Managed Risk Best Way to Deal with Cyber Threats: Panel
Managing cybersecurity risk is the more appropriate approach than seeking to make systems risk-free, according to a cyber industry panel held Monday at the 28th National Space Symposium being held this week in Colorado Springs.
Representatives from Lockheed Martin, Raytheon, Boeing, General Dynamics and Northrop Grumman spoke about their experiences with government and how effective cybersecurity systems are.
“Cybersecurity is an economic question. We just don’t do it for doing’s sake; you’ve got to look at a return on investment for doing it,” said Charles Croom, Jr., a retired United States Air Force lieutenant-general who is currently a vice-president in Lockheed Martin’s information systems and global services division.
As cybersecurity should be a managed risk, he said he was encouraged by the participation of insurance companies in the industry, as they treat it economically. We are traditionally used to these companies giving discounts for houses that have burglar alarms and similar systems, he said, and he called for similar systems to be available on the cybersecurity side.
With a bi-partisan cybersecurity bill before the United States House of Representatives – the Cyber Intelligence Sharing and Protection Act – it will be important for cybersecurity companies and the government to best hammer out how to work together.
The bill includes authority for the United States government to share classified cyber information with companies so that the two sides can best collaborate to combat threats.
The act is causing concern from consumers already wary after the controversial Stop Online Piracy Act (SOPA) and its sister bill Protect Online IP Act (PIPA) were put on hold under massive industry protest, since it has provisions such as allowing the government to access e-mails and other personal correspondence. On the other hand, it provides a potential framework for companies and the government to work on threats, right from the source.
Several issues are facing future agreements with industry – a squeeze on defense budgets, a balance between information sharing and information security, and how best to structure competitions to be available to both large integrators and smaller firms.
The typical threat to defense infrastructure is a small-scale operation, such as a single user on a laptop being determined to hack into the network, panel members said. The situation, they added, evolves daily and requires constant vigilance.
“Our threats and our enemies do not wait for a five-year acquisition cycle. They are changing their threats daily, and we need to be able to respond in that rapid environment,” said Christina Kuhn, Northrop Grumman Information Systems’ vice-president of security and information operations in its cyber intelligence division.
But agility also requires adaptability on the part of industry, the panelists said. Sometimes industry protests for nominal reasons causes an expensive investigation that doesn’t accomplish that much, resulting in resources deployed on investigations rather than countering threats, Lt.-Gen. Croom said.
Systems industry providers also need to be adapt at handling different levels of security for many users, with a resilient architecture that not only protects from threats but helps manage intruders if they do manage to hack in, said a Raytheon Intelligence and Information Systems representative.
“We need to have government and industry participants that understand how to think like an attacker so you can be a good defender,” said Steve Hawkins, the company’s vice-president of information security solutions.
Education was among the solutions these industry representatives posed to the attendees, both within schools and once cyberintelligence professionals reach their respective companies.
The best knowledge will come through collaboration, these panelists said. Of course, the challenge is to overcome the difficulty of sharing information securely, and to encourage companies to collaborate in situations where they do not want to give corporate information out lightly.
