See, through the eyes of three tested industry veterans, what the nature of today’s cybersecurity realities is and what government should be doing about them.

q1 How has the nature of cybersecurity threats changed in the past few years? How do you see them changing over the next 3-5 years?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

Clearly we’ve seen some of the more advanced intrusion tactics and techniques aimed at the military and defense industrial base targets spilling over into the broader industry. And we’re seeing these advanced techniques being used by less sophisticated attackers, be they mercenaries for hire, organized crime, or hacktivists.

We’re also beginning to see the development of more destructive capabilities. It’s one thing for an intruder to maintain persistent access to a network and steal information, but it’s a completely different threat to get into a network in order to change or destroy information and systems.

Our concern is that, somewhat like a nuclear arms race, one of those advanced cyber weapons is one day going to get into the wrong hands, intentionally or not, and do real damage.

Bill Ross
Director, Cyber Mission Assurance Systems, General Dynamics C4 Systems

Cybersecurity threats have become much more organized and industrialized. There’s been an entire ecosystem that’s been established around the industrialization of cyber threats. It’s almost become a service offering and, as the real and perceived value of cyber targets increases, we’re seeing a corresponding increase in the investment being made in new and innovative cyber threats.

Over the next 3-5 years cloud computing will establish itself but, while clouds have advantages, they’re also going to become huge targets. Once you centralize all your key assets and resources you paint a big, red bullseye on them.

We’re also seeing mobile devices become more prevalent as general purpose computing platforms, and the security for those has lagged. Threats will specifically target mobile devices in the future, so you are going to see a significant thrust to counter them.
And there’ll be more social engineering attacks. So you are going to see more emphasis on automated solutions for those, and how to tie them into overall threat mitigation activities.

Rick Doten
Chief Scientist, Cyber Security, Lockheed Martin Information Systems & Global Solutions

There is more of a focus by adversaries on targeted intrusions with specific goals. Years ago, the adversary wasn’t as focused about what they wanted, so they would compromise a system, poke around to find what was valuable, and get out. Today, they are very purposeful. Over the next few years, I think we’ll see that evolving even more, as they spend more time learning about targets before an intrusion instead of just looking for vulnerabilities to get in.

Another trend is these intrusions look like normal traffic, which makes them harder to identify. We as an industry have to get away from relying on identifying signatures of malicious traffic or files, and towards more of a behavior or intelligence-based indicators approach.

But the largest challenge is not so much the technology the adversaries are creating and using, as much as the operational organization and the execution they now bring to intrusions. What organizations have traditionally done, which has been focusing on technology answers with point solutions, is certainly not going to help them in the future.

q2 How would you rate the understanding of the nature of these threats by government organizations?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

Priorities across the government are varied. Some are focused on criminal cyber threats, others on threats from advanced nation states.

But, as far as understanding the importance of the issues, it’s trending in the right direction. Some of the federal regulatory changes that require a certain amount of spending on cybersecurity resources are helping. However, it’s one thing for people to understand they are being attacked daily, it’s another to realize those attacks are regularly successful.

Bill Ross
Director, Cyber Mission Assurance Systems, General Dynamics C4 Systems

It’s a mixed bag. The awareness is definitely increasing simply through osmosis, given some of the big news stories recently and the emphasis being placed on this topic within government. But it’s still embryonic in terms of the understanding of what the real threat entails. It’s still too focused on compliance, static metrics and traditional security controls and not as much on the dynamic defense and the active command and control of the enterprise based on detected threats and malicious behavior.

Rick Doten
Chief Scientist, Cyber Security, Lockheed Martin Information Systems & Global Solutions

Most people on the front lines doing security operations get it, but depending on the risk maturity of their organization, others up the chain may not. So, many of the technical leadership are content with checking the boxes to say security controls are present, but not validating their effectiveness based on their organizational risks.

I found that the higher up in an agency the leadership understands their role in managing risk, particularly the risk of IT to their organization or mission, the more effective they have been in finding a way to secure it.

q3 What are some of the biggest challenges the government faces over the next couple of years in tackling cybersecurity? Are these more technical in nature, or cultural?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

The biggest challenge is the lack of qualified information security professionals. Without the right people, more technology won’t do much good.

The second is the need for government direction and policy, and an understanding of who in government does what. Only when that is clear will government be coordinated enough to successfully respond to a Hurricane Katrina type of cyber event. We must invest in R&D to defend against the attacks we are seeing now, not to mention future threats that aren’t being addressed by some of the common off-the-shelf (COTS) security software. It used to be that COTS could handle 90 percent of the threats. Today it is more like 60 percent and the gap is widening.

