There's cybersecurity, and then there's cyberwarfare. My next guest is both an academic and a practitioner of cyber wargames. He's here to update us on the types of...
There’s cybersecurity, and then there’s cyberwarfare. My next guest is both an academic and a practitioner of cyber wargames. He’s here to update us on the types of exercises going on right now in federal agencies. David Brumley is CEO of ForAllSecure, and recently returned to Carnegie Mellon University as a computer science professor
Interview Transcript:
Tom Temin Let’s start with that distinction between cybersecurity, which everybody does, and cyber warfare, which you don’t hear as much about, but you presume one presumes is going on.
David Brumley Yeah, I mean, they’re different. Cybersecurity is a very broad term. It applies to lots of different things. And typically it has a notion of something that you’re trying to be defensive about when you’re talking about cyber warfare. What you’re really talking about they’re strategies to achieve an ends. Like the end goal in cyber warfare is not to put a bit on someone’s desk or put a file, it’s to have some military intelligence outcome. And so you’re you’re thinking about a different cybersecurity really focus on just the cyber aspect and you ignore things that are outside that. Well, in cyber warfare, you’re trying to look at the holistic picture picture and the outcomes you’re trying to achieve. And just by the nature of our digital society, cyber is becoming a bigger and bigger part of that.
Tom Temin And we know that some rivals, let’s say, to the United States, particularly China and Russia, are very good at getting information out of U.S. systems. It happens pretty regularly. Is that cyber warfare? Because they’re trying to understand what our secrets are, what our strategies might be, what our capabilities might be as distinct from entities in those same areas that are going after ransomware from hospitals just to get the money.
David Brumley Oh, that’s a great question. So actually, I think there’s another distinction I want to make. So if China breaks in and tries to steal secrets, we have agencies whose entire job is foreign intelligence doing the same thing. I call that traditional, good old fashioned spycraft. This has been going on for ever. The main job of these agencies for spying are to gather information, write a report and inform military. We’re talking about cyber warfare. That’s actually something a little bit different in my mind. We’re actually talking about a conflict where there’s active participants and it’s probably an important part to talk about strategy here, because the U.S. strategy in cyber warfare is just different than Russia or China, because, again, when we talk about strategy, we’re talking about a means to an end. China, part of their cyber strategy is to break in and steal a bunch of IP because then they can use the US intelligence and all the patents that we have and all the great work that goes on not have to reinvent the wheel and get a leg up that way, right. Compete for us economically. So their stronger strategy is a lot about economic dominance. In the US, we would never do this. There’s nothing in the US where an NSA would break into a place in China and steal IP and give it to an American business. This is just illegal. It just doesn’t happen. And so when you think about cyber warfare, you also have to think about not just like what are the cyber tactics, but what are the goals. They may be different and what are the legal frameworks that each one’s working under because everyone is working under a different framework or a different thought.
Tom Temin Well then how do our strategy is to understand what’s going on militarily or what their strategies are? What form do you suppose that might take and how do they how do they develop the strategy into an operational construct that they can carry out the strategy?
David Brumley I think it’s easier to talk about what our adversaries are doing in this sort of forum. Right. So China very much has this strategy of breaking and stealing IP and redistributing it and competing with us economically. When we look at the US, we of course, like everyone, have good old fashioned spying and we have great spies in cyber who can gather intelligence. When we think of cyber more from a warfare point of view, we’re looking more at there is an armed conflict or there is a conflict, the rules of warfare apply. You try to limit collateral damage, and it’s very much within that scope of combat. Compare this to Russia. Right. Russia’s strategy is very interesting. There are Russian hackers who really are criminals, but it’s kind of like the Al Capone, right? Putin will let them be as long as he can call them from time and time to a favor. And so their strategy is a little bit different. And if you think about like, how do you arm your cyber warriors. The US, its enlisted people, it’s government employers, while Russia it can be some criminal who’s really good at cyber. And then just ask him for a favor. It’s really an interesting battlespace.
Tom Temin We’re speaking with Dr. David Brumley. He’s a Carnegie Mellon computer science professor and CEO of AllSecure. And so how do you counter that? Because if we don’t purloin IP, what do we do over there and how can we get us back into cybersecurity again? The posture of defensiveness to keep people out of our IP, we’re not very good at it. So you have the cyber warfare seems like a one way proposition that way.
David Brumley I think, yes, the US has several advantages as far as like being the top in AI, having a lot of IP, having top computer manufacturers. A lot of our efforts should be defensive focused for how we go about and secure our infrastructure because just naturally we’re going to be the big target. Part of defense js doing offense but doing offense locally. So I want to distinguish between breaking into someone else’s computer and trying to break into your own computer. And so when we think about the US, a lot of what they’ve been doing is purely defense. Defense. They’ve been trying to figure out how do we put up firewalls, how do we check our risk posture where we haven’t been quite as good as this offensive defense. Can I hire a hacker to break into the system so that I can learn from it and fix it? In fact, in other countries, they’re a little bit better at the I’m going to break into someone else’s computer just because they don’t have the whole construct of that we have in the US with what are the rules and regulations for doing that?
