AFCEA TechNet Europe: Confronting Hard Truths About Military Cyber Budget Priorities

I was honored to attend and speak at AFCEA’s TechNet Europe last week in Paris. Among the keynotes were Ms. Claude-France Arnould, Chief Executive, European Defence Agency, Lieutenant General Wolfgang Wosolsobe, Director General, EU Military Staff and Mr. Bruce Schneier, world-renowned cyber security expert and CTO, Co3 Systems.

For his part, Bruce reiterated that both the loss of control of our data (to the cloud) and how we access our data (tablets and phones) impact our security. At Palo Alto Networks, this is a key part of our value proposition for governments around the world, and why we need to make visibility of all that’s happening on our networks an urgent priority. Militaries worldwide must “modernize” their cyber plans to keep up with our changing networks. We can’t put off an updated cyber security plan while we wait for the world to stabilize, hoping we can “come back” to the topic of cyber when there’s just a little more time.

I participated in a panel covering Modern Cyber Defence and whether it requires “built-in security.” My fellow panelist, Mr. Wolfgang Röhrig, Programme Manager & Project Officer for Cyber Defence at the European Defence Agency, emphasized many of my same points about the importance of securing SCADA systems and provided an overview of the EDA’s Cyber Defense Research Agenda.

While neither Bruce nor Wolfgang accept the name cyber “war” to depict our current state, agreeing on the term “war” vs “conflict” is the least of our concerns – how you prepare for them should be the subject at hand. We are in the midst of some level of conflict in cyber, yet we are not preparing as if we are. That’s not to diminish the many non-cyber conflicts globally. But to put cyber budget and planning on the backburner in lieu of the urgency of these other conflicts as if kinetic or physical actions are the only possibilities, is naïve.

Any soldier, airman or sailor going into any conflict – regardless of size – works hard to be well prepared. They understand their area of operations and their adversary movements, and they train to prepare for their actions – both defensive and offensive. Yet, too often, we allow our network and cyber teams to remain in conflict over who owns security as if children arguing in a playground. We’re still largely ignoring our SCADA systems, waiting for more budget or for someone higher up the org chart to make it a priority.

Based on what I’m hearing, we’re still not effectively segmenting our networks to ensure resilience against an adversary that will get in and try to move laterally as swiftly as they can. And we know the adversary is not only after sensitive data but also seeks to disrupt communications. We know that SCADA protocol-specific threats exist, so why, with so much evidence at hand, is there not a sense of urgency for cyber?

These were among my points during my presentation at AFCEA TechNet Europe this past week where leaders from across Europe and U.S. military came together to discuss these topics and more. I was not alone raising many of these issues. We all agree they’re important. For my part, I left the audience with examples of best practices they can use now but which will require more work to implement:

• Be alert to all indicators of compromise to thwart any step in the kill chain*
• Know what applications, content and users are on your network 24x7
  • Be as creative as the adversary: Block or tightly control unknown traffic
  • Customized or modified traffic is highly correlated with threats
• Establish legitimate application use with leadership; tie applications to users
• Establish positive controls and monitor unknown communications
• “Decrypt and inspect” plan for select applications
  • Determine applications using SSL (& assess your Heartbleed exposure)
  • Look for malicious activity
  • Hone in on common sharing apps
• Eliminate the risk, eliminate free lateral movement throughout the organization
  • Microsegment, including data center and VMs
• Treat ICS/SCADA differently and lock down all but short list of protocols
• Tie users to applications with centralized policies across a segmented architecture
  • Particularly important for mobility and tactical forces
  • Consider all connected devices -- the Internet of Things for military
• Cultivate a cyber battle-ready workforce
  • Be all part of the same mission
  • Understand the differences between IT and OT
  • Understand dynamics of different networks, and work together for common security goals even though priorities and implementation may differ

I also suggested to AFCEA leadership that we consider active tabletop exercises – using unclassified data – at future events, moving from presentations and hallway conversations to truly testing what we do and do not know about the cyber readiness of our military’s networks, be it the IT or SCADA networks.

My thanks as always to Maj Gen Treche (ret), AFCEA EMEA Chair, and all of the AFCEA leadership for their hospitality and leadership in bringing the collective parties together to advance these important topics.

I left the AFCEA TechNet show to join my colleagues in Barcelona for our annual EMEA Channel Partner conference. It was refreshing to discuss with our channel partners who are actively working with industry to secure their SCADA and ICS systems for water supplies, manufacturing plants, oil and gas operations and more throughout Europe and the Middle East. Now how do we get our world’s militaries to do the same?