The global threat landscape.
Increasingly, it's about like-minded states being threatened by unlike-minded states.
Dr. Dennis McCallam (Fellow, Mission Systems Sector, Northrop Grumman) moderated an international panel on global cyber threats. The panelists included John Felker (Director, NCCIC, US Department of Homeland Security), Tamar Peterkop (Director General, Information System Authority, Estonia), Richard Oehme (Director, Cyber Security and Critical Infrastructure Protection, PwC Sweden, and former Director of the Office of Cybersecurity and Critical Infrastructure Protection, Swedish Civil Contingencies Agency), and Robert Strayer (Deputy Secretary for Cyber and International Communications and Information Policy, US Department of State).
Six tiers of threat.
McCallam opened the discussion by introducing the Threat Tiers developed by the Defense Science Board. There are six of them, ranging in severity from nuisances (Tier One) to existential threats (Tier Six). Tiers One and Two are those in which an attacker exploits pre-existing, known vulnerabilities. Tiers Three and Four are those in which an attacker discovers and exploits an unknown vulnerability. And Tiers Five and Six involve the attacker's creation and exploitation of vulnerabilities using a full-spectrum of cyber operational capabilities.
Which technologies are most troubling?
Within this framework, he asked the panel what they found most worrisome among new and emerging technologies.
Oehme was pessimistic in the short term, and Peterkop noted the difficulty of predicting where cyber threats will emerge. Solutions we've used for years turn out to have security flaws: consider Spectre, Meltdown, and the like. Peterkop expects that we'll have to deal with more of these kinds of existing vulnerabilities going forward.
Felker agreed with Peterkop on the risk these long-standing vulnerabilities present. They can enable nation-states to hold critical infrastructure at risk. "The bar to entry is low, for attackers. All you have to do is buy tools on the Dark Web." The Dark Web is something the NCCIC has been thinking particularly hard about, especially insofar as it represents a proliferation threat. He reiterated familiar themes about the importance of being able to share information among partners in a trusted environment.
And which threat actors are most troubling?
Noting that the Internet has grown into a multi-trillion-dollar resource, Strayer pointed out that the US finds four nation-state actors heavily engaged in pursuing cyber operations as a low-cost tool of statecraft. They are, unsurprisingly, Russia, China, Iran, and North Korea.
He sees the advent of fifth-generation mobile technology as opening us to a period of increased vulnerability to disruption. The US is working to develop norms of responsible behavior in cyberspace, and has succeeded in getting agreement to many of these in the G20. And the US is working to call out—and impose consequences on—international bad actors.
We're seeing, Strayer said, a convergence of digital economic regulation and cybersecurity. "It's impossible to imagine a cyber threat that doesn't transit private sector assets. Thus a collaborative government-private sector approach is imperative."
Changing notions of resiliency.
McCallam asked how our notions of resiliency were changing. Felker, citing former NSA Deputy Director Chris Inglis, said you've got to understand the adversary is in your network, and then you've got to continue to work while he's there. Deception, Felker believes, has become an important contributor to resiliency: "How do you convince the enemy he's in your network when in fact he's not?"
Strayer emphasized the importance of sharing techniques to enhance one's partners' abilities to identify, detect, and respond to threats. Good CERT-to-CERT cooperation must move from the technical to the policy level.
"We learn every day that someone creatively misuses parts of cyber we depend upon (witness Cambridge Analytica)," Peterkop said. Cyber is distinctive in the difficulty it presents us when we try to predict what will come next. He thinks that for these reasons resiliency should be conceived as a property of the "entire culture of the ecosystem."
Oehme agreed, and drew some lessons from Sweden's experience. They experienced what appeared to be a disruptive DDoS attack on a transit system. In fact it was nothing of the kind, but rather a service interruption produced as an unintended consequence of a system upgrade. Trust between the public and private sectors enabled a proper response as opposed to a hair-trigger, mistaken one.
Talent and capacity in cybersecurity.
What, McCallam asked, can be done to address the well-known scarcity of cyber talent? Oehme admonished that first, you should actually use the staff you have. This is often not done. Second, take the obvious step of developing new staff through training and education. And third, increase what he called "small education" for lawyers, business people, and so on.
Recognize that government can't have all the competence, Peterkop said. "Our strategic depth is in the companies and universities."
Felker saw possibilities in a cultural change. "We've got to stop thinking of IT as support, and start thinking of it as operations. We've got to change our culture on this point." He also offered a caution against getting too wrapped up in credentials: "It's not about the tickets you punch, but about how you do the job."
And what of a global response to cyber incidents?
Peterkop thought that cooperation should be built from the ground up among "like-minded nations." He loves what the US has recently done with attribution. "Smaller nations need allies." And with respect to attribution and the imposition of consequences, Strayer advised getting as close to the event as possible to ensure we can make it clear that someone is violating the norms of international behavior.