DCOi 2016, the US-Israel Cyber Security Summit, met May 18th and 19th, 2016, on the campus of George Washington University in Washington, DC. This year’s meeting was the third annual conference.
Organized by the Institute for National Security Studies (INSS, based at Tel Aviv University), DCOi featured high-level participation by both Israeli and US officials engaged in various aspects of cyber security. It also served as an opportunity for Israeli security companies to introduce themselves to the US market. Two overarching themes emerged: the centrality of rapid cyber intelligence development and sharing to security, and the importance of agility in developing and deploying security solutions.
Debbie Taylor Moore (CEO and Principal, CyberZephyr) and Richard Stiennon (Chief Research Analyst, IT-Harvest) served as masters of ceremonies. Their welcoming remarks drew attention to the cross-fertilization seen in the US and Israeli cyber security industry, particularly among the two countries’ start-ups.
A perspective on cyber conflict from General (retired) David Petraeus.
Dr. Colonel (res.) Gabi Siboni, DCOi’s founder and head of the INSS Cyber Program, opened the conference with an interview of General (ret.) David Petraeus, formerly US Director of Central Intelligence and commander of US Central Command, currently a partner at Kohlberg Kravitz Roberts and Company.
Siboni began by noting what he characterized as the “chaotic state” of international security, and asked Petraeus to offer an overview of the current situation. Petraeus, after mentioning with approval the proposed elevation of US Cyber Command to Combatant Command status, turned to ISIS and its activities. He thinks ISIS is noteworthy for its distinctive cyber capabilities, which have, he believes, proved dangerous. He praised social media companies for their cooperation against ISIS online activities. Russia he characterized as a very capable cyber operator; China, he noted, was a very large and active thief of intellectual property, with a massive, ongoing cyber reconnaissance program. Such reconnaissance, whether emanating from China or elsewhere, he sees as a looming threat to SCADA networks.
Challenging Petraeus over his characterization of ISIS as a significant cyber security threat, Siboni acknowledged the group’s online presence, but asked if in fact ISIS did exhibit any significant cyber attack capabilities. Petraeus responded with a brief description of Iranian and Syrian Electronic Army cyber attacks. Noting, however, that “Iran and SEA aren’t ISIS” (and fairly clearly not sharing any high assessment of ISIS’s technical capabilities), Siboni turned to the question of the value of cyber in tactical operations. Petraeus thought that intelligence developed through cyber means had come to have great value in targeting. Advances in intelligence fusion have enabled targeting information to be developed “within weeks.”
Petraeus also urged that open source intelligence (OSINT) be given proper attention—he thinks OSINT is too easily overlooked. To Siboni’s question about whether cyber and OSINT could help address the “lone wolf challenge," Petraeus said, “Certainly,” adding that a number of lone wolves had been so identified. Community engagement is critical in developing timely, actionable indicators of imminent attack. The US Muslim community has, he believes, been helpful in this regard.
Siboni returned to the US cyber war against ISIS. It’s been much discussed recently; what can be said about it? Petraeus offered a general overview of what he takes to be appropriate US strategy in this campaign: cyber cannot be left as uncontested space for the enemy. The US cyber war fundamentally contests that space.
Petraeus said, in response to a question about the FBI/Apple dispute over encryption, that despite some tensions, the relationship in the US between government and industry is fundamentally a good one. He believes that, while companies shouldn’t be compelled to install backdoors, intelligence and law enforcement organizations “should be able to crack any device.” And he perceives no essential conflict between these two positions.
Lessons from the contrast between physical and cyber attacks.
Gil Shwed, founder and CEO of Check Point Software, after reviewing statistics on the awareness and perception of cyber threats, took up the disparity between the way we understand physical and cyber threats.
He thinks this an instructive contrast on several levels: in conventional crime, as in conventional war, we know who the attackers are, where they come from, and what they're after. All of this is much less clear in cyber. And, while in conventional attacks the “big, damaging weapons” are in the hands of nation states only, in cyber operations the equivalent of strategic weapons are “in the hands of gangs and kids from New Jersey.”
Tripping a burglar alarm may well deter a conventional criminal but the equivalent is unlikely to happen with a cyber crime in progress: detection is tough, and detection is unlikely to scare off a hacker. For one thing, detection is usually retrospective, achieved only after you’ve been pwned. And in a cyber attack the number of agents involved and the speed with which damage is done overwhelm human ability to react.
Shwed argued that we should focus on prevention, blocking attacks before they happen, defending networks with advanced tools, and “protecting every frontier.” Mobile devices are particularly vulnerable (and typically unprotected); we need mobile threat protection. He called for collaborative, real-time intelligence. “So we need to protect mobile devices, the cloud, and the IoT.” Risks have shifted dramatically, and we need proactive, holistic security approaches that focus on prevention, not reaction.
Threat intelligence and leaders’ responsibilities.
