Pentagon hiring binge won’t guarantee more security

A Pentagon plan to hire another 4,000 cybersecurity professionals, for both defense and offense, will improve the employment and salary prospects of those with the right skills.

On that much, most cybersecurity experts agree. They are less confident, however, that it will significantly improve the nation’s security from catastrophic cyberattacks.

The plan, leaked last week to the Washington Post prior to a formal announcement, would expand the Pentagon’s cybersecurity force within the next several years by 500%, from 900 to 4,900 military and civilian personnel.

At the request of the Defense Department’s Cyber Command, it would also expand the focus of the force from largely defensive to offensive as well — a move that is highly controversial among cybersecurity experts.

Both outgoing Defense Secretary Leon Panetta and Homeland Security Secretary Janet Napolitano have warned several times in recent months of the increasing threat of a “cyber Pearl Harbor” or “cyber 9/11” from hostile nation states.

“The only question is whether we’re going to take the necessary steps like this one to deflect the impact of the attack in advance or … read about the steps we should have taken in some post-attack commission report,” William J. Lynn III, a former deputy defense secretary who has worked with the Pentagon to develop its cybersecurity strategy, told the Post.

Gary McGraw, CTO of Cigital, who has been a vocal opponent of taking the offense in cybersecurity conflicts, said neither the hiring nor its purpose is a surprise. “The Cyber Command is not new, and we knew they were doing offense. What do you think Stuxnet was?” he said, in reference to the computer worm used to attack Iranian nuclear facilities, generally acknowledged to have been launched by the U.S. and Israeli governments.

“This is just about staffing up,” he said.

The Pentagon plan is focused on having the new staff address three major vulnerabilities in the U.S., the report said. “‘National mission forces,’ to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security; ‘combat mission forces’ to help commanders abroad plan and execute attacks or other offensive operations; and ‘cyber protection forces’ to fortify the Defense Department’s networks.”

All of which are admirable goals, said Joe Weiss, managing partner of Applied Control Solutions, but without the right mix of skills, he said it may not improve security no matter how many people are hired or how much money is spent.

[See also: U.S. rattles preemptive cyberattack saber]

“I’m an engineer, so I understand how industrial control systems (ICS) work. Unfortunately, many IT people don’t,” he said. “Given the state of ICS technology, there probably will be a cyber Pearl Harbor, but we might not know it. There are minimal cyber forensics for control systems.”

Weiss added: “If a plant shuts down or blows up, you can’t hide that, but you may or may not know if cyber had anything to do with it.”

Part of the problem, he contends, is that the IT security industry focuses on malicious attacks. Of 300 industrial control system incidents, four have killed people, four nuclear plants were shut down from full power, four major “cyber-related electric outages,” and “a water company the pumped water from a Superfund site into the drinking water system.”

“But they were unintentional, so none of them had the term ‘cyber’ attached to them,” he said. “Even if something is unintentional, it’s real, and it shows vulnerabilities that can have significant consequences.”

“We need people who are both control-system and cyber experts, or at least willing to work together, and there aren’t enough of those,” he said.

Paul de Souza, founder director of the Cyber Warfare Division of the Cyber Security Forum Initiative, agrees that those with the right mix of skills are in high demand and short supply. “The main problem in the U.S. is to find cleared cyber operations professionals with full spectrum — exploitation-offense-defense — hands-on experience,” he said.

Gary McGraw, who has been delivering the “build security in” mantra for years, says it is an old problem.

“What we need is security engineering — building systems that are harder to attack,” McGraw said. “We could hire a bajillion system administrators — and we need some of those guys to configure networks and build firewalls — but what we also need are software security professionals who are going to build better systems.”

McGraw, Weiss and others say the U.S. is asking for more trouble if it goes on offense, because it is still so easy for cyber attackers to cover their tracks, or make it look like it came from an innocent party or country. “Offense is fine if you know who you’re going after, like Iran,” McGraw said. “But if you don’t know for sure who it is, it’s a problem. You have to watch out for the head fake.”

In spite of U.S. officials’ insistence that they are much better at knowing who launched an attack and from where, McGraw and others are not convinced. And if an attack is launched at the wrong organization or state, “it happens so fast, you can’t say, ‘Oops,'” McGraw said.

Weiss warns of a blowback effect. “There are maybe 20 vendors internationally for these [industrial control] systems, which are used in some countries that are not so friendly to the U.S,” he said. “They do what they were designed to do well, which is operate reliably and safely for many years. But, security was not part of their design. If you start making them fair game, we’re in a lot of trouble — not just here but all over.”