Threat, vulnerability, consequence, and mitigation (with names named).
White House cybersecurity coordinator Rob Joyce addressing the Billington CyberSecurity Summit. Nathan Mitchell for Billington CyberSecurity
By The CyberWire Staff
Sep 15, 2017

Threat, vulnerability, consequence, and mitigation (with names named).

The annual Billington CyberSecurity Summit convened in Washington on September 13, 2017. Here's an overview of what the leaders who exchanged views had to offer.

Internet-of-things equals infrastructure-attack-surface.

Consensus among Government leaders who spoke at the Summit was that proliferation of the Internet-of-things, designed for the most part with inadequate attention to security, has vastly increased the attack surface US critical infrastructure presents to adversaries.

Naming the adversaries.

Who those adversaries are is not in much doubt: nation-states Russia, China, Iran, and North Korea (listed roughly in order of severity of threat, based on capabilities and intentions) and also violent extremists like ISIS (not particularly capable at hacking, but enjoying considerable success at inspiration). Speakers took a particularly dark view of Russian intentions, with Representative William Hurd (R-Texas) calling that country's operations in Eastern Ukraine (which is "not a separatist movement at all; there are more Russian officers in Eastern Ukraine than there are Ukrainian officers") among other things a large-scale effort to perfect their electronic and cyber warfare capabilities for use elsewhere.

The Commander, US Central Command, General Joseph Votel, was similarly clear on the Iranian threat. He regards Teheran as a principal source and beneficiary of regional instability ("it operates in the grey zone"), and he's seen a significant increase in its offensive cyber capabilities. On violent extremism, Votel noted that as ISIS's physical caliphate continues to shrink to insignificance under direct military pressure, a virtual caliphate has arisen to take its place. That virtual caliphate has so far shown little cyber offensive capability, but it's enjoyed considerable success in information operations, appealing to recruits and inspiring lone wolves worldwide. 


No one had anything to say against information-sharing; all speakers were strongly committed to doing so with partners (and the partnerships included government and the private sector as well as international alliances). Cyber ambassadors from Australia and the UK described a commitment to public-private information sharing scarcely distinguishable from that expressed by their American counterparts.

Risk-management, not compliance.

There was complete consensus that cybersecurity had to be approached as an exercise in risk management, not checklist compliance. This was the view even among those who saw the value and utility of frameworks like the NIST cyber framework and the NISPOM security requirements.

It's noteworthy that the two US officials asked about the just-announced ban on Kaspersky software by the Department of Homeland Security flatly and strongly supported DHS. Representative Hurd and Robert Joyce (Special Assistant to the President and White House Cybersecurity Coordinator) both characterized it as sound risk-based decision. Joyce thought the ban both prudent and proper. "It was a risk-based decision and the right call. It's unacceptable that a company could move data to Russia, where law requires it to cooperate with the FSB."

The AI imperative.

Finally, the amount of data ingested by automated systems requires artificial intelligence to handle. AI is an imperative, in the view of several experts we spoke to at the Summit. It's especially important in view of labor shortages and the need to keep up with swiftly advancing technology.

More extensive coverage of these topics may be found in the linked articles.