See, through the eyes of two tested industry veterans, what today’s cybersecurity realities are and what government should be doing about them.
There is clearly an issue. If you do 80 percent of security right you’ll stop 90 percent of attacks, but I don’t agree that most organizations actually get to 80 percent because IT can be a complex environment. Putting the onus on the IT department to fix the problem is not a successful strategy. The attackers are exploiting the end-users more and more, thus circumventing security controls altogether.
With that in mind, the two most urgent actions are for organizations to create awareness of the problem and build commitment among leadership to tackle it. A strong cybersecurity program warrants a comprehensive strategy to address any risks within the environment. These include everything from developing the strategy and a human capital plan to awareness and training.
Cybersecurity is not just an IT issue; that’s not how your adversaries are looking at it. Using IT happens to be the way they get into networks. Technology is only one aspect. Organizations need to look at it as a foreign intelligence collection effort. Bottom line, cybersecurity needs to be top-down driven, from the head of the agency or a CEO on down. Only then will the enterprise be adequately protected.
With any large, complex enterprise you’re always going to find weaknesses. It’s very hard to get an end-to-end view of the enterprise, and therefore hard to get a handle on just what is on the network and what weaknesses there are.
It’s also really hard to be proactive. That’s important when you consider the 80/20 rule, where 80 percent of the intrusions you can see and can avoid with proactive security. The other 20 percent are unknown and hidden, what are known as Advanced Persistent Threats (APTs). With those you need a little more predictive ability in order to get a level of resiliency.
The most urgent actions are those that give people a better understanding of the threat environment, and that give them the ability to apply appropriate actions and resources to mitigate the risks and threats. They also need to understand that it’s really hard to have 100 percent security, but that they can have controls in place that are good enough to protect assets that are business/mission critical.
IT professionals are an integral partner in addressing the cybersecurity challenge, but the skill sets needed to succeed must be transformed. Clearly, there is a shortage of cybersecurity professionals in the U.S., and there are aspects of the profession that aren’t taught in any of our high schools or universities today.
That’s interesting when you look at other countries, where many of the colleges and universities start with an offensive approach rather than a defensive one. To be successful, you need a more rounded, full-spectrum view of the ability to attack, exploit and defend systems. Grooming tomorrow’s workforce is a top priority at Northrop Grumman. Through programs like CyberPatriot IV, where we serve as Presenting Sponsor, to our Cybersecurity Research Consortium, our own Cyber Academy, and our engagement with more than 100 universities nationwide, we are building excitement around this career choice. It is a very rewarding and challenging profession that I would even love to see my children pursue.
They are all siblings in the same cybersecurity/computer security family. One set of skills may focus on protecting technology and applications, while another looks at it from the view of the people and end processes. Both of them help to deal with the cybersecurity threat. What is needed is a way to shift the focus to how to use these skills depending on the threat environment.
Agencies also need to understand that skills may need to change or be added to, because cybersecurity threats are moving targets. As defenders, they also have a different time scale to work with than attackers, who can take as much time as they want to infiltrate a network. But agencies have such a large frontage to defend they almost have to be right 100 percent of the time.
The threat itself is not hype, but assuming that APT techniques used by all adversaries are highly sophisticated, or more advanced, is somewhat suspect. So I think the term APT itself is overused.
Really persistent attackers will only use the techniques they need to compromise a system. In many cases, those techniques are not that advanced, though attackers do have those capabilities when needed. I’d also say that APTs launched by that top one percent of truly elite, state-sponsored attackers are underappreciated.
Unfortunately, when the term is overused, it hinders the ability to truly understand APT. Most of the major compromises that have made the news in the last year were not that sophisticated, and in fact used social engineering to gain access. There’s a bit of numbness that comes from overuse of the phrase.
They are definitely a reality. We face them every day and have been for some time. I think the reason why you are hearing more about them is because, as network defenders, we’ve become very attuned to APTs and are finding more and more of them. Our skills are improving and we’re starting to realize that those things that go bump in the night aren’t necessarily anomalies. We don’t think it’s hype. We see APTs as a bona fide and escalating threat.
It’s always more affordable to introduce security early in the development lifecycle than it is to introduce it, or bolt it on, after it’s in production. That’s absolutely been quantified.
I also think security professionals can use the push to cut organizational costs and complexity to their advantage. For example, an agency could reduce external points of presence into and out of the organization, both improving security and helping cut costs.
The other big challenge is deciding the worth of your intellectual property (IP). If IP was lost, would a company still be in the market place, or would an agency still be successful? That needs to be included in any executive discussion about cybersecurity. We need to look at the impact 5, 10 and 15 years down the road versus quarter-by-quarter. Cybersecurity is a long-term asset and should be considered “strategic.”
The main argument is how much risk the organization is willing to accept if an asset is compromised or lost, or if it degrades over time because it can’t be used. If you can sit there and allow your network to be 75 percent compromised, then your risk profile differs from that of organizations that can’t afford that level of risk. Most agency networks are vital to their missions.
Security professionals need to find a way to prioritize what has to be secured and why, tag those crown jewels in the network and then put monitoring and other security controls around them. This requires a good understanding of the mission/business process to identify the right critical assets, and what can be sacrificed if faced with a “life boat” situation. What will help is continual discovery of new ways to automate security, which will also drive greater affordability because you won’t need as many assets to secure those large and complex networks.
We haven’t seen a real example of cyber war yet. I prefer to say we are in a cyber competition, where we’re collecting information on one another or preparing the battlefield. In places like Estonia and Georgia, we have seen examples of directed cyber attacks that gave us an idea of what cyber war might look like using tactics such as denial-of-service for a government or a whole country, but not a true cyber war.
Many nations are investing in the development of cyber capabilities because they see those as force multipliers over and above traditional capabilities. And, at some point, we’ll see cyber warfare capabilities fully integrated with those we use to wage kinetic warfare.
It’s certainly taken out of context. Cyber exploitation is a more realistic set of terms to define the problem as it relates to the stealing of money and intellectual property. I do believe it’s real, but there are a lot of constraints involved. If you sit there and develop a cyber attack against the Internet, essentially you’ll be taking down parts of the Internet you need to get to the person you want to attack.
However, there are currently a lot of different kinds of actors who employ a range of cyber attacks, and they can have serious consequences both to economic and physical targets. When people see the level of damage that can be caused, and that it doesn’t take much to launch fairly sophisticated attacks, they tend to want to graft a term onto it that will raise the level of awareness. That’s one way the term cyber war is getting more traction. But an all out cyber war will be far more complex.
New technologies are constantly being introduced, some more secure than others. IPv6 and HTML5 are both designed with more security in mind. The concern, however, is during the transition period, when organizations are in the middle of implementation. Organizations have to be mindful of security shortcomings inherent with any legacy system that interacts with these new technologies.
We’re also faced with the challenge of an increasing consumerization of the environment, where many consumer systems don’t have strong security standards. We’re moving from a father-child IT relationship, where people were told what they had to have, to a peer-to-peer relationship, where customers are telling us what they want to have. It takes a tremendous amount of planning to support that consumer technology. That’s where the rapid integration of university-developed technologies from our Cybersecurity Research Consortium is making a difference.
Any new technology pretty much guarantees a greenfield of unknowns. However, over time, defenders are getting smarter so it’s hard to say whether these technologies will be inherently more insecure.
What you do see with them is a greater level of due diligence and a hardening of these technologies because developers have had a chance to take in what their predecessors did with something like IPv4, see where the vulnerabilities are and then build out the new versions to make sure they have less of them.
So, IPv6 provides new features that were not available in IPv4 and that are designed to enhance security. The same thing applies with HTML5. But they haven’t been tested to see what vulnerabilities and security problems have to be dealt with. And, for sure, potential attackers will already be looking for new ways to get around those security mechanisms.
Trust! As the largest provider of cybersecurity solutions to the federal government, Northrop Grumman is protecting some of the most attacked enterprises on the planet with the most at stake. We understand the full spectrum – exploit, attack, and defend. For more than 30 years, we’ve had relationships with intelligence, military and civil agencies around cyber space issues and have maintained those trusted relationships over that time. Our employees understand the environment and share knowledge and expertise across the diversity of our business, lending to a better protected network through government and industry as appropriate. Such collaboration also lends to more innovative technology and ultimately, better performance.
We know and live our customers’ mission every day. Because our customers’ mission success always remains our first priority, we have become their trusted partner and have grown to be the number one IT provider of choice to the federal government.
As a system integrator, we essentially look at all of the technologies available to us, and we are pretty much agnostic about them—always looking to choose what best meets the customers’ needs. And we live and die on making sure we have good relations with everybody in industry as well as with our customers. On the back of that we have formed alliances with the best technology and product companies in the world, so that end-to-end customer solutions are fully integrated and tested long before they arrive on the customer environment.
They absolutely need to subscribe to defense-in-depth. They need to choose the security portfolio that’s appropriate for their goals and the threats they are up against. There is no silver bullet, but over the years we’ve learned where investments need to be made to best defend an enterprise. At Northrop Grumman, we work with our customers to define their cyber mission requirements before we architect a cyber solution. We begin by assessing vulnerabilities throughout the enterprise…from people to processes to technology. With Northrop Grumman’s multi-layered, defense-in-depth approach in place, even changes such as cloud services or the introduction of mobile devices will not suddenly void investments and will keep solutions affordable. If defenses are architected appropriately with agility part of the original design, they can adapt to provide the protections needed for new technologies or services to be introduced in the future.
Cybersecurity is not all-inclusive. It’s a people, process and technology problem and, as anybody knows who’s ever done application security, there isn’t such a thing as a 100 percent secure application. As agencies deploy cybersecurity, they have to look at what mechanisms they put in place for these new technologies such as cloud services and mobile devices. But there’s always going to be some work to do to make sure the gaps are realized and filled in.
What’s changed over the years is where the security focus has to be. In the 1990s it was on the firewall as the security device of choice. But we are dealing with many more and different kinds of attacks. Cybersecurity is becoming far more about people and process, and that’s where we are starting to see more of the focus. And with that comes more emphasis on sharing of information and of new tactics and procedures on how to deal with certain types of threats.
By and large, government can decide if they want security baked into their IT product design; the question is how much. There needs to be a high level of security built into those systems that are protecting classified or mission critical applications, but the decision should be based on the mission of the agency and the real need for the investment. Protection should be prioritized based upon the criticality of the information, systems and mission.
Also, guidance should not be too prescriptive. We’ve always found that the market responds better when the implementers of security products are given options to meet the intent of the controls. They may come up with more secure, less expensive solutions if given just a little bit of leeway. People are very creative in these situations.
I believe it should be integrated. When you’re designing a system, security controls should be considered at the same point as when you develop the concept of the system. It’s far more cost effective to have the security baked in at this point than bolted on afterwards. And industry is pretty much in sync with that thought now.
I agree that compliance for the sake of compliance doesn’t equate to security, because you can be secure at the moment you do the “box ticking” and 10 minutes later, be wide open again because a web developer added an application to a server.
However, more agencies are making an effort to do continuous monitoring, which we support. A simple adjustment towards a continuous monitoring regime is a much more effective approach than a compliance review once a year, and is a better verification of an agency’s security. The Continuous Monitoring and Assessment process that Northrop Grumman developed in conjunction with the Department of State is a great example of an affordable solution in this area.
As with anything, you have to have a balance between technology and the policies that will drive its use, because IT professionals can’t be everywhere. Things like FISMA and other policies enable people to understand what the secure state is and what standards and procedures they should follow to get there. The third piece is establishing a baseline for the technology and getting proactive mechanisms and security controls in place. That’s the three-legged stool for good cybersecurity.
I think government is farther down the line to getting to that than it was just a couple of years ago. It has a standard configuration for hardware and standard software controls. It also has policies such as FISMA and the guidance NIST has produced, along with a renewed look at the people processes, so that agencies can make sure there’s user awareness of potential threats.
I think government understands what the three legs of the stool are, and now it’s beginning to move the baselines in order to get there. You have to remember the threat landscape changes rapidly and sometimes policies may lag, but they will catch up and on occasion leap ahead.
One of the big intractable problems is the IT supply chain. If you look at any product out there - whether it’s the PC sitting on my desk or the printer - you need to ask what is in the DNA of those systems. How can we really validate their place of birth? I’m sure if you took apart any of these devices, you’d find there are plenty of foreign sources with input into their development, whether it’s code, firmware, etc.
It’s really a significant challenge and a weakness that is clearly being exploited. Obviously you can put in significant security requirements in order to meet your needs during the development of the product, but it remains a very difficult challenge. I am currently the Chairman of the Internet Security Alliance, which has been working with Carnegie Mellon, industry and government to tackle this challenge specifically for the electronics supply chain. We expect our guidelines to be published by March of 2012.
There’s a level of due diligence that has to be done by anybody that is going to outsource. They need to do that in order to understand that the company they outsource to follows the sound practices that agencies put in place and meet their security expectations. They’ll need to keep a small amount of it in-house in order to drive the checks and balances that will be needed to make sure the outsourcing companies are doing what they are supposed to. But as long as agencies do all of that, I don’t think they’ll face any extra vulnerabilities or suffer any more attacks than they would if they were solely responsible for running the enterprise.
Spear phishing continues to be the number one vector for attacking governments and businesses. When we look at our security plan for Northrop Grumman, and our training and awareness, and the countermeasures we put in to place against spear phishing, it’s a significant effort. We’re starting to make a dent in the success rate of our adversaries and coming up with solutions that are beginning to scratch the itch.
We do a careful analysis of our adversaries’ use of this vector to help us develop better defenses, and develop custom signatures based on that analysis. We also initiate employee awareness programs, which have helped improve our end users’ ability to identify and not click on, or respond to, targeted attacks. We even spear phish our own employees to help them recognize the signs of an attack and thus better defend our company.
A big part of it is persistent education married to research and development; we use this to develop innovative solutions that fill the gap.
It’s hard. Pretty much anyone that’s connected to and accessing the Internet is going to face this, because phishing has become the primary vector for attacks. What we try to do to bolster security in this area is through education and awareness. We have the Lockheed Martin “I Campaign” where we internally train our user force to understand what a phishing email looks like so they’ll be able to distinguish a genuine email from one that is from a cyber attacker.
But it depends on individual organizations as to how they do this, and what style that kind of campaign would take. The good thing is that there are now many tools that are available for this, as well as companies that know how to do it.
Within the Defense Industrial Base, a framework agreement between about 30 companies and the US government, I’d say information has been shared very effectively over the past few years. It’s created a trust framework for our industry that will help better defend the government and the companies themselves.
I think the next step is to scale this to include critical infrastructure and more critical infrastructure industries such as the financial sector. That’s something that the Department of Homeland Security will be taking a look at going forward.
The essential barriers to sharing information begin with the legal requirements. Streamlining the legal onramp to information sharing is probably the most critical area of focus for any information sharing effort designed to scale across hundreds or thousands of companies.
Information is routinely shared between government and the defense industry about specific attack profiles, and we’ve achieved some success in defending against attacks because of that. But I think that has to be expanded. There has to be more sharing between government and industry, and from industry to industry.
We are certainly not there yet, but the more we march in this direction we’ll start to see the same efficiencies that attackers get, because we know they do share information about tactics and procedures, as well as actual code. In order for us to meet threats with the same type of force, we have to do the same.
In the past, being successfully attacked was seen as something you had to keep quiet about because it was thought to reflect on the ability of your organization to do business. Now, people understand that it’s not necessarily indicative of the strength of their security program. It really has more to do with the complexity of the network and the sophistication of the attack.
We’re also getting smarter about the need to re-engineer business processes to increase protection for users’ information. We’re getting smarter about how to scrub all the key components so that, while we can tell you very precisely what kind of security event just happened, we can do so without risking the identity of those interests in other areas. I think that’s opening up a lot of sharing of information.
I’m a big fan of metrics. I absolutely believe in the old saying that if you can’t measure it, then you can’t manage it. At Northrop Grumman we have about 35 key performance indicators that we’ve been tracking for the past seven years – everything from performance to training and awareness, vulnerability remediation and so on. It’s critical for organizations to define those indicators upfront.
We’ve also found that if you’ve got multiple businesses and CIOs within an organization, metrics allow you to compare performance, which in turn creates a positive competition around who is doing security best. Defining performance metrics, getting them out to executives in the organization and making them visible is critical to the eventual success or failure of security efforts. Performance against these metrics can then be used to determine areas of over-investment or under-investment and thus help inform changes in your strategy or security portfolio. Measuring effectiveness is no doubt critical to success.
By delving into your network and understanding how it works you can come up with a number of key steps that an attacker would successfully have to accomplish to get to his objective. Within Lockheed Martin we describe a “cyber kill chain,” that we know cyber attackers have to go through in order to get to the company’s crown jewels. Such things as reconnaissance, the cyber weapons they use, command and control procedures, and then what they do once they get into the system.
Before, we believed we didn’t have any chance of stopping attacks because there were so many actors involved. But now we know what they need to do, and we can insert ourselves in order to disrupt them. I think those are the kinds of metrics we have to focus on. Get away from the idea of trying to provide 100 percent security and instead really focus on what the attacker is trying to do and then find ways to deny them and disrupt their ability to do that. Then we can measure success against how well we’re doing that.
I think it’s easy for agencies to understand the various phases of this, but it’s often hard to implement. It’s a constant learning process because attackers don’t stay static, but that’s the way to become more effective. Instead of going after a single attack or vulnerability you can now start eradicating whole classes of attacks.
Finally, recognize that some attacks may be successful and one needs to build resiliency into the system so that operations continue despite disruption.
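As an added illustration of the kill-chain metric described above, the following is example code written for this page; it is not Lockheed Martin’s or the page’s own code. The seven phase names follow the published Lockheed Martin Cyber Kill Chain model; the intrusion events and the control inventory are constructed sample data, and the “stopped” and “detected” outcome labels are an assumption of the example. It computes the earliest phase at which each intrusion attempt was denied or disrupted, a histogram of where attempts were stopped, and the phases with no control capable of stopping an attacker (the gaps that let a whole class of attack through).

```python
"""Kill-chain metrics: how early in the chain are intrusions stopped?

Added example for this page, not Lockheed Martin's code. Phase names follow
the published seven-phase Cyber Kill Chain; the event records and control
inventory below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
PHASE_INDEX = {p: i for i, p in enumerate(PHASES)}


@dataclass(frozen=True)
class Event:
    intrusion: str   # identifier tying together the events of one intrusion attempt
    phase: str       # kill-chain phase the observation maps to
    outcome: str     # "detected" (seen only) or "stopped" (denied/disrupted) -- assumed labels


def earliest_stop(events):
    """Map each intrusion to the index of the earliest phase where it was stopped.

    None means the attempt was never stopped (it reached its objective or is
    still in progress), which is the number defenders most want driven to zero.
    """
    result = {}
    for e in events:
        if e.phase not in PHASE_INDEX:
            raise ValueError(f"unknown phase {e.phase!r}")
        idx = PHASE_INDEX[e.phase]
        result.setdefault(e.intrusion, None)
        if e.outcome == "stopped":
            cur = result[e.intrusion]
            if cur is None or idx < cur:
                result[e.intrusion] = idx
    return result


def stop_histogram(events):
    """Count intrusions stopped per phase; 'not_stopped' for those that got through."""
    hist = Counter()
    for idx in earliest_stop(events).values():
        hist[PHASES[idx] if idx is not None else "not_stopped"] += 1
    return hist


def coverage_gaps(controls):
    """controls: {phase: set of actions such as 'detect', 'deny', 'disrupt'}.

    Returns the phases where nothing can actually stop the attacker, i.e. the
    defender can at best watch. Those are the gaps to close first.
    """
    return [p for p in PHASES if not (controls.get(p, set()) & {"deny", "disrupt"})]


# Constructed sample data: four intrusion attempts, as a SOC might record them.
SAMPLE_EVENTS = [
    Event("A", "delivery", "detected"),          # phishing mail seen, not blocked
    Event("A", "exploitation", "stopped"),       # exploit blocked by patched host
    Event("B", "delivery", "stopped"),           # mail filter dropped the lure
    Event("C", "command_and_control", "detected"),  # beacon seen, never cut off
    Event("D", "delivery", "detected"),
    Event("D", "installation", "detected"),
    Event("D", "command_and_control", "stopped"),   # beacon domain sinkholed
]

# Constructed control inventory: which actions a defender has per phase.
SAMPLE_CONTROLS = {
    "delivery": {"detect", "deny"},
    "exploitation": {"detect", "deny"},
    "installation": {"detect"},
    "command_and_control": {"detect", "disrupt"},
    "actions_on_objectives": {"detect"},
}


def report(events=SAMPLE_EVENTS, controls=SAMPLE_CONTROLS):
    """Return the three metrics together; the kind of figure to put in front of executives."""
    return {
        "earliest_stop": earliest_stop(events),
        "stopped_per_phase": dict(stop_histogram(events)),
        "phases_without_stopping_control": coverage_gaps(controls),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run over real data, the useful trend is the histogram shifting left over time (attempts stopped at delivery rather than at command and control) while the not_stopped count falls; a phase that keeps appearing in coverage_gaps is where the next investment belongs.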
In the last five years we’ve seen a tremendous focus on cybersecurity, and I believe that will only continue. There’s also a tremendous effort underway within both the House and Senate to have a comprehensive cyber bill this year, and I’m hopeful that will happen. I also see government and industry working together in new ways on many of these cybersecurity challenges. Things are trending in the right direction from the resources and funding perspective, and there’s even international discussion around the topic.
The area that gives me pause is the workforce. We do not have the numbers of security professionals that we’ll need for the future. We do not have the curriculum defined to properly educate that future workforce, and we really need to devote more time to that issue if we are to have the workforce we need 10 to 15 years from now.
Northrop Grumman is committed to building the pipeline of qualified cyber pros through programs like CyberPatriot, a national high-school cyber defense competition. What gives me hope is the encouraging rise in teams competing over the past few years. The program went from 176 in 2010, to 661 in 2011, to more than 1,000 teams competing this year. A very exciting trend!
The future is not grim, I can tell you that. We’re getting smarter and we’re getting faster. We understand what the threat is more quickly, and we’re starting to move resources towards doing things more effectively. The main elements that will be key are automation and understanding how the people, processes and technology intersect so that we can put controls in place that will actually enhance their ability to use the technology, but securely.
One thing we as security professionals and IT users have to do is become more predictive so we have a much better idea of what the next cyber threats will be. And then find ways to drive down the costs of putting those better security mechanisms in place, because what drives effective security is affordability. It can’t be cumbersome, and it can’t be expensive.
I do think both government and industry understand this and know what it will take. And they are working out ways to move toward it faster.
8609 Westwood Center Drive, Suite 500, Vienna, VA 22182-2215 703-876-5100 © 1996-2016 1105 Media, Inc. All Rights Reserved.