Image: Roman Sigaev

The Stuxnet worm does not seem to have impacted any systems in the United States, according to a Department of Defense official

Greg Schaffer, assistant secretary for cybersecurity and communications at DHS, told reporters the complex malware demonstrates the plethora of increasingly sophisticated cyber threats.

“It was a very tiered, very complex, very sophisticated virus,” he told the Defense Writers Group, according to AFP. “It was looking for specific kinds of software and very special implementations within that software.”

Schaffer said Stuxnet “focused on specific software implementations and those software implementations did exist in some U.S .infrastructure so there was the potential for some U.S. infrastructure to be impacted at some level.”

“There was some risk because those software packages exist within the U.S. ecosystem, but it’s not clear that there’s any particular process that is in the United States that would have triggered the software,” he said.

Stuxnet has divided security experts into two camps, exemplified by SRA International‘s Adam Meyers dismissing the near-mythical ”game-changing” status of the virus, to Symantec’s Dean Turner claiming the malware was a milestone in many ways, including its use of four zero-day exploits.  

It is currently unclear who created the worm, but speculations range from Siemens insiders to state-sponsored saboteurs.

Greg Schaffer

The United States must be aware and focused on combating the threats in cyberspace, a DHS official told members of the House Committee on Homeland Security.

“As a nation, it is essential that we are aware of, and focused on, the cyber threat,” Greg Schaffer, assistant secretary at the Office of Cybersecurity and Communications at DHS, told committee members June 16. “Threats are becoming more targeted, more sophisticated and more numerous.”

The Department of Homeland Security is currently responsible for helping civilian agencies and departments to secure unclassified networks. DHS works closely with industry and government players to provide cyber protection for the critical infrastructure, according to Schaffer.

In order to meet the growing cyber threat, DHS is looking to expand its base of skilled cybersecurity professionals.

“We are moving aggressively to build a world-class cybersecurity team,” Schaffer said.

“We have identified three key priorities that enable and establish a ‘systems-of-systems’ approach encompassing the people, processes and technologies needed to create a front line of defense and grow the nation’s capacity to respond to new and emerging threats,” he added.

DHS is also responsible for informing the general public regarding the threats in cyberspace. Teamwork is essential to the cyber mission, so getting all players involved both in government and the private sector is vital, Schaffer said.

“Simply put, the cybersecurity mission cannot be accomplished by any one agency or even solely within the federal realm,” he said. “It requires teamwork and coordination across all sectors because it touches every aspect of our lives.”

DHS actively collaborates with the military, Intelligence Community, government and private sector to examine possible vulnerabilities and active threats that target the nation’s critical infrastructure.

“None of this is possible, however, without a comprehensive understanding of federal executive branch civilian networks from an enterprise perspective,” Schaffer said.

He also discussed two major initiatives, EINSTEIN 2 and 3. The EINSTEIN 2 program is currently deployed at 11 departments and agencies and is providing “on average, visibility into more than 278,000 indicators of potentially malicious activity per month,” Schaffer said.

“We are currently working with the private sector, the National Security Agency and a wide range of other federal partners to test the technology for the third phase of EINSTEIN,” he added.

DHS is also focused on expanding its messaging of creating a cyber-aware culture throughout the nation.

“We need to develop a cybersecurity culture that realizes that everyone – government, corporate or private – has a vested stake in all aspects of cybersecurity,” Schaffer said. “DHS is committed to working collaboratively with our public, private, academic and interagency partners to ensure that the cyber elements of our nation’s critical infrastructure are secure.”

The field of cybersecurity is becoming increasingly relevant to discussions on national security.

President Barack Obama placed cybersecurity in the forefront of his national security policy. In his speech May 29, 2009, Obama stated: “From now on, our digital infrastructure…will be treated as they should be: as a strategic security asset. Protecting this infrastructure will be a national security priority.”

And Dennis Blair, director of national intelligence, announced recently cybersecurity was one of the major focuses of the Intelligence Community in the coming years.

