Getting the military’s cyber forces to focus more on the most serious threats to U.S. national security means getting away from the whack-a-mole-like strategy now used to find and remove malware from their systems, officials from Google and Lockheed Martin told a crowd of soldiers Wednesday.
Most of what cyber soldiers deal with is malware living in a system that can be exploited by an enemy, according to Jim Young, U.S. Army Account Executive for Google Enterprise Transformation.
It’s a common problem, but one that should not happen, he said at the last panel session at the Association of the U.S. Army’s annual conference in Washington D.C.
“This notion that persistent malware can stay on your machine should not happen,” he said. “The technology is out there today to erase it, or not make it an attack factor. So I encourage you … to start looking at opportunities that fundamentally change how you probe cyber security. Do not do incremental. It will not get you where you need to be.”
Charles Croom, vice president of Cyber Security Solutions for Lockheed Martin Information Systems & Global Services, called it the “80/20 cyber rule.”
“It’s a rule of thumb that says, ‘hey, if I implemented everything I knew how to do today [to stop the malware] I could take 80 percent of my threats off the table, and then I could focus on this advanced persistent threat of 20 percent.’”
No one has developed such an all-in-one package yet, but the Defense Advanced Research Projects Agency – DARPA – has issued proposals intended to find solutions, Croom said.
The only way to do it is to automate these solutions, he said, whether they are patching, vulnerability assessment, or remediation. Individual soldiers now perform all of these steps successfully, but they have to repeat them again and again as the same problems keep cropping up, he said.
“The only way we’re going to [fix it] is through automation. We’ve got to get people out of the loop and automate what we know how to do,” he said.
The problem is that it is a multi-platform, multi-device world across “monstrous enterprises that are globally connected,” he said.
“We can’t even get our configuration management down to knowing what’s on the network, who is on the network,” Bryant said.
Networks should be scanned automatically and constantly to identify exactly what and who is on them at any time and to look for changes to software and hardware; it can be done at the speed of light, Croom said.
And when an unauthorized change, a weakness or an intrusion is detected, the response should be instant and automatic as well.
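The continuous scanning and automatic response Croom describes reduces, at its core, to comparing a fresh scan against an approved baseline of hosts, hardware identities and software versions, then sorting the differences into what a machine can close on its own and what needs an analyst. The following Python is an added example written for this page; it is not code from the panel, Google, Lockheed Martin or DARPA. The inventory records, field names, host names and the policy of which finding types are auto-fixable are all constructed assumptions.

```python
"""Baseline-drift detection: compare an approved inventory with a new scan,
then split the findings between automated remediation and human review.
All data, field names and the auto-fix policy here are constructed
assumptions for the example, not any real scanner's format or policy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str     # unknown_host, host_missing, hardware_changed, owner_changed,
                  # software_added, software_removed, version_changed
    detail: str


# Constructed approved baseline: host -> hardware id, owner, software versions.
BASELINE = {
    "ws-101": {"hw": "aa:bb:cc:00:00:01", "owner": "sgt.alpha",
               "software": {"openssl": "1.1.1u", "browser": "115.0"}},
    "ws-102": {"hw": "aa:bb:cc:00:00:02", "owner": "cpl.bravo",
               "software": {"openssl": "1.1.1u", "browser": "115.0"}},
}

# Constructed result of the latest automatic scan of the same segment:
# ws-101 has a downgraded browser and an extra tool, ws-102's hardware id
# changed, and ws-777 is a device nobody registered.
SCAN = {
    "ws-101": {"hw": "aa:bb:cc:00:00:01", "owner": "sgt.alpha",
               "software": {"openssl": "1.1.1u", "browser": "114.0",
                            "remote-admin-tool": "3.2"}},
    "ws-102": {"hw": "aa:bb:cc:00:00:99", "owner": "cpl.bravo",
               "software": {"openssl": "1.1.1u", "browser": "115.0"}},
    "ws-777": {"hw": "de:ad:be:ef:00:01", "owner": None,
               "software": {"browser": "115.0"}},
}

# Assumed policy: software drift is a repetitive, known fix that a machine can
# apply; unknown devices, swapped hardware or vanished hosts go to a person.
AUTO_FIXABLE = {"software_added", "software_removed", "version_changed"}


def diff_inventory(baseline, scan):
    """Return every deviation of `scan` from `baseline` as a list of Findings."""
    findings = []
    for host, seen in scan.items():
        if host not in baseline:
            findings.append(Finding(host, "unknown_host",
                                    f"unregistered device hw={seen['hw']}"))
            continue
        approved = baseline[host]
        if seen["hw"] != approved["hw"]:
            findings.append(Finding(host, "hardware_changed",
                                    f"{approved['hw']} -> {seen['hw']}"))
        if seen["owner"] != approved["owner"]:
            findings.append(Finding(host, "owner_changed",
                                    f"{approved['owner']} -> {seen['owner']}"))
        for pkg, ver in seen["software"].items():
            if pkg not in approved["software"]:
                findings.append(Finding(host, "software_added", f"{pkg} {ver}"))
            elif ver != approved["software"][pkg]:
                findings.append(Finding(host, "version_changed",
                                        f"{pkg} {approved['software'][pkg]} -> {ver}"))
        for pkg in approved["software"]:
            if pkg not in seen["software"]:
                findings.append(Finding(host, "software_removed", pkg))
    for host in baseline:
        if host not in scan:
            findings.append(Finding(host, "host_missing", "not seen in scan"))
    return findings


def triage(findings):
    """Split findings into (auto-remediate, escalate-to-analyst) lists."""
    auto = [f for f in findings if f.kind in AUTO_FIXABLE]
    escalate = [f for f in findings if f.kind not in AUTO_FIXABLE]
    return auto, escalate


def remediation_actions(auto):
    """Map each auto-fixable finding to the action an orchestrator would run."""
    actions = []
    for f in auto:
        if f.kind == "software_added":
            actions.append(f"{f.host}: uninstall unapproved {f.detail}")
        elif f.kind == "version_changed":
            actions.append(f"{f.host}: reinstall approved version ({f.detail})")
        elif f.kind == "software_removed":
            actions.append(f"{f.host}: reinstall required package {f.detail}")
    return actions


if __name__ == "__main__":
    auto, escalate = triage(diff_inventory(BASELINE, SCAN))
    for action in remediation_actions(auto):
        print("AUTO     ", action)
    for f in escalate:
        print("ESCALATE ", f.host, f.kind, f.detail)
```

Run against the constructed data, the two software deviations on ws-101 are handed to automation, while the changed hardware id on ws-102 and the unregistered ws-777 are escalated; a host present in the baseline but absent from the scan is likewise escalated rather than silently dropped, since a vanished asset may be an outage or an evasion.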
“When you know there’s an issue on your network you ought to be able to close most of them with machines,” he said. “These are repetitive things that have to be done and most of it can be done by machines. And then you save the manpower for the high-end intellectual issues, the threat you’ve never seen before, that is unique and requires some intelligence.”