Too Late to Protect Networks, Experts Turn to Resiliency
Establishing trust and sharing information are the first steps toward a successful cyber future.
Half of all Americans and 100 percent of the work force had their personal information compromised in the Equifax hack this summer. While critical data, such as what was stolen in the hack, requires better data protection, enhancing its protection is no longer enough. Resiliency has to be a critical capability too.
Four cyber-focused panels recently tackled complex issues, with much of the focus on recent hacks, during the AFCEA Homeland Security Conference taking place in Washington, D.C. Leading experts discussed a variety of security issues as they affect government agencies, and they commented on the amount of collaboration happening between government and industry as well as with international partners. Overall, the speakers agreed that classification practices need to be examined, more information needs to be shared and trust has to develop.
Many of the panelists referenced the administration’s executive orders on cybersecurity and information technology. While the orders provided good information, by themselves they do not do much to move the ball, explained Rich Smith, vice president, CACI. The cybersecurity order is built on a lot of what has been going on already and features good common sense, but follow through is needed. Good policies are in place but are not being executed well, he added. Smith moderated a panel looking at cross-agency response. Another panel member, Dr. Sam Liles, acting director, Department of Homeland Security Intelligence and Analysis Cyber Division, elaborated that the cyber executive order is interesting and different from what people were expecting. It talks about how information is being shared and how much. Every good chief information officer wants to share information, but now something is driving them.
Greg Touhill, president of Cyxtera Federal Group and a member of Smith’s panel, followed up on the overclassification of information, saying it is limiting, especially when some things that remain classified are available on the Internet. In a test, he found TS SCI information on the Internet, despite the information still being classified.
In addition to understanding the importance of sharing information, it is equally important to act on information that is shared, he advised. He added that we are not good at this, but better than before. Still, “everyone seems to be in a state of denial,” Touhill observed. “Get things out as a heads-up sooner. Over classification creates a cone of silence, and nothing gets done.” Touhill concluded by stating that cybersecurity is not a technology problem but a risk management problem.
Beth Dunphy, program director, cybersecurity technologies, IBM and a participant in the cyber fireside chat panel, was in agreement, saying that if you are not sharing information, you are part of the problem, and it is critical that the country breaks through this.
Protecting data really comes down to determining which data is most important and working back from that because you cannot protect everything, said Chris Cummiskey, CEO of Cummiskey Strategic Solutions, also participating on the cross-agency incident response panel. Robert Carey, vice president of cybersecurity, cloud and UC solutions, General Dynamics Information Technology, participating in the fireside cyber chat panel, said that you put the most sensitive information behind lots of barriers and defenses. Make sensitive data a hard target. Big layers of cryptology cost money but it works, he added.
Speaking from the FBI perspective on the panel, Charles Garzoni, incident response coordinator for the FBI's Cyber Division, said that adversaries are going to do things in the way they know to do them, but they evolve faster than we do, so we have to keep up. They never run out of tools. He outlined several different types of threats: burglars who are after the money; vandals who want to promote political messages; muggers, such as in the Sony hack or when cyber bullies are picking on others; spies—internal or external and political or military; and saboteurs working to affect the critical infrastructure.
Dr. Frank Cilluffo, associate vice president and director, Center for Cyber and Homeland Security, George Washington University, and a panelist on the Roles and Responsibility panel, reiterated the point made by Garzoni: “Not all hackers are the same, not all hacks are the same, not all targets are the same and not all capabilities are the same.” He said the dilemma with cyber is to discern the intentions of the attackers. “Often you do not know, unlike when you have a kinetic incident."
Phil Reitinger, president and CEO of Global Cyber Alliance, also served on the panel. He warned that there can be too much emphasis on roles and responsibilities. There needs to be a focus on capabilities as well, he explained. Infrastructures have to be both defendable and adequately defended, but most infrastructures are not defendable. He added that prevention is important but resilience is the key.
Roles and responsibility go along with resources, so there needs to be a clearer road, said Kathy Kraninger, program associate director for general government, Office of Management and Budget. She agreed that there is a massively antiquated infrastructure on the federal side, and officials have to think about this smartly but not by bringing a lot of money to the problem.
Trust is an important part of solving cybersecurity problems, but trust between government and the private sector is just not there. “We must inject private sector thought and technology into all the government does. There has to be a convergence of a host of different skills, but while there is a ton of strategy at the 30,000 level we are missing the doctrine that puts strategy and tactics together,” stated Dr. Phyllis Schneck, managing director and global leader of cyber solutions, Promontory, also speaking on the topic of roles and responsibilities. Machine learning is a big part of this. It is not intended to replace people but to allow people to use their expertise on bigger problems.
Panelists discussed whether artificial intelligence will benefit attackers or defenders more. If it doesn’t benefit defenders more, Reitinger thinks we are in trouble. Schneck interjected that AI provides capabilities to crunch numbers fast and is as easy for the other side—and they have the money and don’t have the lawyers, she added. Cilluffo added that initiative lives with the aggressor. We need to get to the point where we can put some pain on the bad guys and stop blaming the good guys, he stressed.
The administration is exploring a common architecture where all civilian departments and agencies would operate on the same system. Having a common architecture helps people understand what is secure, but at the end of the of the day, it allows attackers to use the same method to get into all agencies. Dunphy said she is not a fan of homogeneity across multiple organizations. Having differences and complexity makes it harder for hackers, she stressed.
A panel moderated by Larry Clinton, president of Internet Security Alliance, looked at cyber more globally. Holly Phelps, deputy director, Cyber Information Group, U.S. Department of Treasury, pointed out that her department is focused on cybersecurity in the international sphere because global finances have no borders. “It is about integrity and trust. If you cannot trust transactions, you will have a hard time," she stated.
In working on international issues, Jon Boyens, a manager in the Computer Security Division of the National Institute of Standards and Technology, pointed out that a problem is differentiation between real security issues and industrial policy.
Jordana Siegel, director of International Strategic Affairs, DHS, identified some of that department's international cyber priorities. They include building international relationships to respond to incidents that occur and working with foreign partners and industry to help reduce cyber risk and infrastructure. Other priorities include combating cyber crimes, investing in digital forensics, strengthening information sharing and exchanging expertise and best practices with foreign counterparts. Investment is needed in research and development and the department needs to work closely with other international agencies to establish norms of behavior in cyberspace.
The cyber work force is an issue across the government and in industry. The work force needs extra skill sets, said Cummiskey. In the short term, Dunphy said IBM is looking at nontraditional sources. Veterans have the attitude and aptitude that their serving brings them. But skill sets have to start at the high school level. Applied learning is needed, not just theory.