LifeJourney's Rick Geritz opened the Innovation Summit, welcoming the symposiasts and comparing the state of cyber security thinking today with the onset of the space race in the late 1950s. He suggested that our present moment will be seen, in historical perspective, as the kind of technological, economic, and policy watershed the United States experienced during the first years of its competition for space with the Soviet Union.
Geritz followed his opening remarks by conducting a high-level question-and-answer session with SINET's Robert Rodriguez. Rodriguez emphasized one of his recurring themes (and a theme subsequent speakers would also take up): the importance of public-private partnership in advancing the state of cyber security. He argued in particular that entrepreneurs can bring that partnership a distinctive and invaluable willingness to take risk, and he called for continued cultivation of a healthy innovation ecosystem for the sector.
Daniel B. Poneman, US Deputy Secretary of Energy, delivered the morning's keynote address. He observed that open societies have created effective ways of distributing energy, information, and tangible goods, yet the very source of these strengths has given their adversaries a large attack surface and a multitude of interconnected soft targets. The Department of Energy itself affords an example of such exposure: its nuclear mission makes it the custodian of some of the most sensitive and closely held information imaginable, but it also handles and distributes publicly accessible, completely open information about (to take one example) the power grid.
A few years ago three national laboratories came under cyber attack. The DoE's response was necessarily a hard one: lock systems out of the Internet and recover functionality through difficult, hands-on labor. Poneman drew several lessons from this experience. First, technology, capital, and policy are all necessary to an adequate response to the threat. Second, that response must be prepared, and exercised, in advance. (Exercises are particularly important. They reveal and fix roles and missions, exhibit legal authorities, expose communications gaps, and show technological needs.) Third, layered defenses are vital: you cannot parry a determined attack with a hard perimeter alone. Finally, automation is necessary not only to keep up with (and ideally ahead of) the adversary, but also to maintain situational awareness of your own networks.
The morning's subsequent panels would elaborate Poneman's and Rodriguez's points. The panelists were particularly clear on the need for adaptable, agile defenses in depth (and more than one suggested that biological models might help structure these). There was general consensus that automated analytical solutions would prove crucial to providing awareness of, to put it in military terms, both the friendly and enemy situation, and the actionable intelligence necessary to deal with threats. And they stressed the need for cyber intelligence, shared in near-real-time, that would enable enterprises to tune their defenses to the threat vectors.
Three articles highlighting some of the trends under discussion today appear in the special section below. We'll be offering another issue devoted to the Innovation Summit with tomorrow's CyberWire. We plan to include some interviews with those attending the conference as well as a summary of the afternoon's events. In the meantime we'll continue to provide live coverage via Twitter.
SINET's Innovation Summit concluded yesterday with discussions of appropriate cyber security roles for government and the private sector, the challenges of enhancing security and privacy, the use of actionable risk intelligence, and fresh collaboration models.
There was consensus among the symposiasts that effective defense would require broader collaboration, and that a prime form such collaboration must take is timely sharing and analysis of cyber threat intelligence. Automation—eventually realized in machine-to-machine links—seems essential to achieving both the speed and clarity necessary to the development of actionable intelligence. Enterprises generate more data than human watchstanders can analyze, and without automated analytical tools these data will blind an enterprise with what amounts to the glare of war. (Human watchstanders and reverse engineers can also quickly become prohibitively expensive.)
In addition to threat intelligence, enterprises should also share defensive tactics, techniques, and procedures. These will inevitably involve defense in depth, and they should be developed and deployed in the context of sound risk management. Several panelists stressed the importance of situational awareness of one's own networks, and of improving security through behavioral analytics built around business processes.
That the cyber threat is both global and permanent seems beyond question. Adversaries are numerous, often well resourced, and above all adaptive. As the attackers, they enjoy an inherent advantage over defenders: the attacker need succeed only once to damage an enterprise. Both government and industry work to stop attacks, but stopping attackers—counteroffensive cyber operations—is by industry consensus a governmental responsibility.
