The overall objective of the this task was to architect and implement a capability that will enable automated parsing, normalization, extraction, aggregation, filtering and then detection of attack patterns based on log and log like data in near real time depending on local network settings. We call this the Audit Data Extraction Utility (ADEU).
Cyberterrorism is an attractive option for foreign-born and domestic terrorists who value its anonymity, potential to inflict massive damage, psychological impact and media appeal. As a new, more computer-savvy generation of terrorists comes of age, the threat of cyber-terror attack is likely to increase.
Global-scale identity management concerns identifying and authenticating entities such as people, hardware devices, distributed sensors and actuators, and software applications when accessing critical information technology (IT) systems from anywhere. The term global-scale is intended to emphasize the pervasive nature of identities and implies the existence of identities in federated systems that may be beyond the control of any single organization. This does not imply universal access or a single identity for all purposes, which would be inherently dangerous. In this context, global-scale identity management encompasses the establishment of identities, management of credentials, oversight and accountability, scalable revocation, establishment and enforcement of relevant policies, and resolution of potential conflicts. To whatever extent it can be automated, it must be administratively manageable and psychologically acceptable to users. It must, of course, also be embedded in trustworthy systems and be integrally related to authentication mechanisms and authorization systems, such as access controls. It also necessarily involves the trustworthy binding of identities and credentials. It is much broader than just identifying known individuals. It must scale to enormous numbers of users, computer systems, hardware platforms and components, computer programs and processes, and other entities.
The U.S. Army Training and Doctrine Command’s assessment of the future operational environment highlights the importance of all aspects of information on the future battlefield. Army forces operate in and among human populations, facing hybrid threats that are innovative, networked, and technologically-savvy. These threats capitalize on emerging technologies to establish and maintain a cultural and social advantage; leveraging these new capabilities for command and control, recruiting, coordinating logistics, raising funds, and propagandizing their message. To operate effectively in this emerging environment, the Army must realign its information “Aim Point.” Army leaders and Soldiers must possess an in-depth understanding of how to leverage information-based capabilities to gain and maintain situational awareness. Understanding how to fight for and leverage the power of information, while denying the adversary’s ability to do the same, will be increasingly critical to success on the future battlefield.
▼Never before has it been possible for one person to potentially affect an entire Nation‟s security.
▼In 1999 (10 years ago), two Chinese Colonels published a book called “Unrestricted Warfare” that advocated “not fighting” the U.S. directly, but “understanding and employing the principle of asymmetry correctly to allow us [the Chinese] always to find and exploit an enemy’s soft spots.”
▼The idea that a less-capable foe can take on a militarily superior opponent also aligns with the views of the ancient Chinese general, Sun Tzu. In his book “The Art of War,” the strategist advocates stealth, deceptionand indirect attackto overcome a stronger opponent in battle.
Cyber Threat Branch Responsibilities
• Execute the responsibilities created by the Homeland Security Act of 2002:
– Access, receive, and analyze law enforcement, intelligence, and other information from federal, state, and local agencies and private sector entities to:
• Identify and assess the nature and scope of terrorist threats
• Detect and identify threats to the United States
• Understand threats in light of actual and potential vulnerabilities
– Carry out comprehensive assessments to determine the risk posed by terrorist attacks
• Outreach plays a critical role in the mission
– The CTB provides threat briefings and teleconferences to:
• Sector Coordinating Councils
• Government Coordinating Councils
• Key industry associations
“ In the near future, information warfare will control the form and future of war…Our sights must not be fixed on the fire-power of the industrial age; rather, they must be trained on the information warfare of the information age. ”
–Major General Wang Pufeng, Peoples Liberation Army, China
The National Cyber Security Division (NCSD) United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security (DHS) and the public and private sectors. Established in 2003 to protect the nation’s internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities.
Since 2005, GAO has reported that DHS has yet to comprehensively satisfy its key cybersecurity responsibilities, including those related to establishing effective partnerships with the private sector. Shortcomings exist in key areas that are essential for DHS to address in order to fully implement its cybersecurity responsibilities (see table). DHS has since developed and implemented certain capabilities, but still has not fully satisfied aspects of these responsibilities and needs to take further action to enhance the public/private partnerships needed to adequately protect cyber critical infrastructure. GAO has also previously reported on significant security weaknesses in systems supporting two of the department’s programs, one that tracks foreign nationals entering and exiting the United States, and one for matching airline passenger information against terrorist watch-list records. DHS has corrected information security weaknesses for systems supporting the terrorist watch-list, but needs to take additional actions to mitigate vulnerabilities associated with systems tracking foreign nationals.
The President directed a 60-day, comprehensive, “clean-slate” review to assess U.S. policies and structures for cybersecurity. Cybersecurity policy includes strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure. The scope does not include other information and communications policy unrelated to national security or securing the infrastructure. The review team of government cybersecurity experts engaged and received input from a broad cross-section of industry, academia, the civil liberties and privacy communities, State governments, international partners, and the Legislative and Executive Branches. This paper summarizes the review team’s conclusions and outlines the beginning of the way forward towards a reliable, resilient, trustworthy digital infrastructure for the future.
Cyberspace and its associated technologies offer unprecedented opportunities to the United States and are vital to our Nation’s security and, by extension, to all aspects of military operations. Yet our increasing dependency on cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new element of risk to our national security. To address this risk effectively and to sccure freedom of action in cyberspace, the Department of Defense requires a command that posscsses the required technical capability and remains fbcused on the integration or cyberspace operations. Further, this command must be capable or synchronizing wartIghting effects across the global security environment as well as providing support to civil authorities and intemnational partners.