That’s why we started the Northrop Grumman Cybersecurity Research Consortium, a unique partnership with three world-class universities – Carnegie Mellon, MIT, and Purdue – that are addressing the cybersecurity challenges of the future. We are also making major R&D investments in modeling and simulation, situational awareness, and cloud security.

Bill Ross
Director, Cyber Mission Assurance Systems, General Dynamics C4 Systems

I think they are both, though I think cultural is going to be the toughest nut to crack, balancing the need for access to information and for openness with the need to promote responsibility within the user community. You are only as good as your weakest link, so teaching people the culture of what it means to be stewards within the cyber domain is going to be a huge challenge.

Technically there are big mountains to climb as well, primarily in getting the community at large to rally around standards that promote interoperability and the real time sharing of threat activity. There’s an enormous amount of innovation going on out there, and a myriad of widgets and tools have been developed to solve point cybersecurity needs. Getting these to talk with each other, and providing some sort of open architecture and framework in which these tools can work together, is the biggest challenge.

The information assurance community is accelerating towards standards for cybersecurity. The question is, how quickly will these standards be adopted and operationalized across the broad community?

Rick Doten
Chief Scientist, Cyber Security, Lockheed Martin Information Systems & Global Solutions

Technology is always the easy part, which unfortunately is why it’s always the first solution that’s thrown at a problem. But the real challenge is the people and process side. Getting qualified people who are trained and understand their role, and then having a process for them to manage the risk and do their job effectively, takes commitment.

There is leadership who really get it, but may not be able to execute very well because of the technical or political environment they are in. Some government leaders understand the changing threat and what they need to do, but are challenged in being able to implement comprehensive solutions quickly.

With the right people and process, we can move away from a technology-driven approach to managing threats and towards a more risk based approach. The same is true with identification and remediation of intrusions. It’s not just about identifying that there is a compromise, but understanding the extent and what the adversary’s intent is.

q4 Congress has proposed a rewrite of FISMA to better reflect cybersecurity concerns. Is this really necessary? What do you see as the major issues that need to be tackled?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

Yes! One of the biggest issues with FISMA and the systems they certify is that they are secure on day-one, but when audited again, they become progressively less so. Over time, new applications are loaded, configurations change and vulnerabilities open up. A much more rigorous and cost-effective solution is needed.

Continuous monitoring is the right direction. It’s more cost effective than many other approaches and a better verification of an agency’s security. Offerings like the Justice Department’s Cyber Security Assessment and Management Program, developed by Northrop Grumman, provide agencies a holistic Certification & Accreditation approach.

Bill Ross
Director, Cyber Mission Assurance Systems, General Dynamics C4 Systems

The Federal Information Security Management Act (FISMA) as it was written nearly 10 years ago was a good step forward in promoting security standards and guidelines. It established some compliance and metrics so we could report on security. Now, given the dynamic environment of cybersecurity threats, we have to go to the next phase of how we monitor the effectiveness of cybersecurity measures. How do we dynamically defend ourselves, as opposed to statically defending based on ‘cyber hygiene’ like firewalls and virus protection software? Then how do we measure that to see how effective it is?

We have to get out of the check-the-box mode that the current FISMA has promoted. Now we need to get into that closed loop measurement process where we actually can see the change in security posture and dynamically assess the effectiveness of controls and changes. Start managing security on a day-to-day basis.

Rick Doten
Chief Scientist, Cyber Security, Lockheed Martin Information Systems & Global Solutions

Yes, looking at FISMA is very necessary because, in its current state, it hasn’t really been effective in reducing security compromises up to this point. It implemented and promoted a checkbox security mentality, taking a snapshot in time as to whether an agency has certain controls in place. It doesn’t help with determining if those controls are effective, or if they are the correct ones to protect the mission.

What’s needed instead is a more tailored, risk-based approach that will stress understanding the risk to the mission, to the organization, and to the users. It should provide the process of evaluating the security plan and controls to help reduce those risks, a continuous compliance model to get away from the snapshot approach and, finally, auditing to make sure they are effective and appropriate.

q5 How well is the government’s procurement process geared to the needs of cybersecurity? What, if anything, needs to change and why?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

Last year, the government issued FAR and DFAR regulations that added several cybersecurity provisions, which was a positive step. Our concern now is how this will flow through the supply chain. For large systems integrators like Northrop Grumman, we can afford to build security into the program and we recognize that secure systems are critical to the quality of our products. But the second, third and fourth tier companies don’t have the cybersecurity teams or budgets to allow for that. This is a real problem.

