Closing the net on cyber attacks – Q&A with former Pentagon Information Security Chief Robert Lentz
Governments, the military and defence contractors are being targeted by increasingly sophisticated cyber threats. Berenice Baker talks to Robert Lentz, the Pentagon's former Chief Information Security Officer, about the changing nature of these attacks and how it could take a devastating 'cyber 9/11' before cyber security is taken seriously.
Coming from a background in the US National Security Agency, Robert Lentz took over the position as Chief Information Assurance Officer for the Pentagon in November 2000, a role that is now known as the Chief Information Security Officer (CISO).
He became the first Deputy Assistant Secretary for Cyber, acting as the Department of Defense (DoD) representative to the White House during the formation of the US national cyber initiative policies. From 2000 to late 2009, Lentz's office was responsible for formulating DoD cyber policies and influencing the establishment of national policies as it became a national agenda item.
Berenice Baker: How have you seen cyber attacks against the military and the government change since you became CISO?
Robert Lentz: We have connected more and more of the DoD to the internet and interconnected more internal departments, meaning the attack surface has increased.
As we've seen in our daily lives, the cyber threat has evolved from casual hackers interested in public recognition and excitement to a combination of criminal activity and cyber espionage.
This has grown exponentially to what we're now beginning to see as an alarming increase in cyber criminal activity and the very real possibility of cyber terrorism.
BB: Would you say that cyber terrorism is one of the biggest current threats to the US military and defence industry?
RL: I think it is a bigger threat to the national security establishment, in as much as cyber terrorists aren't necessarily as interested in waging asymmetric warfare against the military as they are against softer targets. These include the critical infrastructure sectors such as energy, banking and transportation sectors.
But I think the military is equally if not more concerned about the increasing capability of rogue nation states to wage warfare on the internet, in the same way that Al Qaeda waged asymmetric war against the US military in the form of IED attacks and the like.
BB: What sophisticated new forms of attack are you seeing?
RL: Spear phishing is one of the tools the more sophisticated attackers have in their tool box for conducting espionage, cyber terrorism or criminal activities.
Official-looking emails make the average user feel comfortable, luring them to enter personal information on fake websites to further escalate their attack methods. They can also contain malware that automatically invades your network and enables them to steal information.
BB: Aside from the human factor, is there also a technology gap in that normal security systems don't protect against the latest forms of attack?
RL: When I was in the DoD we made a huge investment in reaching out to the private sector to get them to focus on those areas.
We realised that developing government-built solutions in cyber space is not necessarily an effective way of going about business as you can't afford the same time frame as procuring tanks, airplanes, ships and armaments.
With technology moving so fast, we asked Silicon Valley and academia to come up with the most innovative solutions to deal with these targeted advanced persistent threats, including spear phishing.
We're starting to see more advanced technologies become available thanks to the imagination, ingenuity and agility of small companies.
BB: Do you think the military and the government can learn from other areas in the private sector, such as banks, that have their own security challenges?
RL: Right after 9/11 we realised the fragility of our financial sector, Wall Street in particular, could have had a devastating effect on the global economy and that was back when the global economy was fairly stable. We also realised that cyber criminals are very interested in going after the financial sector because it has such an interlocking influence on world stability.
The larger banks have worked very closely with the National Security Establishment to better understand the best tactics, techniques and procedures to use in cyber space. They have their own set of experts who have risen to the occasion, some of whom left to work as private sector consultants to the government enabling the financial sector to work closely with the DoD in times of investing and taking cyber defence very seriously.
BB: Defence contractors also hold government military information themselves and the industry has been the subject of a number of recent high-profile attacks. Should contractors work with the military to ensure the security of their data?
RL: Clearly. A recent McAfee report, called Revealed: Operation Shady RAT, pointed out the obvious - it wasn't necessarily a big secret that there's been espionage going on against the global defence industrial base for years. The DoD set up an initiative called the Defence Industrial Base Initiative which began the process of getting the US Government to work closely with our defence contractors to share technologies, procedures and threat and vulnerability information to help protect their network, just as well as we protect the DoD networks.
That process is underway, but we're just at the tip of the iceberg, covering 10% at best in terms of helping to protect our defence contractors and helping to protect our other critical information infrastructures.
BB: Is there a case for a Nato joint policy between its member states?
RL: I think there is. I was at a Nato conference recently and I get the sense they are beginning to understand that they must have a more collective position relative to cyber defence and a strong commitment among senior leadership.
It's going to be a challenge to move fast enough in terms of procurements and unifying operations, but I believe there is a sea change. Nato is realising that, to be successful in terms of military operations around the world, we must have a corresponding information infrastructure which is much more sophisticated.
BB: How do you see cyber attacks evolving and how can governments and the military stay one step ahead?
RL: Unfortunately it takes a 'cyber 9/11' or cyber Pearl Harbour to make governments take cyber security seriously enough.
If you look at the denial of service attack in South Korea that occurred nine months ago, it shook the government to shift gears in terms of investment in cyber because they now understand how fragile they are to threats in their region.
Progress is going to be slow until there is an attack against a country's cyber infrastructure, or a control system that damages the London Underground, an Air Traffic Control System, a nuclear power plant or other critical infrastructure. That could happen in the next three to four years.
Only at that point will a national defence authority for cyber security be formed that's sufficiently empowered through parliamentary regulations. The government will then commit to work towards a tighter partnership with, if not control over, the critical infrastructure sectors which our governments and our people depend on.