U.S. Counts on the Cloud to Boost Cyber–Security
November 6, 2011

Army Gen. Keith Alexander, head of the National Security Agency (NSA), discussed the cloud and how to defend against increasingly sophisticated cyber-threats at a recent Information Systems Security Association conference in Baltimore and in a follow-up interview with eWEEK. As commander of U.S. Cyber Command, he also discussed rules of engagement for the military in cyberspace…
The cloud is a key part of the intelligence community’s IT strategy, Alexander said, because cloud computing gives defense and intelligence agencies more visibility over hackers who are trying to breach government networks.
Within the NSA and Department of Defense (DoD), there are more than 7 million pieces of IT infrastructure and systems and 15,000 different network enclaves, according to numbers provided by the general. With each enclave protected by its own firewall, network administrators have little to no insight into what is happening in isolated and segmented networks, he said.
“Collapsing the enclaves” would provide administrators with a better end-to-end view of their networks and situational awareness, said Alexander. He added that it’s not a perfect solution, but “it is more defensible.”
In a pilot program, the NSA has reduced the number of applications it is running from 5,000 to 250 cloud applications and slashed the number of help desks from 900 to 450, according to Alexander. The agency plans to keep shrinking the infrastructure to just two help desks and 20 data centers, as well as adopt more open-source software, he said, noting that the military is already using Apache Hadoop and OpenStack.
These initiatives are expected to provide savings of 30 to 50 percent in the NSA’s IT budget. They will also free up professionals to focus on cyber-defense instead of operations, according to Alexander.
“When you think about the cloud, look at what Google and Amazon are doing with the technology—it’s absolutely superb,” the general said. “We need to go from our legacy databases to the cloud.” The NSA expects to move all of its databases to a cloud environment by the end of the year.
When asked about the possibility that consolidation would make it easier to steal more assets than if they were spread across networks, Alexander said that instead of weakening network defenses, collapsing the enclaves “increases the probability of seeing an intrusion.”
The probability of having all 15,000 enclaves protected and patched is low—near zero. And if administrators can’t see within each enclave, then once the attackers get inside, they are “free to roam” without being detected, he said.
It was essential to change from static defense, one that is reactive to threats, to an “active defense,” Alexander said, likening traditional network defenses of firewalls and intrusion prevention systems to a modern-day “Maginot Line.” (This refers to a massive line of fortifications that France constructed along its border with Germany after World War I to fend off a renewed invasion. In the early days of World War II, the German army went around the Maginot Line and defeated the French army.)
“I think that nation states, non-nation state actors and hacker groups are creating tools that are increasingly more persistent and threatening, and we have to be ready for that,” Alexander said. “So the security frameworks we are putting in place are forward-looking, based on what we are seeing.”
The advantage “is on the offense,” as the attacker needs to find just one error to get into a network and, once in, will remain there for months, he said. Cyber-defenders have to go “hunting” and find adversaries as fast as possible.
As part of that effort, the NSA is marking and tagging all its data in the cloud to make it easier to share intelligence information in almost real time. For example, commanders used cloud computing in Iraq, which allowed the military and intelligence community to quickly share and disseminate information to the troops on the front lines, according to the general.
Pentagon and intelligence agencies “must do more to protect their computer systems and coordinate with private companies to safeguard public networks” that control electrical power, banking, transportation and other critical infrastructure, Alexander said. While industry and government are making progress in protecting computer networks, “tremendous vulnerabilities” remain. In addition to recently disclosed attacks, he said, another unnamed U.S.-based company lost $1 billion worth of intellectual property to cyber-thieves in just two days.
Google, RSA Security and Lockheed Martin have some of the best security systems in the world, yet they were hacked, Alexander pointed out. “If they’re being exploited, what about the rest?” he asked.
Defense Industrial Base is a pilot program under which the DoD shares classified cyber-intelligence with the defense industry so that they can defend themselves. The program was recently extended, and more companies will be added.
The National Security Agency also shares classified malware signatures with Wall Street, Alexander said. While declining to comment on the breach at the NASDAQ stock market last year, he did say that NSA experts are working with the exchange’s IT team to beef up defenses.
The Department of Homeland Security (DHS) is also studying the Defense Industrial Base pilot to expand or copy the model to assist financial firms, power plants and other key systems, he said. Any government action in cyberspace must be led by the DHS, with regular reviews to ensure that civil liberties and privacy are protected.
The DoD released its strategy for operating in cyberspace in July, and the Joint Chiefs of Staff are currently working on a doctrine that would lay out the rules of engagement against an attack in cyberspace. After the doctrine is approved, Cyber Command will provide guidance that spells out, “Here is how we operate in cyberspace,” Alexander said.
The doctrine will define the conditions under which the military can go on the offensive and what actions it is allowed to take. Until then, the laws of land warfare and armed conflict will continue to apply to rules of engagement in cyberspace.
Key issues being considered include what constitutes a war in cyberspace and what represents a “reasonable and proportional response” to a cyber-attack, according to Alexander. It’s still unclear what the government can do to go after botnets or shut down compromised networks—and who has the authority to do so.
“Is it the FBI? Is it the NSA? Is it the military, or is it the ISPs [Internet service providers]?” Alexander asked. “Somebody can turn that device off.” These questions have to be settled by policymakers, not the DoD, he said.