Hackers use innovative thinking when breaching systems, why can't government?
When I spoke on the need for cybersecurity innovation at the January ITEXPO conference in Fort Lauderdale, Fla., I sensed something interesting about my cybersecurity colleagues: They don't seem to care about innovation; they care about having a job in cybersecurity.
Unfortunately, this is a normal reaction, and has plagued both government and industry, leading to inferior cybersecurity products and deployments that may never catch up with the hacker -- unless we change our thinking.
The difference between a hacker and cybersecurity companies is that a hack has no brand, no national loyalty, no secure employment. Hackers immediately use or develop for their purposes the best hacking technology out there. It is this same innovative thinking we must use in approaching our cyber defense technologies.
One of the most difficult challenges in offering superior technologies to big government and big business is the massive amount of bureaucracy you must penetrate. As a cyberdefense expert and adviser, I know how to choose the best technologies while addressing the hurdles of bureaucracy. Like the hacker, I have no brands, bosses or bureaucrats influencing my objective selection (though I do admit to national loyalty as an American). I can focus on correcting cybersecurity problems and find the best in defense technologies to address them.
I have discovered that government and business are sometimes their own worst enemies. While government decisions are sometimes based on confusing politics, industry makes decisions based on a technology's return on investment or a corporate purchase that has now made a technology part of their company. This type of thinking not only delays needed new cyberdefense technologies from getting in, but can cause old technologies to be used due to political and business decisions. These inferior technologies are known and hackers can already can penetrate them. A perfect example of this was the U.S. Office of Personnel (OPM) data breach and the solution of the problem (EINSTEIN) that is plagued itself with problems. We need to find better ways of offering quicker technical responses to cyberdefense technologies or hackers will always be one step ahead.
Today if you are offering even an urgently needed technology there are two main factors that will give you road blocks. Government is making political decisions and industry is making monetary decisions. This is the worst place to be when offering a disruptive technology but is exactly where I have been in the last few years. I use a simple formula in addressing these road blocks. One is know your problem and predict how big it will become. My past articles written over a period of five years given me a discipline of putting my name on not only disclosing the problem but offering some suggested solutions to the massive weaknesses were are facing in cyber defense. With limit resources this is difficult but I have had the luxury of standing back from politics and business and staying focused on the problem and the fix just like a hacker focuses on getting in.
Now, you can't disregard the reality of politics and business, but you must surround yourself with people who excel at such things so you can maintain your focus on correcting problems. This approach has allowed me to surrounded myself with the best in both technology and business.
In an article in The Wall Street Journal by President Barack Obama titled, "Protecting U.S. Innovation From Cyberthreats," both the cyber attack threats and the immediacy in addressing these threats was clear. The president’s analogy that, “government IT is like an Atari game in an Xbox world," was a perfect example of how much catch-up is required by the federal government when it comes to cyberdefense systems.
In fact, the president is pushing a new Cybersecurity National Action Plan that includes $3 billion to kick-start an overhaul of federal computer systems. This is the right move to stop the bleeding. But let's go back to the hacker: All the employment and training in the world cannot stop a hacker's millisecond attack. People don't think in milliseconds; technology does. We need to find technologies that can proactively defend in milliseconds, or we will lose our defense capabilities to the first strike capabilities of hackers. This can be done, but will require big changes in our current cyberdefense technologies; we cannot continue using the patch and pray cyberdefense systems we employ today.
The reason hackers can hack in the first place is that the 3rd- and 4th-generation software used today can be exploited because it was made to connect and automate things -- not view or secure digital processes. The code and algorithms are, by nature, vulnerable to attacks. And new cyberdefense techniques such as analytics and business intelligence software may actually be adding to the prevalence of cyberattacks as they also run on 3rd- and 4th-generation software. In fact, my colleagues and I have been warning that security software's use of analytics and business intelligence software will be the next attack targets. Why steal a database when you just hack the analytics and business intelligence software to see what a company is doing? We can't continue this way. We need a true paradigm shift in cyberdefense technologies.
There is a great article in the Washington Post called, "A History Internet Security." It gives a great snapshot of where we started with Internet security and why we have the problems we do. The lack of security was intentional. No one thought the Internet would get so big or be used in so many ways. Interestingly enough, the reason the Internet was first developed was to create a survivable network even if an atomic war occurred. The survivable network was a great idea. Offering little to no security was not.
As an independent adviser I have worked with some of the best in both technology and business. Together we have seen the problems and have again and again come back with confidence to the same solution. First and foremost, we need to understand that cyberdefense is just the viewing and auditing of selected security policies in milliseconds for a specific process. It is validating what we want to happen, not what we don't want to happen. This is how we can protect critical systems and intellectual property residing on the Internet.
The entire cybersecurity industry has been looking at cyberdefense in the wrong way and frankly has used the wrong technologies in the wrong place when addressing it. To clarify the needed changes we must make in cyberdefense technologies, my colleague Tom Boyle, CEO of On Point Cyber, Inc., commented on what the problems are, what changes must be made and how they should be implemented.
Q: Can you explain the problems we face when it comes to cyberdefense technologies?
The proliferation of big data, the Internet of Things, cloud computing and mobile devices has created an intrusion detection environment that challenges current information security practices, if for no other reason than sheer volume of data. Detecting intrusion is akin to finding a needle in a haystack. Government and corporate leaders echo the need for a fundamentally different approach to cybersecurity, capable of sustaining the pace of cyber threats, while detecting intrusions at machine speed.
Q: What changes need to be made to address these weaknesses?
We see an information security transformation to the process side of information technologies, and work with companies who develop these capabilities, 5GL visual languages of logic with autonomic modeling of system operations for immediate reactive cyber security. Through these technologies, the cybersecurity playing field is leveled, so defenders can stop attackers within milliseconds, at the point of attack.
Q: How do we get this done and done quickly?
Fortunately for the United States, the Department of Homeland Security and other agencies have spearheaded cooperative research and development between private and government sectors, to readily identify and adopt new and emerging tools to secure our most critical cyber infrastructures. Now it is time to get it done.
The trouble with hacking is twofold: We don’t see it, and we don’t understand how damaging it is. So first and foremost, we need to find a different word for "hacking." It is too nice a term given the devastation it causes.
I grew up in Harper Woods, Mich., and lived one block away from Detroit and one block away from Grosse Pointe Farms -- my small city sat between these two vastly different communities. The satellite photo below shows these two communities: The left depicts the complete demolition of entire neighborhoods that were knocked down for the copper in the walls. Those living on the right side -- with which my small community aligned -- didn’t steal, nor would we let people who stole into our neighborhood. We had a good police force, but frankly, the old ladies were the enforcers: By the ear, they would walk the intruder right back to his house. Basic defense, but quite effective.
Cyberdefense is the right side of the picture. Cyber war or cyber offense is stealing back and forth, which in the end offers no gross national product until there is nothing left to steal. That is the left side of the picture. This is a picture of just millions lost over many years. Last year, in the private sector alone, British insurance company Lloyds projected that more than $400 billion was lost due to cyber attacks.
Anybody got a picture for that?