Internet of Threats: Cyber Intelligence and Everything It Touches

On October 8th, 2019, I attended a small seminar on cyber intelligence hosted by the Armed Forces Communications and Electronics Association (AFCEA) at the Hawaii Convention Center. My NCOIC and I, both Army Signaleers, made the early drive down for a chance to network over breakfast and learn about an ever-evolving field that continues to grow at an exponential rate. The goal of this seminar was to highlight cyber threats and the intelligence behind it, specifically in the Pacific region of the world.

The keynote speaker was Rear Admiral Kevin E. Lunday, the Commander of the 14th Coast Guard District and the former Commander of Coast Guard Cyber Command. The other panelists were Ken Sorenson, Assistant U.S. Attorney and Chief of the National Security Division in Hawaii, representing the U.S. Department of Justice; Kyri Bye-Nagel, Special Advisor to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA); Gerald Galloway, Chief of Cybersecurity at the National Security Agency in Hawaii; Commander John Bridges, the J2 lead for Cyberspace Operations, Task Force Pacific, Navy Intelligence Operations Command, Fleet Cyber Command; and Vince Hoang, the Chief Information Security Officer for the State of Hawaii.

RADM Lunday opened the discussion by providing a general overview of cyber intelligence and threats. He described three principles that he believes are paramount to the success of cyber operations: people over technology, challenge assumptions, and broaden perspectives. He then defined cyberspace in three bands: the physical, the logical, and the cyber persona. The physical band is anything you can touch: the cables, computers, and people that physically interact with cyberspace. The logical band is where all the data created in the physical band reside. The cyber persona is the representation of the physical layer within cyberspace; it is the “who” we are in cyberspace. Ambiguity and fluidity increase when moving from the physical band to the cyber persona band. With these bands in mind, RADM Lunday explained two trends that exist within cyberspace: convergence and acceleration. Convergence is the shrinking of the gap between the physical and logical bands. Society has moved from large, room-sized mainframe computers, to the personal computer, to mobile devices, to wearables, and, eventually, to embedded devices. With the advent of the Internet of Things, technology permeates everything that we do at nearly every point of our lives. Our physical being is translated into data in near real time. Acceleration of the advancement of technology is simply a truth, illustrated by concepts like Moore’s Law and the increasing volume of data produced every day. These two trends, convergence and acceleration, have allowed widespread access to technology. However, society has not managed the risk associated with this access and growth. The miscalculation of risk associated with technology and cyberspace has changed the United States’ view of the world. It has challenged the notion of unequivocal U.S. supremacy in every domain. RADM Lunday highlighted that things are changing to catch up to these risks.

The Department of Homeland Security has created the Cybersecurity and Infrastructure Security Agency, which has equal importance to agencies like FEMA. U.S. Cyber Command is in its second year of existence. General Paul Nakasone, Commander of U.S. Cyber Command and Director of the National Security Agency, has pushed for persistent engagement with the enemies of the United States in the cyber domain and for defending forward. The NSA has created the Cybersecurity Directorate, whose mission is the prevention and eradication of threats to national security systems and the Defense Industrial Base. One highlight of USCYBERCOM’s activities is the cooperation between the Department of Defense and the Department of Homeland Security to provide election security for the systems in place during the 2018 election cycle. USCYBERCOM and the NSA have worked diligently with the FBI to arrest and prosecute criminals utilizing the cyber domain. RADM Lunday described the Indo-Pacific area as the “center of gravity” for strategic competition. With adversaries like China and North Korea, members of the Pacific Island nations have turned to the U.S. for support in increasing the value of cybersecurity within their current security plans.

Ken Sorenson followed RADM Lunday, who put it best: “Everything is cyber.” An attorney focusing on national security, he described how criminals committing vastly different crimes are using cyberspace to conduct and hide their crimes. His district handles more espionage cases than any other district in the United States, and he detailed two cases in which individuals stole and sold secrets to foreign adversaries. He did note, however, that cyber is both a blessing and a curse. While criminals have an immense platform by which to perpetrate their crimes, law enforcement used the cyber domain to track, collect intelligence on, arrest, and ultimately indict these criminals. I took the opportunity to ask him how U.S. Army Criminal Investigation Command can use cyberspace and work with the Department of Justice to put more bad guys away. His answer was to communicate early and communicate often. By sharing intelligence quickly and disseminating it to those who need it, Army CID can use cyberspace to its advantage in conducting its mission.

Kyri Bye-Nagel is a Special Advisor in the new Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security. Its mission is twofold: secure the federal government and civilian networks that are not owned by military agencies (i.e., almost all of them), and protect critical infrastructure. CISA does this with two goals in mind: defend today and secure tomorrow. CISA works to define and prioritize threats and works closely with other agencies to ensure the protection of their assets. An example of this is working with the Department of Energy to ensure that nuclear facilities are secure and maintained. Ms. Bye-Nagel described five main efforts of CISA. The first is China, supply chain, and 5G. China, she says, is the biggest long-term threat in cyberspace. Its aggressive advancement in the world supply chain and the advent of 5G technology have left it in a powerful position, one that CISA is looking closely at how to defend against. The second effort is election security. CISA works closely with the FBI to ensure that the democratic process is secure and fair. It works closely with vendors and election committees to ensure that they can defend against potential interference in elections. The third priority is the physical defense of soft targets. Major internet service providers that serve very large geographic regions are important to defend, as they pose a significant attack vector for enemies of the United States. The fourth line of effort is federal security, which is an incredibly slow process. Very bureaucratic but very important systems within the federal government do not keep up with the advance of technology and are susceptible to cyber threats every day. Lastly, CISA focuses on the defense of industrial control systems.

