Wednesday

The Race to Cyberdefense, Artificial Intelligence and the Quantum Computer

The power grid, oil and gas, and even existing telecoms are perfect targets for funding and development of these technologies.

By Larry Karisny August 8, 2017



I've been following cybersecurity startups and hackers for years, and I suddenly discovered how hackers are always ahead of the rest of us — they have a better business model funding them in their proof of concept (POC) stage of development.
To even begin protecting ourselves from their well-funded advances and attacks, cyberdefense and artificial intelligence (AI) technologies must be funded at the same level in the POC stage.
Today, however, traditional investors not only want your technology running, they also need assurances that you already have a revenue stream — which stifles potential new technology discovery at the POC level. And in some industries, this is dangerous.
Consider the fast-paced world of cybersecurity, in which companies are offered traditional funding avenues as they promote their product's tech capabilities so people will invest. This promotion and disclosure of their technology, however, gives hackers a road map to the new cyberdefense technologies and a window of time to gain knowledge on how to exploit them.
This same road map exists for technologies covered in detail when standard groups, universities, governments and private labs publish white papers — documents that essentially assist hackers by giving them advanced notice of cyberdefense techniques.
In addition to this, some hackers receive immediate funding through nation states that are coordinating cyberwarfare like the traditional military, and others are involved in organized secret groups that fund the use of ransomware and DDoS attacks. These hackers get immediate funding and then throw their technology on the Internet for POC discovery.
HOW NOT TO DO CYBERDEFENSE
One project that strongly makes a case for rapidly funding cyberdefense technologies in an effort to keep up with hackers is the $5.7 billion U.S. Department of Homeland Security's (DHS) EINSTEIN cyberdefense system, which was deemed obsolete upon its deployment for failing to detect 94 percent of security vulnerabilities. As this situation illustrates, the traditional methods of funding cyberdefense — taking years of bureaucratic analysis and vendor contracts — do not work in the fast technology discovery world of cyberdefense. After the EINSTEIN project failure, DHS decided to conduct an assessment — it's currently working to understand if it's making the right investments in dealing with the ever-changing cyberenvironment.
But it also has other roadblocks, as even large technology companies and contractors with which DHS does business have their own bureaucracies and investments that ultimately deter the department from getting the best in cyberdefense technologies. And once universities, standards groups, regulation and funding approvals are added to these processes, you're pretty much assured to be headed for another disaster.
But DHS doesn’t need to develop these technologies itself. The department needs to support public- and private-sector POCs to rapidly mature and deploy new cyberdefense technologies. This suggestion is supported by what other countries are successfully doing — including our adversaries.
MAKING THE CASE FOR POC FUNDING
The same two things that have motivated mankind all through history — immediate power and money — are now motivating hackers, and cyberdefense technologies are taking years to be deployed. So I'll say it again: The motivational and funding model of cyberdefense technologies must change. The key to successful cyberdefense technology development is making it as aggressive as the hackers that attack it. And this needs to be done at the conceptual POC level.
The concern in cyberdefense (and really all AI) is the race to the quantum computer.
Quantum computer technologies can’t be hacked, and in theory, their processing power can break all encryption. The computational physics behind the quantum also offer remarkable capabilities that will drastically change all current AI and cyberdefense technologies. This is a winner-takes-all technology that offers capability with absolute security capabilities — capabilities that we can now only imagine.
BARRIERS TO CYBERDEFENSE POC FUNDING IN THE U.S.
The most recent funding source for hackers is Bitcoin, which uses the decentralized and secure blockchain technology. It has even been used to support POC funding in what is called an Initial Coin Offering (ICO), the intent of which is to crowdfund early startup companies at the development or POC level by bypassing traditional and lengthy funding avenues. Because this type of startup seed offering has been clouded with scams, it is now in regulatory limbo.
Some states have passed laws that make it difficult to legally present and offer an ICO. While the U.S. seems to be pushing ICO regulation, other countries are still deciding what to do. But like ICOs or not, they offer first-time startups an avenue of fast-track funding at the concept level — where engineers and scientists can jump on newer technologies by focusing seed money on testing their concepts. Bogging ICOs down with regulatory laws will both slow down legitimate POC innovation in the U.S. and give other countries a competitive edge.
Another barrier to cyberdefense POC funding is the size and technological control of a handful of tech companies. Google, Facebook, Amazon, Microsoft and Apple have become enormous concentrations of wealth and data, drawing the attention of economists and academics who warn they're growing too powerful. Now as big as major American cities, these companies are mega centers of both money and technology. They are so large and control so much of the market that many are beginning to view them as in violation of the Sherman Antitrust Act. So how can small startups compete with these tech giants and potentially fund POCs in areas such as cyberdefense and AI? By aligning with giant companies in industries that have the most need for cyberdefense and AI technologies: critical infrastructure.
BIG COMPETITION FROM BIG PLAYERS
The industries that are most vulnerable and could cause the most devastation if hacked are those involved in critical infrastructure. These large industries have the resources to fund cyberdefense technologies at the concept level — and they would obtain superior cyberdefense technologies in doing so.
Cyberattacks on critical infrastructure could devastate entire countries' economies, and that infrastructure must be protected by the most advanced cyberdefense. Quantum computing and artificial intelligence will initiate game-changing technology in both cyberdefense and the new intellectual property deriving from quantum sciences. Entering these new technologies at the POC level is like being a Microsoft or Google years ago. Funding the development of these new technologies in cyberdefense and AI is needed soon — but what about today?
Future quantum computer capabilities will also demand immediate short-term fixes in current cyberdefense and AI. New quantum-ready compressed encryption and cyberdefense deep learning AI must be funded and tested now at the concept level. The power grid, oil and gas, and even existing telecoms are perfect targets for this funding and development. Investing today would offer current cyberdefense and business intelligence protection while creating new profit centers in the licensing and sale of these leading-edge technologies. This is true for many other industries, all differing in their approach and requiring specialized cyberdefense capabilities and new intelligence gathering that will shape their future.