Tom Temin I remember one case a few years ago of an intel employee, not the intelligence community, but the Chipmaking company, Intel, who found a big cyber flaw across their systems, did not actually execute the hack of it, but showed what could happen. And I think they fired him and he might have been subject to prosecution for ethical hacking. I guess at least from his standpoint, it seemed ethical. Is that still going on or are we still we seem to have a lot of squeamishness about things that other countries do with relish.
David Brumley I think what a lot of people in computer security has have realized is it’s a terrible battle. When you’re fighting this on a legal front, really, you face this on a public publicity point of view. And so we see like Tesla going to great hacking contests like Pwn2Own putting out their products. Sure, they get hacked, but then Tesla takes that back and improves their security and people think of them as a better product because of it. Same with Google Chrome. There are still some companies who try to take this legal. You weren’t authorized to do it. I think they end up failing not really because of the legal, but because everyone realizes that’s not the right thing to do. There is something called bug bounties. You mentioned ethics. Ethics is an interesting question. There is no legal authority. Everyone has to hack into someone else. Like if you find a vulnerability in commercial software, you are not legally you’re protected from action. Unless the company has a bug bounty program. A bug bounty program is what gives you that legal safe harbor. And so when we’re thinking about how you as a as a company or how the federal government bug bounties are really a way of giving people permission to responsibly disclose without fear of prosecution.
Tom Temin Got it. And you yourself participate in some pretty elite bug bounty or hacking teams, blue team, red team, black team, white team activities. What’s the most common thing people just don’t do to leave themselves vulnerable?
David Brumley Yeah, I mean, there’s two things. First, there’s the do nothing is always the common enemy. The second thing that I’ve seen, and this has really been over the last five years, is security doesn’t have access to the developers who write the code or to make changes to the code or configuration. So I’ve seen, as you just mentioned, a blue team. Right? A blue team’s entire job is to protect infrastructure, but they have no control over how it’s set up or what goes into it, or they can’t talk to the developers. They’re destined to fail. At the best case, they’re just always behind. And so when we look at the elite hackers, the people who are really good at this sort of stuff, they’re getting into the code, they’re looking at the attack surface and it’s really quite beautiful. Hackers, to me are just creative people who can bend computers to their will. Most of us are locked into these ecosystems and have no idea how to do it. But the best hackers, what distinguishes them as they just don’t get locked in because they understand everything at all levels. The danger is when people think security is just this butter you apply at the top at the end.
Tom Temin You could almost make an analogy with the COVID vaccine. The thing that enabled the country to understand what was going on was the photo micrographs of the bacteria of the virus itself. With the little hairs are sticking out, little purple tentacles all over the sphere and the locking mechanism that it had with human cells. And otherwise, if you just looked at it externally, you’d never come up with a cure.
David Brumley That’s actually a great analogy. Certainly a great thing to use bleach in cleaners. That’s a little bit like what a lot of security teams are relegated to clean up trying to prevent further infection. But until you look at the virus, until you get that scientific deep understanding, you can’t come off something proactive like a vaccine.
Tom Temin Well, what you’re saying sounds like there needs to be almost a brand new construct in how systems are developed with the eventual the architects and the coders needing to communicate with one another and understand what one another are doing and what their goals are. And that you don’t see much of, do you?
David Brumley We don’t see much of it, especially in the federal government. Almost zero of this in the federal government. Security comes at the end and tell you the truth, often there’s not even money to fix the problem. It’s basically to identify problems when you go and look at the best in industry, if you look at a Google, for example, they do have that tight connection. And that’s the way they can have public infrastructure that’s up 99.99% at the time and gets hacked once per three years and then the next day it’s fixed as opposed to a lot of the fed systems.
Tom Temin Well, that leads to a question of the difference between just intelligence gathering and cyber warfare from who does what in the federal government and who should be doing what.
David Brumley Yeah, it’s something most people don’t appreciate, but there’s different international laws and US laws based on what people can do and the consequences of it. If you think about it. Intelligence, you think about spies and people like the NSA and spy is a very dangerous craft, right? Like if you capture a spy in your country, often they’re executed. Even in the US after World War II, we executed two spies for revealing nuclear secrets. When you look at combat and you look at cyber warfare, you’re really talking about operating what’s under called Title ten. And there you have enemy combatants. Completely different rules of warfare apply between these two. So they’re both part of cyber. They both have an effect on the US in the world, but they’re actually completely different activities. So that’s, for example, why we have an NSA and CYBERCOM that are different.
Tom Temin And do they understand what one another are doing, do you think? It’s hard to tell externally, but I sense you might have some knowledge of that.
David Brumley They very much do. So NSA and CYBERCOM are there’s a person named General Nakasone who’s dual hatted. He’s in charge of both. And that’s actually controversial. It originally was done that way because CYBERCOM is a new command, a new military command. And so the idea was NSA already had expertise. As CYBERCOM was first growing. They could learn that expertise from NSA because they were traditionally the best people. And that’s continue to this day. There’s a lot of discussion on whether they should separate because they do have different missions. NSA’s mission is foreign intelligence. Well, Cyber Command’s mission is to support the combatant commander in the battlefield so they know what each other is doing, but they have completely different rules going on. And so that’s kind of the hard part. When you have dual hat is. The person Nakasone has this hard job of saying and my operating under this set of laws or this set of laws.
Tom Temin Right. So when he talks to himself, he has to keep changing hats.
David Brumley Yeah, I’d love to be in the room with that conversation.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED