4 April 2017

What keeps cybersecurity experts up at night?

Sara Sorcher

For Passcode’s last Influencers Poll, we asked an open-ended question: What’s the most urgent cybersecurity or privacy challenge right now, and what’s one way to fix it? 

MARCH 27, 2017 — Securing elections from hackers. The spread of connected devices. Nation-state attacks. The lack of cybersecurity talent.

These were some of the pressing cybersecurity challenges that keep Passcode’s group of security and privacy experts up at night.

Passcode’s Influencers Poll regularly surveys 160 high-profile experts from across government, industry, and the advocacy community. For one last poll before Passcode shuts down, we asked an open-ended question: What’s the most urgent cybersecurity or privacy challenge right now, and what’s one way to fix it?

Several Influencers were concerned about the impending explosive growth in the sheer number of devices connected to the internet. “Whether one calls them embedded systems, or the 'Internet of Things,' the combination of these little computers, poor security design, and upcoming high-speed wireless networks are a perfect storm of sorts that holds the potential to make all of our current cybersecurity concerns worse, more persistent, and of much larger scale,” says Bob Stratton, a serial security entrepreneur, investor, and consultant.

In order to combat this, Mr. Stratton says, “we as consumers, investors, and regulators all have to make clear our insistence upon products (of all kinds) that have at least some basic modicum of system integrity and resistance to compromise built in at the time of manufacture. Not every connected light bulb has to have the same security features as a desktop computer, but it is reasonable to expect that ours will only obey commands from the proper controllers and at a bare minimum, that these little devices do not provide a foothold for an attacker trying to gain access to the rest of our home and business networks.”

To that end, the No. 1 challenge for Dan Kaminsky, cofounder and chief scientist at White Ops security firm, is making secure development of products “faster, better, and most importantly, cheaper.”

“Astonishing things can be built on a solid foundation. They can also be built on quicksand, but they won't last very long,” he says. “We need to escape the false dichotomy between quickly developed crud and monoliths of perfection. It needs to be relatively easy and straightforward to build and operate secure systems. A lot of that is going to involve actually studying what developers want and need, and giving them tools that maintain and retain security as a first class feature.”

Dan Geer, chief information security officer for In-Q-Tel, a not-for-profit investment firm that works to invest in technology that supports the missions of the intelligence community, took a big picture approach in his answer: The most urgent issue, he says, is people’s overall dependence on technology. “The more people use something, the more it is depended upon. Because the wellspring of risk is dependence, risk is therefore proportional to adoption. We call that on which we most depend critical infrastructures. Because dependence is transitive, so is risk,” Mr. Geer says.

“That you may not yourself depend on something directly does not mean that you do not depend on it indirectly. Interdependence within society is today absolutely centered on the Internet beyond all other dependencies excepting climate, and the Internet has a time constant five orders of magnitude smaller. The complexity of our problem is therefore unacknowledged correlated risk and the unacknowledged correlated risk of cyberspace is why cyberspace is capable of black swan behavior.”

To address this, Mr. Geer says there’s no single bullet. “Bring a revolver,” he quips, advocating for “disconnected operation for critical infrastructures, stress testing for entities too connected to fail, public seizure of abandoned codebases, mandatory cyber-event sharing above some threshold of seriousness” and to “geocode the internet, just as cellphones are.”

Other experts pointed to broader privacy challenges as consumers put more and more personal information online. Jenny Durkan, global chair of the Cyber Law and Privacy Group at Quinn Emanuel law firm, points to “gross and unnecessary overcollection of personal information” as her major concern – especially because it’s not adequately protected by the companies that collect it, and consumers have “no realistic way” to control how their personal data spreads online.

To solve this problem, Ms. Durkan says, “consumers should be given an easy and clear way to opt out of data collection and still utilize new technology, and should have the right to limit, review and remove data collected about them for commercial purposes. Innovators need to build and bake better security into technology from the outset. We must end the ‘innovate, then secure’ mindset.”

Several Influencers said the biggest challenges were not necessarily the cyberthreats themselves – but people’s reaction to them. “The most urgent challenge to both cybersecurity and privacy right now is the threat of overreaction that stems from incidents that occur,” says Christian Dawson, executive director and cofounder of the Internet Infrastructure Coalition. 

To prevent this, Mr. Dawson adds, “a focus on technical education is essential, to aid legislators and regulators in a sound understanding of tech issues. If they comprehend the tech environment prior to a threat, they will be less likely to over-react legislatively during one.”

Similarly, Jeffrey Carr, president and chief executive officer of Taia Global, Inc., worries about “the likelihood that we will go to war over incorrect attribution of a serious cyberattack.”

“When the leadership of both House and Senate Intelligence Committees misrepresent the facts of electoral databases being hacked, and when national policy decisions are frequently driven by privately provided intelligence data that is often unverified and unreliable, and when the private sector and the media can announce nation state attribution of a cyberattack, right or wrong without fear of blowback, then a window of opportunity exists for a malicious third party to cause two nations to escalate to a kinetic conflict when the presumed attacking state is innocent,” Mr. Carr continues. Unfortunately, Carr says there’s “no way to address it because the cyberthreat intelligence industry has no incentive to change and the US government doesn't acknowledge it as a problem.”