The New New Internet has compiled a list of 10 Cybersecurity Game Changers to Watch. Spanning government and think tanks, these individuals will have a significant impact on the discussions and policies surrounding cybersecurity in the United States in 2010.

Lt. Gen. Keith Alexander of NSA

As the director of the National Security Agency, Lt. Gen. Keith Alexander commands the largest government agency focused on cyber issues. In a speech before the House Armed Services Committee, Alexander stated “Cyberspace is a uniquely complex domain absolutely vital to the nation,” and “Maintaining freedom of action in cyberspace in the 21st century is … inherent to U.S. interests.” The agency has a history of tension with technology developments in the private sector and how Alexander handles some of those issues will greatly influence the role the private sector is able to play in securing cyberspace. Nevertheless, it is clear Alexander recognizes the central role the private sector must play in securing the national infrastructure in cyberspace.

Robert Carey of the Navy

In his post as chief information officer, Robert Carey serves as the point person for IT management and technology for the Department of the Navy. He ensures that all new systems and services work with current systems and serve the direction and needs of the Navy. Carey also posts monthly on his blog on IT and security-related issues as they pertain to the Navy and DoD. According to Carey, his office works closely with DoD entities to help secure cyberspace. Carey stays at the forefront of current debates related to cybersecurity and continues to be an accessible voice in the government. His informative and plain language connections are critical to following and navigating the inner workings and thoughts regarding cybersecurity in the government realm.

Melissa Hathaway

Despite having resigned in August 2009 from the post of acting senior director of cyberspace, Melissa Hathaway continues to be a leader in calling for improved cybersecurity to strengthen the nation’s critical infrastructure. As acting director, Hathaway headed the White House’s 60-Day Cyberspace Policy Review that called for increased cooperation between the government and the private sector to develop sound strategies for securing the critical infrastructure in cyberspace. Hathaway remains a key player in the debate, and recently spoke at the ArcSight Protect 09 conference. During her speech, Hathaway outlined the increasing bipartisan support for cybersecurity while also pointing to a number of issues that still need to be addressed. Based on her work in two administrations, Hathaway is now a national figure and possesses a platform for pushing the cyber debate in her areas of interest. Her wealth of experience and insight will continue to be sought by government and private sector alike as both look to provide better security in cyberspace.

Vivek Kundra of the White House

In the position of the federal chief information officer, Vivek Kundra oversees the $70 billion budget for information technology and is tasked with ensuring government interoperability of IT systems. Kundra recently pushed the movement of government systems into cloud computing (apps.gov) and believes the government can and should play an integral role in leading technology innovation. This extends to cybersecurity, where Kundra believes the federal government must look beyond its traditional narrow focus on cybersecurity in the government space and extend that focus into the private sector as well. He is also on the search committee for the position of “cyber czar.” He will be a driving and vocal voice in the role the government will play in securing government-related information throughout cyberspace.

Robert Lentz of DoD

Robert Lentz serves as the chief information assurance officer for the DoD, where he coordinates information assurance programs across the department. In a recent interview conducted by ExecutiveBiz, Lentz outlined the main areas of focus for cybersecurity at the DOD. Lentz stated “the goal is to work with industry…” and build private-government partnerships to help secure cyberspace. He also believes industry needs to focus on “user-friendly, adaptive technologies,” common specifications, and long-term research. Lentz’s ability to effectively build a partnership with the private sector will have a significant impact on contractor support for DoD cybersecurity.

Jim Lewis of CSIS

As far as Washington think tanks run, the Center for Strategic and International Studies is one of the premier discussants on policy issues involving national security. Since becoming a senior fellow at CSIS in 2001, Jim Lewis has been an active voice in the discussions surrounding cybersecurity and his expertise is sough by government and private sector alike. Lewis has testified before the House Homeland Security Subcommittee on Emerging Threats and Cyber Security and served as the project director for the CSIS Commission on Cybersecurity for the 44th Presidency, which was well received by the government and private sector alike. In interviews with ExecutiveBiz, Lewis has highlighted the role the private sector can play in securing cyberspace and that ultimately the coordination of cybersecurity must come from the White House. No matter what the future direction of cybersecurity is, Lewis will clearly be a central voice in the debate.

