19 August 2017

Will U.S. Cyberwarriors Be Ready for the Next Big Hack?

By Sandra Erwin

Hackers around the world see weaknesses in U.S. voting systems, electric grids and other pillars of American society.

Russia’s alleged election meddling and other high-profile breaches have created a heightened sense of vulnerability even as new gee-whiz technologies to keep hackers at bay flood the market.

To deter future attacks, experts warn, the United States needs to shore up its defenses and upend the perception that its systems are easy prey.

“I guarantee the North Koreans and the Iranians saw what the Russians did and they’re going to try things in 2018 and 2020,” said former Pentagon cybersecurity policy chief Eric Rosenbach. “We have to change the perception that they’re going to get away with that,” he said at an industry conference last month.

Intelligence analysts have been raising red flags about North Korea taking a page from the Russian playbook. Cyberattacks are part of the regime’s “nontraditional methods that they can use to both support their own goals and gain some leverage in the international community,” said Priscilla Moriuchi, director of strategic threat development at Recorded Future and a former National Security Agency official.

“When it comes to cyber, they have realized that the cyber realm is an area in which they can exercise a degree of power and influence that they don’t have in other more conventional areas,” she said in a recent podcast.

North Korea’s primary intelligence service, the Reconnaissance General Bureau, has been known to sponsor criminal cyber activity, Moriuchi said. The country is suspected of being involved in the 2017 WannaCry malware attack on systems running Microsoft Windows and the hack of Sony Studios in 2014, but North Korean officials have denied any responsibility.

The U.S. election infrastructure is “woefully ill-prepared for future interference,” said Danielle Root, voting rights manager for democracy and government at the Center for American Progress. Outdated systems and “inadequate cybersecurity measures for voting machines and databases are just a few vulnerabilities that leave U.S. elections open to subversion by hostile entities.”

At professional hacker events in Las Vegas this summer, the nation’s alarming cyber vulnerabilities made for heated debates. The largest of the events, called DefCon, had “hacking villages” where techies tried to break into voting machines, medical devices, electric grids and industrial machinery.

And, for the first time in the conference’s 25-year history, two members of Congress — Texas Republican Rep. Will Hurd and Rhode Island Democrat Rep. Jim Langevin — attended and received a rock-star reception, according to attendees.

“The community was happy to see us,” said Jessica Wilkerson, a professional staff member of the House Committee on Energy and Commerce. On Capitol Hill, she said, there is a push to build a relationship with friendly hackers, also known as “security researchers.”

One of the themes across cyber conventions like DefCon, Black Hat and BSides was a need to “try to bridge the gap between the technology and policy worlds,” said Beau Woods, cybersecurity analyst at the Atlantic Council.

Striking a balance between security and privacy has been a contentious issue for years. Mistrust between the government and the tech sector deepened in the wake of Edward Snowden’s leak of NSA documents in 2013. Apple, in 2015, rejected the government’s demands for an encryption backdoor in the iPhone for law enforcement after a mass shooting in San Bernardino, Calif.

As the nation faces increasingly tougher threats, “hackers and policy makers are trying to empathize with each other,” Woods said during a recent panel discussion in Washington, D.C.

Langevin’s talk at DefCon drew more than 2,000 people, said the congressman’s legislative director, Nick Leiserson. “That was different,” he said. “People were surprised to see us there.”

Woods and other experts cautioned that cybersecurity has become such a tech-dominated area that there is a risk of becoming enamored of buzzwords and shiny objects.

The ubiquity of cloud computing is a case in point, he said. “It’s impossible for aftermarket solutions to work when the cloud was not built with security in mind upfront.”

Promising technologies like artificial intelligence — software that autonomously detects and thwarts attacks — are fueling investment and innovation, but should not be seen as silver bullets, noted Ariel Robinson, a cybersecurity writer and analyst.

“Every vendor saying they can solve all your problems is a huge issue,” Robinson said at the Atlantic Council forum.

Ivan Novikov, CEO of security startup Wallarm, reported that companies around the world spent $157 billion on information security products over the past two years.

The “product-centric” approach to cybersecurity is a major concern because it distracts from the fundamentals, noted Mark Orlando, chief technology officer of Raytheon's managed security services business.

Raytheon in June received a five-year, $1 billion contract from the Department of Homeland Security to help protect “.gov” websites from cyberattacks.

“Everyone in the industry is trying to find a fresh angle on solving difficult cybersecurity problems,” Orlando told RealClearDefense. “But breaches are still occurring. Sophisticated attackers are a persistent presence,” he said. It takes on average 200 days to detect intrusions.

“As an industry we’re still largely taking a product- and technology-based approach,” he said. Vendors will promise a “magic box that can solve your problems, stop data leakage, find bad guys,” but the new age of cyberwarfare requires a greater focus on people skills. “Defenders and hunters, responders and engineers … we need to pair them with technology that can support them in their mission,” said Orlando.

At Black Hat this year, there appeared to be more emphasis on “proactive hunting,” which is a positive development, he said. “The industry is starting to come around to the fact that we need people who are every bit as skilled and knowledgeable as these attackers to go out and look for these threats. You can’t just rely on tools to do that.”

Companies are making multibillion-dollar investments in new means of automating cyber defense, such as artificial intelligence and machine learning.

“That is absolutely necessary,” Orlando said. “However we still have high-visibility breaches still happening because we’re still not great at doing the fundamentals.” That means going back to the basic blocking and tackling of cybersecurity: reducing the attack surface, making sure systems are updated, that controls are in place to prevent unauthorized access, and that vulnerabilities are patched quickly. “These are very basic functions that we are still, as an industry, not doing reliably, repeatedly, as well as we should.”

Defending networks further should be an integral part of an organization’s larger security strategy, and that applies to everything from military information systems to electric grids, said Michael Daly, cybersecurity chief technology officer at Raytheon.

“It’s about making sure that the ways systems behave, data flows and people interact is as expected,” he said. “What you worry about is having the right entities touching the data.”

People skills in cybersecurity also are needed at the policy level, said Debora Plunkett, former director of information assurance at the National Security Agency. “Cyber is a lot of technical work, but also a lot of policy.”

“We need lots of technical people,” Plunkett said at a New America conference in Washington. “We also need lots of people who can think from the policy perspective, who can envision what the future looks like, who understand international norms, and people who can lead through difficult challenges.”
