On Monday, November 2, 2009, J.B. "Gib" Godwin, vice president of Cybersecurity and Systems Integration for Northrop Grumman's Information Systems sector, addressed the 24th Annual Armed Forces Communications and Electronics Association (AFCEA) Conference and Exposition in Honolulu, Hawaii. Below are his delivered remarks and his presentation.
CyberSecurity: Its Acquisition and Environment
Good morning. Thanks for coming today, and thanks on behalf of Northrop Grumman for the opportunity to participate in this seminar.
In particular, my goal is to address:
- The rapid evolution of the Cyberthreat
- Our growing vulnerability
- Elements of a response
- The role of the acquisition process and
- Northrop Grumman’s expertise and the leadership it is bringing to meeting the cyberchallenge.
I’m also looking forward to sharing a scenario that will bring home several of these points.
So fasten your seatbelts and let’s go.
It may seem that cybersecurity has only emerged as a major issue over the last few years. But it’s actually been on the nation’s radar screen for a generation - since the dawn of the personal computers and connectivity.
Believe it or not, it’s been 26 years since the subject actually burst onto the public consciousness with the movie “War Games” – in which a very young Matthew Broderick plays a young games player who accidentally hacks into the Pentagon and pushes the U.S. to the brink of nuclear war.
Since then, cyber-conflict has been a favorite Hollywood theme. But as you all know, the cyberthreat to America is not a figment of Hollywood’s imagination – and it’s anything but a game. The U.S. is under assault 24/7/365 – and the costs both to our economy and our national security are, in the words of the Center for Strategic and International Studies, “unacceptable.”
In fact, you may not know this, but the President – who last spring received a 40-page report laying out the cyberthreat and making recommendations for a coordinated public-private response – declared October “Cyber Security Awareness Month.”
As Maxwell Smart used to say, we “missed it by that much.”
Nevertheless, this seminar couldn’t be more timely. Because the cyberthreat is real and it’s now – and we are finally embarking on a national conversation about how to address it, not to mention contract and pay for it.
My fellow panelists and I are going to cover this from a number of perspectives today, but again, I want to discuss for a moment just how real and how now the cyberthreat is - in a way that I hope will provide a platform for our discussion of the cyber-security acquisition process.
Specifically, the cyberthreat – which has been estimated in some quarters to be a one trillion dollar a year problem – is getting bigger – faster – and smarter every minute of every day.
The president of our Information Systems sector has pointed out that the massive scale of today’s cyber attacks places them on the level of warfare.
In fact, we experienced a 152 percent increase in the number of cyber attacks on the U.S. government in 2007 alone – and a 55% rise in intrusions on military networks.
As a result, each and every day there are an estimated 360 million probes directed at Pentagon computers, looking for vulnerabilities. That comes out to more than 4,000 every single second.
Symantec tells us that there are now more than 9.4 million distinct bot-infected computers - computers that have been infiltrated and enslaved as platforms for remote cyberattacks – and that more than 75,000 of them are active on an average day.
As an example of how they can be deployed, a coordinated attack on government networks earlier this year involved nearly 170,000 zombie computers in 74 countries - consuming between 20 to 40 gigabytes of bandwidth per second. It managed to hit virtually every major Federal agency, including the White House. And that was considered a relatively MINOR attack.
It wouldn’t be an exaggeration to submit that if this is war – and it is – we are up against the largest standing army in history. An army made up of everyone from teens to thieves to terrorists to territorial nations.
One look at this chart (slide 7) will tell you what I mean when I say that the cyberthreat is moving faster. In a single year, the number of malicious code threats extant grew 265 percent. More than 2,800 new codes were produced every day last year.
When you consider that it takes codewriters months at a time to analyze these codes and produce and distribute patches for them, you can imagine the degree of vulnerability.
And of course, the threat is getting smarter. I’ve represented some of the key ways intruders are targeting systems – including highly sensitive systems – today. The diagram on the lower left represents the classic distributed denial of service attack, where thousands of bots are employed to overwhelm a server and slow or interrupt its performance.
A key development here is the growing ability of these botnets – once identified and interrupted – to go underground and reconstitute themselves using other computers. At the same time, the probes I discussed earlier are also getting smarter and more sophisticated. Their tools are increasingly automated and become smarter as they are defended against - they are becoming adaptive.