Crowdstrike’s Shawn Henry advocated using threat intelligence to achieve knowledge of the adversary, in particular what they’re after and how they themselves can be hunted. Achieving such understanding starts with leadership. “Leaders set the pace for the rest of the pack. If the boss doesn't care, neither will employees.” He urged proactive collection of threat intelligence and the use of appropriate technology to develop it.
Henry was followed by a panel on advanced cyber defense that expanded on these issues. Moderated by Check Point’s BG (res.) Rami Ben Efraim, the panel included Dr. Nathan Weiss (Senior Scientist, Cyber Programs, IAI), David Ross (General Manager, General Dynamics Commercial Cyber Services), Rami Efrati (President, FIRMITAS Cyber Solutions), and Rob Silvers (Assistant Secretary for Cyber Policy, US Department of Homeland Security).
Ben Efraim reviewed what he characterized as three recent, “game-changing” attacks: the December 2015 grid hack in Ukraine, the February 2016 Bangladesh Bank incident, and the recent wave of ransomware attacks on healthcare organizations. So where, he asked, are the attacks going? How can we contain them, and how can we stay one step ahead? Ross sees a failure to think about the attack surface properly. He also believes that security isn't, at bottom, a technological problem. Companies need to think of cyber strategically. There's little point in bringing tactical issues to a board. He made a case for cooperation: "It's not me against the world. It's us against the world."
Dr. Weiss said that disconnected devices are disappearing, and that therefore we now have ubiquitous entry points to our networks. There's a tremendous increase in cyber-physical systems vulnerable to cyber attack.
Silvers noted the pervasiveness of cyber threats, and the inability of any lone enterprise to successfully defend itself. The Department of Homeland Security’s vision is that a threat seen anywhere in the world would be shared at machine speed across the planet. He said that DHS is building the system to do that, and, in what sounded like an announcement of an operational capability, asserted that “this apparatus now exists,” and that privacy and liability concerns have been addressed.
International cooperation against a borderless threat.
The first day’s proceedings closed with a keynote by US Deputy Homeland Security Secretary Alejandro Mayorkas. The cyber threat is borderless. Moreover, the distinction between domestic and international threats collapses in cyberspace. This argues for the importance of swift adaptation to rapidly evolving threats.
Offering some gracious remarks about Israel's scientific capabilities and ability to develop cyber talent, Mayorkas commented on the speed and agility he sees in Israeli cyber operations. The US, he said, needs similar speed, and he sees the difficulty of contracting for cyber security products, services, and solutions as posing a significant obstacle to US ability to achieve the agility it needs in cyber defense.
He closed by advocating that we treat cyber threat indicators as a public good, not as private intellectual property, and he said that the Department of Homeland Security now had significant capabilities to rapidly share anonymized threat information.
Don’t scoff at the value of international agreements (and don’t buy that going-dark stuff, either).
The conference’s second day opened with a keynote by Richard A. Clarke, Chairman and CEO, Good Harbor, and former US National Coordinator for Security, Infrastructure Protection and Counter-terrorism.
He said he’d open with the “customary doom and gloom,” but promised to end with some optimism. The Clinton-era cyber strategy he wrote still looks good, Clarke said, but it hasn’t been implemented. We now have ample evidence that individual agencies cannot handle their own cyber security. While acknowledging with some evident skeptical resignation that Defense and the Intelligence community are unlikely to give up responsibility for their own IT and cyber security (“because they’re special,” shrugs), he thinks most Federal agencies (notably including the State Department) should give up the attempt to handle these matters on their own. He noted that many US states have created a single entity that does IT for the entire state government, and sees such centralization as a rational, affordable model for Federal agencies.
Looking at the current security landscape, he sees commercial and governmental enterprises spending a lot for an imperfect security return. The Internet-of-things will make this dramatically worse as it rises to five billion devices—and that’s five billion devices without security built in. This unfortunate situation has arisen because the people developing hardware and software for the Internet-of-things “haven’t the vaguest idea of how to secure them. As a profession, computer scientists should be ashamed of themselves.” The profession has no standards for cyber security expertise, and has not been able to develop a workforce capable of filling the tens of thousands of jobs in cyber that are unfilled for want of qualified people. We're not training enough cyber professionals, Clarke says, and he thinks Israel affords us a model for how to do this well: the country has, he believes, the highest per capita population of cyber professionals in the world.
Israel has also turned out a very high number of innovative cyber companies. Yet it's still hard for Israeli companies to sell into US markets, especially into the Department of Defense. He advocates removing all barriers to Israeli companies' operations in the US (and their sales into the DoD).
As he reached his promised optimistic conclusion, Clarke offered some advice to the next US Administration: they’ll have one (and only one, he suggested) positive achievement of the present Administration to build on: the Sino-US agreement to forgo cyber industrial espionage against each other's companies. In the wake of this agreement, Chinese industrial espionage seems (and he stressed "seems") to have (largely) stopped. “All of you will think international agreements worthless. You'd be wrong.” He cited the record of conventional force reduction agreements, and nuclear, chemical, and biological arms control. “In all of these areas it took twenty years, but we made progress. We can do the same with cyber war.” Such agreements minimize the risk of war. Consider arms control during the Cold War. Did the Soviets cheat? Sure, a little. But the controls helped.
