Preparing for the Future
The Central Region Communications Conference Takes a Global Approach to Cyber Defense
Children’s toys, refrigerators, home security alarms and traffic lights — these are just a few of the abundant internet-enabled devices present in our daily lives. While each item offers convenience to people around the world, there is a trade-off: Web-based systems and products are vulnerable to hacking.
Air-conditioning systems that cool rooms storing government computer servers can be interrupted, causing network disturbances. A doll that records voices to entertain and comfort children can record private conversations inside homes. As technology advances, so, too, do potential vulnerabilities, increasing the importance of preparing for cyber breaches.
These were among the topics discussed during U.S. Central Command’s (CENTCOM’s) Central Region Communications Conference (CRCC). Held in April 2017 near Washington, D.C., the event included participants from Bahrain, Egypt, Iraq, Jordan, Kuwait, Lebanon, Oman, Qatar, Saudi Arabia, the United Arab Emirates and the United States.
The CRCC provides a unique opportunity for military, academic, government and industry experts to gain new perspectives on national security. For three days, the conference fostered relationships among information and communications technology leaders, focusing on cyber security and cyber incident response. The relationships developed during the conference can help support regional stability and enable organizations to recover more quickly and with less damage when an incident occurs.
“I believe our best defense is to be proactive,” CENTCOM Deputy Commander Lt. Gen. Charles Brown Jr. said during the conference. He explained that each country benefits by collaborating with organizations and cyber experts worldwide.
This requires dismantling a culture of “information silos” that exists in some organizations. Doing so will help leaders make decisions based on all available information, explained U.S. Army Maj. Gen. Mitchell Kilgo, director of CENTCOM’s Command, Control, Communications and Computer Systems Directorate.
“You must understand your critical assets and their associated vulnerabilities,” Maj. Gen. Kilgo said. “You must talk about the risk to the mission and the risk to critical assets. This is important for commanders.”
In a conversation with Unipath, Dr. Khalid bin Daij Al Khalifa, director of cyber security at Bahrain’s Telecommunications Regulatory Authority, explained the value of such conferences.
“I would like to extend gratitude to the hosts, presenters, panelists, and the distinguished delegates for sharing their knowledge and experiences,” Dr. Al Khalifa said. “We can see from these discussions that we’re on a dangerous trajectory. As we continue to require greater access to the internet, and with increasing reliance on cloud, mobile services and IOT [internet of things] devices, we can expect to suffer from increasingly frequent security breaches and incidents.”
The changing cyber landscape demands new security strategies and levels of collaboration, he added.
“We need to be ready to overcome the current and future challenges we face collectively with speed, strength and ingenuity,” he said. “A complete loss of trust in cyber could result in severe adverse effects to our nations’ futures, especially from a security and economic standpoint. We are, therefore, very grateful for the opportunity to be here and to learn and share experiences with our partners in this conference.”
John Desrocher, the U.S. State Department’s deputy assistant secretary for Egypt and Maghreb affairs, said cyber risks multiply as the number of internet-enabled devices increases. Vulnerabilities can be found in just about any device, he said, citing as an example an internet-enabled children’s doll that was easily hacked to eavesdrop on conversations at home. Organizations must constantly adapt to the changing environment.
“Our strength is in the collective wisdom we hold,” Desrocher said. “All of us have a role to play in cyber security.”
At the conference, senior government representatives spoke about the best practices in their countries, providing insights and sparking discussions.
“In Iraq, the growth of the internet’s popularity — for security, business and personal use — coincided with a lack of secure cyber infrastructure,” explained Maj. Gen. Mahdi Yasir Zubaidi, director of military communication for Iraq’s Ministry of Defense. “This raised awareness of the need to understand the dangers of cyber crimes accompanying every new technological development, especially in the context of society’s transformation into a cyber community.
“It grew out of individuals’ and institutions’ dependence on cyber and communication systems, which are considered some of the principal sources of danger. The security sector must adapt to each new technological development. It should also design a specific cyber infrastructure and manage it according to the specialized concerns of cyber/communication security. It could also create other electronic government services, including online education.”
A good cyber defense takes more than just software. To better protect networks and identify vulnerabilities, system administrators must be trained to understand how adversaries think and how to “hunt” them down in a network, experts said.
Summer Fowler, deputy technical director of cyber security solutions at Carnegie Mellon University in the United States, explained the four pillars of effective cyber security:
Pre-incident: Policies must be in place that operators understand and know how to implement. Assets must be identified, assessed and prioritized.
During an incident: How will an organization detect, contain and eliminate an intruder?
Post-incident: Procedures should be designed for reporting and analyzing the latest attacks to enable organizations to be better prepared.
Continuous task: How do you know if you are prepared? How do you measure preparedness, to include courses of action in the event of major cyber breaches, and how can your organization recover?
Countries such as Kuwait have succeeded in developing a whole-of-government approach to cyber security. Mohammad Altura, executive board member of Kuwait’s Communication and Information Technology Regulatory Authority, gave a detailed presentation about his country’s strategy development process. Kuwait has identified objectives for the next three years, including promoting a culture of cyber security in Kuwait, safeguarding national assets and critical infrastructure, and promoting cooperation, coordination and information exchange with local and international organizations.
Kuwait plans to implement many projects that will help it achieve its goals. They include establishing a Kuwait National Cybersecurity Center security operations center and a national threat intelligence team to work with global organizations to identify threats to Kuwait.
“There is an absence of international laws regarding cyber security today,” Altura said. “With military, the laws are very clear regarding a country’s sovereignty. With cyber, it’s still open.”
Dr. Ghazi Salem Al-Jobor, chairman of the board of commissioners and CEO of Jordan’s Telecommunications Regulatory Commission, said the conference gives Jordan’s government and military a greater awareness of communicating with the private sector and regional partners when implementing cyber security.
“Learning from the United States’ experience and others’ experiences and measures was very useful in steering our thoughts on how to mitigate cyber attacks and the importance of the factors that need to be taken into account to have effective national and regional response measures,” he said.
One of the innovative programs presented during the CRCC was the U.S. Department of Defense’s “Hack the Pentagon.” Kate Charlot, director of cyber policy in the U.S. Office of the Secretary of Defense, shared information about a “bug bounty program” in which hackers were paid to identify vulnerabilities on certain DoD sites. The program was considered a huge success because the hackers found more than a thousand vulnerabilities missed by red teams, including more than a dozen considered high-risk. The U.S. Army is launching a similar program.
Waleed Zakarya Aly, executive director of the Egyptian Computer Emergency Readiness Team, part of the National Telecommunication Regulatory Authority, attended the CRCC for the first time and came away impressed.
“In my opinion, it is one of the most important conferences I have attended during my technical life,” he said. “The speakers were top-notch in both the technical and strategic tracks, and the topics covered during the conference were the latest issues in the cyber security space. The remarks and suggestions from the participating countries were very interesting and showed high potential for cooperation to improve the incident handling processes.”