Wednesday, July 7, 2010

Who Will Deliver Actionable Cybersecurity Solutions?

In his first public appearance, Gen. Keith Alexander, the head of the US Cyber Command and Director of the National Security Agency, stated that DoD was lacking situational awareness: simply, knowing what hackers were doing in its systems.

The lack of situational awareness means that key defense IT systems remain exposed to sabotage. With 7 million DoD computers linked by means of 15,000 networks, there are 250,000 unauthorized probes per hour. Such events are discovered only after the fact, and often never.

The cybersecurity dangers are clear and present. What is the government doing to address such threats?

The US Government Accountability Office (GAO-10-466) has just published a report on the current status of cybersecurity research & development. The GAO findings reveal an unsatisfactory proliferation of efforts, which are marginally funded.

The following organizations were identified as dealing with cyber defenses:

President's Council of Advisors on Science and Technology;
President's Information Technology Advisory Committee;
National Security Council;
Cybersecurity Office/U.S. Cybersecurity Coordinator;
Office of the Director of National Intelligence;
Office of Management and Budget;
Office of Science and Technology Policy;
National Science and Technology Council;
Committee on Technology;
Subcommittee on Networking and Information Technology;
National Coordination Office of Networking;
Senior Steering Group for Cyber Security;
Cyber Security and Information Assurance Interagency Working Group;
Special Cyber Operations Research and Engineering Group;
OSD Research and Engineering Directorate;
Office of Naval Research;
Army Research Laboratory;
Air Force Research Laboratory;
Defense Advanced Research Projects Agency;
National Security Agency;
Department of Energy Cybersecurity Research;
National Institute for Science and Technology;
Department of Homeland Security;
Institute for Information Infrastructure Protection.

In addition to the government-managed R&D dealing with cybersecurity, there are at least another dozen private sector organizations funding similar efforts.

The chances are remote that any of the above institutions will solve General Alexander's problems in the foreseeable future. While policy-level discussions, which rarely produce actionable solutions, continue, the DoD should meanwhile concentrate on how to overcome the vulnerabilities of its porous networks and computers. DoD spends over $33 billion/year on IT for managing the sources of its risky networks. DoD should concentrate immediately on the security of its presently installed computer applications. This can be achieved only through the adoption of much safer cloud computing designs. How to do so will be discussed in follow-on blogs.

SUMMARY

There is no question that the existing institutions will have to continue de-conflicting and re-focusing the activities of their research and development cybersecurity efforts. Meanwhile, on a more actionable level, the migration to a more secure cloud environment should proceed at an accelerated pace.  


For comments please e-mail paul@strassmann.com