Paris '07 Workshop
Cyber-Security: Challenges for Industry
Mr. Tim Bloechl
Mr. Tim Bloechl (center), Microsoft Executive Director, World-wide Public Safety and National Security, with U.S. Assistant Secretary of Defense John Grimes (left) and NATO's Lieutenant General Ulrich Wolf (right).
I would like to follow up on the insights raised by Defence Minister Aaviksoo. When the cyber attacks occurred against Estonia, the NATO cyber-defense workshop was taking place at our headquarters in Redmond, Washington. Very quickly, the NATO nations and the NATO membership were talking about the incident and sharing ideas on how to counter it, and from there a plan of response developed. It is a testament to NATO that the member states had the vision to create this kind of capability several years ago and to develop it to the point where they have a very active cyber-defense center in Mons today. It is a very effective center and is continuing to improve.
When I look at such operational examples from the standpoint of a former war planner and intelligence officer, I think in terms of things like offense, defense, deception, psyops, and intelligence gathering. I think there are enemies out there right now conducting reconnaissance and surveillance of our military networks, and this tells me we are technically in a state of cyber-war today. It is a peacetime cyber-war, but it could very quickly turn into an active war once more traditional hostilities occur.
I think industry has a very important role to play in this state of cyber war. Industry is the provider of capabilities, many new technologies, and innovation that we can take advantage of. At the same time, because we have these capabilities, we accrue new types of risk. Industry must take a role in helping to mitigate this risk and must work very closely with military, government, intelligence, and other types of organizations and the critical infrastructures they protect in order to help counter some of the security threats described at this workshop.
I believe industry's role can be summed up in terms of five key components, which I call the five "Ps": policies, partnerships, programs, processes, and people. Let me explain each one of them.
One of the things we have identified in our discussions is that we do not have adequate laws, regulations, and policies in place to deal with cyber-attacks. Clearly, this needs to be improved both nationally and internationally so cyber criminals cannot take free advantage of the vulnerabilities of the Internet, steal our money, take our identity, and in general do bad things to us. Some activities are underway to improve the situation but we are not there yet and work remains to be done.
We generally adhere to some policies or international standards that are in place today. They attempt to identify software vulnerabilities and get them fixed in order to ensure that the software on our military networks is adequately secure. One such standard is Common Criteria. If you are not familiar with it, it is a standard adhered to by many countries and used to ensure that software placed on our military and government networks satisfies some degree of evaluation. In our view the Common Criteria methodology is out of date: it is too cumbersome and expensive a process; it does not keep pace with technological change; and it does not significantly reduce today's vulnerabilities. A replacement for Common Criteria is something I think we need to take on as an issue internationally. We need to find a better standard so we can properly assess the technology we place on our networks and do it more effectively, efficiently, and quickly.
If you think about it, in the government and the military, when you buy something you typically hold on to it for a long time. But the IT world does not move slowly. For example, think about the IT devices you have in your hands today and then think back five years ago to what you had then. The amount of change is amazing. Clearly we have to take a look at government procurement cycles and work together as a team to figure out ways to speed up the system to allow for more flexibility in the world of rapid IT change. If flexibility and adaptability are built into the procurement system, you will be able to take advantage of new IT capabilities and not be stuck with legacy systems and their inherent vulnerabilities down the road.
There is a huge amount of pirated software in use today around the world. In fact, I would venture to say that some of you at this workshop have pirated software on your home or office systems and may not even know it. Pirated software is dangerous because additional code, including back doors and other malicious capabilities, is often added to it, leaving you more vulnerable. Such vulnerabilities are inherently dangerous for military operations. To defeat this problem, we need policies and trade laws to deter the use of pirated software, and we also need to build capabilities into the software development life cycle that help us identify pirated copies so we can reduce the use of such software.
Industry needs to develop four levels of partnership: with military/government; with law enforcement; with critical infrastructure owners; and with other industry partners and competitors. Such partnerships should help improve the products we develop, ensure they are designed to better meet military and government needs and standards, and reduce some of the challenges mentioned earlier.
First, as I just mentioned, is the partnership with military and government organizations. We have one with NATO right now, as well as with many other customers, which allows us to jointly look at product road maps to see how we can work together to identify where technology is headed in the future and to plan together how we can insert new technology once it is available for use. Also, we are sharing information about computer vulnerabilities, techniques, processes, and procedures, as well as how to work together when a cyber crisis occurs. Finally, we are discussing how to respond to such crisis situations and how we can effectively work as a team to mitigate the threats we jointly face.
Another level of partnership should be with law enforcement. Clearly, there is an awful lot of illegal or potentially dangerous activity out there: for example, a lot of cyber-crime, exploitation of children on the Internet, and other disgusting activities. Therefore, it is critical for industry to work with law enforcement to help reduce the evil side of the Internet. Of course, this cooperation leads back to a point I made earlier: we need to put laws in place to make such acts illegal, or industry and law enforcement will face a much harder battle.
The next level of partnership is with critical infrastructure owners. Industry needs to work to improve cyber security with all the different layers of critical infrastructure, including areas such as power generation, telecommunications, banking and finance, and transportation. In their own right, each of these infrastructures is very important to the way we work every day, and when you look at them from a military operational perspective they are extremely critical because most militaries cannot operate without them. So it is important to establish this type of relationship with critical infrastructure owners early, to keep the relationship current, and to keep it strong.
Industry to Industry
To some degree, there are representatives of companies at this workshop who are competitors to Microsoft. Where cyber-defense is concerned, industry has to come together regardless of competition and work to help defeat the threats that we jointly face and that affect us all. We welcome such industry cooperation and discussion.
I would like to mention a couple of programs through which industry and government organizations should consider sharing information or intelligence on the cyber threat. One is a government security program in which vendors open up their source code to government and military organizations to prove to them there are no hidden backdoors within the software; to show that the software being put on their systems is effective; to validate that the software has gone through very careful screening; and to give government the option of providing feedback to help improve the software before it is delivered. Another program might be a security cooperation program, with established mechanisms between industry, military organizations, and governments for sharing information on software vulnerabilities. One could also share open source threat information under such a program. I would recommend we consider such programs to improve our cyber security readiness and operations across NATO.
My good friend Bob Lentz used to say, "We need to bake in security, not brush it on after the fact." I think it is very important that we bake security capabilities into the software development life cycle, and we are very focused now on doing just that in industry. In fact, we use a program called the Security Development Lifecycle, which we are continuing to refine and improve. It includes Red Team attacks against the software to identify vulnerabilities and fix them, penetration tests, and many other checks the software must pass before it ships and becomes a product on the market.
Regarding migration from legacy systems to new IT, we know that some of these older military systems have major problems, but you are stuck operating with them, as change does not happen overnight. Industry needs to work with you to conduct some degree of technical refresh of these systems, to make sure they are interoperable with new IT, and to integrate adequate security to keep up with present threats. "Defense in Depth" is the term applied to the type of security referred to here: a system to ensure that security practices and procedures work from the hand-held device to the desktop or laptop all the way back to the network and the back-end systems. Effective Defense in Depth requires that various types of security capabilities be built into operational networks and into all the hardware and software maintained on them. This is clearly a process for government, software vendors, hardware producers, and others involved to work on together to build a safer and more secure net.
Research and Development
R&D to improve products and processes, and to come up with new ways to do things, is extremely important in our mutual business. Technology has a huge impact on society today. Change is rapid. Everyone wants the newest gadget or device, and our soldiers, sailors, airmen and marines expect to have these great IT capabilities. They also expect us to deliver even better capabilities so they can stay one step ahead of their adversaries. We have some challenges to overcome. For example, we must look at requirements like cross-domain sharing, or the ability to improve sharing of information across top-secret or secret level networks in cases where everyone may have the same clearance level but not equal need-to-know. We have overcome some of the challenges to build and deploy an effective cross-domain environment, but more work needs to be done. Also, there is no solution today for multi-level security: the ability to move information back and forth seamlessly between unclassified, secret, and top-secret levels. When we find that answer, I think we will save an awful lot of money and also have a much more secure system to support military operations.
My last P is People! Leadership is key here: effective cyber defense is not just the world of the CIO and J6, but also the world of commanders and CEOs, J3s, J2s, and Security Officers. Leaders must understand that today's cyber-operations are an inherent part of military operations and have an increasingly important impact on success or failure. Education and awareness are critical. We have to build cyber warfare related information into our training programs, and industry should work with the military to conduct exercises that help our people plan for cyber attack, mitigate the risk, and respond to a problem when one occurs.
The last point I want to talk about here is the use of services personnel: highly trained software experts embedded within our military organizations. When I served with Joint Task Force-Computer Network Defense in the U.S. military, the organization was one-third military, one-third government/civilian, and one-third contractor. During those years I learned it is very important to embed IT service capabilities right in your units. You need to have, as part of the organizational structure, people who have a deep understanding of the technical capabilities of software, the way we use it to communicate, and the security methods we need to impose to protect our IT infrastructures. The result is a much more effective operational network, and these experts often help us find new and exciting ways to improve operational techniques and procedures.
I believe that if we focus on these five Ps in our cyber defense activities, our activities will be pretty effective, and this operational effectiveness should lead to a sixth P: Power. Information is extremely important to our command and control processes. If we can gather and share the right information using the IT systems and capabilities available today, and if we can make those systems secure, we have the opportunity to turn this information into knowledge, and knowledge is power. This is what commanders at all levels need. They need to have the best possible situational awareness to improve their ability to command and control. The only way they will be able to do this on the modern battlefield is to have an IT system they can trust and that they are 100% sure will work all the time. Effective cyber defense to lessen the effects of today's cyber war is an essential element for ensuring that our commanders achieve the Power offered by today's information technology.