Scared to Death: Cyber Insecurity in Alabama's Technology Hub
If you don’t “wake up at night scared to death of the threats to our national defense assets,” the military brass in Huntsville wants you to know you should. And the mayor of Huntsville has an economic development initiative that depends on it.
Greg Gaddy, Huntsville operations director for Metters Industries, believes a focus on supply chain management matches up with the city's growing logistics and materials capability.
Photos by Dennis Keim
Facing economic challenges from the first big Marshall Space Flight Center layoffs in years, the specter of cuts in military spending and the danger of virulent attacks on information systems holding the military secrets of its biggest businesses, the City of Huntsville responded not with despair but with plans to create a cyber security hub that would employ its displaced expert workforce and protect its sensitive information.
Huntsville Mayor Tommy Battle, who had campaigned for office in 2008 on an economic development platform only to face cuts and threats of cuts, announced plans for the new hub at the 2010 Space and Missile Defense Conference in Huntsville last August.
With input from a host of Huntsville-area IT security experts, including former Space and Missile Defense Command cyber experts Rodney Robertson and Jess Granone, Battle realized that the considerable information technology and computer security assets at Cummings Research Park and area universities could be redirected to make Huntsville a center for cyber research.
The proposed Cyber Systems Integration and Security Center (CSISC) would be devoted to cyber security research in support of Huntsville’s vast amount of weapons systems development. “Our vision is for Huntsville to become known as a center of excellence for cyber security,” Battle said at the time, adding that the center would pull together the best efforts of scientists, information technology experts and academics.
Battle proposed a location in the new Redstone Gateway Center, a 4.2-million-square-foot office and commercial facility under construction just outside the Gate 9 north entrance to Redstone Arsenal. CSISC would be a sort of anchor tenant within the more secure third of the complex that will be within the Arsenal.
Threats to National Defense
Cyber threats have grown in both frequency and intensity in recent years, and threats to both military and commercial targets were a hot topic at the third annual Cyber Security Summit in Huntsville in June.
Keynote speaker Antonio Scurlock, director of the Department of Homeland Security’s National Cyber Security and Communications Integration Center, told the more than 350 attendees that cyber security has now become a “warfighting domain” on the level with land, sea, and air warfare. In her presentation, Natalie DeLuca, information management and assurance for the Army’s Huntsville-based Program Executive Office (PEO) for Aviation, Missiles and Space, asked “How many of you wake up at night scared to death of the threats to our national defense assets?” She said a tremendous amount of data is being lost through open-source software and called for more security education and awareness.
The defense contractors are not immune. A May 2011 attack on Lockheed Martin’s information systems network was foiled before major damage could occur, but it took nearly two weeks for full network access to be restored.
Since the beginning of 2011, virtually all federal agencies have fought intrusions into their computer networks. James M. Miller, the Pentagon’s principle deputy undersecretary for defense told a large audience earlier this year that the U.S. is “losing terabytes of information, enough to fill multiple Libraries of Congress.” He termed as “staggering” the amount of the annual loss.
The military has noticed an increase in cyber attacks from China, according to a report from the U.S.-China Economic and Security Review Commission. “China has recognized the importance of cyber operations as a tool of warfare,” the Commission reported in 2010, noting that leading defense contractors including Raytheon, Boeing, and Northrop Grumman, in addition to Lockheed Martin, have been victims of cyber attack since 2007.
“There is a huge effort by the military services to protect the networks, but that is not good enough,” says Granone. “We must look at this as a cyber systems engineering problem to include the systems that are connected to the network. This will not be easy, due to the complexity of required efforts, such as modeling and simulation at a cyber level, within the systems themselves.”
Granone said a cyber attack could involve sophisticated hackers penetrating IT security in a defensive system, such as the Missile Defense Agency’s Ground Based Mid Course Missile defense, that could render the system virtually useless. An enemy, he said, might not find it necessary to totally knock out system capability, only to degrade capability enough to destroy the system’s accuracy.
Steering Committee Progress
Battle formed a steering committee, Cyber Huntsville, to push the initiative, and tapped Robertson to head it up. Since last fall, Robertson has traveled the country, promoting Huntsville as a potential cyber security research center. “People in Washington recognize Huntsville as an aerospace and missile town, and we want them to recognize us as a cyber security town,” Robertson said.