So we must find creative ways of rapidly funding cyberdefense technologies at the conceptual level. If this is what hackers do and it's why they're always one step ahead, shouldn't we work to surpass them?

Saturday

Cybersecurity Industry Must Adopt Cyberdefense Tech that Utilizes Analytics, Artificial Intelligence

We must recognize that our cyberdefense technologies are not working and will not work. Cases in point: Our most sensitive cyberoffense technologies have been hacked; power companies admit they would have great difficulty stopping a cyberattack and are being asked to be prepared to operate at much less than full capacity under a cyberattack; 70 percent of oil and gas companies have been attacked — and the threat is growing.
The cybersecurity industry is in chaos and needs to move toward new technologies — cyberdefense technologies that are beginning to leverage analytics, machine learning and artificial intelligence (AI). Hackers are taking advantage of the same technologies, so the cyberdefense industry needs to jump on board. Let's quit playing catch-up and instead take a proactive approach to cybersecurity.
So what is this industry doing wrong, and how can we change it?

CYBERSECURITY 101

One of the core principles in cybersecurity is to establish a baseline of what the operational and industrial system is doing. Once this is done, you can:
  • define your security policies;
  • evaluate the risk;
  • look at security technologies that could reduce the risk;
  • evaluate the potential threat impact cost versus the cost of the security technology;
  • get management approval; and then
  • deploy the security technology. 
Sounds simple, right? Not so. 
We have layered so much hardware, network and software on top of each other that we truly can't see what our systems are doing. And if we can't see what our systems are doing, how can we establish a system baseline of what is normal in daily system operations? The fact is that we can't see it, which is not a good start to one of the most basic principles of security. This must change.

DEHUMANIZING OUR MACHINE SYSTEMS

Conventional cybersecurity generally points everything to the human first while the system's machine actions are doing most of the operational and industrial processes. As metadata grows, it becomes increasingly difficult to manage and understand. Even the best analytic algorithms can't keep up and are themselves subject to error. 
Human error is the major reason for cyberbreaches, and we are pointing increasingly complex systems toward people who can neither see nor understand what the systems are doing; it is a dangerous scenario to continually disconnect the human from massively automated systems that run without audit. Hackers know this, and they will continually exploit these systems until new technologies can deeply and consistently view and audit our operational baseline.
People need to be able to see with deep inspection the structured and unstructured data that run the systems. Without this being done first, a true operations and security baseline cannot be established, leaving the system exposed to cyberattacks. AI, machine learning and analytics can assist in the viewing of this data, but exponentially increase the amount of structured and unstructured data that must be secured. These approaches also create vulnerabilities because they layer additional algorithms and software over critical data and systems actuaries. This gives hackers a targeted system exploit capability that could allow a complete hijacking of system processes. This is being done while humans are continually being removed from our system processes.

