ATEC Commander talks cyber testing at local ITEA Cyber Luncheon

By Ms. Andricka Thomas (ATEC) March 6, 2015

Maj. Gen. Peter D. Utley, commander, U.S. Army Test and Evaluation Command, briefs a group of government and industry test and evaluation experts, February 26, at the 2nd International Test and Evaluation Association Francis Scott Key Chapter Cyber S... (Photo Credit: U.S. Army)

BELCAMP, Maryland - Maj. Gen. Peter D. Utley, commander of the U.S. Army Test and Evaluation Command, served as this year's keynote speaker at an International Test and Evaluation Association cyber security workshop February 26, 2015, at Water's Edge Events Center in Belcamp.

ITEA's Francis Scott Key Chapter hosted a ballroom full of military and industry test and evaluation experts as part of their 2nd Cyber Security Workshop themed "Test and Evaluation to Meet the Advanced Persistent Threat."

"One of the primary things here is the collaboration, education, and awareness shared across communities, not only the Aberdeen Proving Ground community, but from DoD [Department of Defense], to DHS [Department of Homeland Security], and members of the cyber and intelligence communities," said John Schab, National ITEA Board of Directors member and past president of the Francis Scott Key ITEA chapter. "I think that's the point of events like these."

Cyber security threats affect those in academia, industry, finance, defense, government, and intelligence communities. Workshop participants were eager to share test and evaluation practices that reduce vulnerability to hackers.

"I think we can agree there is no such thing as being 100 percent secure when it comes to the cyber domain. I believe cyber warfare truly poses a real and imminent threat to our way of life, particularly in a democratic society. Clearly this issue is a global concern and I think everybody is in this together, to say the least," Utley explained.

And Schab agreed.

"I think we need to start accepting the fact that we're going to get compromised and we have to test our capability to react and recover from that. I think that is one of the main things that will come out of this week's event," Schab said.

From the Army test and evaluation perspective, Utley says cyber security must be tested with rigor throughout the life-cycle of a system by addressing it at every phase of the acquisition process. Right now, cyber defense testing is not considered until much later in the acquisition phase, but we are seeing positive and real momentum to move this critical effort earlier in the acquisition process. He emphasized the reality of the cyber threat and that cyber has to be viewed as a life-cycle requirement, described by Utley as a "Pre-Milestone A to Retirement" approach.

"We do have an established approach to address cyber in our test and evaluation efforts," said Utley. Underpinning this approach is early and continuous testing, but unless we address this requirement from a lifecycle perspective, our test and evaluation efforts will be for naught. Key actions associated with the lifecycle approach include establishing the security architecture early, continuous testing and evaluation of major software drops or hardware changes, and integration of systems into a baseline network to ensure understanding of the impacts on other fielded systems.

"To me, it's about discipline, standards, and policy. I would like to pose the question, 'do we have the same discipline, standards, and policies applied before Milestone C [decision to enter a production phase] as we do after Milestone C?'" said Utley.

"Once these systems go into sustainment phases, and as we update software on these systems, we should apply the same rigor regarding cyber security. If we start this effort earlier in the acquisition process and through the retirement of a system, we will improve the overall security of the network," Utley continued.

There are multiple efforts in cyber defense across the Army, DoD, government and industry, but what Utley says is lacking is unity of effort in tackling the issues within the cyber domain. Utley said, "We have a number of organizations doing great work, but we still have gaps and seams. It is imperative we tie in our flanks."

Cyber security improvements will not be gained from technology alone. Utley said, "The Army is and must take a DOTMLPF approach to the cyber security challenge," referring to the DoD's practice of considering Doctrine, Organization, Training, Materiel, Leadership and education, Personnel, and Facilities to solve problems.

And ITEA members, comprised of government and industry test and evaluation experts, agree.

"As everyone becomes more interconnected, the government can't work by itself. There are so many industry solutions and best practices that can help influence government. On the other hand, there are a lot of things the government does internally that need to filter back into industry, especially in the area of cyber and cyber security," said Schab.
