Rebalancing the Cyber Equation

By Teresa Shea, Executive Vice President and Director of Cyber Reboot at In-Q-Tel

2016 was another banner year for cyber security, due heavily to the dizzying number of attacks and data breaches. As is custom at the end of a year, let’s recap some of what we’ve learned and experienced:

  • The Internal Revenue Service reported that the personal information of more than 700,000 taxpayers was compromised in the 2015 hack vs. 100,000+ as it previously reported;
  • LinkedIn, MySpace, and Tumblr all suffered mega data breaches, leaving exposed an estimated combined total of 500 million accounts;
  • Yahoo fessed up to the largest single company discovered data breach since the beginning of the internet, which affected a minimum of 500 million accounts;
  • Popular websites and services including Twitter, Netflix, and Amazon were shut down due to a Distributed-Denial-of-Service (DDoS) attack using hacked Internet of Things (IoT) devices;
  • State actors breached the Democratic National Committee prior to the Presidential election, and just six hours post-election, cyberattacks commenced against American political think-tanks and non-government organizations; and
  • The San Francisco Municipal Transportation Agency was the latest organization to suffer from a ransomware attack, which affected the operations of the San Francisco municipal railway.

We could go on of course. But of these, the DNC and IoT hacks appear to be the most eye opening and attention getting.

The DNC attack (re)turns the spotlight to adversarial nation state actors, and their attempts to undermine the U.S., its systems and infrastructure. These attacks also raise serious questions about highly-skilled and well-resourced adversaries, but perhaps the most pertinent one is: How should we respond?

The growing footprint of IoT devices continues to fuel threat landscape; today it is not uncommon for appliances, athletic clothing, pill bottles and even forks to be equipped with computing resources. There are predictions that 50 billion devices and five billion people will be connected to the Internet by 2025. The September DDoS attack launched against renowned security site turned out to be a botnet army consisting of hacked devices – a departure from the PC-only botnets of years past.  That DDoS attack was followed by an even larger and more sustained internet attack against Dyn, an internet infrastructure company, which resulted in problems for an array of companies including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix. These attacks have prompted renewed debates on device security, software security, systemic risk, and manufacturing liability, and they highlight how critical cybersecurity remains in this increasingly connected world.

As one considers these events, the number of people affected, and the range of organizations impacted, it’s tempting to conclude that breaches and data theft are simply part of the “new normal;” we are living in a modern world and just like rush hour traffic and power outages, we now face security breaches. But when one considers the long-term impact of decreased consumer and citizen confidence, material reductions in privacy, and intellectual property theft, a fundamental re-thinking of our approach is called for.

We need to re-balance the attacker-defender equation; we need to make it harder for adversaries to achieve their objectives, and we need to help the defenders be more successful.

To start, next generation defenders need to know their networks and computing environments better than anyone else. Too many successful attacks have been the result of adversaries knowing a target’s environment better than its defenders do. If a defender can definitively know the state of his assets and networks — and take automated action when anomalies occur — the attacker’s job will become a lot more difficult. But to achieve such an objective we need to take maximum advantage of advances in networking, machine learning, and cloud computing. Can the combination of machine learning, intelligent asset mapping, and software defined networking allow for automated visibility and response? Is real-time asset status achievable? If these goals are realized, would automated posture changes finally be possible? We aim to find out.

There is no doubt that technology advancements in cybersecurity continue to flourish in both the U.S. and in other parts of the world, with estimates of up to $1 trillion to be spent globally on cybersecurity over the next four years[1]. In the U.S., speculation abounds on what the new Administration’s priorities will be for cybersecurity. Early indications are a focus on “active-defense” approaches to cyber threats, embracing information sharing networks, a boost in law enforcement efforts to pursue cyber criminals, and a top-down review of cybersecurity practices.[2] Perhaps it is time to restart, and build upon what we have with variable response, situational awareness, and security orchestration in mind. Doctrine and awareness enable action that can drive up the cost of the attacker by constantly removing their footholds while keeping the defender’s resources relatively flat. Tracking, identifying, and attributing attacks change the political landscape. A good first step may be establishing a livable equilibrium by changing the economics and politics of the attacker.