How smart are these probes? Our team conducted an experiment in which they simply took a computer with the most robust commercial security software available, connected it to the Internet and did nothing. It took just four hours for probes to begin, and within two weeks the computer was taken over by a server in Canada, which was in turn run by another server in Singapore, which was in turn controlled by another server that could not be traced. The computer was used by parties unknown to attack another computer in Poland.
By the way – the going market price to acquire access to such a bot? As low as 4 cents, according to Symantec.
Why is everyone from teens to thieves to terrorists to nation states pursuing cyber warfare?
For kids, it’s about fun – the challenge of getting through.
The biggest reason, though, is profit. As Willie Sutton said, he robbed banks because that’s where the money is. It’s no wonder that three-quarters of all attacks still target financial institutions.
But another major reason is information – which in turn can be used to attack financial targets, but also to compromise our national security.
And of course, the attack in and of itself serves a purpose. Every dollar of the billions we are devoting to cybersecurity is drained from our economy or other areas of national security. Every minute we are distracted is a minute away from productive activities. In essence, they are already succeeding at cyberterrorism.
Most important for our purposes, nation-states – and terrorists as well – are seeking the power to disrupt our defense forces, damage our infrastructure and interrupt commerce in order to destroy our way of life and gain military advantage.
I don’t know how many of you are old enough to remember the quote from the cartoon character Pogo that I’ve included here. Its message was stated in another context, but it applies to us in cyber security as well: We have met the enemy, and he is also us.
I’m in the business of information systems for defense. But it’s clear that those same sophisticated information systems that have given us an enormous advantage militarily also have opened up a new avenue of attack, against both our defense and civilian infrastructures.
Gaps and overlaps in our systems – the failure to integrate – also heighten our vulnerability. Integrated systems like we have in some of our forces see and defend against a problem once. Others provide thousands of targets for that same probe.
Multiplicities of networks and software also mean multiplicities of vulnerabilities that can be attacked by malware.
The openness of our democratic culture also provides more freedom to roam around the Internet and enter into personal and business networks and systems.
And of course, the biggest area where we are our own worst enemy is the casual manner in which many of the people in our organizations treat security. Like a chain with the weakest link or an army with the slowest soldier, our security systems are only as strong as our most careless or clueless employee.
So before we start talking about solutions, let’s do a reality check. Because this threat is so big and so fast-moving and so sophisticated that it’s impossible even to refer to a “solution.” It’s about “solutions” and even “responses.”
The fact is that this problem is so big that we won’t catch everyone or even near everyone – just as even the best store security won’t catch every shoplifter.
The resources on the other side are so numerous and so distributed that the cost of defense is many times the cost of attack.
Plus, any thought of deterrence, as in conventional warfare, presents a challenge. It’s hard to deter an enemy you can’t see – and with economic loss or mere inconvenience frequently involved, as opposed to physical harm, it’s hard to gauge a proportional response to an “attack.”
Finally, we can talk about getting ahead of the problem, but truthfully we’ll usually be a step behind. The change in technology, personnel and sources of attack is taking place far faster than we can keep up with. We’ll frequently be in response mode.
So what are some elements of the response to the cyberthreat?
Well, a 24/7/365 assault calls for 24/7/365 vigilance. We need to have systems and personnel who are on guard every second of every minute of every day.
Second, we have to prioritize and lock up the valuables. Wal-Mart is locking up the iPods, not the dog food. We have to harden the targets that matter most, beginning, frankly, with us, our national security resources – we’re certainly not dog food – and moving downward into vital public services and financial networks.
Finally, we need to close ranks, pool resources and standardize systems and responses as a “coalition of the willing.” That will require us to work with our amigos, our partners and our allies – but in many cases, also our competitors and adversaries. By so doing, we’ll reduce our areas of vulnerability, cut down on duplicative efforts and provide each other the benefit of our knowledge.
Let’s move on to what’s needed to back up and power that response. We’ll need resources that are equal to the threat.
We’ll need bigger. It’s taken an investment in the hundreds of billions of dollars in cybersecurity so far, and keeping us safe will ultimately cost hundreds of billions more.
We’ll need “faster” – the phrase you are hearing is “speed of need.” As new threats arise at a moment’s notice, if not faster, we’ll need the ability to rush resources to create solutions.