Another concern is making sure the procurement regulations are flexible enough not to lock in certain vendors, technologies or techniques. They need to drive a best-in-industry approach to delivering secure systems to customers in a cost effective manner.

Most acquisition executives and program professionals have historically not dealt with cybersecurity as a critical item in the selection process. Training, education and awareness are needed. That’s very important!

Bill Ross
Director, Cyber Mission Assurance Systems, General Dynamics C4 Systems

Many agencies are starting to realize that they cannot live with a process that takes six, 12 or even 18 months cradle-to-grave and react to threats that pop up every 30, 60 or 90 days.

There are some models government agencies could effectively incorporate. An upcoming program out of the Air Force called Agile Cyber Technology, for example, is primarily focused on how the Air Force can quickly prove new technologies and integrate them into proof of concepts so they can be rapidly deployed.

In terms of contracting, there needs to be the ability to quickly turn them around in that 30 to 90 day period. And we need cybersecurity to be an embedded part of the thinking on these contracts, in terms of how these contracts are managed from that dynamic cybersecurity perspective.

Rick Doten
Chief Scientist, Cyber Security, Lockheed Martin Information Systems & Global Solutions

This is a huge problem. Many programs don’t consider their organizational responsibility for cybersecurity, so they defer to minimum requirements when developing an RFP. There’s no consideration for the interconnectivity of systems, sharing of data, and the changing threats, and the procurement process hasn’t evolved to accommodate this.

I see agencies asking for the same security requirements they have for the past five years. So, it becomes a struggle for companies such as ours to suggest how to build security into a proposal due to cost.

There should be a cybersecurity component in every single RFP. Every organization should have its security team be a part of every acquisition to identify the risk profile in the service or product that is being acquired, and what it will take to manage those risks. We need security integrated into the procurement early. It’s much tougher and more expensive to bolt it on after implementation.

q6 One of the key weaknesses that has been identified is the lack of trained cybersecurity professionals in government. Do you agree? What, if anything, can be done to mitigate this?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

The lack of trained cybersecurity professionals is alarming. Building tomorrow’s workforce is a passion of mine. I recently joined the National Board of Information Security Examiners, a not-for-profit focused on solving this very dilemma.

Engaging industry and government with academia is critical. We need to encourage the next generation to pursue this field and, since the likelihood of a Sputnik-like event that will generate an influx to this profession is slim, we’ll need to find other ways.

In the near-term, U.S. Cyber Command and DHS are rotating in trained professionals, or people they can train up. This is a start, but more collaboration is needed and a comprehensive human capital plan should be developed to align with our nation’s future goals.

At Northrop Grumman, we’re committed to grooming the next generation of cyber professionals. Programs like CyberPatriot III, in which we serve as presenting sponsor, our Cybersecurity Research Consortium, our newly launched Cyber Academy, and our engagement with universities nationwide are all ways that we’re creating energy around the cybersecurity profession.

Bill Ross
Director, Cyber Mission Assurance Systems, General Dynamics C4 Systems

We need more professionals who can perform true cybersecurity analytics. People who can take various sources of information and sensor data and actually ascertain the nature of an attack and what the appropriate response should be.

More standardization of training – along the lines of what the information assurance community has done with Certified Information Systems Security Professionals – would bridge the gap between general purpose IT security professionals and these cyber analysts. And then a separate government career path should be created to show people how they can progress from being an IT security practitioner to a cyber analyst. That would go a long way.

Rick Doten
Chief Scientist, Cyber Security, Lockheed Martin Information Systems & Global Solutions

Yes, we do have a lack of trained professionals, but cybersecurity professionals are specialists within their own specialty. So, it’s not a talent management path that scales like traditional staff positions. It’s more like a pyramid, with very few high-end cybersecurity professionals who are experts in the appropriate skills for a particular need.

We need a lot of people coming in at the bottom who can work themselves up this pyramid. Today, the problem is that all of us – government, contractors, and other commercial industries – are competing for the same people.

Government needs to have a good career path for cybersecurity professionals, and it needs to find a way to pay them appropriately, perhaps with special incentives to bring them in.

q7 What are some of the unique abilities that your company brings to this space?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

At Northrop Grumman, we set ourselves apart by continually evolving a full spectrum view of cyberspace operations, bringing together the exploitative, defensive and offensive tactics and capabilities toward that one end goal of cybersecurity.

