In a July 16, 2008 campaign speech, Barack Obama said, “As President, I’ll make cyber security the top priority that it should be in the 21st century.” Shortly after taking office President Obama designated the nation’s cyber infrastructure as a “strategic asset” and announced that he will be appointing a cyber advisor to report directly to him. The message that cybersecurity is critical to America’s future is not new, but the need to act quickly and decisively has increased due to emerging threats to government, public, and private networks. As audiovisual data grows on these networks, so does the need for government AV technology managers to become informed participants in proactively securing AV systems to protect the networks and information we depend on to perform our missions.
In a proclamation that designated October as National Cybersecurity Awareness Month, the President stated that, “In the Information Age, the very technologies that empower us to create and build also empower those who would disrupt and destroy,” and “Cyber attacks and their viral ability to infect networks, devices, and software must be the concern of all Americans.” In a related Cybersecurity Awareness Month kick off event, the Department of Homeland Security (DHS) Secretary, Janet Napolitano, announced that DHS will be hiring up to 1,000 new cybersecurity professionals. “Effective cybersecurity requires all partners – individuals, communities, government entities, and the private sector – to work together to protect our networks and strengthen our cyber resiliency,” said Secretary Napolitano.
The Department of Defense (DoD) is also taking an active role in cyber security. Several components of the DoD including the Air Force and the Navy have consolidated their cyber operations. In August, the Air Force brought together their space and cyberspace units under a single command. On October 1, the Navy announced the creation of a Fleet Cyber Command. Both of these actions and several more like them are being completed in advance of the stand up of the DoD’s new Cyber Command (USCYBERCOMM) that will operate as a sub-command under the Strategic Command (USSTRATCOM). Defense Secretary Robert M. Gates is expected to nominate Lt. Gen. Keith Alexander, the National Security Agency (NSA) Director, to receive a fourth star and to lead both NSA and the Cyber Command. This shows that the military understands their digital dependence on cyberspace and that they are treating it as a domain that is as relevant as land, sea, air, and space to military operations.
All of these activities are taking place now because the United States is being challenged for cyber dominance by a very aggressive China and a resurgent Russia. At the same time, cyber attacks have shown that national and military cyber infrastructures are vulnerable to international and domestic terrorism, malicious hacking, and foreign government attacks. Complacency is not an option since the U.S. has become completely reliant on its cyber infrastructure for critical communications, information, power, and other infrastructure needs.
But why should a government AV technology manager care about cyber security? The answer is simple. Audiovisual technology is becoming increasingly important to agencies’ communication and information processing activities. As AV technologies find new distribution paths through IT networks, the AV systems that used to be stand alone are now processing information in cyberspace. Since AV components are now part of the overall computing environment it is critical that these systems be thoroughly inspected and tested for vulnerabilities. The risk associated with these vulnerabilities must be assessed and plans must be formulated to mitigate them. In a speech on May 29, President Obama said, “It’s long been said that the revolutions in communications and information technology have given birth to a virtual world. But make no mistake: This world –cyberspace—is a world that we depend on every single day.” The president went on to point out that the United States’ economic, military, public safety, and national security depend on cybersecurity and that “we’ve failed to invest in the security of our digital infrastructure.” As managers of a significant portion of the United States’ digital infrastructure, AV technology managers must do their part to secure AV technologies, the information these technologies process, and the networks they touch.
A lot of technical managers see security as an unnecessary burden and view security officers as overly restrictive because they don’t understand the technology. To some extent that may be true, but I believe the responsibility lies with the technical team to prove to security officers that AV systems are built to mitigate risk and are compliant with regulations. The security team can help AV managers identify which regulations are relevant and AV managers can reciprocate by providing detailed system security documentation. This requires AV managers and their team subject matter experts to assist with defining configurations, settings, and architecture plans. They should also demonstrate risk mitigation impact in whitepapers and other technical documents. Keep in mind that security experts need to understand all security regulations and may have only a basic understanding of specific technologies. AV technology managers, on the other hand, need to have an expert level understanding of AV systems and a strong knowledge of relevant security regulations. A short meeting with a security expert can eliminate the need to review thousands of pages of regulations to find the relative few that matter.
A few tangible actions that AV technology managers can take to improve cybersecurity include:
- Keep anti-virus software, operating systems, and program software for all of your systems up to date and/or compliant with the current baseline for your organization.
- Maintain backup copies of your software and files.
- Get to know your information assurance, cyber security, and physical security teams and schedule reciprocal information sharing sessions between AV and security teams.
- Become familiar with all federal departmental and organizational policies, directives, and other guidance that relates to audiovisual. Most IT policies relate in some way, so IT policies are good places to start.
- Get your staff trained on all relevant security policies and practices.
- Work with design consultants and integrators that specialize in security to perform security audits to check systems for compliance with policies and regulations.
- Get configuration information and volatility reports from manufacturers to discover and mitigate risks.
- Be observant and look for vulnerabilities to fix. These vulnerabilities may be operational, procedural, or environmental. They are not necessarily always systems issues.
- Create comprehensive security checklists for your AV systems.
- Perform regular preventive maintenance inspections and get to know your systems inside and out.
- Build cybersecurity awareness into your AV team’s culture.
Gary L. Hall, CTS-D, CTS-I, is a program management execution officer at the National Geospatial Intelligence Agency (NGA) in Bethesda, MD. He is also an adjunct instructor at the InfoComm Academy and can be reached at firstname.lastname@example.org. The views expressed in this article are those of the author and are in no way officially endorsed by NGA, and do not necessarily represent the views of the United States.