3Qs: Fortifying the country’s mainframe

Assistant professor and cybersecurity expert Wil Robertson explains the growing threat of hackers targeting American military and infrastructure.

Last week, The Washington Post reported the Pentagon has proposed that military cyberspecialists be permitted to take action outside of its networks to defend critical U.S. computer systems that control such resources as power stations and water-treatment plants. The report indicated the proposal was under review as part of a revision of the military’s standing rules of engagement. We asked Wil Robertson, an assistant professor with dual appointments in the College of Computer and Information Science and the College of Engineering, to explain the new and evolving challenges in cyberdefense and what this proposal, if adopted, could mean for national cybersecurity.

What would the adoption of this Pentagon proposal mean for national security, and is there any precedent for this?

The Department of Defense created the U.S. Cyber Command (CYBERCOM) in 2009 to organize the defense of the nation’s military computer networks, and additionally to conduct so-called “full-spectrum military cyberspace operations” — in other words, to attack adversaries on the Internet and elsewhere in order to achieve specific military goals. So, CYBERCOM has had from its beginning a mandate to develop offensive capabilities. But these capabilities have heretofore been restricted to limited instances where their use has been authorized in support of specific mission objectives.

What is novel about this latest development is the Pentagon’s push to modify the standing rules of engagement — which serve as guidelines for how CYBERCOM can independently react to scenarios such as attacks by foreign powers or independent actors on military assets — to allow for an offensive response to neutralize a perceived threat. While it is accepted that the major powers already unofficially engage in cyberoperations against each other to one degree or another, this proposal would set a significant new precedent in making offensive counter-operations a part of official standing U.S. policy.

How much of a threat do cyberattacks pose against the United States? What areas are targeted the most and which are the most vulnerable to attack?

Cyberattacks against military assets have been an unfortunate reality for some time. The DoD doesn’t publicly disclose statistics on the number or severity of breaches, but it is known that foreign actors have conducted long-running, targeted campaigns to penetrate both U.S. military networks and networks belonging to U.S. military contractors in order to gain access to classified information.

But there has also been rising concern in the past few years surrounding the vulnerability of industrial control systems for national critical infrastructure, including targets such as the power-generation and -distribution grid, water supply, transit systems and more. An increasing body of academic research has demonstrated the potential for catastrophic attacks against systems that were never meant to be exposed to the Internet and, as such, do not include basic, necessary safeguards that protect other networked systems from attack.

And actual attacks — such as the penetration of a Springfield, Ill., water plant last fall that led to a critical equipment failure — hint at the devastation that could ensue from a well-executed, large-scale operation against our nation’s infrastructure. At the CCIS Systems Security Lab at Northeastern, part of our focus involves researching practical methods for securing our critical systems.

How have the duties of CYBERCOM expanded in the past, and in what way could this division of the military continue to grow?

CYBERCOM is a relatively new organization, and its role in the national defense is still evolving. While it is currently tasked with operating solely in the military domain, there is concern that it could eventually eclipse organizations such as the Department of Homeland Security and FBI, which are currently responsible for the civilian sphere.

It is very likely that the organization’s size and mandate will expand. The development and recruitment of a new generation of cybersecurity experts is a top priority at both DoD and DHS. And comments by senior Pentagon officials indicate that the proposed amendments to CYBERCOM’s rules of engagement are but part of a larger, long-term initiative to increase CYBERCOM’s ability to better respond to evolving, future threats.