It started with a minor inconvenience that quickly escalated into nationwide panic. Twenty million of the nation’s smartphones have stopped working, and a massive power outage is spreading throughout the Eastern seaboard. Multiplying in strength, the phone outage soon reaches 30 million users and causes disruptions at the New York Stock Exchange and electric grid failures. America quickly comes to a standstill. The culprit: A malware program planted in phones months earlier through a popular “March Madness” basketball bracket application.
Although just a fictitious cyber attack against U.S. critical infrastructure, the “Cyber ShockWave” simulation made it clear the nation was far from prepared to deal with cyber terrorists, a topic highlighted at last week’s AFCEA Cybersecurity Symposium held at the Hilton Washington in Washington, D.C. The day-long event featured several panels with government officials and military leaders, who highlighted the importance of protecting the nation’s most critical infrastructure, as well as discussions on public-private partnerships.
Participating in the “Reaction to Cyber ShockWave – Enter DoD & USCYBERCOM” panel, Gen. Ronald E. Keys spoke about the process of information sharing between government and industry.
“If I want you to share information, some of you will readily share, some of you won’t because of privacy concerns,” he said. “Because of concerns of your customer base becoming less than happy with your lack of security, how do we strip the sources of methods, if you will, like we do [off] intelligence, how do we strip proprietary and customer concern off information so we can share it?”
Deputy Assistant Secretary of Defense for Cyber Policy Bob Butler discussed the focus areas the Pentagon has been working on, including looking at cyberspace as a separate domain, deciding whether current efforts are enough or if there is a need for new operating concepts, extending interagency and international partnerships, and training of a cyber workforce.
“Doing security framework is one element that we use as a venue, but there are many others,” he said. “But it really comes down to looking at things in different ways, potentially changing business models and significant implications in terms of policy.”
Keys spoke about some of the steps to prevent cyber terrorists from attacking. By imposing consequences on their illegal actions and making it “painful” for individuals to act criminally, it is possible to deter bad behavior, he said.
“You have to make it dangerous, I believe,” Keys said. “And dangerous means someone is going to knock on your door and pick you up by the scruff of the neck. Or maybe your computer is going to stop working, or you have to make it not worth the time. … You can make it painful that way. You raise the cause, you raise the danger — you’re going to get caught, or something is going to happen to your system.”
Navy Rear Adm. Michael A. Brown, deputy assistant secretary for cybersecurity at the Department of Homeland Security, stressed the importance of acting swiftly rather than waiting for something catastrophic to happen.
“We just cannot wait for an event to occur before we know how we’re going to operate,” he said.
Substituting for scheduled keynote speaker Deputy Undersecretary of the National Protection and Programs Directorate Philip Reitinger, Bruce McConnell spoke about how to turn an insecure ecosystem into a healthy one that can respond to threats. McConnell, who is a senior adviser to Reitinger, stressed how there needs to be a collaborative defense between machines and humans to defend the environment.
In a rare public appearance, White House Cybersecurity Coordinator Howard Schmidt rounded off the event with a closing keynote echoing Keys’ sentiment on creating a policy of deterrence to combat cyber threats. He also stressed how poor cyber hygiene makes it easy for hackers to intrude into networks.
“Why is it that we keep seeing these problems over and over again?” he asked. “Why do we keep getting reports on intrusions in our systems? Why do we keep seeing theft of intellectual property … in the private sector? And the simple answer to that is because we have vulnerabilities.”
Speaking about the cost/benefit aspect of cybersecurity, Schmidt addressed the issue of how to make it less lucrative for cyber criminals to carry out their efforts.
“[If] someone is able to sell a stolen identity for $5, how do we create an environment where it’s going to cost them $10 to get back? There’s just not cost/benefit in them doing it,” he said. “I think that’s one of the components that the private sector will look at on a regular basis, how can we raise the costs of them doing the things that they try to do to the benefit they get out of it?”