In terms of cyber, the United States is “a victim of our own success,” said Ernest Hibbs, chief engineer in the Defense Information Systems Agency’s (DISA) Infrastructure Directorate, during the AFCEA TechNet Cyber 2019 symposium in Baltimore May 15.
“In other countries, we are considered cutting-edge. So what does that make us? A target,” he said.
Hibbs gave a presentation arguing in favor of applying systems engineering principles to cyber-defense efforts.
The Defense Acquisition University defines systems engineering as “a methodical and disciplined approach for the specification, design, development, realization, technical management, operations, and retirement of a system.”
The emphasis of systems engineering is on preventing issues by identifying customers and potential functional, physical, and operational issues that could occur in the intended use environment, along with ensuring costs are kept to a minimum, said Hibbs.
He believes systems engineering is not baked into cyber today due, in part, to cultural problems and opinions. He described for attendees the six reasons why he believes this to be true.
- Oversimplifying the complexity of the problem.
- Spending excessive funds just discussing the problem.
- Commissioning a burdensome documentation effort.
- Forcing engineers to perform tasks outside their primary skill sets to accommodate urgent needs.
- Meeting the changing needs of the program manager.
- Organizing systems engineering efforts is harder than building systems.
Hibbs went on to say not only is systems engineering in the cyber domain very important, it is necessary.
“Systems engineering serves to help anticipate how a computer or network-based system will be affected by malicious actors and cyber-attacks,” he said.
Eugenia Jacobs, a computer scientist in the DISA’s Infrastructure Directorate, explained further.
“Systems engineering provides a proven framework used to enhance stability and reliability in the development of cyber solutions,” she said. “The goal for adversaries in the cyber environment is to create chaos and to exploit vulnerabilities.”
Jacobs said systems engineering provides an organized approach to anticipate hostile attacks, combat them, monitor the development of the solution, and measure the solution’s effectiveness.
Hibbs ended the discussion by saying the biggest hindrance to conducting effective systems engineering as it relates to the cyber domain is ego – the tendency of a program manager or system owner to believe they have already anticipated every potential vulnerability.
“Wherever we go, there is an ego – and that is something that we have to stabilize,” Hibbs said.
A copy of the systems engineering presentation is available on DISA.mil.