CYBERDEFENSE GOING IN THE WRONG DIRECTION

Industry experts are warning of the use and abuse of AI and its use in both cyberdefense and hacking. 
As Sean Carroll, a cosmology and physics professor at the California Institute of Technology, told Vox.com, "It is absolutely right to think very carefully and thoroughly about what those consequences might be, and how we might guard against them, without preventing real progress on improved artificial intelligence."
And Nick Bostrom, director of the Future of Humanity Institute at Oxford University, also told Vox.com that “the transition to machine superintelligence is a very grave matter, and we should take seriously the possibility that things could go radically wrong. This should motivate having some top talent in mathematics and computer science research the problems of AI safety and AI control.”
Even the newest neural network technologies that Google is using — the basis of its DeepMind Artificial Intelligence technologies — can be hacked. The reason is that we're using existing technologies to learn what our systems are doing, so we are essentially adding points of offensive exploit to cyberdefense technologies that are supposed to reduce the attack vector. The cybersecurity industry is, in essence, going in the wrong direction. 
A good example of this is tech giants buying up AI cybersecurity startups. This is being done while the DARPA Cyber Grand Challenge demonstrated how AI could hack into AI. Machine learning and AI connect to a very sensitive part of operational and industrial control systems. That’s how it learns. Hackers can use AI to watch what AI is doing, which in turn can offer total control of the machine systems. All third- and fourth-generation programming language (code) can be hacked, period. We must find a migration path to codeless fifth-generation programming language (5GL) that uses codeless signature patterns.

THE DEMAND FOR NEW CYBERDEFENSE TECHNOLOGIES THAT WORK

I have discussed the use of 5GL in previous articles and spoke about the technology at Oak Ridge National Laboratory. I clearly discussed how we need to use 5GL codeless patterns in parallel with existing operational and industrial system technologies. This use of 5GL in cybersecurity as a system auditing tool could be the much-needed answer to new cyberdefense technologies.
A company called On Point Cyber has been watching the development of these 5GL technologies for years, and CEO Tom Boyle said he thinks the timing is right for 5GL.
"Disruptive technologies must have a migration path back to existing technologies and forward to newer technologies. To achieve this, we first index all the current structured and unstructured data, then run them in parallel to the new 5GL codeless signature pattern technologies," he said. "This offers a real-time deep inspection of the operational system security baseline and the immediate detection of anything not part of that baseline."
Boyle also noted that what's great about 5GL technology is that it can be used without changing any of the current operational and industrial system technologies.
"These newer technologies can then offer older technologies a migration path to code vs. codeless signature pattern technologies that could even be used in the Quantum computer," he added. "The use of 5GL in cyberdefense could prove the most important use of this technology today. Clearly, we need to do something different.”

CYBERDEFENSE PUBLIC-PRIVATE PARTNERSHIPS

We are entering dangerous times in cybersecurity, and both the public and private sectors must recognize the urgency in finding an industry correction. Immediately invest in cybersecurity technologies that offer more than calculated risk remediation. We are throwing things on the wall that could potentially put our cyberdefense technologies in greater danger. We need to find solutions that stop cyberattacks. 
In the confusion of pretty words and explanations of cyberdefense technologies, government officials and CEOs are asking the simple question, "Can I invest in cyberdefense technologies that work?" It is time to answer that question with the recognition that we need to move on to entirely new technologies that can secure us today and prepare us for the future. 

Friday

Chuck Brooks on Cybersecurity: The Weakest Link Will Always Be the Human Element

Cybersecurity expert Chuck Brooks talks about where we stand in what many people call the "wild, wild west" of cybersecurity.