And we’ll need “smarter.” We’ll need to ensure that contractors have both the capability and the flexibility to do what needs to be done to address new threats.
Unfortunately – and here’s where we get precisely on point – when it comes to “bigger,” “faster” and “smarter,” the acquisition process is none of the above.
And let me add that if anyone was about to interpret that as a harsh judgment on the hard work you do, it’s in part a self-indictment: I lived this on your side of the procurement process for 17 years. So I know what you’re up against as well as we.
Where the threat is bigger – seemingly endless in scope and growth – project budgets are fixed and limited. And acquisition budgets and priorities are increasingly battled over. Fortunately, cybersecurity appears to be a priority, but priorities also change.
Where the threat is faster, evolving at Internet speed, the contract process is glacial - and even more so, given the protest environment.
And where the cyber threat is becoming ever smarter and more sophisticated, the acquisition process is straightforward and inflexible. A contract is a contract.
Given that rather harsh assessment – which I also admit is an oversimplification – I’d like to provide some food for “re-thought,” or if you prefer, re-thinking, on the acquisition process when it comes to cybersecurity.
And I’ll start with another statement from the recent DON White Paper on the NNE – “To ensure success, defensive mechanisms must be an integral part of the design and implementation of systems and networks” – and that includes the acquisition process.
We need to be thinking about the bigger, always changing and ever-smarter nature of cybersecurity not just when we’re negotiating and writing contracts, but even before – when we’re designing projects and you’re putting out requests for proposals.
To get the right response, you need to be asking for the right capabilities.
To get the right response, you need to be building in the right flexibility.
And to ensure the maintenance of the highest level of security once it is established, you need to be taking into account the need for training and awareness on the threat.
Let’s focus first on capabilities that need to be considered at the outset of the process.
At Northrop Grumman Information Services, we’ve identified five critical criteria we think should be part of the focus in assuring that new information services are appropriately secured.
The first is Advanced Persistent Threat or APT – basically a knowledge of the threat, now and in the future. Advanced knowledge is key to focusing the response and reducing the information exposure surface through knowledge of the threat and how it leverages vulnerabilities.
The second is Protected Core Networking, which focuses on providing highly available network services by connecting independently managed, protected segments. The result is a kind of “beehive” effect, with assets within a system configured autonomously in pursuit of an understood mission.
Third is Cyber Risk Management, which is about the ability to identify how critical an asset is and to use that knowledge to quantify the size and shape of the response. Like iPods versus dog food.
Fourth is Technology Infusion, which is about the ability to select and integrate next generation technologies to ensure the highest payoff against coming threats.
Finally, there is Site Survey, which is about understanding how an organization uses its networks and identifying the right tools, processes and technologies going forward – including the right security approaches.
The second challenge is building the requisite flexibility into contracts to address rapidly evolving threats.
Frankly, that flexibility doesn’t exist – a sole source or competitive contract can’t simply morph to provide new activities in response to a changing threat.
You would think we could address that concern with an IDIQ. But just a week back I was sitting down with some of my clients, and they acknowledged that that approach isn’t working because of Organizational Conflict of Interest issues. We simply can’t afford to shut ourselves out of competitions for business that might arise because of Organizational Conflicts of Interest.
What’s needed is a partnership approach – one that allows us to work together to get past the roadblocks and respond as fast as the threat develops.
One possible aspect of that approach is to provide for task order vehicles, in which multiple awardees participate in discrete task order competitions to develop responses to emerging threats.
Another approach is to call for flexible technology insertion plans that ensure the ability to adapt to future technology trends while maintaining a protective edge over current threats.
Obviously one big challenge in either of these approaches is to make contracts specific enough to ensure that enhanced responses are not underpriced.
Finally, requests for proposal need to put a premium on training and awareness activities to plug a critical vulnerability.
That training needs to take a comprehensive and continuous approach – with a progression from novice to expert and a provision for ongoing updating to stay up with the threat.
It needs to start with ensuring that provisions are made to train the trainers - empowering IT experts to become true leaders in the battle for cyberspace. And just like we want our pilots to demonstrate their ability to keep up with the state-of-the-art weaponry of the enemy, we’ll want our IT “warriors” to be able to demonstrate their proficiency in recognizing and dealing with the threat in cyberspace.