Lt. Gen. William Lord of Air Force

As the chief of warfighting integration and chief information officer in the Office of the Secretary of the Air Force, Lt. Gen. William Lord is a firm believer in the centrality of cyberspace to the future of warfare. Lord controls an operating budget of approximately $17 billion, and his five directorates and two agencies include civilians, military personnel, and contractors. He is responsible for integrating and networking the Air Forces combat capabilities and developing a coherent policy on information and communications throughout the Air Force. Lord recently discussed the need for a flexible command structure in cybersecurity and that the Air Force needs to move toward acquiring needed technologies quicker to remain competitive in cyberspace. His guidance and leadership will have a significant impact on the direction of cybersecurity for the Air Force.

Phil Reitinger of DHS

As part of his responsibilities as the Director of the National Cybersecurity Center at DHS, Phil Reitinger recognizes the central role that skilled people, ie IT professionals, will play in the effort to secure cyberspace. He places a high premium on forming and solidifying effective partnerships between the government and the private sector. In an interview with InformationWeek, Reitinger stated he “want[s] to build cybersecurity into the DNA of the infrastructure,…businesses,…[and]…government entities.” Reitinger’s role at the Cybersecurity Center will have a significant impact on government-private partnerships to secure cyberspace. If Reitinger follows through on his proposed efforts, his participation will help to increase the security of critical infrastructure in cyberspace.

Greg Schaffer of DHS

As the assistant secretary for cybersecurity and communications, Greg Schaffer is responsible for effectively partnering the public and private sectors, along with the international community, to secure the U.S. cyber infrastructure. In an interview with Federal News Radio, Schaffer highlighted the necessity of being as transparent as possible while maintaining security. His approach will greatly influence the role of the private sector in the national cybersecurity effort. In a recent discussion with Federal Executive Forum, Schaffer stated that one of his key goals was “working with the public and the private sector to advance cybersecurity interests.” Schaffer’s coordination with the private sector could be a driving factor in helping to secure the dot-com space in the coming years.

Edward Seidel of National Science Foundation

A trained astro-physicist and professor at Louisiana State University, Edward Seidel took over the post of director of the Office of Cyberinfrastructure at NSF from Dan Atkins, who has moved to the University of Michigan. As director, Seidel oversees the process of providing grants to researchers studying information technology in an effort to provide top of the line cyber-infrastructure systems. As such, he sits in a position that is central to driving innovative thinking and advances in cybersecurity. NSF has provided research grants to a number of research centers, including the University of Texas San Antonio and University of Maryland, both of whom made the Top 10 University list compiled by The New New Internet. Seidel is a key figure in helping to expand research and education efforts on cybersecurity in the future.

Tell us what you think: Whom would you add to the list of Cybersecurity Game Changers to Watch?

“When I [was] with the Justice Department 10 years ago, cybersecurity was thought of as a silo. It has since become horizontal…That adjustment from a vertical to a horizontal is difficult and requires a lot of people to change their minds. A lot of what gets represented as infighting is simply the growth pains in making that normal adjustment. A lot…gets articulated as infighting when it’s not.”

Schaffer goes on to address America’s evolving cyber certification program, US-CERT, and its evolving standards and goals.  He emphasizes that increased cyber situational awareness through programs like Einstein III are essential to preserving civil liberties, rather than threats to them.

“US-CERT will continue to evolve. We obviously want to continue to grow our partnerships with the various departments and agencies that are our clients in this space, as well as the private sector… The goal is to leverage the additional data … that comes through the deployment of … tools, whether it’s the IDS/IPS solutions, … Einstein, those technologies are going to lead to better situational awareness.”

And situational awareness ”…can then be leveraged to defend the networks that are so important to our economic growth, the protection of our citizens, the protection of privacy, the protection of our civil liberties.”