BY  MARCH 2, 2016
If you're in the cybersecurity business, you know the name Chuck Brooks.
He is an advisor to the Bill and Melinda Gates Foundation Technology Partner Network, chairman of CompTIA's New and Emerging Tech Committee, subject matter expert to the Homeland Defense and Security Information Analysis Center, “passcode influencer” for The Christian Science Monitor, on the Board of Advisors for CyberTech, and on the Board of Directors at Bravatek and the Cyber Resilience Institute.
Brooks also has authored numerous articles focusing on cybersecurity, homeland security and technology innovation for such publications as Forbes, Huffington Post, InformationWeek, MIT Sloan Blog, Computerworld, Federal Times, NextGov, Government Security News, Cygnus Security Media, Homeland Security Today, The Hill and Government Executive.
I recently got a chance to get Brooks' take on where we are today in what many people call the "wild, wild west" of cybersecurity. Here are his thoughts.
Q. You wear many hats and certainly have been focused on cybersecurity for some time now. So tell me, who is Chuck Brooks and what is he trying to accomplish in this space?
A. You are right, over my career in government, corporate and academia, I have worn many hats. There have been some strong common threads [of] science, technology, national security, and legislative and executive policy in all my various roles. Thankfully, I selected a professional vocation of government relations and marketing that encompasses all those threads.
My passion for cybersecurity issues was first established over a decade ago during the time I spent at the Department of Homeland Security’s Science and Technology Directorate. Back then, the threats to our critical infrastructure were not as pronounced as they are today. Of course we were just beginning to experience the smartphone era. The field of cybersecurity has evolved exponentially along with the technologies, networks and connectivity that make up the cyberecosystem. And the ecosystem is quite diverse and expansive, comprising software, hardware, monitoring, forensics, governance and more. All these elements make it an exciting area to explore since there is always more to learn from strategy and technology perspectives. Also, it certainly blends my common career threads.
For anyone’s career focus, studying cybersecurity makes [sense] since it touches everything work- or personal-related. In both the public and private sectors — just about every CIO survey — cybersecurity is the top concern. And of course, along with data analytics, cybersecurity is annually a budget priority of federal spending. DHS Secretary Jeh Johnson recently described cybersecurity and counterterrorism as the two top priorities for protecting the homeland.
What I want to accomplish in this space is to continue being a subject matter expert in cybersecurity; I enjoy writing and speaking about the varied aspects of the topic and especially in educating others on how it can impact their lives. My advisory and board director roles with organizations are a reflection of that interest. When I retire (which is a long way off), I hope to join academia again in a part-time role. I spent two years at Johns Hopkins University SAIS [School of Advanced International Studies] teaching graduate students homeland security and found it very fulfilling.
Q. You have one of the most active groups in LinkedIn under the heading of the Department of Homeland Security. How has this helped both yourself and DHS in feeling the pulse of the cybersecurity industry?
A. I do operate a half dozen groups that focus on homeland security and information security on LinkedIn, including a few of the largest groups: “U.S. Department of Homeland Security, DHS,” “Information Technology (Homeland & National Security)” and “Homeland Security.”
In all, these groups include about 60,000 people. Among the members are a host of well-known cybersecurity professionals who often post and comment on issues of the day. Also, as any news on data breaches or cyberincidents occur, they are often posted in the LinkedIn groups.
Moderating these groups certainly keeps me updated and in tune with the pulse of policy. It has also served as a great networking venue to share ideas and information with some of the best security minds around in both the private and federal sectors. Many senior-level executives in the federal government are on social sites such as LinkedIn, GovLoop, Facebook and Twitter. There are an estimated 1.5 million federal government employees who regularly use LinkedIn, including over 65,000 from DHS. Because of the growing need for public/private-sector collaboration and interface, being actively involved in social media makes a lot of sense.
Q. What is Sutherland Government Relations and what do you do for the company?
A. Sutherland Global Services is a global provider of business processing services, contact centers, IT service desks and management consulting serving government and U.S. leading corporations across multiple industries, including health care and insurance, technology, mortgage and loan services, finance and banking, retail, and travel. Sutherland has 36,000 employees and annual revenues of over $1.2 billion, [and] was listed in 2015 as one of the fastest growing private companies in America by Inc.
I work for the recently created Sutherland Government Solutions as VP of Government Relations and Marketing, where we are at several agencies and are known for integrated services for citizen service needs and digital government. Our cybersecurity operations at Sutherland Government Services are internal, but we do have a practice in customer relations management after a company or agency has been breached. Our cybersecurity practice is led by Glenn Schoonover who has a deep technical background. He is a former chief information security officer for the Army and was responsible for providing network security to the Department of the Army headquarters. He is also a former senior technology strategist for Worldwide National Security and Public Safety at Microsoft.
Q. I see you are active in both the public and private sectors when it comes to cybersecurity. What are the similarities and differences between these two sectors?
A. The biggest difference is that government is motivated by mission, and the private sector (for the most part) is driven by profit and loss. The R&D efforts, innovation sector and skilled technical expertise in the private sector have been more robust than in government. Industry is more agile and able to react to threat trends.
On the federal side, the landscape has really changed over the past few years. [The U.S. Department of Defense], of course, has had the cybersecurity war-fighting mission and continues to build upon new requirements for operations and for systems. On the civilian side, DHS takes an increasingly larger role in cybersecurity. Presidential and congressional directives have mandated that DHS play a growing and more primary role, especially with protecting critical infrastructure (transportation, health, energy, finance) that is mostly owned by the private sector. DHS has to step up its activities in assessing situational awareness, information sharing, and resilience research and development plans with stakeholders. This has led to a trend in public-private partnering for sharing threat information and in creating standards and protocols. In both the public and private sectors, training of the next-generation cybersecurity technical and policy [subject matter experts] is a major priority.
Q. To date, there seems to be a stand-off between Apple and the federal government when it comes to iPhone security. What are your thoughts on this, and can this bring about some lessons learned for the cybersecurity industry?
A. This is the topic of the day, and it is a complicated issue relating to government requesting a corporation to provide software to allow access to data. My thoughts may be a bit different from some of the others in the industry. While I recognize the importance of privacy and the dire risk of an Orwellian surveillance state, I consider protecting innocent lives as a mitigating circumstance. What if that data that the FBI is seeking on the terrorist's encrypted phone uncovers a deeper terrorist network planning more horrific acts? In my opinion, this is a mitigating circumstance.
What should be done is to establish protocols between industry and law enforcement to cooperate in these types of instances (with proper warrants and assurances) so that company Internet protocol can be isolated and privacy issues for the company’s customers can be best addressed. I am quite sure Congress will be looking closely at this case to establish legislation to create a working formula. The lesson for cybersecurity is that there is a balance between privacy and security that has to be constantly reviewed in accordance with the threats at hand.
Q. With billions of Internet of Things devices on the near horizon and zettabytes of data projected by 2020, can we secure and control our digital processes, or are we headed for a digital train wreck?
A. According to Gartner, there will be nearly 26 billion networked devices on the Internet of Things (IoT) by 2020. Moreover, it will keep expanding as the cost of sensors decreases and processing power and bandwidth continue to increase. The fact is that most of these IT networks will have some sort of an IoT-based security breach. We could be headed for a digital train wreck if IoT security standards are not adopted. We may have a digital train wreck even if they are adopted. Standards will have to be developed industry by industry. Protecting a network of medical devices in a hospital will require different sets of standards than protecting utilities with SCADA [supervisory control and data acquisition] systems that make up the electric grid. There are a lot of questions, including who enforces compliance? And what are the liabilities of an IoT breach?

