In this edition of The Gallery, Pam O’Neal Vice President at BreakingPoint Systems discusses the pressing need for serious action on cybersecurity in the United States.
Despite military superpower status, the United States is more vulnerable to cyber attack than any other country today with key financial, communications, and military operations networked via infrastructures riddled with vulnerabilities.
Compounding this problem is a growing cyber warrior crisis. U.S. forces are badly outnumbered by those with the means and motivation to inflict massive damage on our vulnerable infrastructures. While we in the United States study the problem, rival nations and criminal organizations invest heavily in cultivating their cyber warriors, recruiting thousands of computer-savvy soldiers tasked with developing new, more advanced techniques and attacks.
As with any matter of national security, there are overlapping factors in play that contribute to the crisis. Despite promises to the contrary, cuts to the Department of Defense budget have stripped funding for cyber readiness. Despite a national sense of urgency, time-consuming research projects have introduced unacceptable delays in real-world implementation of cyber defenses. And, despite the availability of more pragmatic solutions, impractical strategies have led to dangerously limited access to critical training grounds—or cyber ranges.
Cyber ranges are an absolute necessity both for training cyber warriors and for hardening critical infrastructures. Just as every base needs a firing range where warfighters can practice their weapons skills, every base also needs a cyber range to allow our cyber warriors to ingrain the skills they need to battle cyber enemies and develop effective responses to attack. Similarly, the only way to understand the performance, security, and stability—the resiliency—of IT infrastructures is to expose every element of them to the real-world conditions created by a cyber range.
While the cyber range concept is not new, the prevailing approach to delivering these essential environments is deeply flawed because it centers on over-engineered, custom-built environments that cannot scale. Consider this parallel: when combat teams need to test or learn how to use a weapon, they take it to a firing range and begin training. They don’t want—or need—to bring in the engineer who designed the trigger, a sales representative from the ammunition company, and a consultant from the barrel manufacturer before they can begin target practice. Yet the equivalent has been done, so far, with an approach to cyber defense that relies on multimillion-dollar contracts paid to defense contractors who design and build out their own colossal cyber ranges.
Even as the Department of Defense has been tasked to operate on leaner budgets, the Defense Advanced Research Projects Agency (DARPA) has awarded $130 million in contracts to study its National Cyber Range initiative. With a seven-year timeline for implementation and untold millions more are needed to build and operate the National Cyber Range.
This shouldn’t be surprising. It is common knowledge that complexity breeds cost and delay. Yet the approach that the military has been taking toward training cyber warriors and hardening infrastructures using conventional cyber ranges is fraught with complexity. Bolstering U.S. forces and cyber defenses against today’s threats requires a more pragmatic and scalable approach.
U.S cyber forces cannot afford to depend any longer on delayed or limited access to just a few costly, sprawling cyber ranges. It’s time to look, instead, for better answers that harness science, technology, and automation to deploy the cyber ranges U.S. military bases need to ensure defenders have the skills and weapons they need for cyber defense. A distributed network of readily deployable, automated cyber ranges will ensure that every U.S. cyber warrior has the ability to recreate, interpret, and act upon global cyber threats. More broadly, it will ensure that our military can accurately assess, strengthen, and certify both the cyber warriors defending the nation and the critical IT infrastructures that support military and civilian operations worldwide.
We no longer have the luxury to waste time and money studying this problem or building out sprawling cyber ranges. The time to shift our strategy for training U.S. cyber warriors to defend against critical threats is now.