3Qs: Fortifying the country’s mainframe

by Matt Collette
August 15, 2012

Photo by Christopher Huang

Last week, The Washington Post reported the Pentagon has proposed that military cyberspecialists be permitted to take action outside of its networks to defend critical U.S. computer systems that control such resources as power stations and water-treatment plants. The report indicated the proposal was under review as part of a revision of the military’s standing rules of engagement. We asked Wil Robertson, an assistant professor with dual appointments in the College of Computer and Information Science and the College of Engineering, to explain the new and evolving challenges in cyberdefense and what this proposal, if adopted, could mean for national cybersecurity.

What would the adoption of this Pentagon proposal mean for national security, and is there any precedent for this?

The Department of Defense created the U.S. Cyber Command (CYBERCOM) in 2009 to organize the defense of the nation’s military computer networks, and additionally to conduct so-called “full-spectrum military cyberspace operations” — in other words, to attack adversaries on the Internet and elsewhere in order to achieve specific military goals. So, CYBERCOM has had from its beginning a mandate to develop offensive capabilities. But these capabilities have heretofore been restricted to limited instances where their use has been authorized in support of specific mission objectives. What is novel about this latest development is the Pentagon’s push to modify the standing rules of engagement — which serve as guidelines for how CYBERCOM can independently react to scenarios such as attacks by foreign powers or independent actors on military assets — to allow for an offensive response to neutralize a perceived threat.
While it is accepted that the major powers already unofficially engage in cyberoperations against each other to one degree or another, this proposal would set a significant new precedent in making offensive counter-operations a part of official standing U.S. policy.

How much of a threat do cyberattacks pose against the United States? What areas are targeted the most and which are the most vulnerable to attack?

Cyberattacks against military assets have been an unfortunate reality for some time. The DoD doesn’t publicly disclose statistics on the number or severity of breaches, but it is known that foreign actors have conducted long-running, targeted campaigns to penetrate both U.S. military networks and networks belonging to U.S. military contractors in order to gain access to classified information.

But there has also been rising concern in the past few years surrounding the vulnerability of industrial control systems for national critical infrastructure, including targets such as the power-generation and -distribution grid, water supply, transit systems and more. An increasing body of academic research has demonstrated the potential for catastrophic attacks against systems that were never meant to be exposed to the Internet and, as such, do not include basic, necessary safeguards that protect other networked systems from attack. And actual attacks — such as the penetration of a Springfield, Ill., water plant last fall that led to a critical equipment failure — hint at the devastation that could ensue from a well-executed, large-scale operation against our nation’s infrastructure. At the CCIS Systems Security Lab at Northeastern, part of our focus involves researching practical methods for securing our critical systems.

How have the duties of CYBERCOM expanded in the past, and in what way could this division of the military continue to grow?

CYBERCOM is a relatively new organization, and its role in the national defense is still evolving.
While it is currently tasked with operating solely in the military domain, there is concern that it could eventually eclipse organizations such as the Department of Homeland Security and FBI, which are currently responsible for the civilian sphere. It is very likely that the organization’s size and mandate will expand. The development and recruitment of a new generation of cybersecurity experts is a top priority at both DoD and DHS. And comments by senior Pentagon officials indicate that the proposed amendments to CYBERCOM’s rules of engagement are but part of a larger, long-term initiative to increase CYBERCOM’s ability to better respond to evolving, future threats.