Tuesday, October 14, 2014

Securing Cyberspace with Lessons Learned from Civil War Medicine

Those who cannot remember the past are condemned to repeat it. – George Santayana

The total number of Union dead during the Civil War ranges from 360,222 (if you accept the Fox-Livermore estimates from the late 19th century) to the (approximately) 437,006 estimated by Dr. David Hacker in late 2011.  Predictably, many historians struggle with and debate the revision to more than a century’s worth of settled fact.  What is not being debated is that approximately two-thirds of those who perished (between 240,148 and 291,337 men) fell not to Confederate bullets, bayonets, sabers or shells but to disease. 

In historical retrospect, this is surprising as huge investments, and concomitant advances, were made in medicine during the war.  Indeed, when the war began, the United States Army Medical Corps numbered just 87 men – and promotion was based strictly on seniority, not on merit.  By the cessation of hostilities in 1865, more than eleven thousand doctors had served.

Union medical care improved dramatically during 1862.  By the end of the year each regiment was being regularly supplied with a standard set of medical supplies and had an integral medical staff.  In January 1863, division level hospitals were established, serving as a rendezvous point for transports to the general hospitals.

By 1865, there were 204 Union general hospitals, capable of treating 136,894 patients.  General hospitals were designed to accommodate massive numbers of wounded and sick men.  They were built as pavilions with separate buildings, where thousands of patients could be sheltered.  Each building was its own ward, with high vaulted ceilings and large air vents, accommodating about 60 patients.  Ultimately over a million men were treated in the general hospitals, and the collective fatality rate was below 10%. 

Given the rapid development of this tremendous medical capability, the fact that hundreds of thousands of Union soldiers succumbed to disease during the war seems counterintuitive.  However, even a cursory look at what passed for field sanitation is illuminating. 

Soldiers rarely bathed, and the same pots that were used for cooking were also used to boil clothing to remove lice.  Regulations about camp sanitation and overcrowding were ignored.  Each company was supposed to have a field latrine.  Some regiments dug no latrines.  In other cases the men went off into open spaces around the edge of the camp.  Inevitable infestations of flies followed, as did diseases and bacteria they spread to both men and rations.

The Army diet was high in calories and low in vitamins.  Fruits and fresh vegetables were notable by their absence.  The food part of the ration was fresh or preserved beef, salt pork, navy beans, coffee and hardtack; large, thick crackers, usually stale and often inhabited by weevils.  Preparation of the food was as bad as the food itself, hasty, undercooked and almost always fried. 

And so, despite substantial investments in very large, very visible medical programs, huge numbers of Union soldiers died of disease.  Why? Because these programs were inherently reactive, responding to, but not alleviating, the root cause of the problem, which was the inherently unhealthful lifestyle of the individual soldier in the field.

For those in the burgeoning cybersecurity industry, and especially those who work at the nexus of the public and private sectors, Santayana’s words ring especially true.  Much like the Army Medical Corps in the early 1860s, a crisis of epic proportions is faced.  The number of cyber-attacks mounted on an hourly basis against government departments and agencies as well as their contractors and the national critical infrastructure is staggering.  Reports of data breaches suffered by major retailers, banks or manufacturers are a weekly, if not daily, occurrence.  There’s an ongoing information hemorrhage, flowing out through porous perimeters and effective countermeasures remain elusive. 

This isn’t to say that large, visible efforts and investments aren’t being made.  There are eighteen sector-specific Information Sharing and Analysis Centers (known as ISACs), established pursuant to Presidential Policy Directive 63, whose ostensible purpose is to promote risk mitigation, incident response, alert and information sharing within the discrete national critical infrastructure sectors.  Similarly, the United States Computer Emergency Readiness Team (US-CERT) was created in 2003 by the Department of Homeland Security (DHS) to analyze and reduce cyber threats, vulnerabilities, disseminate cyber threat warning information and coordinate incident response activities.