Cyber Huntsville’s mission was spotlighted by the April 27 tornados, which showed how vulnerable critical systems can be to disruption. City leaders quickly realized that the storms, which knocked out power for nearly a week in some areas, offered a preview of what could happen in a full-scale cyber attack on utilities. They were determined to learn what they could. “It certainly heightened sensitivity,” said Jeff Wright, who previously headed the Cyber Exercise program at the Department of Homeland Security (DHS) and now participates on Cyber Huntsville’s events subcommittee.
The committee sponsored a late June meeting of city and utilities officials along with DHS and Department of Energy (DOE) representatives to conduct a Resiliency of Critical Infrastructure Summit. The participants took a hard look at what went right and what went wrong that caused Huntsville and much of the surrounding area to lose power for up to five days.
Those lessons will be at the forefront of a tabletop exercise planned for November 2 that will bring together a larger group of participants to simulate what would happen if a cyber attack were to knock out TVA’s power, as well as other government organizations. Participating agencies will include the Federal DHS, Alabama DHS, Huntsville-Madison County EMA, several Redstone Arsenal organizations, including the Garrison Commander’s Office, Marshall Space Flight Center and the FBI offices in Huntsville and Birmingham. Wright also expects participation from local hospitals, banks, and Internet service providers, as well as eight or nine firms from Cummings Research Park.
While the June event helped IT professionals address security problems, the tabletop event “is more focused on the community’s ability to respond,” Wright said. “We’ll be looking at the interdependencies in these infrastructures, how can we respond and be resilient. It’s certainly worth our time to look at how we can improve our capabilities.
“We’ll be looking at a large scale cyber disruption. We want to improve regional cyber resiliency by looking at the interdependence of this representative sample of organizations. We’re looking at cross-sector information sharing among all the different sectors, trying to identify critical priorities for incident response.”
Finding a Niche in Crowded Competition
Clearly a growth industry, cyber security research holds opportunity, but Huntsville finds itself in competition with other established cyber security research centers, which began years ago to respond to the threat. Huntsville’s military and aerospace focus only puts it into greater competition with military-based research centers such as the Air Force’s major cyber security research facility at Wright Patterson AFB near Dayton, Ohio, and Cyber Innovation Center at Barksdale AFB in Louisiana. The Navy has assigned cyber security to the Space and Naval Warfare Center (SPAWAR) in Charleston, South Carolina.
Huntsville certainly benefits from its long association with the Army, which in 2010 raised cyber security to command status. The new U.S. Cyber Command: CYBERCOMM, based at Ft. Meade, Maryland, has a primarily defensive mission: to defend U.S. military information networks, as well as conduct “full spectrum military cyberspace operations and ensure US/Allied freedom of action in cyberspace,” as its website describes it. A marker of the importance the Army now places on cyber security was President Obama’s choice of Lt. Gen. Keith Alexander, former head of the National Security Agency, to head the command.
Robertson sees Huntsville’s research center playing a supporting role to CYBERCOMM, possibly performing cyber research under contract to the cyber command, as well as other research centers, such as the Navy’s SPAWAR.
Cyber Huntsville leaders, such as Robertson and Wright, define Huntsville’s role broadly, to include most aspects of cyber security. “If it has to do with missiles, aviation, or other systems, none of these run without computers. Securing the protection of those networks is important,” Wright says.
Some Huntsville firms have defined that role more closely. At Metters Industries, a small business specializing in intelligence training and supply chain risk management, Huntsville Operations Director Greg Gaddy said a focus on supply chain management matches up with Huntsville’s growing logistics and materiels capability.
Wright agrees that security of supply chain makes sense as a niche. “Whether it’s chips or motherboards, we want to make sure they were built to the right standards, and they come to us uncorrupted,” he said.
But Huntsville should also be focusing on expertise involving the “smart grid” proposed by the U.S. Department of Energy, says Greg Bagley of Riverside Research Institute. Bagley explained that the smart grid—an effort to maximize the efficiency of the U.S. power grid—will be more vulnerable to cyber attack. “This could be Huntsville’s niche. We have a chance to do something that’s truly unique,” he said.
Battle continues to lead the charge, and reported solid progress at his one-year review during the SMD Conference. “We’ve raised the level of awareness that this is a viable industry. We have a lot of potential to work in this industry, to expand our industrial base, and tell what we are capable of doing.”
Mike Kelley is a freelance writer for Business Alabama. He lives in Huntsville.