Our decades-long expertise cuts across every sector: intelligence, defense, civil, commercial and state and local. We have demonstrated our ability to integrate disparate networks of all levels of classification into effectively managed cyber systems, focused on the mission of the enterprise.

Our relationships with major universities and customers ensure that cooperative R&D is at the top of our agenda. We have a large number of programs in play that are focused on solving the various pieces of the cybersecurity problem. These include our robust federated cyber test ranges in the U.S. and the U.K., where we adapt technologies to address the evolving threats and use those environments to help educate our customers.

Underpinning these efforts is our workforce. We have more than 1800 Certified Information Systems Security Professionals. We provide rotational opportunities across programs as well to diversify employees and bring ‘best of breed’ solutions to our customer space. We are also extremely focused on continuous training and grooming the next generation because that endeavor is pivotal to our future success.

Bill Ross
Director, Cyber Mission Assurance Systems, General Dynamics C4 Systems

It’s our long history in the government space and the unique technologies and capabilities we bring, either through those we have developed inside the company or through the trusted partnerships we’ve formed to deliver holistic enterprise security management capabilities.

For many years, we’ve provided the tools and integrated systems to manage security infrastructure and assets for DoD and intelligence community customers. We’re uniquely positioned to extend these solutions with additional cyber defense capabilities, and now we’re taking these tools and solutions into new markets, both in the federal space and private industry.

The other unique thing we bring is the ability to harvest and leverage mature tools and capabilities in the command and control space. The biggest gap our customers have in the cyber domain is the ability to develop actionable intelligence from the enormous amount of cyber sensor data they have at their disposal. We have a number of unique tools and capabilities that have been applied to solve this problem within the battle management space that we can bring to bear on this problem.

Rick Doten
Chief Scientist, Cyber Security, Lockheed Martin Information Systems & Global Solutions

We understand the nature of our customers’ missions because we’ve been supporting their agencies for years. We provide a lot of R&D on new technologies, and test ways of integrating them securely. We are part of a cybersecurity alliance with over a dozen of the leading cybersecurity vendors, and we work with these companies to integrate unique solutions to solve our customers’ hard problems.

We provide a lot of technologies for aeronautical, space, IT, and other technology, and our customers demand trust in each of these platforms. We have a strong central cyber security team to assist all of our business units to bake-in security, so our customers don’t have to worry if our platforms are secure.

We also are leaders in our industry in combating advanced persistent threats. By leveraging an intelligence-driven approach to understanding cyber adversaries, we can help organizations mature their ability to defend against these growing sophisticated threats.

q8 Observers complain about the lack of cooperation among agencies. Do you agree with this? What, if anything, do you think they should be doing differently?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

In nearly 19 years on both the government and industry side, I believe we are in the best place we’ve ever been regarding coordination and cooperation.

With the stand up of U.S. Cyber Command and the leadership developing on the civilian side, be it in the DHS or the NSA, collaboration is beginning to create the right dialogue and to leverage capabilities more broadly.

Going forward, there are some things that can be done. For example, there are very grey legal waters about who can take what actions and when. Legal authorities need to be established and understood broadly to make faster progress. More importantly, there is no Maginot Line dividing the Internet. Success will require an international approach and I’m beginning to see dialogue between countries focused on a common understanding that our economies are heavily dependent upon maintaining a safe and secure cyber world.

Bill Ross
Director, Cyber Mission Assurance Systems, General Dynamics C4 Systems

I think the general consensus is that cybersecurity threats need to be addressed within a community and as a community, and agencies are starting to realize that they have to effectively share information about the threats and risks they see and what they’ve done about them. If they want to get the efficiencies and economies they need to improve their overall security posture, they can’t fight the fight all by themselves. There’s just too much front to cover.

They need to continue focusing and rallying around activities sponsored by the National Institute of Standards and Technology (NIST), to foster private and public partnerships, and to emphasize cybersecurity as part of collaboration and cooperation across those partnerships. I think that’s critical.

Also, they should consider setting up an organic, secure, central information repository that folks can share and collaborate through without fear of losing control of their data. That will be critical, also.

Rick Doten
Chief Scientist, Cyber Security, Lockheed Martin Information Systems & Global Solutions

Agencies cooperate when they need to. Within the defense-industrial base (DIB) we have tremendous cooperation with federal agencies and contractors, because no one organization can see the whole picture of an adversary’s cyber campaign. Information sharing is critical to our success. When we work together, we get a better understanding of our adversary to help us focus our protections, and prioritize our remediation to better manage risks.

