Cybersecurity expert Chuck Brooks talks about where we stand in what many people call the "wild, wild west" of cybersecurity.
BY LARRY KARISNY / MARCH 2, 2016
If you're in the cybersecurity business, you know the name Chuck Brooks.
He is an advisor to the Bill and Melinda Gates Foundation Technology Partner Network, chairman of CompTIA's New and Emerging Tech Committee, subject matter expert to the Homeland Defense and Security Information Analysis Center, “passcode influencer” for The Christian Science Monitor, on the Board of Advisors for CyberTech, and on the Board of Directors at Bravatek and the Cyber Resilience Institute.
Brooks also has authored numerous articles focusing on cybersecurity, homeland security and technology innovation for such publications as Forbes, Huffington Post, InformationWeek, MIT Sloan Blog, Computerworld, Federal Times, NextGov, Government Security News, Cygnus Security Media, Homeland Security Today, The Hill and Government Executive.
I recently got a chance to get Brooks' take on where we are today in what many people call the "wild, wild west" of cybersecurity. Here are his thoughts.
Q. You wear many hats and certainly have been focused on cybersecurity for some time now. So tell me, who is Chuck Brooks and what is he trying to accomplish in this space?
A. You are right, over my career in government, corporate and academia, I have worn many hats. There have been some strong common threads [of] science, technology, national security, and legislative and executive policy in all my various roles. Thankfully, I selected a professional vocation of government relations and marketing that encompasses all those threads.
My passion for cybersecurity issues was first established over a decade ago during the time I spent at the Department of Homeland Security’s Science and Technology Directorate. Back then, the threats to our critical infrastructure were not as pronounced as they are today. Of course we were just beginning to experience the smartphone era. The field of cybersecurity has evolved exponentially along with the technologies, networks and connectivity that make up the cyberecosystem. And the ecosystem is quite diverse and expansive, comprising software, hardware, monitoring, forensics, governance and more. All these elements make it an exciting area to explore since there is always more to learn from strategy and technology perspectives. Also, it certainly blends my common career threads.
For anyone’s career focus, studying cybersecurity makes [sense] since it touches everything work- or personal-related. In both the public and private sectors — in just about every CIO survey — cybersecurity is the top concern. And of course, along with data analytics, cybersecurity is annually a budget priority of federal spending. DHS Secretary Jeh Johnson recently described cybersecurity and counterterrorism as the two top priorities for protecting the homeland.
What I want to accomplish in this space is to continue being a subject matter expert in cybersecurity; I enjoy writing and speaking about the varied aspects of the topic and especially in educating others on how it can impact their lives. My advisory and board director roles with organizations are a reflection of that interest. When I retire (which is a long way off), I hope to join academia again in a part-time role. I spent two years at Johns Hopkins University SAIS [School of Advanced International Studies] teaching graduate students homeland security and found it very fulfilling.
Q. You have one of the most active groups in LinkedIn under the heading of the Department of Homeland Security. How has this helped both yourself and DHS in feeling the pulse of the cybersecurity industry?
A. I do operate a half dozen groups that focus on homeland security and information security on LinkedIn, including a few of the largest groups: “U.S. Department of Homeland Security, DHS,” “Information Technology (Homeland & National Security)” and “Homeland Security.”
In all, these groups include about 60,000 people. Among the members are a host of well-known cybersecurity professionals who often post and comment on issues of the day. Also, as any news on data breaches or cyberincidents occur, they are often posted in the LinkedIn groups.
Moderating these groups certainly keeps me updated and in tune with the pulse of policy. It has also served as a great networking venue to share ideas and information with some of the best security minds around in both the private and federal sectors. Many senior-level executives in the federal government are on social sites such as LinkedIn, GovLoop, Facebook and Twitter. There are an estimated 1.5 million federal government employees who regularly use LinkedIn, including over 65,000 from DHS. Because of the growing need for public/private-sector collaboration and interface, being actively involved in social media makes a lot of sense.
Q. What is Sutherland Government Relations and what do you do for the company?
A. Sutherland Global Services is a global provider of business processing services, contact centers, IT service desks and management consulting serving government and U.S. leading corporations across multiple industries, including health care and insurance, technology, mortgage and loan services, finance and banking, retail, and travel. Sutherland has 36,000 employees and annual revenues of over $1.2 billion, [and] was listed in 2015 as one of the fastest growing private companies in America by Inc.
I work for the recently created Sutherland Government Solutions as VP of Government Relations and Marketing, where we are at several agencies and are known for integrated services for citizen service needs and digital government. Our cybersecurity operations at Sutherland Government Services are internal, but we do have a practice in customer relations management after a company or agency has been breached. Our cybersecurity practice is led by Glenn Schoonover who has a deep technical background. He is a former chief information security officer for the Army and was responsible for providing network security to the Department of the Army headquarters. He is also a former senior technology strategist for Worldwide National Security and Public Safety at Microsoft.
Q. I see you are active in both the public and private sectors when it comes to cybersecurity. What are the similarities and differences between these two sectors?
A. The biggest difference is that government is motivated by mission, and the private sector (for the most part) is driven by profit and loss. The R&D efforts, innovation sector and skilled technical expertise in the private sector have been more robust than in government. Industry is more agile and able to react to threat trends.
On the federal side, the landscape has really changed over the past few years. [The U.S. Department of Defense], of course, has had the cybersecurity war-fighting mission and continues to build upon new requirements for operations and for systems. On the civilian side, DHS takes an increasingly larger role in cybersecurity. Presidential and congressional directives have mandated that DHS play a growing and more primary role, especially with protecting critical infrastructure (transportation, health, energy, finance) that is mostly owned by the private sector. DHS has to step up its activities in assessing situational awareness, information sharing, and resilience research and development plans with stakeholders. This has led to a trend in public-private partnering for sharing threat information and in creating standards and protocols. In both the public and private sectors, training of the next-generation cybersecurity technical and policy [subject matter experts] is a major priority.
Q. To date, there seems to be a stand-off between Apple and the federal government when it comes to iPhone security. What are your thoughts on this, and can this bring about some lessons learned for the cybersecurity industry?
A. This is the topic of the day, and it is a complicated issue relating to government requesting a corporation to provide software to allow access to data. My thoughts may be a bit different from some of the others in the industry. While I recognize the importance of privacy and the dire risk of an Orwellian surveillance state, I consider protecting innocent lives as a mitigating circumstance. What if that data that the FBI is seeking on the terrorist's encrypted phone uncovers a deeper terrorist network planning more horrific acts? In my opinion, this is a mitigating circumstance.
What should be done is to establish protocols between industry and law enforcement to cooperate in these types of instances (with proper warrants and assurances) so that company Internet protocol can be isolated and privacy issues for the company’s customers can be best addressed. I am quite sure Congress will be looking closely at this case to establish legislation to create a working formula. The lesson for cybersecurity is that there is a balance between privacy and security that has to be constantly reviewed in accordance with the threats at hand.
Q. With billions of Internet of Things devices on the near horizon and zettabytes of data projected by 2020, can we secure and control our digital processes, or are we headed for a digital train wreck?
A. According to Gartner, there will be nearly 26 billion networked devices on the Internet of Things (IoT) by 2020. Moreover, it will keep expanding as the cost of sensors decreases and processing power and bandwidth continue to increase. The fact is that most of these IT networks will have some sort of an IoT-based security breach. We could be headed for a digital train wreck if IoT security standards are not adopted. We may have a digital train wreck even if they are adopted. Standards will have to be developed industry by industry. Protecting a network of medical devices in a hospital will require different sets of standards than protecting utilities with SCADA [supervisory control and data acquisition] systems that make up the electric grid. There are a lot of questions, including who enforces compliance? And what are the liabilities of an IoT breach?
CYBERSECURITY EXPERT CHUCK BROOKS' MASTER LIST OF CYBERSECURITY TECH AREAS, PRIORITIES AND EMERGING TRENDS
Emerging Technology Areas:
- Internet of Things
- Drones and robots
- Artificial intelligence
- Smart cities
- Connected transportation
- Quantum computing
- Protecting critical infrastructure through technologies and public/private cooperation
- Better encryption and biometrics (quantum encryption, keyless authentication)
- Automated network-security correcting systems (self-encrypting drives)
- Technologies for “real-time” horizon scanning and monitoring of networks
- Diagnostics and forensics (network traffic analysis, payload analysis and endpoint behavior analysis)
- Advanced defense for framework layers (network, payload, endpoint, firewalls and antivirus)
- Mobility and BYOD security
- Big data
- Predictive analytics
- Informed risk management
- Emergence of public/private sector partnerships
- More information sharing and collaboration between the public and private sectors
- Shared R&D spending
- Increased spending for cloud computing
- Consolidation of data centers
- Expansion of hiring and training of cybersecurity workforce
- Tech foraging
The costs of cyberattacks have significantly affected corporate bottom lines, and nation-state attacks have threatened the security of entire countries, renewing the focus on and demand for cyberdefense.
BY LARRY KARISNY / JANUARY 13, 2016
In 2015, we determined that the important criteria of cybersecurity include the need for proactive defensive approaches, what weaknesses exist in current cybersecurity technologies, how even billion-dollar systems are being hacked, the current and future dangers if we don't fix these problems, and the need to do this all in milliseconds.
To tackle all of this is a tall order, but as I will discuss in my opening session on Jan. 26 during the four-day ITEXPO in Fort Lauderdale, Fla., we can do this. And here's a sneak preview.
DATA TRANSMISSION HISTORY: WE STARTED OFF GREAT
When data communications started, the X.25 protocol — one of the first packet-switching data transmission services ever used — was transmitted over plain old telephone system (POTS) lines or private point-to-point lines. At the time, analog phone lines were prone to interference that often would drop data before being received at the transmission endpoint. To eliminate this possibility, an auditing system validated 8-bit packets that were placed in the data transmission's footer and header. This packet would then be audited and confirmed at both ends of the transmission.
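The end-to-end check described above, as an added illustration that is not code from the column: the sender appends a frame check sequence as a footer and the receiver recomputes it over the header and payload, rejecting any frame the line has damaged. It assumes the standard CRC-16/X.25 parameters used by X.25's LAPB link layer; the address and control bytes and the payload are constructed sample values.

```python
# Added illustration of an X.25/LAPB-style frame check, not code from the
# column. Assumes the standard CRC-16/X.25 parameters (reflected polynomial
# 0x8408, initial value 0xFFFF, final XOR 0xFFFF); the address and control
# bytes and the payload below are constructed sample values.

ADDRESS_DTE = 0x01   # constructed LAPB address byte (DTE -> DCE command)
CONTROL_INFO = 0x00  # constructed control byte: I-frame, N(S)=0, N(R)=0


def crc16_x25(data: bytes) -> int:
    """CRC-16/X.25 over data: bit-reflected CRC-CCITT with an initial
    register and final XOR of 0xFFFF. Check value for b"123456789" is 0x906E."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0x8408
            else:
                crc >>= 1
    return crc ^ 0xFFFF


def build_frame(address: int, control: int, payload: bytes) -> bytes:
    """Sender side: header (address, control) + payload + 2-byte FCS footer.
    The 0x7E opening/closing flags and bit stuffing are left out here."""
    body = bytes([address, control]) + payload
    fcs = crc16_x25(body)
    return body + fcs.to_bytes(2, "little")  # FCS goes on the line low byte first


def verify_frame(frame: bytes) -> bool:
    """Receiver side: recompute the FCS over header + payload and compare it
    with the footer. Any single-bit line error changes the CRC, so it fails."""
    if len(frame) < 4:  # need at least address, control and the 2-byte FCS
        return False
    body, fcs = frame[:-2], int.from_bytes(frame[-2:], "little")
    return crc16_x25(body) == fcs


def flip_bit(frame: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate the analog-line interference the column describes."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 1 << bit
    return bytes(damaged)


def demo() -> dict:
    payload = b"ACCT 4471 BAL 120.55"  # constructed sample payload
    frame = build_frame(ADDRESS_DTE, CONTROL_INFO, payload)
    damaged = flip_bit(frame, 7, 3)  # one payload bit corrupted in transit
    return {
        "frame_hex": frame.hex(),
        "clean_ok": verify_frame(frame),      # True: footer matches
        "damaged_ok": verify_frame(damaged),  # False: receiver rejects it
    }


if __name__ == "__main__":
    print(demo())
```

A CRC catches line noise, not deliberate modification: anyone who can rewrite the frame can recompute the footer, so the modern counterpart of this check is a message authentication code or authenticated encryption.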
Believe it or not, this was one of the most secure data communication systems ever developed. So what happened?
The 8-bit packets transmitted in the X.25 protocol, however, pale in comparison to the terabytes of information that pass through our information networks today. Though this scale is ultimately a problem, the same validation idea remains one of the principles behind today's deep packet inspection. When talking to X.25 engineers back then, it was clear they knew the desire for more connectivity — and more data on networks — had overcome the need for security. This is what really led to the Internet: we needed a way to rapidly and economically move all this data over a shared network. Distributing information quickly and economically was the first priority, and securing and auditing that information became an afterthought. Understanding this, we can see why we are using network connection mediums that had known security issues, as did the software that these networks and applications ran on. These vulnerabilities led to a lot of work on the network layer of cybersecurity, with some success. The real danger in cyberattacks, though, lies not in the network but in the software, and more importantly in the processes used in our day-to-day information technologies. This is where the hackers are getting in, and where their activity can be viewed. This is where we must focus if we are to defend and future-proof information security processes.
THE INSATIABLE DESIRE FOR MORE SOFTWARE, DATA
Though the term "big data" was a tad overused in recent years, I love it. And when it comes to data, the priority has always been connecting and using data efficiencies — which is why security was pushed to the back burner. The cybersecurity risk analysis dilemma continues to be this: We can make this much this quarter if we use this software, and we can use the efficiency of the Internet to distribute it globally.
From corporations that can add millions to their bottom line to government's struggle with security versus wanting a backdoor in, the insecurity of cybersecurity in the past may have held more value than actually having security.
Things have changed, though.
The costs of cyberattacks have significantly affected corporate bottom lines, and nation-state attacks have threatened the security of entire countries, renewing the focus on and demand for cyberdefense.
In today's IT utility processes, the third- and fourth-generation language software we use links to other software and data to achieve the desired digital processes. These actions are then historically saved in a data log. Current cybersecurity technologies have historically viewed these logs to determine if the system is running properly or if there has been a potential exploit. But finding potential flaws can take days, months, even years of manual subjective analysis. If a system breach is found, a software patch is typically put in the system utility — and this is the window of opportunity a hacker leverages, and will continue to leverage, unless targeted security process policies can be audited in front of the utility system processes.
We need to move beyond the utility approach of connecting and moving data from one place to another toward viewing and auditing actual systems process events in real time. We cannot audit algorithms or software in milliseconds, as there is too much data that is ever-increasing in complexity. Auditing software and data at the utility level is too complicated and slow, so to achieve real-time cyberdefense, we must change the way we view and audit targeted system security policies in specific digital process ecosystems proactively.
New approaches are now being hailed by research organizations and standards groups in both the public and private sectors, which also are promoting and investing in this needed cybersecurity paradigm shift. We must move quickly in deploying these new technologies because as cyberattack predictions go, the worst seems yet to come.
WHY OUR CYBERDEFENSE APPROACH MUST CHANGE NOW
When it comes to cyberattacks, we are faced with two simple facts: Current cyberattacks are increasing, and we are going to connect many more things to the Internet. In fact, research firm Gartner predicts that in 2016, there will be 6.8 billion connected devices in use — a 30 percent increase over 2015. By 2020, that number will jump to more than 20 billion.
Cybersecurity experts cite attempted cyberattacks at about 500,000 attacks per minute, and the number of connected devices presents an even greater opportunity for hackers. Trying to defend from cyberattacks using current cybersecurity technologies is no longer feasible. We have neither the people nor the time to defend ourselves against the onslaught. We must drastically automate our cyberdefense approaches or hackers will have too many opportunities to strike — and at best, we will always be caught in patch-and-pray cybersecurity catch-up.
We need to understand software processing languages and business processes if we are really to understand the issues with cybersecurity today. Hackers manipulate software and can change the desired digital process action to their benefit — and can activate these changes in milliseconds.
Whether a network or a specific data process application is in use, it all basically runs on software that activates specifically designed processes. From flooding attack points with terabytes of data to create a denial of service to tricking employees into accessing centralized data-at-rest databases, hackers use software as their real-time attack tool — while current cyberdefense solutions often are blind to what is occurring. Thus, the hacking must be addressed by viewing and auditing the critically targeted security policies affected by the event, which is an action taken through the use of software, rather than by auditing the software or the IT utility itself. To do this, our focus must shift from viewing and auditing the IT utility functions run today to a more process-focused approach. We must shift our focus from technical assets to critical business processes.
CALLING FOR CHANGE IN CYBERDEFENSE
In 2015, some very promising things occurred as far as addressing the known and future problems with our cyberdefense strategies. Many organizations — including the Defense Advanced Research Projects Agency (DARPA), the National Institute of Standards and Technology (NIST), the Institute of Electrical and Electronics Engineers (IEEE), and RSA Security — have been looking at technologies that offer microsecond viewing and auditing intelligence outside of the utility function of today's IT processes. These new approaches are more focused on what is happening in workflow security policies rather than on how the utility system processes happen.
To understand the importance of this new cyberdefense paradigm, I pose this question: How do you stop a hidden encrypted cyberattack exploit already in your system?
The answer to this shows us why we are always trying to put the wrong cyberdefense technologies at the wrong place at the wrong time. The only way you can stop this attack is by allowing the hacker to activate the exploit and stop it in milliseconds before it disrupts system security policies. This requires a new way of looking at information processes security — and major organizations are beginning to understand the need for these changes.
NIST has done a good job of getting organizations, specifically in critical infrastructure, to find and define both their cyberdefense vulnerability and to establish specific security policies in addressing these potential points of breach.
DARPA has done a good job in calling attention to these security policies, in which events may be the result of microsecond machine actions and, in turn, must be defended in microseconds.
RSA is convinced we need to move from technical utility assets to a critical process approach by establishing business-centric risk assessment processes to transform information security, while the IEEE is focused on a similar approach it calls model-driven security. Even the recently passed Cybersecurity Information Sharing Act of 2015 has emphasized the need for DHS to establish a pilot to test and deploy advanced technologies to improve detection and prevention.
This is a good start to finding new approaches to cybersecurity — approaches that must be put in place if we are to deploy the effective cyberdefense capabilities we so desperately need today.
I will be discussing these new approaches in more detail in my ITEXPO security session opening later this month. Hope to see you there.
BY LARRY KARISNY / NOVEMBER 12, 2015
From access to activation, we pass through multiple digital ecosystems with devices that can be used to hack unrelated digital system processes in a millisecond.
When it comes to recent cybersecurity talks, the prevalent theme seemed to be, “We know we need to do something, but what?”
The recurring questions are: Where do we start, and how fast do we need to react to stop cyberattacks? What's become quite clear is that if we are to secure our digital world, we need to do it with technologies that run as fast as the networks and applications in which they operate — in milliseconds.
Repeated time and again in recent discussions is the need for proactive defensive measures in cybersecurity — and how quickly they must react to stop today's hacker. Even the language in the new cybersecurity bill seems to fall short of true cybersecurity protection, as it is more based on the sharing of information to assist in the detection and recovery of a cyberattack rather than a proactive cybersecurity solution that would stop the attack.
And this leads to a few important questions: Is there a big disconnect between the public and the private sectors when it comes to what cybersecurity is supposed to achieve? If so, what is that disconnect, and how can we move forward?
THE SECTOR MISSIONS OF CYBERSECURITY ARE DIFFERENT
The way the public sector reacts to a cyberattack is much different from how the private sector reacts. When the public sector responds to an attack, officials immediately disclose the attack in order to obtain additional funds to fix it. In the private sector, however, officials don't want to disclose the attack because the company will take a stock hit — which would reduce revenue sources that could be used to fix the problem.
The public sector typically looks at problems after they've occurred and then tries to get funding to analyze the size of the problem and how to control it. The private sector tries to immediately address the problem, running it through a risk management process to evaluate how expensive it is and how much it will cost to fix.
Even private-sector technology providers' loyalties differ compared to their counterparts in the public sector. This was clear when 22 of the largest tech companies were firmly against the controversial Cybersecurity Information Sharing Act (CISA) due to their customers' privacy concerns. Knowing this, the passing of the recent cybersecurity bill by the U.S. Senate explains clearly why there is so much opposition between the two sectors: They haven't been on the same page from the start, because they serve different customers and operate their organizations very differently. We spend a lot of time and money in cybersecurity only to be left with technologies that potentially deter attacks or historically define when and how the attack occurred.
Keith Alexander, a retired U.S. Army general and founder and CEO of IronNet Cybersecurity, made two straightforward comments about cybersecurity in a keynote address at the University of South Florida Cybersecurity Center Annual Conference earlier this year: “Our current cybersecurity technologies don't work," he said, and, "we need to focus on proactive defensive cybersecurity technologies."
Although Alexander called CISA “a good start,” the bill is now in its fifth year of trying to get approval. It will then take years of public/private breach information-sharing before cyberattack improvements would be realized. Many are saying that passing this cybersecurity bill has taken so long that the solutions it suggests for addressing cyberattacks are now obsolete.
In an article focusing on cybersecurity insurance, Scott L. Vernick, a partner at Fox Rothschild LLP in Philadelphia, called cyberlegislation a good first step, but “we shouldn't get carried away” about what it can and cannot accomplish given that cyberattackers “are changing what they're doing in milliseconds.”
The private sector's response to leading-edge cybersecurity technologies is not much better. Combine private-sector technology purchases with product lifecycle time frames, and it's nearly a guarantee that the "security" in cybersecurity will always be behind the curve. Both the public and private sectors are at fault here; they are more the reason for a lack of cybersecurity defensive technologies than part of the solution.
So where is the disconnect in truly understanding how to achieve superior cybersecurity solutions and rapidly offer leading-edge services that work?
HACKERS ARE NOT OBSOLETE
When a large technology company or government research group evaluates a proof of concept for a fix to cyberattacks, that fix is immediately met with resistance, even if the technology works. From the government side, the question is how that technology could work with technologies in already-funded programs — technologies that may be inferior, or even obsolete. These technologies are funded by big research grant monies that take so much time to get approved that the money and studies continue flowing even if the technology is going in the wrong direction.
Those in the corporate world may be caught between having a superior technology but needing to recoup investment of an inferior technology before that superior tech can be allowed in. And because years pass between these decisions being made, hackers have plenty of time to change their game plans. As these delays continue, hackers have time to obtain information from government entities, standards groups and corporate product releases that disclose what they're doing. So as big government and big business stifle new ideas in defense cybersecurity technologies, hackers can continually place themselves ahead of the obsolescence curve — always putting themselves in the position of cyberattack innovator.
Large organizations also have a need to centralize cybersecurity technologies for control and profit. This is the main reason for standards groups and open architectures that can put a thousand eyes on a particular cybersecurity architecture. There is value in these standards, but cybersecurity works at a very granular level — right down to individual, location and processes of the digital technology used. Essentially, use of the same cybersecurity solution may greatly differ depending on who, where, what and why it is used.
Most cybersecurity technologies are focused on protection and prevention by analyzing historical logs of digital activity while adding access and encryption techniques for intrusion prevention. In reality, what's needed are technologies that audit in real time the uniquely targeted security policies and events of a particular process or ecosystem, which often occur in milliseconds. This millisecond requirement has been echoed by both Arati Prabhakar, director of the Defense Advanced Research Projects Agency (DARPA), and an IEEE citation by the Department of Homeland Security's Peter Fonash and Phyllis Schneck in Cybersecurity: From Months to Milliseconds. This need is now being demanded as a proactive cybersecurity requirement echoed by many industry and government leaders.
As a cybersecurity advisor, I have proposed the need for this millisecond cyberdefense capability — and I've found working and patented technologies available and ready for use to address this requirement. These technologies have already been lab tested and are well beyond proof of concept; they are ready for targeted deployment. What my associates and I struggle with, as do many innovative idea companies, is how to get this information out and these technologies deployed within the established bureaucracies in both the public and private sectors.
If even working solutions can't find a rapid process of evaluation, hackers will always maintain the technological advantage. Do you think hackers submit proof of concept to bureaucratic oversight groups to see if their stuff works? Of course not. They just do it and see if it works; they aren't waiting for someone’s permission. And if we are to close the innovation window between needed cyberdefense technologies and advanced cyberattack technologies, we must find avenues of testing and deploying cyberdefense technologies in the same manner.
CYBERSECURITY BILLS VS. REAL-TIME CYBERSECURITY
The process of evaluating hackers by determining how they hacked somebody is flawed. For starters, it takes too long to share the data without potentially disclosing personal information not related to the breach, as the scrubbing of non-pertinent private information could take months. By that time, the hacker has already morphed the exploit into a new version, which means those trying to protect against these attacks will just be playing catch-up.
We must focus on cybertechnologies that define the correct digital actions taking place and audit these events as they are used — which means tackling them in the millisecond windows in which our digital systems operate.
When it comes to cybersecurity, many recurring facts are oddly misunderstood. For starters, cybersecurity is local and it is often human-initiated, but then it operates as a microsecond machine-to-machine action that often cannot be traced.
From access to activation, we pass through multiple digital ecosystems with devices that can be leveraged to hack unrelated digital system processes in a millisecond. With millions more digitally enhanced devices projected in the near future, we need to effectively focus on authenticating, viewing, auditing or blocking these millisecond machine actions as they relate to the security policies of our accepted processes and digital ecosystems.
This is the reality of the millisecond machine action cyberworld we live in today — it's one that is rapidly growing, adding the potential of many more system breaches. If we are to enjoy the amazing digital technologies of today and the many more on our doorstep, we must find and deploy millisecond technologies that can defend cyberattacks ahead of the hacker.