Twenty years after government and military officials revealed the menace, internet hacking remains such an existential threat to the nation that it will require a “moonshot-style” development to get ahead of the hackers, warned speakers at a cybersecurity symposium hosted by University of Maryland University College (UMUC) on Oct. 10.
The daylong “Cyber at the Crossroads” symposium, co-sponsored by the National Security Agency’s Cyber Center for Education and Innovation–Home of the National Cryptologic Museum and UMUC, attracted hundreds of cybersecurity professionals to hear panels of experts talk about the past, present and future of protecting information from hackers, thieves and spies. It came in the wake of a series of cyber breaches in government and the private sector that have allowed hackers to gain access to sensitive financial and personal information of millions of Americans.
“Whether we like it or not, we are at war and we are not winning,” said Retired Army Maj. Gen. Dave Bryan, president and CEO at Bryan Business Management and Technology. “Every leader in cybersecurity has to deliver the message that this is important to the nation’s survival.”
Incremental change will never be able to keep up with the hackers, said Retired Army Major Gen. John Davis, who is now the federal chief security officer for Palo Alto Networks. Industry and academia should join in a major government-financed effort akin to sending a man to the moon in the 1960s, he said.
Rob Joyce, special assistant to President Trump for cybersecurity, said finding the right mix of regulation and technology to protect cyber systems is not easy. Too much regulation or the wrong kind of regulation can make systems less rather than more secure. View his complete remarks.
Some regulation is essential and good Joyce said because it protects lives, and it is required when industry shows it will not self-regulate. But, he added, regulations become counterproductive if private industry needs “an abhorrent amount of time” to understand them at the state level, across a number of federal agencies and in multiple international marketplaces.
“Cybersecurity is actually weakened by competing regulations that allow a company to throw up their hands and say, ‘they are telling me right and left at the same time. I’m going to pick the one I like best,’” Joyce said.
Layers and layers of regulations that end up having no value are destructive, he said, and regulations that lock an industry into outmoded practices are self-defeating. The Trump administration is less about regulation and more about market forces, he explained.
“From my chair, a little bit less is more,” Joyce said.
In addition, more and more information is surfacing about the efforts Russia has employed to hack into election and campaign data to manipulate the 2016 presidential election, and hackers even have breached the computer systems of the NSA, the super-secret American spy agency that is charged with breaking into the systems of adversary governments.
Such incidents were predicted 20 years ago at the dawn of the cyber age when a secret military exercise dubbed Eligible Receiver 97 demonstrated that government authorities had little ability to recognize or defend against a coordinated network attack. The exercise showed that the nation’s critical infrastructure was open to hackers who could disrupt 911 emergency response systems in major cities as well as military networks at the top of the national command network.
At the symposium, much of a classified video report on the findings of Eligible Receiver 97 was made public for the first time so that attendees could see how much progress had been made in two decades.
“We found that no one at DoD was in charge of detecting, reporting and addressing cyber attacks, said Retired Air Force Lt. Gen. John Campbell, who had taken part in what is commonly called ER97.
The Defense Department realized that something bad was happening, Campbell said, but it did not know how to respond. Initially, there was a lot of resistance among the military’s service branches to have a joint authority that had access to all their systems. But ER97 became the foundation of information for talking with Congress about the problem.
In the ensuing 20 years, federal and state governments and private businesses have wrestled with how to approach cyber threats in general and who should spearhead the defense against them. To start by calling the threat cyber warfare was a bad idea, one panelist said because so many people outside of the Pentagon thought that warfare was not their responsibility.
“We still struggle with the problems of vulnerability and don’t close on them,” said Retired Air Force Lt. Gen. Ken Minihan, who is now managing director of the Paladin Capital Group. “We have not attended to the shared vulnerabilities between the government and the rest of us.”
And in 1997, the Defense Department was not focused on the threat from state adversaries, said Michael Warner, Ph.D., U.S. Cyber Command historian.
“We were focusing on terrorism and rogue states,” Warner said. “It wasn’t for another eight or nine years that we started thinking about state adversaries.”
With internet connectivity increasing at an exponential rate, the ability of hackers to find and exploit weaknesses keeps growing. The ubiquitous, nearly free microprocessor is part of almost everything, said Steven Cambone, associate vice chancellor at the Texas A&M University System.
“Every device has a microprocessor connected to the world,” he said, “but it [a microprocessor] has no security measure at all. Bugs can be inserted before it is sold. If it is not corrupted when it is delivered to you, it is easily corrupted after you get it.”
All the stories about hacking and cyber theft have yet to “sink in” to the American people or their leaders, several panelists said. Americans are more worried about the government getting access to their personal information, even while they gladly are giving it away to get a discount coupon on the internet, according to one.
“We are not angry enough at this point,” said Retired Adm. William O. Studeman. “We are still patch and pray. We are jeopardizing our future. There must be some form of national mobilization. This is one of the three or four top threats to the nation.”
But instead of making sure that everything produced for the internet is built with security in mind, said Palo Alto Networks security guru Davis, the nation is busy finding patches to fix vulnerabilities. He then compared cybersecurity to the automotive industry to underscore the point that patching existing systems doesn’t work.
“What we have today in the cybersecurity world, is a bunch of folks going out to a hundred auto parts stores and buying parts and trying to build the car themselves,” Davis said, “rather than going into a dealership and buying something that is designed to work together.”
One of the great vulnerabilities for individuals is the pilfering of personal information that can be used by thieves to create secret identities, Joyce said. That could be fixed by ending the reliance on Social Security numbers for identity.
“It’s going to be hard, but we have to stop using Social Security numbers,” Joyce said. “Once my Social Security number goes into a database, it is a risk to me. My Social Security number and some public information about me available on the web is enough to steal my identity and open accounts.”
The technology is available to change the system, he said, but summoning the political will to do it is more daunting. Ten years ago, there was an executive order to change the use of the Social Security number, Joyce said, “but here we are more than a decade after we realized it was a problem.”