A few Influencers agreed that before any of these challenges can be tackled, the pipeline of people itself needs securing. “There are a reported one million or more job openings currently in the cybersecurity field, and some industries are just beginning to grow their efforts in this space,” says Jeff Massimilla, chief product cybersecurity officer for General Motors. “This gap will likely increase, making it even more difficult for companies to find qualified individuals to fill these roles.” Mr. Massimilla suggests developing more robust university curricula and programs, specialized academic support and focused efforts on job placement after graduation for students interested in the cybersecurity field.

Günter Ollmann, chief security officer at Vectra Networks, also said the shortage of appropriately trained and experienced cybersecurity staff is the biggest challenge, and offered two different ways to solve it. “There are two primary methods for incrementally addressing the shortage of experienced cybersecurity staff. Firstly, the increased deployment of machine learning and AI-based technologies that reduce the technical load on expert staff. And secondly, concerted efforts to encourage more women to join the information security field, coupled with better pay and support mechanisms for women already commencing their cybersecurity careers.” 

Mike Papay, Northrop Grumman

Challenge: “Cybersecurity of the things in our life we rely on: IoT, critical infrastructure, vehicles, etc.”

Solution: “Ensure a market-based economy exists that values the security as well as the capability of the systems we buy.” 

Nick Selby, Secure Ideas

Challenge: “There is still an almost total lack of training for non-federal prosecutors on cyber crime. This means almost no cybercrime cases are brought outside the federal system.”

Solution: “The DOJ and federal government must provide funding for training of District, County, and State's Attorneys on how to bring cybercrime cases. This is the only way to balance the load placed on federal authorities, and the only way to make a dent on logarithmic growth in cyber criminal activity.”

John Pescatore, SANS Institute

Challenge: “Increasing use of strong authentication – moving away from reusable passwords.”

Solution: “Require strong authentication for online tax filing.”

Christian Dawson, Internet Infrastructure Coalition

Challenge: “The most urgent challenge to both cybersecurity and privacy right now is the threat of overreaction that stems from incidents that occur.”

Solution: “A focus on technical education is essential, to aid legislators and regulators in a sound understanding of tech issues. If they comprehend the tech environment prior to a threat, they will be less likely to over-react legislatively during one.”

Daniel Castro, Information Technology and Innovation Foundation

Challenge: “There is a market failure around cybersecurity. Consumers cannot easily compare the security features of two products. This is an information asymmetry problem that government can help fix.”

Solution: “Most companies publish a privacy policy, which helps create a transparent and accountable mechanism for regulators to ensure companies are adhering to their stated policies. However, no such system exists for security practices, which has resulted in vague standards, regulation by buzzword, and information asymmetry in markets. By publishing security policies, companies would be motivated to describe the types of security measures they have in place rather than just make claims of ‘we take security seriously.’ This is a concrete step that policymakers can take to improve security practices in the private sector.”

Marc Rotenberg, Electronic Privacy Information Center

Challenge: “Growing threats to personal privacy and the increase in identity theft, data breach, and financial fraud.”

Solution: “The United States needs to establish a Data Protection Agency, like every other democratic government. There is a real risk of a cyber security policy that protects US businesses and US government agencies but leaves the personal data of Americans at risk.”

Chris Finan, Manifold Security

Challenge: “Vulnerabilities in the nation's operational technology. Many critical infrastructure industrial control systems remain at risk because some operators have not prioritized security. Americans could absolutely die as a result of an attack against one of these vulnerable systems.”

Solution: “Congress must enact legislation to ensure the operators of the most critical systems prioritize security. The public will eventually get legislation to that end that protects communities, it's only a question of whether it happens before or after a major incident.”

Abigail Slater, Internet Association

Challenge: “Keeping our nation's networks, including those of our key institutions, safe from malicious attacks. Trust is a must, and fostering trust online is a team sport. So the challenge will be restoring trust through teamwork.”

Solution: “Strong encryption is a tried and tested tool and is needed now more than ever. This is why the Internet Association supports policies that enable strong encryption online.”

Mårten Mickos, HackerOne

Challenge: “Citizens worrying that cybersecurity issues in society are in much worse shape than what any official spokesperson is ready to publicly acknowledge.”

Solution: “More transparency (in public sector and by companies) about cybersecurity threats, incidents and solutions.”

Cris Thomas a.k.a. Space Rogue, Tenable Security

Challenge: “The popular answer to this question will be 0-day, APT, IOT or international norms in cyberspace or any one of a dozen other trendy topics. But the most urgent cybersecurity challenge right now is the same as it has been for the last twenty years. Know thyself. The first thing an attacker does after they have gained access to a target network is map it out and find where the valuable information lies. In a short amount of time the attacker knows more about a network than the administrators of that network. We need to focus on the basics of network security, know your network and what is on it, that includes mobile, virtual, cloud and containers. Patch critical systems with critical vulnerabilities first. Most attackers don't waste 0-days if they don't have to, no, they search for the 100-day or even the 1000-day vulnerability that someone didn't patch. Make sure that your network is properly set up and configured, that the firewall rules are not set to any/any. Misconfiguration or underutilization of security tools is a continuous problem. Keep a tight control on user credentials, only allow the minimum access an employee needs to perform their job and restrict that access when it is no longer needed, especially when an employee leaves your organization. The failure to follow even the most basic cyber security principles such as these is the most urgent cybersecurity challenge right now.”

