U.S. Cyber Commander: Threats Are Relentless, Education Is The Key11:27 AM EST Wed. Nov. 07, 2012
One of the federal government's top security officers told government and private sector representatives Wednesday that working together to tackle cybersecurity is no longer a nice-to-have, but a necessity.
And that's true regardless of who's in the White House, said Gen. Keith B. Alexander, Commander, U.S. Cyber Command and Director, National Security Agency/Chief, Central Security Service.
"We can defend this space. But we're stuck at the starting line figuring out how we're going to do this," Alexander said in a morning keynote at the Symantec Government Symposium in Washington, D.C., Tuesday. "That's going to be the push you see from the administration and Congress, and should be the push from business and the American people. We all have these devices. We all benefit by having secure devices that our children and grandchildren can get on and call from securely."
[Related: Top 10 Strategies To Avoid Phishing Attacks]
It was a familiar refrain to kick off the annual Symantec industry gathering, but as Alexander described it, cybersecurity threats to core infrastructure in everything from U.S. banking institutions to electrical grids are dramatic, relentless and only getting bigger in sophistication and volume.
"Everybody's getting hit. Everybody's being exploited," Alexander told attendees, listing major attacks from the past two years such as those of security intelligence firm Stratfor, integrator giant Lockheed Martin and security vendor RSA. "Intellectual property is the biggest theft."
Alexander also mentioned a run of recent cyberattacks to hit Wall Street firms -- including attacks on some 50,000 accounts from over the summer -- and said that what emerged from analysis of those attacks was that distributed denial of service (DDoS) threats are going to continue to be some 10 to 20 times greater in size and scope than in the past.
Count Alexander among those who believes the government and the private sector can solve these problems in concert, and create both a stronger security infrastructure while protecting citizens' privacy.
"I don't see this as 'either/or,' I see this as 'and,' " Alexander said.
The way cyberspace is organized now involves Internet service providers, anti-virus vendors, sector-specific agencies and government regulators. Addressing gaps in that topology is fundamental, Alexander said, but so is educating workers at every stage.
"The biggest problem is education," Alexander said. "Most people do not technically understand the network."
The Department of Defense has 15,000 enclaves, but how does the government ensure each of those can patch and fix systems to mitigate cyberthreats in a uniform way? Alexander gave the example of a defense contractor receiving a patch from an anti-virus vendor but who runs out of time during the course of his or her workday to apply that patch.
"Say the guy says, 'I don't have time, I'll do it in the morning.' Well, the adversary got in that night on got on three systems. The next morning it was patched. Too late. You just patched him in there," Alexnader said. "He got onto 10,000 systems, all because they were late doing one patch."
The urgency level is much higher now that IT resources are distributed, Alexander said, noting the explosion of mobile device usage in both the public and private sectors.
"We need a defensible architecture," he said. "Thin, virtual cloud [computing] is key to our success in a couple of areas for DoD. We have a lot of mobile users. Securing mobile users is key to that future."
Alexander reiterated several times that above all, government and industry stakeholders must collaborate.
"We spend a lot of time talking about what we should do when we should do it," Alexander said. "We're going to wander around until something bad happens and then we will react and come up with the wrong solution. While we have the time, we need to be in the room together and educate people on the solution."
Alexander described the work government does with industry and also software communities such as open-source developers as a "Tom Sawyer" approach to collaboration.
"You're going to help us paint that fence," Alexander said.
PUBLISHED NOV. 7, 2012