This emphasis also involves asking for employee awareness programs to ensure that, just as loose lips wouldn’t sink ships, the careless and clueless don’t sink national security enterprises.
Two of my colleagues, Dennis McCallam and Ken Brancik, have put together a white paper which focuses on these criteria and how they can be written into Section L and M of the Instructions for Proposal Preparation.
I’m not going to go into detail on their suggested language, but if you will give me a business card afterwards, I’ll be happy to email you a copy of the white paper available for your perusal and consideration.
The bottom line, once again: to get the right response against a bigger, faster, smarter threat, you need to ask for capabilities that are up with and up to the challenge, while building in the requisite flexibility as well.
All of which brings me to Northrop Grumman and what we’re doing to meet the cyberthreat. We’re starting by making sure our own house is in order. Anyplace where more than 1.5 billion cyber transactions a day occur on our network of over 10,000 servers used by some 120,000 employees is a big pond for phishing – and other cyber assaults.
So to defend those networks, we’ve made extensive investments to build a best-in-class capability – addressing the complete cybersecurity challenge across all domains including incident response, intrusion detection, vulnerability management, forensics and malware detection.
From there we export our expertise – applying our best practices to the large, enterprise-wide cybersecurity integration efforts. We have broad, deep, and long-term experience working in partnership with customers in the DoD, Civil and Intelligence communities.
Meanwhile, we’re actively engaged in public private partnership with government, industry and academia – attracting the best minds and technology our country has to pool resources and pave new ground in meeting the threat.
Speaking of best practices – just this summer, Northrop Grumman pooled its cyber experts into a cohesive, collaborative unit called the CyberSecurity Operations Center (CSOC).
The CSOC is a world-class facility that delivers the company's core security services and innovative solutions developed for the Northrop Grumman network and its customers.
Even as our analysts monitor and respond to 1.5 billion events per day occurring on our network perimeter, computer network defense experts are designing and developing security capabilities that can identify advanced threats – computer forensic examiners are collecting and analyzing evidence from digital media – intelligence operators are analyzing and reporting on internal and external threats – and a technical team is developing and deploying solutions and systems used within the CSOC. Many of these internal capabilities are even replicated in Northrop Grumman's external delivery as the Tier One security provider to multiple government agencies.
The lessons we learn from operating CSOC yield best practices that we can then deliver to our customers.
We are expanding Northrop Grumman’s Cybersecurity Solutions Center dedicated both to independent R&D on cyber-security projects and contract work for our customers. Northrop Grumman’s Cybersecurity Solutions Center includes an Internet research lab – our “Internet in a bottle” – where we can experiment in a controlled environment.
In addition, it’s difficult to manage our capabilities without the ability to test their effectiveness. We are contracted to DARPA on a project to develop a National Cyber Range where we test and analyze new concepts and technologies for countering cyber threats. Although the national cyber range won’t be operational for several years, Northrop Grumman has made significant corporate investment to build a large cyber range which is operational.
Our InfoShield program is where we take all that internal expertise and unique understanding of the field – our people, processes, tools, and technology – and incorporate them into a holistic Information Security Program for external clients.
That program encompasses the analysis of clients’ security requirements, the design, implementation and validation of a wide range of solutions, and the operation and maintenance of Information Assurance controls.
InfoShield includes our Transformational Research, Integration and Demonstration (TRIAD) network – a state-of-the-art network of 47 Laboratories in 20 locations nationwide. TRIAD enables our customers to investigate the latest technologies, test new products and innovative ideas, and validate solutions.
InfoShield also encompasses our IA Library – with more than 2500 reference items from Policies, Processes, Procedures, Regulations and White papers – which staff can access for customers via the InfoShield portal.
Since I’ve focused on the need for an emphasis on training and awareness – and in particular, to train the trainers – I felt it was also important to mention that InfoShield also includes a complete range of Cyber Warrior courses – where we train and qualify team members at various levels to be experts and leaders.
These eight courses – ranging from overview courses for non-technical officers and staff to in-depth, comprehensive courses for specialists – cover the latest computer network threats, tactics, defensive measures, and certification and accreditation processes.
And of course, we’ve pursued and are sharing with clients aggressive programs to provide training and heighten awareness of and sensitivity to cybersecurity in the general employee population. Even at Northrop Grumman, leaders in dealing with cyberthreats, we continually need to train employees to be savvy to the simple email and other intrusions that can take down a system.