Clarke regards the Budapest Convention as a start, but thinks it needs teeth. The next US Administration should build on both the Budapest Convention and the Chinese-US accord on cyber espionage.
He responded to questions about cyber arms control—in respect to which he thinks there’s yet to be a serious public discussion because the government hasn’t sponsored one: in such matters national debate depends, he thinks, on the government’s convening power. (It’s worth noting that subsequent participants in the conference expressed skepticism about the applicability of the arms control model to cyber security—in particular, several people observed that the equivalent of strategic weapons in cyberspace are easily obtained by criminal gangs, non-state groups, and even individuals.)
And he also took questions about the crypto wars. He regards encryption and solid multifactor authentication as the sine qua non of security. Strong encryption is essential to security, and the US government shouldn’t undermine it, but rather encourage it. He noted that the White House has substantially accepted this position. He doesn’t buy the FBI’s publicly expressed concerns about criminals and terrorists “going dark,” and he pointed out that the White House hasn’t backed the FBI on this one. “The FBI’s drowning in data.” The problem isn’t going dark. The problem is that we can’t handle the data we already have. We need, he said, to formulate the issue correctly: we're not giving up security for privacy. Rather, we're balancing different kinds of security.
Sin, sharing, and the Russian Business Network.
A panel on cybersecurity information sharing was moderated by Connie Peterson Uthoff of George Washington University’s Cyber Academy and consisted of Dr. Frederic Lemieux (Director, George Washington University’s Cyber Academy), Frank J. Cilluffo (Associate Vice President and Director, Center for Cyber and Homeland Security, George Washington University), Air Shuali (Head of the Intelligence Division at Israel’s Ministry of Intelligence), and Paul Joyal (Managing Director, Public Safety and Homeland Security Practice at National Strategies, Inc.).
Shuali began by analogizing cyber problems to the Seven Deadly Sins. Lust is the first deadly sin of information sharing: don't make data too attractive. Gluttony (too much collection) and greed are also deadly sins. So is sloth, taking too much time to share. Compliance failures incite wrath among regulators and enforcers. Envy, among agencies, is deadly. And finally there's pride, manifested in the overprotection of data.
Cilluffo, turning from moral theology to Sun Tzu, cited the maxim that one must know oneself and know one’s enemy. There’s a general recognition that we need to share cyber threat intelligence. He reiterated the often-heard call for automated information sharing, and predicted that the private sector would drive this.
The panel acknowledged that sharing information does introduce certain vulnerabilities, and that we need to address these vulnerabilities through “psychology” and education.
Panelists offered an interesting discussion of the Russian Business Network (RBN) as an example of a threat actor toward which intelligence collection and sharing ought to be devoted. The RBN is a skilled, deniable, and quite criminal organization that’s also used by Russia's government. The RBN's bread and butter is crime, which is why corporations need to share information about it. But it also serves—on retainer, as it were—as a pool of capability for Russian government offensive cyber operations. Anyone who doubts this might reflect with profit on this fact: Russia's government has issued travel advisories warning hackers not to travel to places that might extradite them to the US.
The view from US Cyber Command and the National Security Agency.
NSA and US Cyber Command head Admiral Michael Rogers delivered the closing keynote. He sees DCOi as a useful reminder of the global nature of the cyber threat, which recognizes no geographical limits. NSA and Cyber Command don’t pretend to have all the answers. Indeed, there are no silver bullets—the cyber challenge is multifarious and shifting.
The world is changing, and technology is outpacing our legal and policy frameworks. As he reflects on his experience, he finds himself drawn back to the realization that you cannot stop operations when an adversary gets in. He advocates resilience and swift response.
He also stressed the importance of remembering the human dynamic in security. “Keyboards are used by people, and everyone now has access to a keyboard.” Networks, with the ability they bring to access information and disseminate insight, are pervasive.
In discussion, he responded to a question about commercial entities developing offensive cyber capabilities. He thought that unlikely to end well. Cyberspace may resemble the wild West, but having more people strapping on a gun and going into the street doesn’t seem to be a good idea.
To a question about the lack of cyber security professional standards among computer scientists that Clarke raised earlier in the day, Rogers said he was struck by how often capabilities were created first, and then security was bolted on as a kind of afterthought. The profession might wish to address this.
He hopes to see a cyber deterrence regime emerge from an enlarged understanding of what’s acceptable in cyberspace (and what’s unacceptable).
Finally, in response to a question about Cyber Command’s proposed elevation to Combatant Command status, Rogers noted that this decision wasn’t his to make. And in any case, “we have a mission, and we need to focus on that.” The Department of Homeland Security also has a clear mission, and they all recognize the importance of interagency cooperation. No change in status is likely to affect that.
The conference closed with Gabi Siboni thanking the participants.