A number of senior US civilian officials and military officers represented their organizations at the Summit. There was a general consensus that cybersecurity increasingly pervades everything their enterprises do (but that everyone needs to do more security-by-design), that legacy systems remain a field of vulnerabilities (and that their modernization and replacement represents an opportunity to improve security), and that the Government competes for cyber talent at a disadvantage (and must look for creative ways of attracting people into Federal service).
"Cyber first, cyber always" at the Pentagon.
Dana Deasy, US Defense Department Chief Information Officer, opened the conference with an account of how the Pentagon's information priorities aligned with its mission priorities. Defense Secretary Mattis has made his priorities clear, Deasy said. They are to deliver necessary lethality, to partner across mission areas, and to reform the Department's operations to maximize its resources.
The CIO has four key focus areas to support those priorities: the cloud, artificial intelligence, C3 modernization, and cyber dominance. Deasy wants to instill a "cyber first, cyber always" mindset, implementing a "comply to connect" policy for the Defense Industrial Base. He's wholly in agreement with making sound cybersecurity a condition of doing business with the Department of Defense and within the Defense Industrial Base.
Turning to personnel matters and the well-known shortage of cyber operators, Deasy expressed satisfaction with some of the authorities Congress has given the Department of Defense to offer competitive incentives to skilled cyber professionals. But such incentives, while important and valuable, can't, he said, induce us to lose sight of a fundamental difference between working in Defense and working in the private sector: government service is, and must remain, more calling than job. Successfully staffing the Department's cybersecurity positions will depend upon successfully communicating that to the young, and on persuading them to answer that call.
A panel on the "Cyber Strategies of the Services," moderated by Linnie Haynesworth (Senior Vice President and General Manager, Cyber and Intelligence Mission Solutions, Northrop Grumman) afforded an opportunity to hear the perspective of flag and general officers engaged in leading the Services' cyber operations. They all expressed a commitment to partnership and a strong interest in automation. There was also mention of what Air Force Major General Robert Skinner (Commander, 24th Air Force) characterized as a struggle against "institutional silliness" that impedes progress and obstructs the Services from using the powers and authorities they have.
Notes from the civilian side.
Federal civilian agencies also struggle with personnel challenges: compensation, the difficulty of obtaining security clearances, and—above all—the Government hiring process itself. Department of Homeland Security CIO Dr. John Zangardi commented on these in the course of his own keynote address.
The IT industry is increasingly global, he said, and it shows increasingly dynamic performance in terms of its rate of innovation, the pace of mergers and acquisitions, and the swift rise of consumer expectations. Embedded IT is the challenge for today, especially with respect to legacy systems. Increased connectivity leads to increased risk, as rivals grow more sophisticated and begin to attack supply chains.
"Governments depend upon routine," Zangardi said, "and that won't be sufficient to deal with an agile, adaptable opposition." Some of the changes he advocated included giving the Department of Homeland Security authority to exclude problematic vendors when necessary to the security of the supply chain. This would be, he hastened to explain, about risk management, not sole-sourcing or streamlining acquisition. Internally, the Department is standardizing and consolidating its security operations centers. (SOC) They hope to drop the number of SOCs they operated from sixteen to four or five.
Technology trends and priorities.
There were few reservations on display concerning automation and artificial intelligence. Marianne Bailey (Deputy National Manager for National Security Systems, NSA) said flatly that t's impossible to execute at the speed cyberspace demands without automation. Organizations need to reserve their human talent to accomplish more sophisticated tasks. The machines are enablers. These technologies, she noted, are in their maturation phase, and our adversaries are also well aware of their power. We're effectively in a race with them. "Our adversaries are using automation everywhere and all the time."
Michael Raeder (Director, Information Security Operations & Identity Security, Northrop Grumman) characterized automation as being about "funneling the cone." More intelligence arrives than organizations can handle with human operators alone, and automation plays a huge role in cleaning out the noise.
Noting that automating tasks makes people uncomfortable, Bailey reminded the audience that such automation is typically effectively indistinguishable from a human being following a checklist. Other panelists agreed, and noted that translating such checklists into machine-followable rules remains a challenge.
Artificial intelligence proper also received full-throated approval. Bailey, for example, called its potential "unbounded." One of the keynotes, delivered by T.K. Keanini (Distinguished Engineer and Product Line CTO for Analytics at Cisco) dealt with one particular application of artificial intelligence: detecting threats without decryption. One of his goals in speaking was to "demystify" the topic. Threat detection without decryption is, he said, just data science intelligently and creatively applied. "Networks are becoming more opaque, with better privacy," he said, "and this is a good thing." But the adversaries are also able to take advantage of this. It should surprise no one that adversaries, for example, are encrypting their command-and-control traffic.
But that opacity need not necessarily defeat threat identification. "All encrypted sessions begin unencrypted," he pointed out, and artificially intelligent systems equipped for machine learning can make highly accurate inferences about what's going on behind the encryption. You can compare known malware traffic with known benign traffic, extract observables, build detectors, and then detect known malware with high accuracy. He closed by observing, "If your scope is the global Internet, you have the largest denominator to any numerator you can put up."
With both sides of the crypto wars digging into their positions, it would be interesting to hear if Keanini's approach might represent some middle ground acceptable to all.