The head of U.S. Cyber Command argues stronger data protection needed in new threat environment.
Admiral Michael S. Rogers, head of U.S. Cyber Command, called Russia’s cyber operations “destabilizing.” During recent exchanges on Capitol Hill, Rogers appeared to be in agreement with the U.S. intelligence community that Russia's election interference is likely to be a new normal.
Russian President Vladimir Putin “figured that he was no military match for the United States, but he could launch a Manhattan Project for cyber attacks,” Rep. Jamie Raskin, D-Md., declared last month at a hearing of the House Oversight and Government Reform information technology subcommittee.
It is still an open question how the United States will fight back, whether it’s Russia or other foreign hacking onslaught. U.S. officials and experts warn that it is time for fresh thinking on how to combat these threats, both in government agencies and in the cybersecurity industry.
A cybersecurity executive order President Trump signed May 11 says the government for “too long accepted antiquated and difficult–to-defend” information technology systems.
And as the government turns to the private sector for ideas and solutions, the industry has a big challenge at hand, says Roger Hockenberry, founder and CEO of the consulting firm Cognitio.
Cyber attacks like those being perpetrated by Russia and other nations cannot be fought in conventional ways, Hockenberry insists. “I will say these attacks are going to continue and they will grow in scale.” The resources needed to wage cyber warfare are “so commoditized they're easy to assemble.”
Much of the government and the industry are still wedded to “legacy security” that aims to build walls or “moats” around information systems, as if they are guarding a castle, says Hockenberry. “The problem is that moats are ineffective,” especially as more systems and devices are connected to the internet.
Eventually most “end point” security barriers are breached, which is why he favors approaches that focus on the data, regardless of where it resides. “We know networks are going to be compromised so why not focus on information integrity and the veracity of the data?”
Many of the industry’s biggest players today are pushing their own “platforms” and setting unrealistic expectations, Hockenberry says. “What you see is companies saying they can defend ‘zero day attacks,’” he says. “But you really can't. You might be able to tell me something has gone amiss in my network but you can't ‘pre detect’ a zero day attack. And you can't stop people from clicking on links they shouldn't click on.”
Some legacy products like virus scanning software and malware countermeasures are always going to be useful, he adds, but the goal should be to “move toward the ability to protect data” and ensure its accuracy.
At an industry conference last week in Washington, D.C., experts argued that the rapid growth of the “Internet of things” is launching a new wave of security nightmares.
“We literally have an explosion of IOT devices in the Department of Defense and on the tactical edge,” noted Charles Wells, a retired Army colonel and now senior account executive at Symantec. Wells called for bigger investments in “analytics” to monitor networks and for increased hardening of network hubs. The military is deploying thousands of sensors in combat zones that are connected to information systems and create additional vulnerabilities, Wells said.
As more devices and sensors connect into the Internet of things, he argued, the government needs machine-learning tools so systems can self-defend. “As the system gets smarter it learns when it’s a legitimate user versus an intrusion,” said Wells. “It’s a compelling solution.”
Hockenberry countered that the industry has to rethink its obsession with protecting networks. “The goal for us is to stop focusing on device security and start focusing on information security and information veracity.” Even if a system is compromised, that is not as critical as whether the data has been corrupted. If the Russians are trying to influence our elections, the question should be, “What information can I trust?” As more sensors are deployed, “We collect more information but do we understand the data?”
Congress is right to be worried, cautions Hockenberry. “Cyber attacks are becoming more complex, hackers will seek more lucrative ground from a criminal perspective.” Increasingly their goal is not only to steal information but also to change information to create doubt and uncertainty. If Russia’s cyber army is able to create distrust about our system of government, “We have to be able to protect against that.” How could that be done? “You have to give the right messaging back to the citizens, such as ‘This is how we are going to guarantee the veracity of our election results and minimize this kind of influence.’”
To this day, there is no company creating a product to do that, says Hockenberry. “There is going to be this empty space where attackers have an advantage for a certain period of time until technology catches up. This is the nature of the race that we're in.”