ALEXANDRIA, Va – In a panel discussion Monday morning, a crowded table of top-level security experts from industry, military and government agreed that the threat posed by cyberattacks targeting U.S. critical infrastructure and private industry now outweighs any other national security threat. Problematically, the government will not and cannot solve that problem alone. Private companies will have to look within and to each other and partner with the government if they want to protect themselves and, more broadly, U.S. interests, the experts said.
The panel, called “Bringing Awareness to Cyber-Resiliency,” was moderated by Michael Riley of Bloomberg Business Week. The goal for securing networks, the panel would agree, is not one of preventing attacks altogether, but accepting that networks will be breached and aiming to limit the amount of time that an adversary spends within a compromised network. Former four-star admiral William J. Fallon noted that it’s better to have a solid array of defenses than to react to specific attacks by targeting perceived threat actors.
Part of that mission is to work with the government and other private companies to understand what an attack looks like ahead of time. Organizations — whether they operate a Wall Street bank or your local water treatment facility — need to be able to reliably tell the difference between real threats and minor nuisances.
The Target breach, Riley claimed, is a great example of a company with a solid security posture lacking relevant alarms. They had so many security alarm bells ringing constantly, Riley said, that it was nearly impossible for them to differentiate between what mattered and what did not.
Fallon warned against waiting for legislation or hoping the government would swoop in and solve all of our security problems. He said that smaller groups are amassing the power to do a great deal of damage. The government has a limited capacity to respond to hacktivists and criminals. Under ideal conditions, the military can respond to nation-state actors, but ideal conditions are hard to come by given that attribution is such murky business.
Former admiral Fallon leveled his criticism broadly, saying there’s “a kind of la-la land atmosphere out there despite the constant barrage of incidents that are occurring.” He argued that a commonly-held notion that the cyber-problem is merely one of many is “narrow and ill-conceived.” He also called out the government for failing to draft meaningful policy guidance, saying that there are too many special interests pulling the debate in too many different directions.
Jim Penrose, founder of the NSA’s Operational Discovery Center, urged that cyber-defense is not a matter of finger pointing. It’s far more important, he said, to stop intrusions before they occur rather than try to chase them down after the fact. This, he said, is where the government and information sharing are most helpful.
Again, Penrose hit the point that attribution is almost never clear. Incident investigation involves tracking attacks through relay countries that aren’t directly involved in an attack, but are merely serving as an avenue for traffic. This process is slowed down by bureaucracy.
Zachary K. Goldman, executive director of the Center on Law and Security at New York University, explained that the government did just what Penrose is describing in 2012 following a series of massive distributed denial of service attacks targeting U.S. banks.
Instead of targeting the hotspots where attacks originated, widely believed to be Iran, the government reached out to more than 100 countries where the attack traffic passed through and asked them to shut down the malicious servers aiding the attack. The government then helped those countries that did not have the capacity to cut the traffic flow off.
Lt. Col. Bob Fanelli, a computer science professor at West Point and chief of the USCYBERCOMMAND/NSA combined action group, made clear that the military is ready to act if called upon to do so, but it does not make decisions about when and if and under what circumstances to strike. Those decisions, he said, are in the hands of the president.
Fanelli said there is a lot of grey space between nuisance attacks and acts of war, but it stands to reason that an attributable attack leading to loss of life could constitute an act of war. He went on to caution against setting such red lines, saying that threat actors will test red lines, seeing how close they can get to them without triggering a reaction.
“DDoS attacks targeting web-facing private entities probably did not raise kinetic response alarms among decision makers,” he said.
Up until 2012, Goldman explained, there was a sense that a cyber-law would be adopted. It failed because of commercial cost concerns. Then, he said, we shifted to a regulatory, NIST-based framework, which has served as a set of guidelines for the ways a company should think about what it needs to do security-wise.
Fallon argued that the policy approach has failed for two reasons, not including gridlock. Cost, he said, is one concern. Civil libertarianism, particularly the fear that legislation would limit individual choice, is the other. There are a lot of things that could be done that aren't being done, he said.
“Most things that go wrong were not caused by malicious evildoers from across the ocean but by our own stupidity,” Fallon said. “Our own failure to implement proper security controls.”
The best thing the government can do is to look at critical areas and do its best to partner with the controllers of those areas to implement better security. We need to look at what kinds of attacks cause inconvenience and which are truly catastrophic. Focus on the latter, he said. Work to address the no-brainer solutions and adopt smart security protections.
Neal Creighton, the CEO of security firm CounterTack, agreed with Fallon. There's so much collaboration in the security industry, he said. This reality will help address a cyber-environment that has changed from people having fun to highly funded organizations launching highly targeted attacks. Hacktivists and criminals – let alone nation states – are increasingly sophisticated. Creighton argued that we should look to potential co-investment between government and private industry, because much of the security industry innovation is coming from smaller companies providing services to government and larger corporations.
Penrose bluntly noted that we have gaps in our defensive tech. Attackers, he said, are deploying zero days we don’t even know about. We need to look at new technology that can better analyze the way our networks behave. Watch behavior patterns; react to odd behaviors. If a certain employee is performing actions on the network that he or she never performs, that’s a relevant alarm. Some of these alerts could be anomalies, he said, but disregarding anomalies is better than missing attacks.
Creighton would elaborate, saying we need to focus on the dwell time of attacks. Attackers often stick around in networks for months and even years. Protection needs to focus on shortening that amount of time. You will get infected, Creighton said, but if you can stop it within hours or even days, you will be doing a good job of security.
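The behavioural-baseline detection Penrose describes and the dwell-time measure Creighton calls for, shown together as an added Python example (it is not code from the panel, the speakers or the original article): it learns which actions each user normally performs from a constructed baseline log, raises a high-severity alert when a user performs an action never seen for them, raises only a low-severity alert for a known action from a new host (so the relevant alarm stands out from the noise), and reports how many hours the earliest high-severity anomaly sat in the network before it was acted on. Every log line, user name, action and hostname below is constructed for the example.

```python
"""Per-user behavioural baseline with a dwell-time estimate (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in the form "<ISO timestamp> <user> <action> <host>".
# BASELINE_LOG stands in for a window of activity already reviewed as normal.
BASELINE_LOG = [
    "2014-03-03T09:01:00 alice login ws-12",
    "2014-03-03T09:05:00 alice read_share fileserv",
    "2014-03-03T17:30:00 alice logout ws-12",
    "2014-03-04T08:58:00 bob login ws-07",
    "2014-03-04T09:10:00 bob run_report reportsrv",
    "2014-03-04T10:00:00 alice read_share fileserv",
]
# NEW_LOG is the activity being scored against that baseline (also constructed).
NEW_LOG = [
    "2014-03-10T09:02:00 alice login ws-12",
    "2014-03-10T09:04:00 alice read_share fileserv",
    "2014-03-10T23:15:00 alice create_admin dc-01",   # action alice has never performed
    "2014-03-11T02:40:00 alice export_db dbsrv",      # another first-seen action
    "2014-03-11T08:55:00 bob login ws-22",            # known action, never-seen host
    "2014-03-11T09:00:00 bob run_report reportsrv",   # entirely routine
]


def parse(line):
    """Split one log line into (timestamp, user, action, host)."""
    ts, user, action, host = line.split()
    return datetime.fromisoformat(ts), user, action, host


def build_baseline(lines):
    """Map each user to the actions and hosts observed in the baseline window."""
    profile = defaultdict(lambda: {"actions": set(), "hosts": set()})
    for _, user, action, host in map(parse, lines):
        profile[user]["actions"].add(action)
        profile[user]["hosts"].add(host)
    return dict(profile)


def score_events(lines, profile):
    """Return alerts as (timestamp, user, action, host, severity, reason).

    Routine events (known action on a known host) produce no alert at all,
    which is what keeps the alert stream readable.
    """
    alerts = []
    for ts, user, action, host in map(parse, lines):
        known = profile.get(user)
        if known is None:
            alerts.append((ts, user, action, host, "high", "no baseline for user"))
        elif action not in known["actions"]:
            alerts.append((ts, user, action, host, "high", "action never seen for user"))
        elif host not in known["hosts"]:
            alerts.append((ts, user, action, host, "low", "known action from new host"))
    return alerts


def dwell_time(alerts, detected_at_iso, severity="high"):
    """Hours between the earliest alert of the given severity and the response time.

    Returns None when no alert of that severity exists.
    """
    detected_at = datetime.fromisoformat(detected_at_iso)
    starts = [a[0] for a in alerts if a[4] == severity]
    if not starts:
        return None
    return (detected_at - min(starts)).total_seconds() / 3600


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for alert in score_events(NEW_LOG, baseline):
        print(alert)
    # The responder acts at 09:00 on 2014-03-11, 9.75 hours after the first anomaly.
    print("dwell hours:", dwell_time(score_events(NEW_LOG, baseline), "2014-03-11T09:00:00"))
```

Run it and only three of the six new events surface: the two first-seen actions by alice at high severity and bob's login from an unfamiliar workstation at low severity. A real deployment would build the baseline from weeks of data and add more dimensions (time of day, volume), but the shape is the same: learn what each identity normally does, alert on departures, and measure how long those departures go unaddressed.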
Fanelli chimed in that attackers will find the one system that wasn’t patched. Companies need to find those holes before attackers do. He said CEOs need to be more directly involved in security.
“Cyber security is the commander’s business,” he claimed he regularly tells his colleagues in the military.
To that point, Fallon said that on a strategic level, it’s important for the government to engage in meetings with their counterparts in China and elsewhere and seriously discuss how all this hacking business could escalate.
“Like nuclear, if it starts, no matter how, it could get real ugly real fast,” Fallon said.