Imagine a cyber-attack that disables an electricity distribution center. What's the role of the U.S. military, government or the utility company in defending and retaliating? That's a question on the mind of Army Col. Gregory Conti.
Conti is director of the Army Cyber Institute at West Point, which is taking a multidisciplinary approach to develop ways to safeguard the American armed forces, government and society.
Who's responsible for what? Conti, in seeking an answer to that question, says limits exist on the roles performed by the military, government and industry in protecting cyberspace. "The law is unsettled in those areas, and we need to help define what the boundaries are," he says.
The institute is assembling a cadre of experts from a variety of fields - security, information technology, psychology and law, for instance - as well as various sectors - the military, government and financial services, to name a few - to not only help define cyberdefense responsibilities but also to tackle other problems, such as developing IT security skills within the military.
In an interview with Information Security Media Group, Conti also discusses:
- Prospects of the military establishing a cyber service branch on par with the Air Force, Army and Navy, an idea he championed in a 2009 article (see New Cyber Warfare Branch Proposed);
- Creating a career path for cybersecurity specialists in the military; and
- Ramping up of the 2-year-old Army Cyber Institute.
Conti earned two graduate degrees in computer science, an MS at Johns Hopkins University and a Ph.D. at Georgia Institute of Technology. He also, is an associate professor of computer science at the United States Military Academy. Conti has published two books: Googling Security and Security Data Virtualization.
ERIC CHABROW: You don't want to call the Army Cyber Institute a think-tank despite it having a lot of characteristics of a think-tank, why not?
GREGORY CONTI: The phrase think-tank implies that everybody sits around smoking pipes thinking scholarly thoughts and putting out the occasional research paper. We're trying to do something more than that. We're trying to go out there and make a difference and improve the cybersecurity of the Army of the Department of Defense and the government, as well as the nation at large.
CHABROW: What exactly is the Army Cyber Institute and what are its goals?
CONTI: The Army Cyber Institute was a concept two years ago. It was to create a new innovative agile organization within the Army, but connected to the government and various communities that are essential to making our country and people around the world safe in cyberspace. It has four main focus areas; outreach, connect with the right people, build a bench of experts to advise and conduct research, and collaboratively solve problems. Also, as education is a key component of this, to help either conduct education ourselves or inform the educational programs.
CHABROW: What is the reach of your community?
CONTI: When I think about the critical national threat facing our country today, really not just our United States, I mean it is countries around the world, we're much dependent on technology. That is what keeps me awake at night; how dependent we are on technology. It's hard enough to keep working without an adversary trying to disrupt you, either to exploit, gather information, or just destroy it all together. When I think about what it is going to take to solve, no one government can solve this. To me, it's truly a team sport and we're trying to build an interdisciplinary team here that can help provide a catalyst for real solutions.
CHABROW: Explain this multidisciplinary approach that the institute is taking.
CONTI: I consider myself a technologist at heart, a computer scientist, and I want to reach for my software hammer to fix things in code. I have friends who are in the legal community, they reach for law or a policy committee. Ultimately, to get real solutions, I think it's going to be a combination of many disciplines, including technology, policy and law. For example, ethics, privacy, civil liberties and computer ethics have all proved themselves to be very important. So what should we be teaching people about cyberspace, operations and computer security in terms of ethics? Obviously math, cryptography. We found an intersection with just about every discipline. You think of phishing resistance to phishing attacks, or resistance to social engineering? In system's engineering, the idea that an attacker will probe the perimeter of a system history...if you look back there are people who specialize in history of technology and history of intelligence. There are a great many lessons that have been learned through the course of history that we can then apply to the present. The list just goes on and on and what we're trying to do is bring together those diverse teams in a powerful way that's never been done before.
CHABROW: Who is full-time on this staff and who do you bring in as experts for specific projects?
CONTI: What we're trying to do is reach beyond just the Army to create a scaffolding that other government entities would like to come in to. But as we move into the future organizations, private/ non-profits that we would like to collaborate with, ideally in residence here remotely. I look at what the Army has provided as the seed-corn to put this together, and we're looking at having 26 people on board this summer. What we're looking to do is then expand with collaboration. Twenty-six sounds like a lot, but when you have to actually carefully prioritize who we can work with, at least initially, over time we want to create the type of scaffolding that others will want to play a part in because they see value in what we're trying to accomplish, which is the cybersecurity of our country.
CHABROW: You're bringing people in from financial services. How would they work with your organization?