That’s easier for the DIB, because we are all dealing with a common threat. Elsewhere in the government, there are different viewpoints and different risks. Civilian agencies perhaps see cybersecurity more as something to meet compliance or combat cyber crime, whereas the military views it as espionage or cyberwar.

How well organizations share security data depends on the maturity of their security program. If you don’t know what threats you have, or if you are even compromised, you don’t have anything to share and won’t know what to do with information you gain from sharing.

q9 What do you think will be the effect of the DOD’s new Cyber Command on overall cybersecurity?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

One of the historical challenges surrounding cybersecurity has been the fragmented technical systems and stove-piped organizations which governed cybersecurity, but lacked the structure needed to be effective.

U.S. Cyber Command is standing up to proactively unify DoD’s approach to cybersecurity and foster close ties with DHS, NSA and DISA. This will bring the collective talents and experience of those agencies into the solution set.

The overall effect will be better cybersecurity requirements from U.S. Cyber Command to the services, better prepared – and equipped – cyber forces, and an overall elevation of the DoD’s ability to fight and win in cyberspace.

Bill Ross
Director, Cyber Mission Assurance Systems, General Dynamics C4 Systems

It’s difficult to predict the result of any new initiative, but I think it has the potential to have a tremendous effect, both directly and indirectly. The acknowledgement of cyber as a domain that needs to be managed, monitored and secured is going to be the biggest impact of Cyber Command.

Some of the advanced tools that the Cyber Command is going to need could spawn new technologies, capabilities and solutions that might eventually ripple out to other agencies, as well as commercial enterprises. It could be a catalyst for new technologies and new capabilities, as well as the heightened awareness of the needs of the cyber domain.

There are going to be some tough issues that need to be sorted out in terms of ownership and charters. Those are being debated now. But I think that’s healthy, because it’s a discussion we need to have. And, once it’s over, we’ll be better for it.

Rick Doten
Chief Scientist, Cyber Security, Lockheed Martin Information Systems & Global Solutions

I wish I knew, though I think it will be interesting to track.

Cyber Command is specifically for the Defense Department but, even in the DOD, they have the Navy, Army and Air Force all doing their own thing with cyber. Potentially, it could bring consistency and a good fusion point for cybersecurity activity they can share, which is a struggle for any large global organization. Or, it could end up being too prescriptive and get a lot of push back from the services.

For now, we’re just watching.

q10 How should we view cyberwar in relation to cybersecurity? Are they the same thing?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

Absolutely not! We have not seen a real cyberwar capability yet. We’ve seen signs with Egypt, Estonia and others of denial of service in a very large way, but I don’t know I’d call that cyberwar. Consistent with the JCS Joint terminology for Cyberspace Operations, cyber warfare is military operations conducted to deny an opposing force the effective use of cyberspace weapons and systems in a conflict.

Now, it’s true that many countries are building a cyber capability and, in some cases, may already be laying the groundwork for it. I think it’s important that we focus on that. Whoever has the best understanding of these networks, how they interrelate and where the weaknesses are will be in the best position in the event of a war.

It’s true to say we are in a very tough cyber competition with other countries today. We are the wealthiest country with the greatest technology, so it stands to reason we are the biggest target for those who want to steal it to subsidize their own R&D. They can’t compete with us on land, sea and air, but cyberspace is the soft underbelly. But that’s not part of some evil plot. It seems pretty straightforward to me that others would be doing that to close the gap.

Bill Ross
Director, Cyber Mission Assurance Systems, General Dynamics C4 Systems

Cyberwar is an overblown term. It’s used more to evoke emotion. It is a threat, but I don’t believe it’s something we’re involved in today. We’re in cyber counter punch mode, I’d say, where cybersecurity is really what we’re focused on.

It has raised consciousness about cyber threats, and it has raised the level of the dialog. If you look at it just from the perspective of warfare, I’m not sure you are going to make the same investment that you would from a purely cybersecurity perspective.

Rick Doten
Chief Scientist, Cyber Security, Lockheed Martin Information Systems & Global Solutions

No. I really don’t like the term cyberwar. When we write articles or papers we don’t even like using the word “attack,” and we certainly don’t use cyberwar, because war is a very specific term related to an attack by a nation state. Adversaries could be non-state actors, hacktivists, or cybercriminals. And attribution is very important in cybersecurity in order to know how to respond appropriately.

