There is a lot of talk these days about solving the big cybersecurity threats to the United States. Former New York City Mayor turned international security contractor Rudy Giuliani says he is “this close.” Former President Obama, continuing his legacy-polishing job, latched onto this growing threat during his final days by declaring that, “During my administration, we have executed a consistent strategy focused on three priorities,” and went on to name an increased level of defense, deterring and disrupting malicious activity, and responding to and recovering from attacks.
He failed to mention that in spite of repeated policy reviews, cybersecurity frameworks, international “common understandings,” cyberinformation sharing acts and countless new initiatives, the Office of Personnel Management (OPM) suffered the largest breach in U.S. government history.
SONY Pictures, Target Stores, Home Depot, JP Morgan Chase, Yahoo, Dyn, and hundreds of other breaches all occurred while the National Institute of Standards, General Services Administration, U.S. Cyber Command, and Congress were all running around like Keystone Cops implementing new executive orders leading nowhere.
If Obama had stopped making speeches and simply asked someone like former Department of Homeland Security official Paul Rosenzweig for a reality check, he would have told him that, “Government moves at 60 miles per hour and internet innovation moves at 6,000 miles per hour. Hackers are ahead of defenders, defenders are ahead of legislators, and legislators are ahead of regulators.” That seems simple enough, right?
While cybercrime has increased during the past eight years, our government continues to inordinately rely on outdated technology, people, and processes. We are facing a dramatic imbalance between the wherewithal required to mount a cyberattack and the massive requirements necessary for the defense of these attacks. Conventional warriors would call this asymmetric warfare, and nowhere does it exemplify the enormity of the problem better than in our current struggle in cyberspace.
Giuliani is partially correct when he claims that we have spent way too much time on defensive technologies and nowhere near enough on offense, but that tag-line doesn’t fully characterize the problem.
President Donald Trump’s new cybersecurity team would do well to focus on two known challenges. One, we need to disrupt the attacker-defender dynamics. We live in a world where a $25 exploit kit in the hands of a teenager with a PC can outwit the world’s largest bank, which spends $500 million a year on cybersecurity. This is the same world where a handful of network bots can and did bring down internet access throughout the U.S. last October for the better part of a day just as the result of a probe. And this is the same world where a foreign contract hacker can gain access to highly sensitive emails and impose emotional chaos on a massive scale as we just witnessed in this past election cycle.
Until we change the trajectory of our own offensive strategies to target the source of these dark web resources, we don’t have a chance of disrupting that dynamic. We also have to stop worrying about collateral damage. Our enemies don’t.
The second challenge is the nature of malware itself. We have historically directed the bulk of our energies around prevention and perimeter defenses. We have largely depended on anti-virus software and gate-keeping technologies to ward off attackers. That ship sailed a long time ago, yet the technology that OPM used to defend those millions of sensitive personnel records was an ancient intrusion detection system known as Einstein.
That system, which DHS deployed twelve years ago, focused on the perimeter of the federal networks, but was completely ineffective against even the most lightweight modern attack. Today’s malware knows how to bypass all conventional perimeter defenses. You could have asked any civilian cybersecurity analyst whether that made sense in 2011 — let alone in 2015 — and the answer would have been a resounding “no!”
The good news, however, is that all malware relies on a specific and predictable multistage process to conduct its attack. Focusing on technologies that identify and detect these attacks while in progress is the only effective way to combat today’s advanced threats. And we need to start applying them.
We now have artificial intelligence and deep learning technologies in our more advanced commercial cybersecurity solutions that can detect in real time even the slightest signals indicating anomalous behavior. This detection instantly leads to discovery and capture long before bad actors have a chance to strike. But, as of this writing, Einstein’s replacement still has not been named for government system protection.
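The two preceding paragraphs argue that malware follows a predictable sequence of stages and that the useful signal is in-progress behavior rather than a perimeter signature. The following is an added example illustrating that idea in code; it is not from the article, from Netswitch, or from any product named here. The stage order, the keyword rules, the beaconing threshold and the log lines are all constructed for the example: events are parsed per host, repeated outbound connections count as a command-and-control stage only when their timing is machine-regular (a small statistical anomaly check standing in for the "anomalous behavior" detection the text describes), and a host is flagged only when several stages appear in chain order inside one window.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical stage order, modelled on a generic intrusion kill chain (an assumption).
STAGES = ["delivery", "execution", "persistence", "command_control", "exfiltration"]
MIN_STAGES = 3          # alert when a host shows at least this many stages, in order
WINDOW_SECONDS = 3600   # the chain must fit inside one hour
BEACON_MIN = 4          # repeated connections needed before timing is even considered
BEACON_MAX_CV = 0.2     # coefficient of variation at or below this looks machine-regular

# Constructed keyword rules mapping a log message to a stage (not a real product's rules).
RULES = [
    (re.compile(r"attachment .* opened"), "delivery"),
    (re.compile(r"process created by winword"), "execution"),
    (re.compile(r"autorun entry added"), "persistence"),
    (re.compile(r"\d+ MB sent to"), "exfiltration"),
]
NET = re.compile(r"outbound connection to (\S+)")
LINE = re.compile(r"^(\S+ \S+) (\S+) \w+: (.*)$")

# Constructed syslog-style sample: ws-12 walks the whole chain, ws-34 is benign.
SAMPLE_LOG = """\
2017-01-20 10:00:01 ws-12 mail: attachment invoice.doc opened by jdoe
2017-01-20 10:00:05 ws-12 proc: process created by winword.exe
2017-01-20 10:00:30 ws-12 reg: autorun entry added for svc_update
2017-01-20 10:01:00 ws-12 net: outbound connection to 203.0.113.7:443
2017-01-20 10:02:00 ws-12 net: outbound connection to 203.0.113.7:443
2017-01-20 10:03:00 ws-12 net: outbound connection to 203.0.113.7:443
2017-01-20 10:04:00 ws-12 net: outbound connection to 203.0.113.7:443
2017-01-20 10:09:00 ws-12 net: 48 MB sent to 203.0.113.7
2017-01-20 10:00:10 ws-34 mail: attachment agenda.pdf opened by asmith
2017-01-20 10:07:00 ws-34 net: outbound connection to 198.51.100.2:443
2017-01-20 10:15:00 ws-34 net: outbound connection to 198.51.100.2:443
2017-01-20 10:16:00 ws-34 net: outbound connection to 198.51.100.2:443
2017-01-20 10:40:00 ws-34 net: outbound connection to 198.51.100.2:443
"""


def parse(log_text):
    """Yield (timestamp, host, message) from the constructed log format."""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def is_beaconing(times):
    """True when there are enough connections and their spacing is suspiciously regular."""
    if len(times) < BEACON_MIN:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_CV


def stage_events(log_text):
    """Map each host's events to stages. A lone outbound connection is ignored;
    a regular series to one destination is recorded as command_control."""
    stages = defaultdict(list)   # host -> [(time, stage)]
    conns = defaultdict(list)    # (host, destination) -> [time]
    for ts, host, msg in parse(log_text):
        for rule, stage in RULES:
            if rule.search(msg):
                stages[host].append((ts, stage))
        m = NET.search(msg)
        if m:
            conns[(host, m.group(1))].append(ts)
    for (host, _dest), times in conns.items():
        times.sort()
        if is_beaconing(times):
            stages[host].append((times[0], "command_control"))
    return stages


def detect(log_text):
    """Return {host: [stages]} for hosts whose first-seen stage times progress
    along STAGES, reach MIN_STAGES, and fit inside WINDOW_SECONDS."""
    alerts = {}
    for host, events in stage_events(log_text).items():
        first_seen = {}
        for ts, stage in sorted(events):
            first_seen.setdefault(stage, ts)
        chain, last_ts = [], None
        for stage in STAGES:
            ts = first_seen.get(stage)
            if ts is None or (last_ts is not None and ts < last_ts):
                continue  # missing, or out of chain order: not part of this progression
            chain.append(stage)
            last_ts = ts
        if len(chain) >= MIN_STAGES:
            span = (last_ts - first_seen[chain[0]]).total_seconds()
            if span <= WINDOW_SECONDS:
                alerts[host] = chain
    return alerts


if __name__ == "__main__":
    for host, chain in detect(SAMPLE_LOG).items():
        print(f"{host}: in-progress attack chain {' -> '.join(chain)}")
```

The point of the beaconing check is that none of ws-34's individual events is malicious on its own, and the same is true of each of ws-12's events taken alone; only the correlation across stages on one host, together with the timing regularity of the connections, produces an alert. Real deployments would draw stage labels from endpoint and network telemetry rather than keyword rules, but the structure of the decision is the same.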
Assigning political hacks to manage the oversight of sensitive assets and the systems designed to protect them is disgraceful, and a reading of the history of the OPM attack is revealing. Watching the current confirmation proceedings in Congress is proof enough that huge changes will be required if we are ever to fundamentally rethink how cyberspace is secured and then mount a serious offense against cyberthreats.
Based on the last two weeks of furious executive orders driving actual work, I am highly optimistic that once President Trump is properly briefed on what needs to be done, he will sign new and effective cybersecurity orders as well.
Steve King is the COO and CTO of Netswitch Technology Management.