Too often enemy cyber attackers are thought of as being more capable and better prepared than they probably are and while there is always the chance of a catastrophic cyber event there needs to be a better understanding of cyber risks and vulnerabilities to strengthen cyber security and obtain a greater return on security investments, according to a Navy information official.
“I would not stand here today and tell you we’re never going to have a Cyber 9/11,” Capt. John Zimmerman, deputy chief information officer for the Naval Sea Systems Command, said at sister publication Defense Daily’s annual Open Architecture conference on Nov. 4. “But what I worry about today is the sort of thinking that captures the cyber mania, ‘Be afraid, be very, very afraid.’ I really think that we’re not going to make progress until we can really understand the various probabilities of various risks.”
However, assessing and understanding levels of risk “is extremely hard,” Zimmerman said. He said he has seen many “experiments” that demonstrate vulnerabilities in military systems but it’s usually the case of “I give you free access to my system and you have the drawings, yes you can do a lot of things.”
Zimmerman said that once an adversary is introduced into the risk equation, it changes how risk might be understood. For example, he said, there is a “high risk” that an adversary would steal information. On the other hand, he said it’s a different level of risk when think about whether an adversary would steal information in peacetime and “take over a combat system and cause damage,” because that is an unlikely scenario given this would be an “act of war.”
“Bottom line, risk management is hard and I think we need to do real work in this area,” Zimmerman said.
Zimmerman is a former submarine commander who said he thinks “more about combat systems [and] less about land-based networks” when it comes to cyber culture within the Defense Department.
Zimmerman also said that the Defense Department needs to talk more about “cyber value” given the amount of time, resources and costs put into the paperwork, accreditation and certifications related to information assurance and cyber security that often times results in little to nothing gained. He cited an example where one of NAVSEA’s warfare centers examined the cyber accreditation and certification process for 43 systems and said it took 18 months at a cost of $3.5 million and in the end every system was accredited and only one “minor technical issue” that had to be fixed.
“A lot of Navy work,” he said. “I don’t think much value.”
There are also too many broad policy recommendations that “come down from upon high” that are ultimately waived after spending time and resources, Zimmerman said, adding “we’re living in waiver hell.”
Zimmerman said “They don’t have expertise in my combat systems. And so you put out the policy, it says, ‘By God you’ve got to do this with all your systems.’ And we say, ‘it really doesn’t make sense.’ There’s discussions and paperwork back and forth and back and forth and six months later we get the waiver to let us continue doing our job. We’re wasting a lot of time there.”
Another area that needs wringing out is best practices, Zimmerman said. He said he is a believer in best practices but that often times there is no evidence that something “being recommended has actually been practiced” and there is always the question of “Do we know it actually does provide some return on investment.”
A lot of times a certain best practice that is being promulgated is something that works for a land-based system but has nothing to do with a combat system, Zimmerman said. For example, the crew on a submarine is fairly well known and it might not make sense to authenticate everyone on the vessel’s network.
“So we can work on that but I would think how much money is it going to cost, how much time is it going to take, and is it that great of value in the various different circumstances?” Zimmerman said.
Open architecture approaches will be important in solving cyber security challenges, particularly in terms of bringing value and speed to obtaining solutions, Zimmerman said.
“We can’t have individual programs solving individual cyber problems all on their own and re-learning these lessons over and over,” he said. “We need community learning to make the best of this. We’ve got to be faster.”
Zimmerman said good architectures can help “constrain” system behavior so that even if cyber hackers can get inside a system they can’t take control of it. For example, he said, diesel generators on Navy submarines have mechanical flywheels that at certain revolutions per minute the fuel cox is tripped and it won’t spin anymore.
“That’s the sort of thing that I think that we could do with well designed architectures,” Zimmerman said.