These efforts pale, however, when compared to two ongoing programs intended to secure civilian government networks and systems.  The Continuous Diagnostics and Mitigation (CDM) program is intended to provide capabilities and tools that identify, prioritize and mitigate cybersecurity risks on an ongoing basis.  The Development, Operations and Maintenance services in support of the National Cybersecurity Protection System, or DOMino program is intended to continue DHS efforts to protect the federal .gov domain with an intrusion detection system that monitors the network gateways of government departments and agencies for unauthorized traffic and malicious activity.  As an example of the magnitude of resources allocated to these programs, CDM has a program ceiling of $6 billion. 

Acquisitions resourcing is matched by policy efforts.  In February 2014, the National Institute of Standards and Technology (NIST) released the first version of its Framework for Improving Critical Infrastructure Cybersecurity.  The widely touted document, a collaborative effort of a consortium of industry and government partners, provides standards, guidelines and practices to promote the protection of critical infrastructure.

The Department of Defense (DoD) has also overhauled its cybersecurity policies and guidance so as to be more responsive to the ongoing cybersecurity emergency.  In March 2014, the DoD declared its information assurance mechanism (the Defense Information Assurance Certification and Accreditation Process, or DIACAP) obsolete and replaced it with a set of policies and guidance called the "Risk Management Framework (RMF) for DoD Information Technology (IT)."  The RMF, which aligns with the NIST RMF, is intended to address IT security risks throughout the IT life cycle.
All of these programs are important, necessary and from a purely parochial cybersecurity perspective, very welcome.  However, they also represent the same sort of top-down and reactive approach to security that the Army Medical Corps displayed with respect to soldiers’ health during the Civil War.  That is not to say that this sort of approach is incorrect, but rather that it does not form the basis for a complete solution to the problem.  A complete solution requires concurrent, systemic applications of both top-down and bottom-up approaches.

This was recognized by the military healthcare community, and critical changes were put into place with respect to both the individual soldier’s hygiene and sanitation in the field and the overall military medical system.  As a result, while there were 62 deaths from disease per 1,000 Union soldiers (using the Fox-Livermore statistics) during the Civil War, the number dropped to 25.6 per 1,000 in the Spanish-American War, and 16.5 in the First World War.  By the Second World War, less than one American soldier per 1,000 died from disease.

The systemic machinery of government information technology is already responding to the cybersecurity epidemic.  If the overall cybersecurity treatment is to be effective, comparable changes and improvements must be made to the cyber-hygiene requirements at both the operational user and acquisitions program levels.  More precisely, just as compliance with the high-level, top-down security requirements is required for a program to gain or maintain authority to operate on a government network, compliance with low-level implementation guidelines should be required as well.

The good news is that most of these changes are readily implemented, and not matters of breakthrough research.  A non-exhaustive listing of a few examples:

·       Assume that a breach is not a matter of if, it’s a matter of when, and design all systems to continue to operate effectively despite the presence of attackers.
·       Encrypt everything.  This includes data at rest, data in transit and data in use.  This way, even if an attacker gains access to protected system resources they will be of little or no value upon exfiltration, thus maintaining confidentiality despite a breach.  Additionally, they will be difficult if not impossible to alter, thus maintaining data integrity.
·       Implement comprehensive and fine-grained authorization management to ensure that the principle of least privilege is automatically implemented and maintained.  The open standard for the implementation of attribute based access control, the eXtensible Access Control Markup Language, or XACML, was first published in 2004, and there is a wide array of tools from which to choose when implementing this capability.
·       Ensure that email traffic is subjected not only to in-line spam filtration, but also to psycholinguisitic analysis intended to determine the degree to which a communication is deceptive.
·       Require that all personnel received mandatory training on good cyber hygiene and that continued compliance with cyber-hygiene standards is part of an annual or semi-annual performance evaluation.
·       Partner with industry to ensure a constant influx of innovative ideas.
It’s often said that government is only capable of broad, systemic action requiring years to develop and many more years to implement.  With respect to the current hostile state of cyberspace, the luxury of time simply doesn’t exist.  However, as can be seen by the improvements in military medical and hygiene standards, government is absolutely capable of implementing extremely effective solutions that merge both top-down and bottom-up approaches.  The battle for cyberspace can be won.  We simply have to, collaboratively, choose to win it.

No comments:

Post a Comment