CYBERSECURITY EXPERT CHUCK BROOKS' MASTER LIST OF CYBERSECURITY TECH AREAS, PRIORITIES AND EMERGING TRENDS

Emerging Technology Areas:
// Internet of Things
// Wearables
// Drones and robots
// Artificial intelligence
// Smart cities
// Connected transportation
// Quantum computing
Priorities: 
// Protecting critical infrastructure through technologies and Public/Private cooperation
// Better encryption and biometrics (quantum encryption, keyless authentication)
// Automated network-security correcting systems (self-encrypting drives)
// Technologies for “real-time” horizon scanning and monitoring of networks
// Diagnostics and forensics (network traffic analysis, payload analysis and endpoint behavior analysis)
// Advanced defense for framework layers (network, payload, endpoint, firewalls and antivirus)
// Mobility and BYOD security
// Big data
// Predictive analytics
// Interoperability
Trends:
// Informed risk management
// Emergence of public/private sector partnerships
// More information sharing and collaboration between the public and private sectors
// Shared R & D spending
// Increased spending for cloud computing
// Consolidation of data centers
// Expansion of hiring and training of cybersecurity workforce
// Tech foraging

Thursday

Bringing Innovation into Cyberdefense Technologies

Hackers use innovative thinking when breaching systems. Why can't government?


The U.S. Office of Personnel data breach and its solution -- that is plagued with problems -- are a perfect example of inferior technologies that hackers are aware of and can penetrate.

When I spoke on the need for cybersecurity innovation at the January ITEXPO conference in Fort Lauderdale, Fla., I sensed something interesting about my cybersecurity colleagues: They don't seem to care about innovation; they care about having a job in cybersecurity.
Unfortunately, this is a normal reaction, and has plagued both government and industry, leading to inferior cybersecurity products and deployments that may never catch up with the hacker -- unless we change our thinking.
The difference between a hacker and cybersecurity companies is that a hacker has no brand, no national loyalty, no secure employment. Hackers immediately use or develop for their purposes the best hacking technology out there. It is this same innovative thinking we must use in approaching our cyber defense technologies.

HOW BIG GOVERNMENT, BIG BUSINESS STIFLE CYBERDEFENSE INNOVATION


One of the most difficult challenges in offering superior technologies to big government and big business is the massive amount of bureaucracy you must penetrate. As a cyberdefense expert and adviser, I know how to choose the best technologies while addressing the hurdles of bureaucracy. Like the hacker, I have no brands, bosses or bureaucrats influencing my objective selection (though I do admit to national loyalty as an American). I can focus on correcting cybersecurity problems and find the best in defense technologies to address them.
I have discovered that government and business are sometimes their own worst enemies. While government decisions are sometimes based on confusing politics, industry makes decisions based on a technology's return on investment or a corporate purchase that has now made a technology part of their company. This type of thinking not only delays needed new cyberdefense technologies from getting in, but can cause old technologies to be used due to political and business decisions. These inferior technologies are known and hackers can already penetrate them. A perfect example of this was the U.S. Office of Personnel (OPM) data breach and the solution of the problem (EINSTEIN) that is itself plagued with problems. We need to find better ways of offering quicker technical responses to cyberdefense technologies or hackers will always be one step ahead.

