Army Gen. Keith Alexander, the head of the U.S. military's Cyber Command and National Security Agency, painted a bleak picture of mounting challenges to the Defense Department's and the nation's IT systems.
"In framing my comments on our progress at Cyber Command, I have to begin by noting a worrisome fact: cyberspace is becoming more dangerous," Alexander said in testimony delivered to the House Armed Services Subcommittee on Emerging Threats and Capabilities.
At that same hearing on President Obama's $37 billion Defense Department IT budget request, which includes $3.4 billion for IT security, DoD Chief Information Officer Teresa Takai said the department will employ a two-prong approach - securing the perimeter as well as the data - as information and services are moved to standardized cloud computing platforms. "We're going to be able to better protect as we get more standardized," Takai said.
Data Center Consolidation
DoD's cloud initiative is part of the department's consolidation of data centers, from more than 770 to about 655 in less than two years. "Core data centers will be used for information services and applications that must be available broadly across DoD, and for the department's outward-facing applications and services required for interaction with industry and the public," the CIO said. "These will, in fact, become the initial DoD cloud computing instantiation."
As DoD fortifies its cloud offerings, Takai recognizes breaches will occur. "We need to be able to protect at the information level," she said. "That is why we're focusing very much on identity management so we know who is in the cloud. And, we're also linking that to what information that particular individual has access. It's really both of those that gives us assurance so that as we move to that kind of an architecture, we will be able to better protect our information."
Alexander concurred: "The IT infrastructure of the future - the STIn (Security Technical Implementation) virtual cloud environment - will make it a much more defensible architecture. I think that's the key to the future."
Anxiety over Cyber Destruction
Addressing the cyberthreats the nation faces, Alexander characterized them as three-fold:
- Exploitation, such as the theft of intellectual property;
- Disruption, such as the distributed denial of service attacks that disabled government IT in Estonia and neighboring nations;
- Destruction. "What we're concerned about is shifting from exploitation to disruptive attacks to destructive attacks," Alexander said. "Those attacks that could destroy equipment are on the horizon and we have to be prepared for them."
It's not that advancements haven't been made in cyber protection over the past year since the military stood up the Cyber Command. Alexander said organizations are better at identifying botnets, although he quickly added that didn't mean the computing environment is getting safer. "Now," the four-star general said, "the more sophisticated cyber criminals are shifting toward stealthier, targeted thefts of sensitive data they can sell ... targeting (organizations) with similar malware, often spread by clever phishing e-mails that hit an information security system at its weakest point - the user."
Subcommittee Chairman Mac Thornberry, the Texas Republican who leads House cybersecurity efforts, lamented the deteriorating security in cyberspace. "Despite the successes of Cyber Command over the past year, which I do not discount, it still seems to me that the dangers to our nation in cyberspace are growing faster than our ability to protect the country," he said.
The panel's ranking Democrat, Jim Langevin of Rhode Island, said that despite increased awareness of cyber vulnerabilities, many in the public and Congress don't fully recognize the potential for damage posed by a breached or disrupted network.
Social Media Can Cause Damage
Alexander said it's not just bold attacks on critical IT infrastructure that worry him; social media and mobile devices present additional security challenges. "Real and potential adversaries can and do learn a great deal about our personnel, procedures and deployments by monitoring the use that our people make of popular social media," he said. "As our military goes wireless, these threats to our weapons systems, communications, databases and personnel demand attention."
And though hacktivists' threats aren't as perilous as those of criminal gangs and nation states - more "chaotic and perhaps exaggerated in the media," as Alexander puts it - the actions of groups such as Anonymous and LulzSec prove troublesome. "The work of preventing those effects from disrupting DoD information systems does draw attention and resources," he said.
IT Security Skills Shortage
Alexander suggested that the nation's prosperity and security are threatened by a critical shortage of IT security skills and personnel. At the DoD, Alexander said efforts to build a cybersecurity workforce will require adoption of a single standard. He said the DoD is reviewing recruitment and incentive programs to build and retain the "best of the best cyber defenders," and is working to standardize, track and manage the training needed for all cyber personnel.
"In order to achieve our goals in this area by 2014," he said, "we must build a skilled force capable of full-spectrum cyber operations across a continuum of threats. We also need to build our workforce at Cyber Command and the service cyber components so that, in extremis, we have the capability to defend the nation in cyberspace."