USCENTCOM expands the Central Region Communications Conference
The fifth Central Region Communications Conference (CRCC) concluded with a multinational commitment that will expand the depth and scope of what has been U.S. Central Command’s premier cyber security event.
With the concurrence of CRCC attendees from nine partner nations, U.S. Brig. Gen. Peter Gallagher, head of USCENTCOM J-6 and director of the Joint Cyber Center, promised to hold quarterly workshops in which conference participants and interested newcomers could develop joint strategies to deal with threats in cyberspace.
“We’ve got to take action. This just can’t be the great get-along and a bunch of briefings. And then we wait till next year to come back together to rehit some of the same lessons,” the general said on the final day of the conference that ran May 12-14, 2015, in Washington, D.C.
“We want to use the umbrella of the CRCC to conduct quarterly workshops in cyberspace. We can do these in a collaborative fashion, using what we call APAN, the All Partner Access Network. We would establish a website with access, and within the next three months, we would like to bring this collective team together. And we could also open it up to partners who weren’t able to make it.”
The announcement capped a busy three-day conference attended by senior cyber security leaders from Afghanistan, Bahrain, Egypt, Kuwait, Lebanon, Oman, Qatar, Saudi Arabia and the United Arab Emirates. Delegates from Afghanistan, Egypt and Qatar gave formal presentations of the progress their domestic cyber security agencies have made defending computer networks. They were joined at the podium by senior U.S. government officials and industry experts from companies such as Google and AT&T.
A common refrain was the need for cyber partnerships, not just between nations, but between governments and the private businesses that are making most of the technological breakthroughs. Such partnerships are needed to share vital knowledge about how to repel criminals, hostile governments and terrorists lurking online.
Staff Brig. Gen. Dr. Mubarak Al Jaberi, Head of Communications and IT Department at the UAE Armed Forces, suggested building a joint “road map for the whole region” that could be “presented by our friends in Washington, D.C.” Five years ago, the UAE set up the National Electronic Security Authority (NESA) to help defend cyberspace. It was the first agency of its kind in the region.
“We need to start thinking of creating and building a task force. We need to go for rapid deployment,” Gen. Al-Jaberi said. “We need to be connected. We shouldn’t be disconnected. We don’t need terrorists or any party to take advantage of the disconnectedness.”
The need for cooperation was affirmed by Saudi military officers in attendance, who made a plea for a cyber alliance with countries that had learned from hard experience how best to protect computer networks from threats online. “We don’t want to start the way they started years ago,” said Brig. Gen. Dr. Abdullah Al-Mogbil, chairman of the E-Transactions Subcommittee in the Royal Saudi Land Forces. “We would like to start from where they stopped.”
Cyber resilience — hardening network defenses against hostile penetration — occupied much of the discussion at the CRCC. Dr. Edward Amoroso, chief security officer at AT&T, told attendees that surrounding a company’s or a nation’s systems with general-purpose firewalls and other security software — what he termed “sandbags” — represents a less-than-ideal approach. Each of these defenses can be easily breached with proper motivation on the part of a nation’s enemies. The best solution is to create a virtual cyber architecture that isolates various branches of information technology, such as email and websites, into separate, more easily defensible strongholds, he said. That way, a firewall failure won’t compromise every system at once.
“It’s hard to build and very easy to destroy,” Vice Adm. Mark Fox, deputy commander of USCENTCOM, told conference attendees. “So part of our challenge is to find ways to work together to create resilience and strength.”
Lebanese retired Brig. Gen. Joseph Nassar, whose national delegation was attending the CRCC for the first time, picked up that theme in a plea for more cooperation.
“We cannot protect ourselves from all intruders. But we can minimize and mitigate the security risk by defining where it’s coming from, whether it’s terrorist organizations or from hackers,” he said. “Then we can decide on the prevention and measures to be taken.”
The message of public-private cooperation corresponded to Kuwait’s approach. The country recently set up its first national cyber security agency and began by reaching out to technological leaders in the cyber field. “We don’t have much experience in cyber security,” Kuwaiti Col. Mohammed Al-Enizi announced. “That’s why now we are working with the big companies and partners such as Cisco, Microsoft and HP to just establish a secure environment.”
In December 2014, Egypt established a High Council for Cyber Security. Its 24 members come from various sectors of government and industry. The formation of such a body is helping the country unite around an issue that hasn’t always been at the top of the agenda, said Dr. Sherif Hashem, vice president for cyber security at the National Telecom Regulatory Authority.
“People agree that security is important. But when it comes to deploying resources, developing the skills and supporting infrastructure development, that’s when budgetary concerns limit participation,” Dr. Hashem said.
Starting with much less than many of its partners in the region, Afghanistan has made huge strides in adopting information technology over the past 13 years, particularly in the spread of mobile phone use to a majority of the population. Zmarialai Wafa, one of the country’s top cyber security officials, outlined the process by which Afghanistan has tried to defeat attacks on its fledgling networks, culminating in 2014 with passage of the National Cybersecurity Strategy of Afghanistan.
Afghanistan’s efforts earned praise from Khalid Al-Hashimi, Qatar’s assistant undersecretary for cyber security. Qatar’s Computer Emergency Response Team has led most of the region in conducting national cyber defense drills. “I was very impressed about the activities and initiatives in the Islamic Republic of Afghanistan. Very impressive,” Al-Hashimi said. “You were able to pass laws that took other nations years to do. I applaud you for that.”
The work of CRCC 2015 will continue through quarterly workshops to which delegates from countries such as Jordan, Iraq and Yemen will also be invited. The moderated workshop sessions will likely occur in an interactive online format. The exact date and location of Central Region Communications Conference 2016 had yet to be determined.
Vice Adm. Fox called on his military and civilian colleagues to apply themselves to what has become one of the biggest security challenges of the 21st century.
“If we don’t find a way to do this efficiently, both as nations and as partners, there are people who will do our citizens harm. They will steal, they will destroy,” the admiral said at the conference’s conclusion. “It is our job as stewards and as public servants to find a way to protect our citizens and ensure our national interests are protected. That’s why we’re here.”
Key takeaways from CRCC 2015
- Cyber risk is a global phenomenon shared among governments, businesses and individuals.
- The world needs a common understanding and measurable metrics of what success looks like in cyberspace. If you can measure it, you can manage it.
- The cyber world requires redesigned architecture to plug vulnerabilities in cyber security defenses.
- Nations and industries must train and educate a certified pool of cyber experts to protect information systems.
- Balance security of networks with individual’s privacy concerns.