DoD Mulls Defending Key Private IT Systems
Making Einstein 2, Einstein 3 Available to Key IT Operators
In a speech at the Strategic Command Cyber Symposium in Omaha, Neb., on Wednesday, Defense Deputy Secretary William Lynn III also outlined a major shift in DoD's approach to cybersecurity that includes drastically reducing the time to deploy IT security systems and the increased use of sophisticated technology tools to support the smaller-than-needed Defense cybersecurity workforce of the future.
Lynn said the Defense Department is mulling using the Einstein 2 intrusion detection and Einstein 3 intrusion prevention systems developed by the Department of Homeland Security to help secure critical systems, such as those in finance and utilities, operated by the private sector.
"For the dot-com world, could we create a secure architecture that lets private parties opt in to the protections afforded by active defenses?" Lynn asked. "In this way protection would be voluntary. Operators of critical infrastructure could opt in to a government-sponsored security regime. Individual users who do not want to enroll could stay in the wild wild west of the unprotected Internet."
This type of approach for "secure.com" - as Lynn puts it - could build on the collaboration between DoD and the defense industry. "It could offer an important gateway to ensure our nation's critical infrastructure is protected from cyber attacks," he said.
James Lewis, senior fellow at the Center for Strategic and International Studies, a public policy group, compared Einstein 2 to a 1999 Mustang with a bit of rust. "For some companies it isn't a big deal," Lewis told the Associated Press. "But for others who haven't done much (to secure their networks) it would be a good idea."
Einstein 2 is in place in at least 11 of the 21 government agencies that police their own networks, according to the AP. The other 89 federal agencies will go through one of four major technology contractors for the Einstein monitoring. Einstein 3 is in a trial phase.
DHS, however, is hesitant to endorse a program like the one posed by Lynn, at least for now. "DHS and DOD are working together to secure our respective portions of government networks, and we are relying on private sector and government technical expertise to address those requirements," a DHS official said in an e-mail message. "We expect that experience will provide valuable lessons on ways in which critical infrastructure can be protected."
To defend its own systems, Lynn said DoD is establishing a task force he will head to significantly reduce the time to deploy IT to defend its systems. He said it takes an average of 81 months - nearly seven years - from when an IT program is first funded to when it becomes operational. Accounting for Moore's Law - in which computing power doubles every 18 to 24 months - systems are delivered four to five generations behind the state of the art. Apple, by comparison, developed the iPhone in 24 months. "That is less time than it would take us to prepare and defend a budget and receive congressional approval for it," Lynn said. "Steve Jobs gets an iPhone. We get a budget. It's not an acceptable trade. ... We need to match the acquisition process to the technology development cycle. In IT, this means 12 to 36 months cycles, not seven or eight years."
To do that, DoD will rely on incremental development and testing rather than trying to deploy large complex systems in one "big bang." "To achieve speed, we must be willing to sacrifice or defer some customization," Lynn said. "Making use of established standards, and open modular platforms, is of paramount importance."
Lynn said it was unrealistic that the Defense Department can recruit a sufficient number of IT security specialists to secure its systems, so it must rely on automated systems, sensors and artificial intelligence to "multiply the value of the trained cyber professionals we have."
"Over the next 20 years, there is little doubt that China or India will train more computer scientists than we will," he said. "We will not be able to keep up. Demographics work against us. If our cyber advantage is predicated solely upon amassing trained cyber professionals, we will lose."
That's something Lynn said he doesn't expect to happen.