US cyber defenses are 'treading water,' says DARPA official
(Login cwc.mgmt) Forum Owner Posted Mar 28, 2012 9:17 AM
March 21, 2012 — 1:46pm ET | By Molly Bernhart Walker
The Defense Department is "capability limited" in its defensive and offensive cyber efforts, said Acting Director of DARPA Kaigham Gabriel, in a March 20 hearing before the Senate Armed Services subcommittee on emerging threats and capabilities.
Defensively, DoD's strategy has been to layer security onto a uniform architecture, which protects against known threats but does not adapt to growing and evolving threats. And offensively, the DoD is trying to simply scale intelligence-based cyber capabilities, which falls short of adequately serving DoD's needs.
"If you find yourself in the middle of the ocean, you'd think you need to tread water to keep your head above water. But if that's the only strategy you have for getting out of the predicament, you will eventually get tired and become overwhelmed," said Gabriel.
The DoD has begun to shift investments from things that simply "buy us tactical breathing room," to aggressive programs that seek to become "convergent with the emerging threat," said Gabriel.
Funding levels proposed for fiscal 2013 should be enough to facilitate that shift in strategy, said Michael Wertheimer, director of research and development at the National Security Agency. It's not a function of budget, it's a function of approach, he said.
"We are rushing to this threat with numbers--lots of attacks. And we're trying to deploy tools and techniques to slow that and, in my view, we're not keeping enough of a strategic eye on that nation state threat, that 'division 1 [team]' that's going to come at us," said Wertheimer.
Having adequate human capital to address the strategic issues is also important. "Talent is central to this entire discussion," noted Zachary Lemnois, assistant secretary of defense for research and engineering.
But turnover at Sandia National Laboratories has the director of the information systems analysis center, James Peery, concerned. According to Peery, the retention rate of the lab's cybersecurity professionals is similar those in the private sector--with employees leaving about every 5 years.
"This is a concern," said Peery. Historically the laboratories have been asked to solve "some of the impossible problems," that require senior staff. "To get the skills to the level that government needs usually takes between 3 to 5 years. If the retention rate is around 5 years, then we have a growing problem," he added.
This year, Peery expects to lose about 10 percent of his cyber staff to industry, because some private-sector employers are offering up to 50 percent more than the wages offered by Sandia.
Gabriel said high turnover at DARPA is actually an advantage. DARPA has a history of hiring from non-traditional sources, such as the White Hat hacker community. "We have a culture where we essentially refresh every 3 to 5 years," said Gabriel.