a DOD policy on the use of social networking services [SNS] for military personnel. A DefenseLink article in August listed some of the risks of using SNS, such as violations of operational security, network vulnerability, and bandwidth drain. Yet the Chief of Naval Operations recently said that sailors were using social networking tools for operational tasks, such as command and control. With your expertise in communications technologies, software and architectures, what’s the real risk in the military’s use of SNS?
Roberts: When you become a member of the civilian or military team in the U.S. government, you are in a position of trust and sometimes there are varying levels of trust, confidence, and insight that you’re provided. You always know that by joining a team you therefore have to limit some of your personal life and personal interaction. And the more sensitive a position you’re in, the more limitations there may be. Ten to 15 years ago, when I was in the Navy, I first gained insight into adversaries going on our open source lines to track where our commanding officers lived and who was in their command. You can imagine how much more sophisticated it’s gotten today. When you join the government or the military, there has to be some limitations on what you can put out for our adversaries to exploit.
IA-Forum In 2007, the Navy created an expeditionary intelligence command whose mission was to provide tactical force protection, indications and warning intelligence, enabling commanders to conduct missions across the full spectrum of expeditionary and major combat operations. How might that kind of unit be involved in cyber warfare?
Roberts: With a wireless environment, and with the capabilities that we have on both the commercial and the military side, a cyber-enabled adversary has all the tools of the trade in play. Why would you kill an adversary if you could disable their C2 [command and control] or their power source or their re-supply, or discern their intentions by exploiting their C2? You would want to use all of those tools at your fingertips, which are quickly being able to go into almost any arena.
IA-Forum Government Executive and other sources have talked about the Navy combining the functions, personnel and resources of separate intelligence and communication networks into one large information dominance unit, which will create the Navy Cyber Command, which I believe is the 10th Fleet. The goal is to better equip, man and train the Navy in the 21st century. How do you think this new unit will be an improvement?
Roberts: Having been a member of the intelligence community, I believe one of their key strategies will be their decision advantage. That is what can we provide and deliver today to both our commanders and our operators in the field. It really doesn’t make sense to have your networks not operationalized and not leveraged. We need to ensure that we are providing decision advantage down to the tactical level. This kind of aligned and unified focus makes a lot of sense. Where it’s going to eventually go and how comprehensive it’s going to become, vis-à-vis the other commanders and their sphere, is still yet to be worked out, but I think it’s the right first step.
IA-Forum It seems there are quite a few cyber commands popping up in various levels and organizations throughout the U.S. government, e.g., a naval cyber command, the Dept. of Homeland Security, the Commerce Dept having their own internal cyber commands, also the DOD the cyber command, which goes up through STRATCOM which may have a line going to the National Security Agency. Is this going to create too much stovepiping?
Roberts: Well, anyone who owns, operates, and has responsibility for networks is going to have to perform basic ‘man, train and equip’ functions for those networks, whether on the DOD side, the civil side, or the industry side. What is important is that we set up leadership alignment, synchronization, coordination, and transparency in key functional areas, like situational awareness, indications and warning, and new threat sectors. It really becomes a matter of the roles and responsibilities that are inherent at the department and agency level, industry, company, and/or corporate level. Then establishing what truly needs to be instituted at an interagency level.
IA-Forum The Defense Advanced Research Projects Agency is putting up a “cyber range”, a model internet to actually do some tests for simulations and threats. Should the U.S. Cyber Command have offensive as well as defensive capabilities?
Roberts: I think they have to work through all the national command authority issues associated with that, but the Department of Defense side has both an offensive and defensive capability so they have to have the full gamut available to them. It has to be structured in a unique way though because it isn’t strictly always in a military sphere.
IA-Forum How can the acquisition process be streamlined to keep up with new cyber security technologies and software and hardware vulnerabilities?
Roberts: At Carnegie Mellon’s Software Engineering Institute [SEI], we have worked on this extensively because we support over 100 DOD, intelligence community, and civil major acquisition programs, many of them being system of systems, or ultra-large systems. There is a difference between major acquisition program and one that is more developmental evolutionary architecture that is evolving. The latter involves software applications and services that are continually being integrated and upgraded. There needs to be a defined difference between something that is truly a startup, major acquisition program versus a developmental or evolving network environment. For a developmental environment, we need to be more in tune with the kinds of gates and availabilities on the commercial side so that we can keep up with the commercial sector’s R&D advancements, which is where most of it is taking place. We have to have different approaches and different models. This is where the SEI is at the forefront and leading because of our work with Department of Defense.
IA-Forum When you went to this new position at SEI, as Executive Director for Acquisition Support, Cyber/Interagency, what were two or three things that were most appealing about this new job?
Roberts: First of all, I was excited about being the interagency lead for SEI which includes its CERT [community emergency response] function. I felt that there was just an incredible amount of innovative and truly groundbreaking work that was being done, but senior levels in the interagency were not aware of our work. I believed that I could connect the SEI with the right people who are making those key decisions, so that we can help them to have a positive impact. Number two was the realization that, as the world’s first CERT established in 1988, and the groundbreaking work that SEI has been doing ever since, we needed to partner more effectively with the government so that our advances would not only benefit the industry side but become a more integral part of the overall government foundational approach to cyber assurance for the next ten years. I wanted to be a part of those discussions, and hopefully some of the solutions.
