24 August 2017

The Five Essentials to Winning America’s First Cyberwar

by Steve King

The characteristics of the cybersecurity war in which the United States is now engaged are not dissimilar from any team sporting contest. Whether in football, baseball or basketball, the game is won or lost on four key elements. Winning almost always comes down to offense, defense, coaching, and playbook execution.

In cybersecurity, winners and losers are defined by their ability to beat their opponent in education, information, technology and economics. We have seen in recent years that the U.S. government and U.S. businesses do not possess a superior advantage in any of those four key categories.

In education, our colleges and universities have failed to develop and deliver cybersecurity programs to their students — on such a mass scale that in all but a small handful of colleges, it is hard to find cybersecurity courses even within computer science programs. Businesses have failed to educate their employees on the fundamental cybersecurity issues surrounding their specific job duties. We have tons of educational programs aimed at social sensitivity training but none targeted toward an understanding of common cyberthreats or the precautions necessary to avoid being hacked.

While we possess little of the knowledge and skills necessary to compete with a global cybersecurity threat, our adversaries have focused enormous energy and expense on building a trained workforce. Such teams have extraordinary skills to not only deal with threats but to also militarize that knowledge as part of an active cyberoffensive that's prepared for global conflict. As an example, North Korea began training electronic warfare soldiers well before the internet era, and selected math prodigies and trained them to become software developers, online psychological warfare experts, and hackers.

Our State Department estimates that there are over 10,000 trained cybersecurity hackers embedded in units of the North Korean military, busily executing a variety of global offensive cyberattacks, many of which we hear about on a weekly basis. And of course, North Korea is not alone.

Information in cybersecurity means the intelligence each adversary has at its disposal for use in attack planning and strategy. A quick review of large-scale cyberattacks during the past four years would suggest that we know very little about our attackers, while our attackers know a whole lot about us. A simple example would be the Sony Pictures attack, where forensic analysis seemed to point at the North Koreans, but many in the InfoSec community believe it was the Chinese who conducted this attack as a social media exercise to gauge the U.S. response.

As we witness countless cyberattacks on both private- and public-sector entities, it is hard not to conclude that the actors have much more information about their targets, our defenses, and the technology we use to detect and protect than we have about their attack styles.


On the technology front, you would think we would be blowing away the competition, as we are always seeing claims of how we are the superior innovators and how countries like China regularly rip off our proprietary designs and copy them. But of the 400+ software products in the cybersecurity space, very few are designed to detect modern and advanced malware.

For example, of the 25-plus products that claim to be in the Cybersecurity Artificial Intelligence (AI) space, many are currently working to integrate AI technologies to aid with threat detection. Yet these are only very recent developments, and only a few have actually brought commercialized products to market.

IBM's Watson may be quite good at Jeopardy and Chess, but predictive analytics are usually most effective inside a finite space where the rules are known and the variables, while many, are limited. Also, unlike in games such as Go, where again Watson has proven to be masterful, our counterparts in cybersecurity don’t follow rules.

The economic picture is even less heartening as we watch threat actors using increasingly commoditized Cybercrime-as-a-Service tools costing as little as $25 for a fully functioning exploit kit to wage successful attacks against behemoths such as Chase Bank, which is spending a half billion a year on cybersecurity defense measures. It’s $25 vs. $500 billion, and the guy with $25 is winning.

But the fifth essential key may be the most important key of all, and it is the one that is definitely missing for the home team. The fifth essential key is leadership.

Businesses in the private sector do what they have always done in a capitalist system. They maximize revenue, speed to market and profit. Manufacturers of hardware and software are only interested in satisfying consumer demand. And right now there is no demand for security. We are for the most part an entitled and optimistic society, which would rather focus on desired outcomes than on attendant risk and vulnerability. We like that we have plug and play stuff, and we don’t like having to figure out how or whether we should change the default passwords in our home routers.

We do, however, have a maverick in the White House, and he may decide to don the leadership cape and head out onto the playing field with an agenda for change. Change in the way we manufacture internet-capable devices, in the way we design and deliver software applications, and in our national security policy and processes, so that the software manufacturers cease becoming the last to know that there are vulnerabilities in their products. Change in the way we interpret international law during a time of war, so that we may pursue our adversaries and weapons dealers in cyberspace, as we would on a physical battlefield, and change in our education system so that our students can prepare themselves for a future that will be defined by this existential threat.

And finally, a change in leadership so that this single and perhaps most potentially devastating danger to our national interests is elevated to a level of policy definition on equal footing with our defense, health care, social and economic agendas. If we fail to do this and instead continue to ignore the tremors along the fault line, we will soon reflect back on the last few years as a day at the beach compared with what we will be facing in the future.

Steve King is the COO of Netswitch Technology Management.