Cybersecurity is about managing the risk to an organization’s business or mission, and then making sure its IT systems are trusted to do what they are expected to do to assure this success.

q11 What does the spread of new technologies such as cloud computing and social media mean for cybersecurity?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

People are getting excited about cloud computing and rightfully so; it can significantly reduce capital costs, and over time it can do a lot to improve efficiency and performance. Just last month, the White House released its cloud computing strategy so, clearly, the government is embracing this approach.

The big concern is the maturity of cloud computing. One of the challenges is making it secure enough for the federal government and for the defense industrial base or any highly regulated industry. I think you can, but, because it’s so immature, you don’t have many customers for it and there are very limited security options and configurations to adopt.

Last December, Northrop Grumman unveiled its new approach to building a secure architecture in a hybrid cloud to keep data safe. Over time we’ll see private clouds going up; in fact we’re starting to see that now. We’re going to see classified clouds for certain communities. It’s a challenge, but it’s one that, with maturity and time, will solve itself.

Social media has tremendous tools, but the challenge is how to defend communities that look to social media to freely share information and ideas. The bad actors are trying to take advantage of that. A lot of the targeting of private sector and government agency employees is occurring because of social networking.

On the flip side, it provides a tremendous advantage. Frankly, it’s the best way for my team to be accountable for each other and reach our potential as a group. It improves engagement within a team. Awareness, training and education are the keys to making sure your employees are safe and secure while using these environments and still gaining their benefit.

Bill Ross
Director, Cyber Mission
Assurance Systems,
General Dynamics C4 Systems

Along with the benefits of cloud computing come new threats. If you aggregate all of the keys to the kingdom, then those key resources become one, big inviting target. It will change the cost/benefit ratio for attackers significantly. We’ll need to be prepared to challenge that, because it will increase the investment that attackers are prepared to make and that will spawn more and more innovation on their part.

It does provide some advantages for the defenders. The fact that they don’t have as much key information out in devices on the edge of the network, because everything is consolidated in the cloud, means they can keep more effective control of that information. It limits the attack surface, to some degree, but again it also creates a much higher value target for our adversaries.

Social media simply provides the opportunity to combine cyber attacks with social engineering. It gives more tools for the hacker to create new, novel and more complex attacks. It provides that wealth of social engineering opportunities that can be exploited both by holistic cyber threats and by the pure cyber attack. When you combine the two, it can be pretty daunting.

Rick Doten
Chief Scientist,
Cyber Security,
Lockheed Martin Information
Systems & Global Solutions

It generally means there are new attack vectors that adversaries can use. Historically, every time there’s a new technology introduced into an environment we tend to focus on implementing the technology first and securing it later.

With cloud computing I’m happy to see that there’s been a lot of discussion and concern about security right from the start. However, each organization needs to understand the cloud’s risk to them. What is its purpose in the organization, who is using it, what kind of data is handled through it, and is it an availability risk or a confidentiality risk? What am I trying to protect and from what?

Social media is a little different, because this vector is against people. That’s security considered more from a social engineering standpoint. This capability allows people to publicly interact with folks around the globe, so rogue individuals or organizations have the opportunity to entice a victim to click on a link that could infect their machine, or to disclose information.

To combat this takes education. Users may not consider the dangers of cloud or social media, particularly as people come to expect these services will always be there. Younger people come into the workforce using social media as the primary way they communicate. So, organizations must make sure users are educated about the risks.

q12 Much has been made of the development of the Stuxnet worm. Is this a tipping point for cybersecurity, as some have described it? What impact, if any, will it have on the current debate over cybersecurity?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

Stuxnet is just one example of some of the gaping holes that are out there that can be exploited fairly easily, in this case through someone using a thumb drive, although later versions of the Stuxnet malware had several ways of spreading and didn’t rely entirely on USB sticks.

The software is of varying quality, with the best parts showing good knowledge of the Siemens products and using multiple zero-day vulnerabilities. However, if the people using Stuxnet had been really good, we would not be talking about it. They would have done a better job on concealment.

But I do think Stuxnet was a wake-up call that nation states can target, and probably are targeting, certain systems or businesses to exploit. Stuxnet shows a far more sophisticated approach to malware than others that I have seen. It will likely serve as a model for some future malware developments.

Bill Ross
Director, Cyber Mission
Assurance Systems,
General Dynamics C4 Systems

I don’t know if I’d characterize it as a tipping point. I would, however, call it a major and significant milestone in the history of cybersecurity, in that it raised the awareness of a broader cross section of the population to what is truly possible. It also showed the significance of the threat. So I’d say it was definitely an inflection point.