IA-Forum Can you explain a little bit about what the CERT is?
Roberts: There are all different kinds of CERTs, and actually ours is broader than incident response and coordination. We develop and promote the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services. Our areas of focus include: software assurance, secure systems, organizational security, coordinated response, and education and training. We focus on research and development from the software development side. I’m not sure that people realize that 90% of all cyber vulnerabilities are the result of software weaknesses. But many don’t focus on the software side of the issue, because it’s not seen as the sexy work, or of the foundational work. The bottom line -- if organizations don’t use software standards – the SEI’s or others -- developed by the international community, then they are starting with a faulty, insecure foundation to their cyber environment.
IA-Forum So at this point are there international standards that people are adhering to or working towards?
Roberts: Yes, we [SEI] work with the international community to help establish security and software engineering standards. But there are no mechanisms in place to promote the international acceptance of those standards, unless you’re a member of one of the international associations. The SEI’s CERT program was responsible for establishing FIRST (Forum of Incident and Response Security Teams). FIRST is actually the first international CERT-focused association that has brought together many of the international CSIRTs (computer security incident response teams) and players, to work on cyber security issues, coordination, and partnerships. In addition, our CERT program was the first incident response team established in the world in 1988.
IA-Forum Is it possible to create a more secure network, maybe a classified kind of network for defense contractors and power grids for instance that’s not so vulnerable as the internet and open source software are now? Maybe a second-tier internet?
Roberts: Absolutely. The SEI and others in the research community have developed many of approaches, frameworks, and models that would assist in the creation of this type of network. For instance, the SEI CERT program has developed a new resiliency and business continuity model call the Resiliency Management Model. It provides guidance for measuring the current competency of essential capabilities, setting improvement targets, and establishing plans and actions to close any gaps. Essentially, it is “baking in” assurance and security. Organizations can also Use open source software, but then you have to put it through its paces. So tools, protocols, and approaches for doing that are also research initiatives that we have developed with the community. There are a lot of things that you can do that are foundational and enduring, as opposed to only focusing on a patch, reactive kind of mentality.
IA-Forum Does it make sense to create keys and encryption to harden networks?
Roberts: I have not had the time yet to become a technical expert in this arena, but I would say that it a multi-pronged offense is always a best defense. Encryption is certainly a part of that but it is not the only solution. Encryption protects your data, but it won’t protect your network.
IA-Forum What is foremost in your mind when you hear about the increasing sophistication and capabilities of cyber attacks on U.S. military networks?
Roberts: Inevitable. Since the mid-90s, I’ve watched these attacks grow. I think when you look at it today, you realize the reason that we’re in this position is that we looked at the enabling power of the networks rather than treating the networks as a command and control capability. We needed to build in the assurance and security from the beginning. Now we are in the reactive – or band-aid approach, and that isn’t the right approach. We are truly looking at how to design things from the bottom up. The good news is that because of all that activity everyone in industry and the government are taking notice. They realize that the approaches that we’ve taken in the past are not going to be enduring and are not going to lead to solutions. Certainly the volume of malware generation development and evolution has gone up a hundred-fold over the last ten years. Therefore, traditional methodologies are not the only long-term solution. Research and development coupled with government and industry partnerships are key approaches that we need to adopt.
IA-Forum Is there anything else about SEI and your current work that you’d like to highlight regarding cyber security or assurance?
Roberts: I think the most important thing is that the SEI (and other labs) are conducting great, cutting-edge research in cyber security, software engineering, and other related areas. What the US needs, however, is a more concentrated focus on cyber. I think setting up a cyber technologies task force within DOD –perhaps across the interagency -- and partnering with industry is something that should be explored, so that our [SEI and other FFRDCs] work can be connected and enabled in support of government requirements and key government partnerships.
IA-Forum Thank you, Terry.
Terry Roberts is the Executive Director of the Acquisition Support Program (ASP)/Interagency and Cyber. Prior to holding this position, Roberts was the Deputy Director of Naval Intelligence (DDNI).
|
Comments in Chronological order (2 total comments) |
|
|
This interview of Terry Roberts, regarding essential understanding of cyberspace that impacts our entire world
and life of all people is so enlightening! The message is particularly relevant coming from the most recent Deputy Director of The United States Naval Intelligence, who knows the urgent need of developing new software engineering essential for both military and civilian defense with accelerating global communication. Thanks to The International Affairs Forum I now know and am grateful that Terry Roberts has given that mission a priority in her life through currently serving as Director of SEI, Carnegie Mellon's Software Engineering Institute.
Martha W. Longenecker |
|
This interview of Terry Roberts, regarding essential understanding of cyberspace that impacts our entire world
and life of all people is so enlightening! The message is particularly relevant coming from the most recent Deputy Director of The United States Naval Intelligence, who knows the urgent need of developing new software engineering essential for both military and civilian defense with accelerating global communication. Thanks to The International Affairs Forum I now know and am grateful that Terry Roberts has given that mission a priority in her life through currently serving as Director of SEI, Carnegie Mellon's Software Engineering Institute.
Martha W. Longenecker |
|