THINK LIKE A HACKER

Today if you are offering even an urgently needed technology there are two main factors that will give you road blocks. Government is making political decisions and industry is making monetary decisions. This is the worst place to be when offering a disruptive technology but is exactly where I have been in the last few years. I use a simple formula in addressing these road blocks. One is know your problem and predict how big it will become. My past articles written over a period of five years have given me a discipline of putting my name on not only disclosing the problem but offering some suggested solutions to the massive weaknesses we are facing in cyber defense. With limited resources this is difficult, but I have had the luxury of standing back from politics and business and staying focused on the problem and the fix just like a hacker focuses on getting in.
Now, you can't disregard the reality of politics and business, but you must surround yourself with people who excel at such things so you can maintain your focus on correcting problems. This approach has allowed me to surround myself with the best in both technology and business.

PROTECTING INNOVATION WITH INNOVATION

In an article in The Wall Street Journal by President Barack Obama titled, "Protecting U.S. Innovation From Cyberthreats," both the cyber attack threats and the immediacy in addressing these threats were clear. The president’s analogy that, “government IT is like an Atari game in an Xbox world," was a perfect example of how much catch-up is required by the federal government when it comes to cyberdefense systems.
In fact, the president is pushing a new Cybersecurity National Action Plan that includes $3 billion to kick-start an overhaul of federal computer systems. This is the right move to stop the bleeding. But let's go back to the hacker: All the employment and training in the world cannot stop a hacker's millisecond attack. People don't think in milliseconds; technology does. We need to find technologies that can proactively defend in milliseconds, or we will lose our defense capabilities to the first strike capabilities of hackers. This can be done, but will require big changes in our current cyberdefense technologies; we cannot continue using the patch and pray cyberdefense systems we employ today.
The reason hackers can hack in the first place is that the 3rd- and 4th-generation software used today can be exploited because it was made to connect and automate things -- not view or secure digital processes. The code and algorithms are, by nature, vulnerable to attacks. And new cyberdefense techniques such as analytics and business intelligence software may actually be adding to the prevalence of cyberattacks as they also run on 3rd- and 4th-generation software. In fact, my colleagues and I have been warning that security software's use of analytics and business intelligence software will be the next attack targets. Why steal a database when you just hack the analytics and business intelligence software to see what a company is doing? We can't continue this way. We need a true paradigm shift in cyberdefense technologies.

WHERE THE CYBERSECURITY INDUSTRY WENT WRONG

There is a great article in the Washington Post called "A History of Internet Security." It gives a great snapshot of where we started with Internet security and why we have the problems we do. The lack of security was intentional. No one thought the Internet would get so big or be used in so many ways. Interestingly enough, the reason the Internet was first developed was to create a survivable network even if an atomic war occurred. The survivable network was a great idea. Offering little to no security was not.
As an independent adviser I have worked with some of the best in both technology and business. Together we have seen the problems and have again and again come back with confidence to the same solution. First and foremost, we need to understand that cyberdefense is just the viewing and auditing of selected security policies in milliseconds for a specific process. It is validating what we want to happen, not what we don't want to happen. This is how we can protect critical systems and intellectual property residing on the Internet.
The entire cybersecurity industry has been looking at cyberdefense in the wrong way and frankly has used the wrong technologies in the wrong place when addressing it. To clarify the needed changes we must make in cyberdefense technologies, my colleague Tom Boyle, CEO of On Point Cyber, Inc., commented on what the problems are, what changes must be made and how they should be implemented.
Q: Can you explain the problems we face when it comes to cyberdefense technologies?
The proliferation of big data, the Internet of Things, cloud computing and mobile devices has created an intrusion detection environment that challenges current information security practices, if for no other reason than sheer volume of data. Detecting intrusion is akin to finding a needle in a haystack. Government and corporate leaders echo the need for a fundamentally different approach to cybersecurity, capable of sustaining the pace of cyber threats, while detecting intrusions at machine speed.
Q: What changes need to be made to address these weaknesses?
We see an information security transformation to the process side of information technologies, and work with companies who develop these capabilities, 5GL visual languages of logic with autonomic modeling of system operations for immediate reactive cyber security. Through these technologies, the cybersecurity playing field is leveled, so defenders can stop attackers within milliseconds, at the point of attack.
Q: How do we get this done and done quickly?
Fortunately for the United States, the Department of Homeland Security and other agencies have spearheaded cooperative research and development between private and government sectors, to readily identify and adopt new and emerging tools to secure our most critical cyber infrastructures. Now it is time to get it done.

