The New New Internet recently sat down with Director of the Army Cyberspace Task Force Maj. Gen. Steven Smith. He spoke about the implications of social media to cybersecurity, the problem of attribution in cyberspace, identity management and how the culture of professionalism within the Armed Services is suited to tackle the problem of cybersecurity.
The New New Internet: As director of the Army Cyberspace Task Force, what exactly do your duties entail?
Smith: The Army Cyberspace Task Force was put together last April to integrate efforts across the Army staff, to provide policy oversight and guidance for Army cyberspace and cyberspace operations. This organization, very small and temporary in nature, is designed to take resources from the appropriate staff sections on the Army staff that have influence or responsibilities in cyberspace operations for the Army, then bring that under a combined effort to bring focus and attention to this important topic.
The New New Internet: What was the impetus behind standing up and creating this task force?
Smith: As the Army progresses in its expeditionary force, we realize how important the network is to all Army operations. The task force provides a focus on the Army staff, particularly for policy and procedures, so we can advise the senior decision-makers in the appropriate fashion.
The New New Internet: How is the Army looking at the issue of identity management?
Smith: I think identity management is one of the more critical aspects of the operation. To start, take a look at how the solider operates. Today when you move through operations from your home station to a training site to a power projection platform, into the field of operations, this requires multiple email addresses, multiple phone numbers, and multiple means of data storage. So the CIO of the Army, Lt. Gen. Sorenson, along with support from the PEO EIS (Program Executive Office for Enterprise Information Systems) and our 9th Signal Command , have developed and are implementing a concept we call GNEC, Global Network Enterprise Construct. As a soldier (we call this the solider story) moves through that same scenario, the solider would have one email address, one phone number, and one means of storage, regardless of where they are in the world of operations. So critical to that is knowing exactly who is on the network and what that person's authorities are. The Army has implemented Common Access Cards or CAC. The CAC contains personal data as well as biometrics data on the chip that provides us the identity of the holder of the card. So, in a sense that gives us our two-factor authentication in the Army . But along with that, the Army also participates in working groups across the Department of Defense and the federal government to help set and meet standards for sharing and compatibility. In addition, the Army works very closely with the biometrics task force on alternate or complimentary identity techniques, as this technology progresses even to thinking about facial recognition, finger tip, and iris scans. At the end of the day, the Army wants to know who is on their network and what they are authorized to do and what they are doing while they are there.
The New New Internet: A significant number of cyber attacks are due to human error, particularly with methods like spear fishing. How is the Army going to deal with this problem?
Smith: As with any aspect of the Army, it's always: training and accountability. You must provide the soldiers, the departments, and civilians and contractors the appropriate training and supervision, and then hold them accountable for their work. But if I were going to try to put that into categories, because this is a very complex question, I would do it as technology, processes and people. For technology to prevent successful cyber attacks, particularly malicious software that is attached to spear fishing, we continue to develop and implement the technology that will stop as many malicious attempts at the perimeter, so that it takes the human error out of the equation. We are constantly looking at what our sister services are doing and we collaborate liberally on a daily basis to find out what's the best technology to prevent the current and future threats. For the process in terms of how we train, we ask what is the best way to reach the young soldier, middle management, and senior management within the Army , in terms of how to better recognize the threat, and how to take the appropriate action. The bottom line up front is: it is always about the people. When you are talking about a network that may have over a million users world wide, the critical piece is how they are trained, the tools that we provide to them and how we hold them accountable so that they don't make the wrong choices.
The New New Internet: How is the Army approaching social media? It is a platform that has provided people with opportunities not only to connect, but also cyber attackers to exploit.
Smith: As with any new technology, we approach it cautiously. But social networking sites provide a tremendous opportunity for the Army to tell its story to potential soldiers, and it's a great avenue for soldiers to communicate with each other and particularly with family members“¦especially when the solider is deployed. There are some tremendous collaborative tools out there. Having said that, I think you have seen articles referencing a young Israeli soldier who compromised an operation on a social networking site. His comments were seen by a fellow soldier and the operation had to be canceled for fear that their adversaries may have also seen the social networking site. Once again, it is a balance. Our soldiers, civilians, and contractors that do great work for the Army have to make sure they understand the cause and effect of their actions on these social networking sites. If you cancel that capability, then you are closing out the Army to its citizens and business partners and tremendous collaborative tools. It always goes back to the user and the training and then the accountability for their actions.
The New New Internet: What threat to the Army’s networks worries you the most?
Smith: The threat that worries us the most is the threat we don't know about. I don't know what I don't know. This will always be a leader's biggest concern. All of the other threats that are current with zero-day exploits, insider threats, etc., are no different for the Army than they are for a bank or technology company. For those of us in this business, particularly in active defense, you are probably most concerned about the threat you don't know about.
The New New Internet: Something we have heard a lot about recently, concerned that the U.S. does not have enough skilled cyber professionals, how is the U.S. Army going to attain and attract skilled professionals in this field?
Smith: We are able to attract skilled cyber professionals because doing this type of work for the Army– in all aspects of computer network operations– is a pretty exciting field. Also, attracting and retaining quality soldiers, is what Army leaders do, top to bottom, inside out. But I think what we are providing and working towards is career opportunities for soldiers to have a very fruitful 20-25-30 year career being able to work in some pretty exciting operations within the Army in real world situations. It's rewarding knowing that their work, whatever aspect that might be, in terms of computer network operations, will have a dramatic effect on their battle buddies, and a dramatic effect on how the Army fights and wins its nation's wars. I also think that since we have been at war for nine years, there is a tremendous amount of patriotism. So you get to the young technical professional, or at any age, who wants to be in uniform, wants to do good work for his/her nation, and is able to do that in a career field that is both challenging and rewarding. That is the direction that the Army and the other services continue to work towards.
The New New Internet: One thing we learned from the recent cyber shock wave test is the problem of attribution, what is the Army doing to address this problem?
Smith: Attribution is a national issue. If an adversary does some form of malicious work against the Army , and that works, you can hold those players accountable for their actions. The difficulty is that the technology is not catching up fast enough with the requirement. So we are continuing to refine those processes and working with key vendors so that we can better pinpoint operations in this scenario.