CONTI: When I think about the challenges facing our country, adversaries are able to operate in the seams between various governments organizations. It's those seams in government organizations and legal authorities that cause problems, because they're not effectively covered. There's a joke of Murphy's Laws of Combat that says that any battle will occur on the seam between two maps. What we're trying to do now is build a critical nest, build relationships that are focusing specifically on New York City because of its proximity to West Point and the financial sector in particular. In many ways, it mirrors the critical infrastructure that is at risk for the rest of the country as well, and really the rest of the world. Initially, we were participating in various industry events and bringing folks here to do the same. We're doing an analysis of the problems, because many of the problems we share are mutual. They aren't specific to the government. They are pain points that are common both in industry and across the spectrum. There are limits on the role of the Army in protecting cyberspace, and understanding what the role of private industry is in protecting cyberspace. The law is unsettled in those areas and we need to help define what the boundaries are, be a participant in that discussion.
Understanding boundaries is critical. With boundaries come the ability to assign responsibility and authority to take protected measures, or potentially offensive or defensive measures. In classic army doctrine, a commander on the battlefield has rules of engagement and the law of war, which was very well understood defining what they are allowed to do. On the map they have a unit sector that is clearly drawn out telling them what they're responsible for. They have a great deal of authority inside their unit sector. If they go outside of that, they coordinate left and right and up and down to make sure that they're operating in sync with everyone around them. Now what we have is this physical plain, and I tend to think of it in terms of a parallel playing of cyberspace. If you think of your office or government building, it has a presence in cyberspace. It quickly becomes global, so defining those boundaries of whose responsible where is critically important, but not easy.
CHABROW: Is this an issue that you'll be looking at?
CONTI: Yes, I think so. What we've been starting to look at are many time-tested techniques from classic military doctrine on how to play and win in various battles and engagements, long term and short term. What can we pull from that deep well of information, what can apply to cyberspace? That's one of the places we're starting, and one of the natural intersections is the idea of training. The training analysis of a battlefield...a bridge over a river may be key to winning a battle for either side, and applying that then to the cyberspace realm. In fact, one of my colleagues now is presenting some work to NATO on our key training in cyberspace.
CHABROW: What can we expect from the institute in the coming year?
CONTI: The Army is going through some significant transformation, in terms of how we operate in cyberspace and how we organize to defend ourselves and perform a wide spectrum of activities in cyberspace. We're looking internally to help and form how the Army organizes for the next steps, including how we create a career path for leaders and participants in the specialty area. Historically, there has not been a dedicated career path for people who did these type of activities. Now we're in the middle of trying to figure out how to create one, what it would look like, and we're taking an active role in that.
Another part of our outreach activities is to get out and start engaging other industries, both in academia and government, to then find opportunities for internships for military personnel to work in various places in industry. In the past at West Point, we've grown people that specialized in this, but more than an ad hoc process. They would show up and be interested, and we'd feed them during their four-year tech career, but a very ad hoc fashion. And the end result was positive but it wasn't delivered. It was something you could scale up. We're formalizing that to a very deliberate process called the Cyber Leader Development Program. It will allow us to ideally recruit people here at West Point, put them through a deliberate four-year program that compliments their classroom experiences with a wide range of outside the classroom activities, and then gradually release them as second lieutenants holding a Bachelor's degree into the Cyber Forces.
Evolving Cyber Components
CHABROW: How do you see the armed services evolving with cyber being an important component of the military?
CONTI: There is widespread recognition of the importance of cybersecurity and cyber operations, both as a threat in terms of, if we're not properly secure then it could be exploited by our adversaries. There is an understanding of the utility of information technology in general, how powerful an enabler it is to do what we do. And then the same thing if you think of cyber operations, offensive cyber operations, clearly there is great potential there. The larger picture then is there's widespread recognition and I see a tremendous amount of momentum. When I first wrote the paper I wasn't entirely optimistic because I knew a great deal of hopeful change would be required to help make this happen. But now that we have champions in the force that get it, that understand the problems, and it's backed up by the real world, the headlines every day, a lot of the requisite cultural change that is required is taking place. Is it perfect, is it messy sometimes, absolutely. But are we heading in the right direction, and I'd say pretty aggressively.
CHABROW: When you say heading in the right direction, are you talking about a separate military branch or restructuring of how the armed forces approach to cyber?
CONTI: I see it as a general trajectory that there are things that need to occur to help to prepare the military to operate in cyberspace. A pretty significant movements taken place, the birth of Army Cyber Command, the birth of U.S. Cyber Command, the idea of the Cyber Mission Forces. You may have read about this in the newspaper...creating dedicated teams for people looking at the IT of creating a cyber-branch inside the Army so as to appeal to infantry, armor and signal to create a specialist career field for people in this area. I think that's all very substantial. Will one day a new service emerge? In the back of my mind, I feel like it will, but that's my own personal opinion. That's probably a point in the future 20 years from now, and may only occur perhaps after a major catastrophic cyber event occurs. That's the type of trigger [it takes to] create a new organization of that magnitude. But I really see us on a trajectory where we're doing all the right things and that may be sufficient, short of creating a new service. It might not be necessary.