WHAT A CYBERATTACK LOOKS LIKE

The trouble with hacking is twofold: We don’t see it, and we don’t understand how damaging it is. So first and foremost, we need to find a different word for "hacking." It is too nice a term given the devastation it causes.
I grew up in Harper Woods, Mich., and lived one block away from Detroit and one block away from Grosse Pointe Farms -- my small city sat between these two vastly different communities. The satellite photo below shows these two communities: The left depicts the complete demolition of entire neighborhoods that were knocked down for the copper in the walls. Those living on the right side -- with which my small community aligned -- didn’t steal, nor would we let people who stole into our neighborhood. We had a good police force, but frankly, the old ladies were the enforcers: By the ear, they would walk the intruder right back to his house. Basic defense, but quite effective.

Cyberdefense is the right side of the picture. Cyber war or cyber offense is stealing back and forth, which in the end offers no gross national product until there is nothing left to steal. That is the left side of the picture. This is a picture of just millions lost over many years. Last year, in the private sector alone, British insurance company Lloyd's projected that more than $400 billion was lost due to cyber attacks.
Anybody got a picture for that?
Larry Karisny is the director of Project Safety.org, an advisor, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sector.

Wednesday

Cybersecurity 2016: Out with the Old, in with the New

The costs of cyberattacks have significantly affected corporate bottom lines, and nation-state attacks have threatened the security of entire countries, renewing the focus on and demand for cyberdefense.