We engage in a broad range of public-private partnership activities with leading mission partners including cutting-edge academic centers, providers of commercial security products and Industry Partners.
And we also participate with our competitors, the DOD and the defense ministries of the Netherlands and the UK in the Transglobal Secure Collaboration Program, which focuses on a common framework for sharing of sensitive information in international defense and aerospace programs.
Earlier, I briefly touched on the identity management problem. You see Gib Godwin standing before you as one person – hopefully.
But online, I could have many identities. My Northrop Grumman email. A Gmail and/or Hotmail account. A Facebook or Linked-In persona. And many more.
How do you know whether all of these – or any of these – are actually Gib? Often, you can’t. And that may be the biggest problem we have in ensuring cybersecurity.
We’ve addressed at least part of that problem at Northrop Grumman with our OneBadge smart ID. It serves for all aspects of identification – including building entry, as well as access to computers and all online accounts.
We’re in a multiyear process of badging all 120,000 Northrop Grumman employees with this smart solution.
And it’s a solid enough solution that Northrop Grumman is the first company to be able to share a trusted identity with its U.S. Department of Defense customer through secure encrypted email.
Let’s look at another aspect of the cyberthreat – the law of unintended consequences.
Defending against the scale, speed and sophistication of cyberattacks can create problems of its own.
The first is trying to fight bigger just with bigger. You see here represented a typical cybersecurity control room. It’s highly labor intensive, with many screens needed to cover all the possible areas of attack – and many, many rear ends in seats to monitor them.
That spells high costs – and every unneeded dollar drained is another victory for cyberterrorists. One unintended consequence.
The solution to that unintended consequence is not just to fight bigger with bigger, but bigger and smarter with smarter. You’ll see here a representation of the control rooms in our cybersecurity solution centers – if I showed you the real ones, I’d have to shoot you.
You see all the monitors being replaced with a few screens that tell the story in a much more comprehensive and useful way and allow us to avoid another set of unintended consequences – shooting down our own mission with the cyberattack.
This represents the various options a security team has in addressing a suspicious event – and the effects of each.
Let’s say the event is a suspicious instant message – and in fact, secure instant messages are used frequently to convey commands.
The security person has three basic options: allow the message and monitor it, redirect it or block the port that is the source of the potential malicious message.
And each option has three potential impacts: on the physical machine, on the function of the system and most critical, on the mission.
And here’s (slide 32) a representation of a smart, streamlined approach we’re testing to provide an informed response that avoids unintended consequences. You can see that it allows us to log the event and track the consequences. Here you see the impacts of option one – allowing the message – an operational impact on function and reduced effectiveness on the mission. The two monitors on the bottom left and center allow the person responding to see the geographical and system location of the impacts as well.
Here’s (slide 33) the effect of redirecting the traffic - again, an operational impact on function and reduced effectiveness of the mission.
And here (slide 34) you see the effect of blocking the message – a serious impact on the mission – the loss of Instant Messaging outside the HQ – note the flashing red dot on the geolocation – and communications between HQ and the firing range.
Fast-forward with us five hours - although it could be five minutes or five years. In that time, there will be turnover of personnel – in this case, a new shift. That person may not know of the decision made previously, but that decision will have continuing impact.
A new threat comes in to the blocked port – you can see the status in the second box from the top. Now there are three new alternatives: do nothing, open the port, or investigate other options.
Once again, the effects of all three are displayed. First, maintaining status - still a serious mission impact.
Opening the port – the same functional impact, which is new to the new shift employee, and a reduced mission impact.
And a range of other options will actually populate the screen, some with a serious mission impact.
The bottom line: smarter decision-making with real-time information about impact - and fewer personnel.
Bigger – in impact – faster – and smarter.
So to sum it up, I’d like to leave you with a few takeaways in addition to the handouts:
- The Cyberthreat is big, global, 24/7/365 – and growing rapidly in scale and sophistication
- Our openness, lack of awareness and dependence on info systems leave us vulnerable
- We need to respond in kind: “bigger, faster, smarter”
- Acquisition needs to build security into info projects – with a focus on capability, flexibility and training
- And as you’ve just seen, Northrop Grumman is leveraging our best-in-class capabilities and participating in a broad public-private partnership to help meet the threat