General Chilton on the Cyber Fight
A friend of mine defending .mil pointed me towards this article by Wyatt Cash: Cyber chief argues for new approaches. The "cyber chief" in question is Air Force General Kevin Chilton, a 1976 USAFA graduate and the first astronaut to achieve four stars. I'd like to share several excerpts:
The military’s commander of U.S. Strategic Command in charge of cyberspace, Air Force Gen. Kevin Chilton, warned that the underlying challenges and costs of operating in cyberspace often go unrecognized. And he proposed several measures to improve the security of the military’s non-classified networks.
“The hardest thing we’re challenged to do in cyberspace,” said Chilton, isn’t defending against cyberattacks. It is “operating the net under attack...”
“People talk about defending or exploiting cyberspace, but we don’t talk much about operating it if it’s under attack,” Chilton said. “It’s not easy work. And it’s not work to be taken on by amateurs.”
Chilton argued that many of the incidents that are billed as cyberattacks are more accurately just old-fashioned espionage — people looking for information who don’t necessarily represent military threats.
At the same time, the “exfiltration of data is huge” and is cause for concern, he said...
“Every time we have a problem or a virus is loaded, or someone comes in and takes over systems administration of a computer or a server, we have to take that system offline, scrub it, and sometimes throw it away. Guess what: That ain’t free,” said Chilton.
“We’re trying to get our arms around how much this is costing us every time someone breaks into our NIPRNet [unclassified but sensitive Internet protocol router network]. Some estimates are around $100 million a year; some people think that figure is low,” Chilton said...
Another step, which Chilton detailed with reporters after his presentation, would involve investing more heavily on sensor technology to filter and monitor data traffic. That would not only improve awareness and response times but ease the mounting burden of forensic work, Chilton said.
Chilton also proposed making “the operation and the defense of our network, the commander’s business,” arguing for commanders to hold people more accountable when network incidents occur.
Looking ahead, Chilton stressed the importance of increasing the number of people who are trained and equipped in the workings of cyberspace to be ready for attacks during a time of war.
“Like in any other domain, we need to train like we’re going to fight, and we’re in the fight every day already,” he said.
I am very interested in the cost question. I devised a "debt" scenario at work to describe this problem. It's common to try to justify a security program (product, process, and/or person) using loss avoidance terminology. However, not all of the losses one seeks to avoid will in fact be avoided. Speaking strictly from a system integrity point of view (to simplify this dicussion), each system that is compromised incurs a future cost. Again radically simplified, the most basic cost involves rebuilding the system from scratch (if one acts conservatively).
General Chilton undoubtedly wants to know how much that one process costs. Imagine that you defer that cost by not detecting and responding to the intrusion. Perhaps the intruder is stealthy. Perhaps you detect the attack but cannot respond for a variety of reasons (see Getting the Job Done). The longer the intrusion remains active, I would argue, the more debt one builds.
This should be easy to justify in a theoretical sense. For example, the longer an intrusion persists:
I'm sure you could imagine other problems with having persistent intruders. For budget justification purposes, it would be helpful to quantify this financially. Perhaps it would be possible for teams who have spent money on outside IR consulting to reason backwards from the final bill to create a rough estimate of these costs?
I bet the $100 million figure is for clean-up costs alone. It doesn't factor the cost of the damage caused by an adversary power knowing how to detect American submarines in the Taiwan Strait, or knowing how to fool missiles fired by American jets, or any other costs in lives and hardware associated with a future battle with an enemy well-versed in American military technology.
Overall, it's great to see this much attention at the four-star level.
The military’s commander of U.S. Strategic Command in charge of cyberspace, Air Force Gen. Kevin Chilton, warned that the underlying challenges and costs of operating in cyberspace often go unrecognized. And he proposed several measures to improve the security of the military’s non-classified networks.
“The hardest thing we’re challenged to do in cyberspace,” said Chilton, isn’t defending against cyberattacks. It is “operating the net under attack...”
“People talk about defending or exploiting cyberspace, but we don’t talk much about operating it if it’s under attack,” Chilton said. “It’s not easy work. And it’s not work to be taken on by amateurs.”
Chilton argued that many of the incidents that are billed as cyberattacks are more accurately just old-fashioned espionage — people looking for information who don’t necessarily represent military threats.
At the same time, the “exfiltration of data is huge” and is cause for concern, he said...
“Every time we have a problem or a virus is loaded, or someone comes in and takes over systems administration of a computer or a server, we have to take that system offline, scrub it, and sometimes throw it away. Guess what: That ain’t free,” said Chilton.
“We’re trying to get our arms around how much this is costing us every time someone breaks into our NIPRNet [unclassified but sensitive Internet protocol router network]. Some estimates are around $100 million a year; some people think that figure is low,” Chilton said...
Another step, which Chilton detailed with reporters after his presentation, would involve investing more heavily on sensor technology to filter and monitor data traffic. That would not only improve awareness and response times but ease the mounting burden of forensic work, Chilton said.
Chilton also proposed making “the operation and the defense of our network, the commander’s business,” arguing for commanders to hold people more accountable when network incidents occur.
Looking ahead, Chilton stressed the importance of increasing the number of people who are trained and equipped in the workings of cyberspace to be ready for attacks during a time of war.
“Like in any other domain, we need to train like we’re going to fight, and we’re in the fight every day already,” he said.
I am very interested in the cost question. I devised a "debt" scenario at work to describe this problem. It's common to try to justify a security program (product, process, and/or person) using loss avoidance terminology. However, not all of the losses one seeks to avoid will in fact be avoided. Speaking strictly from a system integrity point of view (to simplify this dicussion), each system that is compromised incurs a future cost. Again radically simplified, the most basic cost involves rebuilding the system from scratch (if one acts conservatively).
General Chilton undoubtedly wants to know how much that one process costs. Imagine that you defer that cost by not detecting and responding to the intrusion. Perhaps the intruder is stealthy. Perhaps you detect the attack but cannot respond for a variety of reasons (see Getting the Job Done). The longer the intrusion remains active, I would argue, the more debt one builds.
This should be easy to justify in a theoretical sense. For example, the longer an intrusion persists:
- The greater the likelihood the intruder finds and steals, alters or destroys something of value on the system
- The greater the likelihood the intruder will identify a way to compromise other systems
- The greater the likelihood that relevant log files from the beginning of the intrusion will expire
- The more difficult it could become for the IR team to determine the scope of the intrusion
- The more entrenched the intruder could become as he learns the inner workings of the victim's security and administration processes
I'm sure you could imagine other problems with having persistent intruders. For budget justification purposes, it would be helpful to quantify this financially. Perhaps it would be possible for teams who have spent money on outside IR consulting to reason backwards from the final bill to create a rough estimate of these costs?
I bet the $100 million figure is for clean-up costs alone. It doesn't factor the cost of the damage caused by an adversary power knowing how to detect American submarines in the Taiwan Strait, or knowing how to fool missiles fired by American jets, or any other costs in lives and hardware associated with a future battle with an enemy well-versed in American military technology.
Overall, it's great to see this much attention at the four-star level.
Comments
All the more reason though, to proceed with proactive defense models (scalable MLS), than just monitoring, detection and remediation.