BY  JANUARY 13, 2016

In 2015, we determined that the important criteria of cybersecurity include the need for proactive defensive approaches, what weaknesses exist in current cybersecurity technologies, how even billion-dollar systems are being hacked, the current and future dangers if we don't fix these problems, and the need to do this all in milliseconds.
To tackle all of this is a tall order, but as I will discuss in my opening session on Jan. 26 during the four-day ITEXPO in Fort Lauderdale, Fla., we can do this. And here's a sneak preview.
DATA TRANSMISSION HISTORY: WE STARTED OFF GREAT 
When data communications started, the X.25 protocol — one of the first packet-switching data transmission services ever used — was transmitted over plain old telephone system (POTS) lines or private point-to-point lines. At the time, analog phone lines were prone to interference that often would drop data before being received at the transmission endpoint. To eliminate this possibility, an auditing system validated 8-bit packets that were placed in the data transmission's footer and header. This packet would then be audited and confirmed at both ends of the transmission.
Believe it or not, this was one of the most secure data communication systems ever developed. So what happened?
The 8-bit packets transmitted in the X.25 protocol, however, pale in comparison to the terabytes of information that pass through our information networks today. Though this ultimately is a problem, it remains one of the principles behind today's deep packet inspection. When I talked to X.25 engineers back then, they knew that the desire for more connectivity and data on networks overcame the need for security. This is what really led to the Internet. We needed to find a way to rapidly and economically move all this data over a shared network. The need to distribute information quickly and economically on a network was the first priority, as security and auditing the information became an afterthought.
Understanding this, we can realize why we are using network connection mediums that had known security issues, as did the software that these networks and applications ran on. These vulnerabilities led to a lot of work done on the network layer of cybersecurity, with some success. The real danger in cyberattacks, though, lies not in the network but in the software, and more importantly in the processes used in our day-to-day information technologies. This is where the hackers are getting in and can be viewed. This is where we must focus if we are to defend and future-proof information security processes.
THE INSATIABLE DESIRE FOR MORE SOFTWARE, DATA
Though the term "big data" was a tad overused in recent years, I love it. And when it comes to data, the priority has always been connecting and using data efficiencies — which is why security was pushed to the back burner. The cybersecurity risk analysis dilemma continues to be this: We can make this much this quarter if we use this software, and we can use the efficiency of the Internet to distribute it globally.
From corporations that can add millions to their bottom line to government's struggle with security versus wanting a backdoor in, the insecurity of cybersecurity in the past may have held more value than actually having security.
Things have changed, though.
The costs of cyberattacks have significantly affected corporate bottom lines, and nation-state attacks have threatened the security of entire countries, renewing the focus on and demand for cyberdefense.
In today's IT utility processes, the third- and fourth-generation language software we use links to other software and data to achieve the desired digital processes. These actions are then historically saved in a data log. Current cybersecurity technologies have historically viewed these logs to determine if the system is running properly or if there has been a potential exploit. But finding potential flaws can take days, months, even years of manual subjective analysis. If a system breach is found, a software patch is typically put in the system utility — and this is the window of opportunity a hacker leverages, and will continue to leverage, unless targeted security process policies can be audited in front of the utility system processes.
We need to move beyond the utility approach of connecting and moving data from one place to another toward viewing and auditing actual systems process events in real time. We cannot audit algorithms or software in milliseconds, as there is too much data that is ever-increasing in complexity. Auditing software and data at the utility level is too complicated and slow, so to achieve real-time cyberdefense, we must change the way we view and audit targeted system security policies in specific digital process ecosystems proactively.
New approaches are now being hailed by research organizations and standards groups in both the public and private sectors, which also are promoting and investing in this needed cybersecurity paradigm shift. We must move quickly in deploying these new technologies because as cyberattack predictions go, the worst seems yet to come.
WHY OUR CYBERDEFENSE APPROACH MUST CHANGE NOW
When it comes to cyberattacks, we are faced with two simple facts: Current cyberattacks are increasing, and we are going to connect many more things to the Internet. In fact, research firm Gartner predicts that in 2016, there will be 6.8 billion connected devices in use — a 30 percent increase over 2015. By 2020, that number will jump to more than 20 billion.
Cybersecurity experts cite attempted cyberattacks at about 500,000 attacks per minute, and the number of connected devices presents an even greater opportunity for hackers. Trying to defend from cyberattacks using current cybersecurity technologies is no longer feasible. We have neither the people nor the time to defend ourselves against the onslaught. We must drastically automate our cyberdefense approaches or hackers will have too many opportunities to strike — and at best, we will always be caught in patch-and-pray cybersecurity catch-up.
We need to understand software processing languages and business processes if we are really to understand the issues with cybersecurity today. Hackers manipulate software and can change the desired digital process action to their benefit — and can activate these changes in milliseconds.
Whether a network or specific data process application is in use, it all basically runs on software that activates specifically designed processes. From flooding attack points with terabytes of data to create denial of service, to tricking employees into accessing centralized data-at-rest databases, hackers use software as their real-time attack tool — while current cyberdefense solutions often are blind to what is occurring. Thus, the hacking must be addressed by viewing and auditing the critically targeted security policies the event caused by taking action — action that occurs through the use of software, not the software or IT utility itself. To do this, our focus must shift from viewing and auditing the IT utility function run today to a more process-focused approach. We must shift our focus from technical assets to critical business processes.
CALLING FOR CHANGE IN CYBERDEFENSE
In 2015, some very promising things occurred as far as addressing the known and future problems with our cyberdefense strategies. Many organizations — including the Defense Advanced Research Projects Agency (DARPA), the National Institute of Standards and Technology (NIST), the Institute of Electrical and Electronics Engineers (IEEE), and RSA Security — have been looking at technologies that offer microsecond viewing and auditing intelligence outside of the utility function of today's IT processes. These new approaches are more focused on what is happening in workflow security policies rather than how the utility system processes happen.
To understand the importance of this new cyberdefense paradigm, I pose this question: How do you stop a hidden encrypted cyberattack exploit already in your system?
The answer to this shows us why we are always trying to put the wrong cyberdefense technologies at the wrong place at the wrong time. The only way you can stop this attack is by allowing the hacker to activate the exploit and stop it in milliseconds before it disrupts system security policies. This requires a new way of looking at information processes security — and major organizations are beginning to understand the need for these changes.
NIST has done a good job of getting organizations, specifically in critical infrastructure, both to find and define their cyberdefense vulnerabilities and to establish specific security policies in addressing these potential points of breach.

DARPA has done a good job in calling attention to these security policies in which events may be the function of microsecond machine actions and, in turn, must be defended in microseconds.
RSA is convinced we need to move from technical utility assets to a critical process approach by establishing business-centric risk assessment processes to transform information security, while the IEEE is focused on a similar approach it calls model-driven security. Even the recently passed Cybersecurity Information Sharing Act of 2015 has emphasized the need for DHS to establish a pilot to test and deploy advanced technologies to improve detection and prevention.
This is a good start to finding new approaches to cybersecurity — approaches that must be put in place if we are to deploy the effective cyberdefense capabilities we so desperately need today.
I will be discussing these new approaches in more detail in my ITEXPO security session opening later this month. Hope to see you there.