FCW : February 2016
Intelligence | February 2016 | FCW.COM

The computer scientist in charge

IAD is led by computer scientist Curt Dukes. During a recent conversation in his office on the sprawling grounds of Fort Meade, Dukes described the daunting challenge his 3,000-person directorate has in training DOD’s future cybersecurity professionals and cleaning up major public- and private-sector hacks.

After the large-scale breach of Office of Personnel Management systems that exposed personal data on some 22 million people, Dukes said IAD provided eight to 10 specialists at any given time to help with forensics.

IAD staff also analyzed the hack of Sony Pictures Entertainment in November 2014, though Dukes said they were not actually on the film studio’s network. And IAD has recently instructed DOD and other federal agencies to swiftly patch the dangerous backdoor discovered in Juniper Networks firewalls, he added.

IAD analysts have been summoned for help in every big hack in the past 18 months, Dukes said, with varying degrees of involvement in the response. If that trend holds, “we will continue to have resource pressures from that.”

To conserve resources, IAD has sought to “train the trainers.” The directorate’s employees — about 80 percent of whom come from fields such as computer science, math and engineering — train Cyber Command personnel and bring those trainees up to what Dukes said is the “NSA standard for cyber defense.” Once the students have met that standard, Cyber Command does their own in-house training.

IAD trained a Cyber Command team that deployed to a U.S. military facility to analyze vulnerabilities in supervisory control and data acquisition systems there in response to growing concerns about vulnerabilities, according to Dukes.

For nearly a decade, he said, IAD has been focused on weaknesses in industrial control systems (ICS) such as the SCADA systems that underpin the power grid. In the past year or so, U.S. officials’ concerns about those vulnerabilities have become more apparent.

In testimony to Congress in November 2014, Rogers predicted that a nation-state or rogue group would likely launch a major cyberattack on U.S. critical infrastructure networks before 2025. At the time, he said nation-states and other actors had done reconnaissance on U.S. critical infrastructure networks in preparation for a potential hack of control systems. That fear came to the fore recently when it was revealed that Iranian hackers had infiltrated a New York dam’s control system.

Given that a control system can stay in the field for years and develop vulnerabilities as it is outpaced by newer, more secure systems, Dukes said his specialists develop “wrappers,” or layers of encryption, that can be overlaid on ICS command and control links. But it would save IAD significant time and money if IT vendors built such security controls into their products from the start.

“It never scales for us to constantly have to go out and send cyber defense forces to actually do assessments,” Dukes said.

Jekyll and Hyde

NSA, of course, wants to exploit ICS weaknesses in other countries, and the agency’s Jekyll and Hyde approach to software vulnerabilities is on display in what is known as the Vulnerabilities Equities Process. Officials use the interagency tool to decide which discovered vulnerabilities to disclose to the private sector and which to hoard for exploitation by NSA or Cyber Command.

Historically, NSA has revealed more than 91 percent of the vulnerabilities it has discovered, the agency said in a recent
March 15, 2016