The most famous attack on industrial control systems is Stuxnet, the malware that was able to infiltrate and collapse the Supervisory Control and Data Acquisition (SCADA) systems that ran Iranian nuclear centrifuges. CISA hopes to continue to operationalize those five priorities to ensure national security.

Gerald Galloway is the Chief of Cybersecurity at the National Security Agency-Hawaii. He described the current state of technology as the “Internet of Threats.” The NSA’s job is to identify and eradicate cyber threats to defend the national interest and to impose great cost on our attackers. The NSA works closely with other agencies, the Five Eyes, and other countries throughout the world to accomplish its mission. Mr. Galloway says that this is necessary because our adversaries know our laws better than we do. The NSA is legally allowed to operate in what is called “Red Space,” our enemies’ networks. It also operates in “Blue Space,” the Department of Defense networks, where it defends assets and shares intelligence. Mr. Galloway described a third space, called “Gray Space,” which consists of private and domestic networks. American adversaries understand this and will often bounce between these spaces to evade the NSA. This forces the NSA to work with domestic agencies like the FBI and CISA to defend against these threats. The NSA also works with its partners to synchronize the intelligence gathered from these three spaces to achieve results. The best results, Mr. Galloway explained, come from focusing on the threat actors themselves, instead of following them down the entire trail of networks. As an agency that has traditionally operated in the background, with a mission of providing intelligence to other agencies and departments, the NSA is working to create an unclassified network to increase its intelligence-sharing capabilities with sister agencies. The NSA also works directly with the Defense Industrial Base, the corporations that build and provide weapons to the United States military. The NSA builds the cryptography that protects these corporations’ data, builds the secure architecture and network designs, ensures compliance, and regularly conducts audits to ensure that the Defense Industrial Base is secure. And yes, Mr. Galloway knew Edward Snowden.

Commander John Bridges, the J2 for Cyberspace Operations in Task Force Pacific, focused on cyber threats within Indo-Pacom. To put it mildly, his assessment was bleak. The military has traditionally suffered from a schism between strategic and tactical cyber operations. Coupled with varying degrees of effectiveness across the services, this makes him wary of the risk associated with cyber operations in the Pacific. The first issue is understanding what equipment and software exist in the region. Every unpatched piece of software or outdated piece of hardware poses a risk. As a career intelligence officer, he articulates risk by describing the threat, the vulnerability, and the impact. He, the J2, can provide the cyber threat. However, he relies on the J6 (Signal) to provide the vulnerability and on Operations to provide the impact. I asked him to elaborate on this synergy between intelligence, signal, and operations, and asked whether there is a cell that focuses on these, and, if not, whether there should be and how far down the chain it should exist. Unfortunately, it seems that every service has a different approach. The Army is utilizing the Multi-Domain Task Force to accomplish this endeavor. He went on to describe the geographic challenges: these task forces are aligned to the service and not to the region they support. It seems, from my estimation, that the military has a long way to go in defining and understanding the best way forward to tackle this problem, especially in the Pacific.

Lastly, Vince Hoang, the Chief Information Security Officer (CISO) of the State of Hawaii, took a technical approach to describing his endeavors. He explained that the time it takes for an enemy to pivot further into your network after the initial breach is far shorter than the time it takes to identify that a breach has even occurred. He says that failed patching is the number one cause of breach and pivot. Within hours of a vendor’s patch notification, Advanced Persistent Threats (APTs) are scouring the internet for unprotected systems that they can infiltrate. Therefore, cyber hygiene is incredibly important to the safety of your systems. Mr. Hoang’s staff consists of six people to support the State of Hawaii. Their job is to put out small fires and to call on the federal government for big fires. Hawaii alone is attacked 43 million times a day in some shape or form in the cyber domain. Mr. Hoang described the necessity of finding the cheapest solution that provides the best value. He has assessed that secure infrastructure that is patched, vetted, and maintained is the cheapest and easiest way to prevent attack.

In conclusion, this panel of experts provided incredible depth on the issue of cyber intelligence and threats within the Pacific Area of Responsibility and on general capabilities within the United States government. As an S6, this helps me understand the intricacies of government interdependence in defending against traditional and non-traditional enemies on a grand scale. The military has a long way to go. I believe that we can look towards other agencies and state governments for inspiration to address the many issues that plague the cyber domain. The issues are intertwined with service politics and responsibilities, along with jurisdiction over government and non-government networks. Unfortunately, the enemy does not discriminate. This “Internet of Threats” that we must deal with is ever evolving, but the great minds dedicated to the protection of the United States of America are working hard together to ensure our national security and build our capabilities within the cyber domain.
