The cyber threat agencies continue to face will dramatically expand over the next five years as the amount of data and the use of devices grow.
The increasing complexity of networks and data requires agencies and contractors to think differently about cybersecurity. David Bray, the Federal Communication Commission’s chief information officer, said to defend the networks and devices of tomorrow, agencies need to consider changing their current approach.
Bray, who spoke Thursday at the AFFIRM and U.S. Cyber Challenge’s Second Annual Cybersecurity Workforce Summit in Arlington, Virginia, said for him that different thinking focuses on three principles. “We do a lot on signature detection, how can we also move to be much more about behavior, so we can deal with unknowns? It may just be the hardware or software is having an issue, but it also could be a cyber threat that isn’t characterized yet,” he said. “The second step would then be thinking about how do I move from just security to resiliency? If you accept that there are a lot of known threats and there are unknown threats and they will only get larger, it’s really about how rapidly can you be resilient in terms of something happens you contain it, you clean it up and then you can respond to it. And then third, how can we work together as teams? You definitely need the experts and the professionals, but it really takes an entire team to deal with that new world in terms of both public relations, in terms of what’s going on behind the scenes with network operations, and just generally understanding the code too. Can we write code that shifts us from being much more about application centric to data centric?”
The reason for this new thinking isn’t just the evolution of smartphones or tablet computers, but the quickly morphing of everyday items into networked devices from cars to refrigerators to many common household items.
Insight by Splunk: USDA, FDA and Army Futures Command will explore how agencies are using data as a tool in digital transformation and cybersecurity.
Bray said some estimate that there currently are 7 billion network devices and 4.5 billion terabytes of data on the planet. He said many expect those figures to double every two years, meaning by 2022, there will be between 75 billion and 300 billion network devices and 96 billion terabytes of digital content around the world.
To some this is what the Internet of Things (IoT) is all about — a totally networked society.
IoT running on insecure systems
Bray said the cyber problem — at least right now — is the IoT will run mostly on industrial control systems using the Internet protocol Transmission Control Protocol/Internet Protocol (TC/IP). He said TC/IP is not a secure protocol, leaving many connected devices to face the same cyber challenges as computers, PCs and the like face today.
If organizations move from looking for malicious or attack signatures to training employees and using identity management and access control techniques, they will address many of the current cyber vulnerabilities.
Bray said a key piece to changing behavior is depending on computers to spot abnormal online actions of employees.
“If something happens that looks odd, it’s not an immediate stop, it’s just more that the security officer or someone will have a conversation and say, ‘I see you are trying to access this application that you don’t normally access, is there a reason? Can you tell me why? Or are we seeing abnormal patterns?'” he said. “I think that is what we need to get into, which is almost like the machine is helping to tip and cue what looks odd. There may be a valid reason, or it may be a hardware or software issue, but there’s just so much going on in an organization that if we are reliant solely on human eyes paying attention to it, we will miss things. We need the machines that can actually say, ‘I’m not exactly sure what’s going here, but someone needs to take a look at it.'”
Bray said a machine can act like a 5-year-old child, who can recognize when things are wrong, but aren’t sure why.
At the FCC, Bray said he’s moving as much of his infrastructure to public clouds to capitalize on the scale and expertise of the service providers.
“With that, we also are trying to work with our partners so that we do get information on what’s being done with our data, can we also start doing trend analysis so we can actually say what is normal access patterns for the behavior in the cloud beyond what we normally see,” he said. “We have to be strategic about our pivot. I don’t want any business of maintaining infrastructure as it is right now at the FCC. The good news is since I’ve been here, we’ve gone down from having 207 different systems now to have more like 102 or 103, so that’s half way there. But we still have a long way to go and I just cannot continue to spend the limited budget I have on maintaining aging infrastructure. I really do have to move to the cloud and then focus on resiliency, that includes security but also reliability, agility and flexibility.”
A CDC for cyber?
This approach of machine learning and then pairing the computer with a human expert already has proved successful. Bray said cancer researchers taught a computer to recognize the difference between normal cells and those that may have changed. Bray said the machines can be 95 percent to 98 percent accurate in identifying cancerous cells.
Bray, who in late 2014 received the honor of being named a 2015 Eisenhower Fellow, recently spent time in Taiwan and Australia learning and discussing the Internet of Things.
He said that experience provided a broader viewpoint around the challenges of securing millions of networked devices.
“With IoT, maybe we need to approach it much more like public health than just building higher walls and tougher locks,” he said. “What I mean by public health is yes, we teach you good hygiene, and we want you to practice good behaviors like seeing a doctor, getting antibiotics and vaccinations. But we recognize you still might get sick, and when you do get sick, it’s really about rapid detection, rapidly addressing whatever the things are and then rapid clean up. We may need to think about the same thing for devices. Questions I got in Taiwan and Australia, who is going to take care of your grandmother when her car gets hacked or when her refrigerator gets hacked? At least in my experience as an Eisenhower Fellow and my personal views, I’m not necessarily sure it’s going to be law enforcement or even the military, I think it’s going to have to be something new, much like how we do infectious disease and public health.”
Bray said officials from the Taiwanese and Australian governments said a public health-like approach to cyber is an interesting concept to them as well.
The third piece of Bray’s idea of a new approach to cyber is focused on teamwork.
He said it’s not just cyber experts, but people from many disciplines, including the program or mission side, data scientists and coders who will need to contribute to the protection and defense of future networks.
Over the last 20 months, Bray said he’s created a broad team of experts made up of long-time FCC employees, new workers from academia, Silicon Valley and even former contractors.
“We’ve assembled this diversity of talent and it really is different views. Often, I see my job as bridging those different views,” he said. “As a result, we get this rich diversity to how we tackle things. That applies to how we do resiliency and how we are baking into certain resiliency approaches.”