That said, I don’t think professionals in the space have been surprised that Stuxnet came off. I think everyone realized it was a possibility and that it was actually highly likely.

But I think you will see the sophistication of cyber threats continue to grow because of Stuxnet, which is considered one of the high water marks for sophistication. I think you’re going to see things like Stuxnet more and more because attackers, with Stuxnet as their example, will become more capable of developing something similar. Maybe not the attacks of the magnitude of Stuxnet, but similar.

Rick Doten
Chief Scientist,
Cyber Security,
Lockheed Martin Information
Systems & Global Solutions

It’s certainly been a wakeup call, particularly for energy utilities, but I think it’s too harsh to call it a tipping point.

What I think is really important about Stuxnet is that it showed a new level of sophistication. There were some parts of it that were technically advanced, others not so much. But it showed the patience and the target insight of modern adversaries.

For instance, it wasn’t just a compromise of technology, but one of the victim’s incident response processes. The adversaries compromised the victims, then just sat there to watch how those organizations worked. How did they respond to incidents? Who do they go to? Where do they get their information, what people have certain roles, and so on? Further, the adversary programmed the exploits to limit their spread so they didn’t expand too far, and ensure they were very, very confident about being in the right place before going to the next step.

It showed the thought and rigor that was put into a modern advanced compromise. Forgetting the technical side, which in some areas was impressive, just the operational discipline that was put into this intrusion was what I think was the wakeup call.

q13 What are some of the most promising emerging technologies that will impact cybersecurity in the future?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

Identity management is often overlooked. A large number of the attacks that are made continue to take advantage of the weakness of authentication and authorization. Our biggest investment in the past few years has been in smart card technology, which we’ve deployed for the whole company. We’re moving towards an environment that will eliminate the need for passwords within the next two years.

This approach increases the effort required by attackers to be successful.

Enhanced situational awareness capabilities are critical to improving the effectiveness of our defensive posture. You can’t manage or protect what you don’t see. Finding advanced ways to visualize massive data sets is critical to speed and execution. Our operations analysts cannot continue to review events in a line-by-line fashion.

Another technology we’re pushing for is data rights management technology. Our belief is if you can’t fully control the network, then at least put protections at the host or data level, far enough down that, if secrets are stolen, they’re useless to the criminal or spy because those rights are actually applied to the information. That’s a critical piece of our cyber defense plan.

Bill Ross
Director, Cyber Mission
Assurance Systems,
General Dynamics C4 Systems

I attended the RSA conference in San Francisco in early 2011, and it was amazing to see the innovation and breadth of capabilities that are coming out of the private sector, specifically focused on cybersecurity. It’s overwhelming.

There’s a huge number of technologies that are baking now, and being fielded. In terms of leap ahead technologies, some of the work being done in network obfuscation, which allows customers to dynamically change how the network looks and behaves to external viewers over time, I think will be a major technology that’s going to move the needle in cybersecurity.

Also such things as the Security Content Automation Protocol (SCAP), the ability to automatically ingest compliance, threat and vulnerability information in an automated fashion and to remediate against those threats based on that information. As SCAP becomes more and more integrated into commercial solutions, that too will be a major needle mover.

I also think some of the standards coming out of the Trusted Computing Group are going to have a very positive and significant impact on cybersecurity. Specifically, the value of low cost and ubiquitous hardware root of trust capabilities, coupled with the ability to measure and report the health of an endpoint in a trusted and open manner, can make an immediate and meaningful impact to reduce cyber threats.

Rick Doten
Chief Scientist,
Cyber Security,
Lockheed Martin Information
Systems & Global Solutions

As far as the intelligence-based approach to cybersecurity, being able to capture more specific data. Targeted deep packet inspection technologies can capture relevant traffic and make it available for mining later. Because, if there’s some kind of event, you won’t know what data is important until you’re able to go back and correlate it to a known problem. So, being able to capture specific yet different types of data, you can quickly find what relates to what, and that is valuable.

From a network standpoint, more behavior based filtering. Instead of blocking the address to a rogue box on the Internet which is communicating with a box inside the network, I want to block “what” it is doing. For instance, blocking an address will just cause the adversary to change it, and then they are back in. But, if we block any traffic that, say, is attempting to issue control commands over an HTTP (web) channel, then it doesn’t matter where it originates. We then block a class of malicious connections, not just a single connection. This will help to be more proactive for future attempts.

From a user standpoint, I like something that will help us to be more granular with access controls to systems and data, and capture what users are doing at specific times to replay that later. Because, like I said, I don’t know what’s important data now, so I want to be able to go back and reconstruct events later if there’s a compromise or some event of possible internal misuse.

We can implement general solutions for known classes of problems, that would take care of a lot of the “noise” to allow us to focus on more advanced threats that look like normal traffic, which none of the current cybersecurity technology is going to pick up.

q14 What does the private sector have to teach the government about cybersecurity?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

Teach is the wrong word. Mutually learn through collaboration and working together would be a better way to describe it.

We’ve made progress in having government understand that we care about cybersecurity as much as they do and we’ve made them aware that many companies are spending a tremendous amount of effort and money to address this risk. We share information across the private sector and with the government, and we are working cooperatively to develop future technologies. This is why our Cybersecurity Research Consortium is of such importance. By leveraging the innovative freedoms of academia partnered with industry, we can stay in front of the threats and develop game-changing technologies.

I think all the right things are happening. We need to see the sharing of awareness between the federal government, intelligence agencies and private industry increase, which will help everyone get on the same page.

All of our networks are intermingled, and we’re dependent on each other to solve this problem. That’s the only way we’ll make any real strides.

Bill Ross
Director, Cyber Mission
Assurance Systems,
General Dynamics C4 Systems

I think there are lessons to be learned about what the proper cost/benefit tradeoff is for cybersecurity. If what drives cybersecurity in the private sector from a cost/benefit perspective is understood, the government can then influence the equation so that more companies will adopt, integrate and improve cybersecurity measures.

Also, the value proposition – the economic model associated with cybersecurity – needs to be understood so that the playing field can be tilted such that companies and the private sector in general will be able to more readily adopt cybersecurity. That will, in turn, positively influence the overall state of cybersecurity in the nation.

Cybersecurity investment can’t be mandated entirely through policy without the understanding of the economic impact. But it should be an interactive give and take. Government can help educate the private sector about the threats and risks, and industry has then to educate government about the economic perspectives to try and move the bar to where industry can get more and better cybersecurity for less cost.

Rick Doten
Chief Scientist,
Cyber Security,
Lockheed Martin Information
Systems & Global Solutions

I would think that there’s a lot we can share, and I’m happy to see there’s a more public/private partnership that’s starting to evolve. The pattern for what kind of partnership can evolve is evident in the commercial sector. I’ve seen the banking industry implement access controls the oil industry has used for years, or that the healthcare industry has taken advantage of availability controls from the automotive industry.

With the government, whether it’s in authentication or network resiliency or trusted systems, there are many things we can share. On the other side, the government also has really mature data classification guidelines, the idea of secret, top secret etc. Those are concepts many commercial companies haven’t been able to grasp.

The real challenge is the scale. The government is a huge entity, so you need something that would enable those commercial concepts to be developed to that scale. At Lockheed Martin, we have over 132,000 employees around the world, which is around the same size as many of our government customers. By defending our networks and testing our security practices and technology here, we can provide confidence in their scale for our customers.

q15 Where would you like to see your company five years from now in the federal cybersecurity market?

Tim McKnight
Vice President and Chief Information Security Officer, Northrop Grumman Corp.

We want to remain a recognized thought leader and trusted provider of cybersecurity services and products to the U.S. Government. We also want to be the preferred workplace for cybersecurity professionals, and continue as the leader in developing future technologies in cooperation with academia and our customers. And, we will stay focused on providing agile and innovative solutions to address the most complex cybersecurity challenges.

Bill Ross
Director, Cyber Mission
Assurance Systems,
General Dynamics C4 Systems

I see us providing what I call standards-based enterprise security management infrastructure. Not only to meet DoD and intelligence community requirements, but also applying that same technology in a different package to critical infrastructure in other federal and state agencies, such that there’s interoperability and the ability to share information across the entire community.

I see us providing the tools not only to manage things locally, but also to manage the infrastructure and the ecosystem to effectively share information within the entire government cybersecurity space.

Rick Doten
Chief Scientist,
Cyber Security,
Lockheed Martin Information
Systems & Global Solutions

We are one of the leaders in cybersecurity, and we expect to expand that over the next five years. We’ll continue to build credibility to where cybersecurity is simply a trusted state of any platform we deliver.

We build trust into all platforms we provide our customers. We integrate security within the system life cycle of all our development, from the hardware, network, and applications.

We don’t know what the threats are going to be five years from now. But by looking at the landscape, we have a lot of good insight into how things are evolving, so we’re going to be prepared for them.