Invisible Enemies

A pipeline held hostage by ransomware. An online attempt to poison a city’s water supply. Massive breaches of bank databases and other sensitive information. Armies of trolls spreading truth-tinged misinformation and conspiracies to sway elections.

Governments, corporations, and individuals cannot keep up with the constant attacks from malevolent keyboard cowboys, most seeking quick riches, a few merely malicious. And then there are the Chinese, Russians, North Koreans, Iranians and non-state actors whose objective is to destabilize whole societies.

The pandemic has opened a pandora’s box of vulnerabilities as millions of government and private sector employees re-deployed to home and began logging in to their office networks via personal laptops and even mobile phones… many with lax or no security safeguards.

This has led, in turn, to calls to accelerate application of the “zero trust” concept of sectioning a network and limiting users’ data access to need-to-know. “I think we are at one of these inflection points here”, acting US DoD CIO John Sherman said recently. “Our current approaches are not going to take us into the future here.”

The SolarWinds breach, by which Russian hackers infiltrated networks through a software supply chain, has motivated government IT officials to treat everyone like an outsider, hence zero trust. (Seems to be the case with many things these days.)

Federal Chief Information Security Officer Chris DeRusha said zero-trust security concepts are “rooted in three core principles – verifying every user, validating every device, and then within that, limiting access to intelligence. This is obviously a shift away from the prior trust model that assumed if a user has a firewall, then you know they can be trusted, and obviously this isn’t bearing out. So we’ve got to move to this new model that assumes everyone and everything is untrustworthy until we prove otherwise.”

Like it or not, legitimate users will be forced to become more cybersecurity conscious. Or you’ll be blocked into time-out until a surly admin deigns to reset your password… and your find-the-bicycles captcha… and your one-time SMS code.

Following cyber-attacks that reduced two hospitals to “all paper”, French president Emmanuel Macron in February heralded a 1.6-billion euro plan to strengthen the security of sensitive systems and called for “1,000 cyber fighters by 2025”.

The cyber-warriors may not be so easy to come by. An Information Systems Security Association survey shows a global cyber workforce shortage in both public and private sectors. And 45% of cybersecurity professionals in North America, Europe, Asia, and Latin America believed the cyber workforce shortage has worsened during the last few years. The International Information System Security Certification Consortium estimates the US cyber workforce needs to expand by 62% while the global cyber workforce needs to increase by 145%.

“I think the divide between the need is growing compared to what we’re able to fulfill. I’m not sure we’re closing the gap, and time is ticking for us to do so,” said LtGen Dennis Crall, CIO of the Joint Staff, during a recent hearing before the US Senate Armed Services Subcommittee on Personnel. “I’m not absolutely certain” the military will be able to get “the right talent delivered at the right time”.

As the US military moves closer to its Joint All-Domain Command and Control (JADC2) concept to connect sensors from all of the military services into a single network, LtGen Crall is justifiably concerned: “We have not onboarded the very capabilities we need to employ: machine learning, autonomy, artificial intelligence, a real cloud-based environment, pushing that processing to the tactical edge and a reformed network.”

With a spread-thin cyber force, it is imperative that commanders understand the skills and weaknesses of their personnel, to accurately measure and maintain team and mission readiness, and that’s what the pending “Cyber Innovation Challenge 4” contract tranche of US Cyber Command’s Persistent Cyber Training Environment (PCTE) hopes to reveal in detail.

The two major areas of CIC4 are “cyber mission force assessment, which is improving our ability to assess our training of the force, and traffic generation, increasing the realism of operating [in] the internet,” LtGen Stephen Fogarty, commander of Army Cyber Command, told a virtual industry day audience.

“The speed with which [JADC2] is going to require us to operate is going to have a level of human-machine interface we’ve never had before,” LtGen Crall expressed. “And it’s hard for me to believe that the force we’re looking at today is necessarily rightly aligned to that new mission set.”