Government speakers acknowledged that industry has much to teach them, not only in terms of technology, but in terms of best practices as well. There was widespread agreement that joint cyber exercises are essential to effective cyber defense.
We link to several articles below that illustrate some of the symposium's themes: the enduring nature of the threat (particularly as it manifests against the financial sector), the possibilities of collaborative defense (and how exercises enhance it), and the value of a fresh look at policy (especially personnel policies).
One executive attending the conference, Peter Clay (of CSG Invotas), offered us his perspective on the value of cooperation, and the challenges involved in achieving it. "The information security community is currently overcoming enormous hurdles that were imposed out of fear that any threats they were experiencing would be exposed. After all, this is a community that historically has struggled to even admit that there might be an issue with security." He regards a forum like SINET as invaluable. "Until about two years ago, there were few forums for organizations to share their security challenges in a safe and confidential environment. Before that time, the information organizations were willing to share was often out of date to the point of being useless. Today, open and up-to-date information sharing can take place without significant concern of reputational risk or undue public scrutiny. Simply learning to communicate threat exposure or risk doesn't solve all of the issues, but it is an excellent first step."
Admiral Michael Rogers, Commander of US Cyber Command and Director of the National Security Agency, closed the conference with the day's second and final keynote address.
He opened by expressing his belief in the cooperation SINET is working to create. "Cyber," he remarked, "is the ultimate team sport." The engines of technological advance aren't in the government, and the government, finance, and technologists need to work together to share information and expertise.
That sharing is more difficult than Admiral Rogers would like it to be, both within and outside the government. He'd like to get faster. He'd like to know what malware the private sector is seeing, and what tactics have worked against it. He'd like to share threat intelligence, harnessing NSA's foreign intelligence mission to understand what's going on in cyberspace, and pushing as much intelligence as reasonably possible out to the private sector and other government agencies.
Cyber is particularly challenging: it's no respecter of traditional boundaries, whether geographic or organizational. "If we can't get beyond our comfortable boundaries," he said, "bad things will happen."
A question from the audience asked about the possibility of going out of the government's comfort zone by holding joint exercises including uncleared, non-contractor private-sector enterprises. Admiral Rogers agreed that some such set of tactical exercises is needed. We should also begin by picking sectors we work with well now.
A follow-up question asked about the possibility of including the private sector in offensive cyber operations, and here the Admiral demurred. There are legal obstacles to this, and we should certainly begin with the easier, more obviously permissible defensive exercises.
Another question from the audience likened a compromised computer to an enemy soldier, and asked how we could secure all the computers in the US. Admiral Rogers proposed an analogy—there are millions of vehicles on the roads in the US. The federal government, the states, industry, and private individuals all have a role in automotive safety—it amounts to a vast partnership. "I think cyber is like this in its complexity. I don't foresee any governmental agency or level assuming full responsibility for cyber defense." It's a complex partnership: we need legislation to protect companies from liability for sharing information (or acting on it). And leaders can no longer tell the CIO "this is your problem; fix it." Our cyber problems are foundational and must be dealt with as such.
In response to a question about what can be done to rebuild trust and repair the damaged brand of NSA and the US as a whole, the Admiral said that NSA has a real and important mission. "But we need more transparency. Recognition of the inherent rights of individuals led to the creation of the United States. It's our foundational idea." He called for broader dialogue to engender trust.
His conclusion reminded the conference of the severity and reality of the threat. "Let me conclude by cautioning you not to believe everything you read. There are adversaries who seek our annihilation. As much as we want transparency, those adversaries also listen, and they watch very closely. If I'm too specific, I weaken us. We absolutely need dialogue. And we need to balance this dialogue with measures to secure us against those who wish our destruction. There are enemies out there who would, if we permitted it, repeat 9/11 on a vastly larger scale. We can't forget this."