Solution: “The answer is not user education. Yes, user awareness training does help reduce security incidents but it won't prevent them and blaming a user for accidentally clicking on a link is not the answer. Addressing the failure of most organizations to follow even the most basic cyber security principles is a multi-pronged problem. Executives are still not taking cyber security seriously enough and are not devoting enough resources to the teams attempting to correct the problems. In some cases the security teams themselves do not understand the severity of the threat or feel they need the latest blinky light solution to save them when all they really need to do is the boring mundane work of inventorying their networks, patching their systems, checking their configurations and keeping an eye on their access credentials.”

Ely Kahn, Sqrrl

Challenge: “I think the most urgent cybersecurity challenge is the need for all organizations to fully understand the cyber risks they face, how those risks affect their mission, and what are the most cost effective ways to mitigate those risks.”

Solution: “Adoption of the NIST Cybersecurity Framework is a great start.”

Charles Brooks, Sutherland Global Services

Challenge: “Google Evangelist (and a founder of the Internet) Vint Cerf has stated that there is no such thing as privacy on the Internet. I agree, especially in regard to our future. In our evolving digital world, anything and everything is likely to be connected. The rapid proliferation of Internet of Things (IoT) devices (Cisco predicts 50 billion devices by 2020) implies that privacy is becoming quite a conundrum. I would posture that IoT is our biggest privacy challenge because it encompasses every vertical, financial, health, commercial, energy, communications, and security.”

Solution: “A way to help ensure privacy in IoT is to standardize security with manufacturers, encrypt, authenticate, firewall, and practice strong cyber hygiene.”


Sascha Meinrath, X-Lab 

Challenge: “Educating key decision-makers about technological realities.”

Solution: “For the past ten years, I've been a vocal advocate of the need for technological expertise to be in the room and at the table whenever legislative and legal deliberations are taking place. In much the same way that we understand the need for lawyers to be involved in key decision-making, it is as important that technological savvy be equally represented in these processes.”


Tom Cross, Drawbridge Networks

Challenge: “The most urgent cybersecurity challenge right now is the need for more skilled security professionals. Every organization that I work with is struggling to find and retain skilled people, and this challenge is slowing down their efforts to protect themselves.”

Solution: “One way to address the skills shortage is to think about how to do more with less, both in terms of helping CISOs properly prioritize the tasks that they have, and developing security tools that have lower administrative overhead and amplify the efforts of small numbers of people.”


Joel de la Garza, Box

Challenge: “User education and awareness.”

Solution: “Nationwide awareness campaigns. Similar to public safety campaigns around seat belt use or littering.”


Scott Montgomery, Intel Security

Challenge: “Trained labor is in the midst of a nasty math problem. The number of devices, the amount of data, the vectors of delivery, the variety of threats increase at a dramatic pace. The number of trained practitioners remains relatively static, as do budgets. There are still (I checked) only 24 hours in the day. Something has to give, and it's results. Time between breach and detection is higher than four years ago even with 'better' technology and more experience.” 

Solution: “The overall amount of labor to achieve a solid security and privacy posture MUST be reduced. Industry needs to make more reliable, easier to use products that integrate well with competitors and other ecosystem vendors. Practitioners need to embrace automation and information sharing. Regulatory bodies should be agreeing on a smaller number of more useful standards. Organizations must begin data valuation efforts in order to stop treating all data equally and apply their meager resources where it matters most.”


Nicole Eagan, Darktrace

Challenge: “Cybersecurity has become an arms race – we have entered a new era of rapidly-evolving threats characterized by speed, sophistication, and automation. It’s no longer just about compromised websites or stolen data. Today’s threats are far more insidious, aiming to garner media attention and undermine the very integrity of our data, and the institutions who host it. Early glimpses of these ‘trust attacks’ have been seen from DNC to Yahoo. We’re even starting to see the beginnings of a new generation of cyber warfare, where attackers use machine intelligence to subtly infiltrate organizations and learn how to blend in. Legacy defenses rely too heavily on perimeter protection and rules and signatures. Yet, these approaches are no longer sufficient to combat evolving attacks, as companies struggle to stay abreast of the ‘unknown unknown’ threats and the ever present risk of insider threat. Quite simply, companies have a huge visibility problem – they cannot see what is happening beneath the surfaces of their own networks. Complete network visibility while securing networks from the inside out will be of paramount importance in the battle against advanced threat-actors.”

Solution: “Self-learning technologies using genuine machine learning will be critical to solving this problem. New ‘immune system’ technologies are capable of learning a ‘pattern of life’ for every user and device to establish a comprehensive understanding of the network as a whole. From this baseline, it can detect emerging anomalies in real-time, and even take precise action to automatically respond and neutralize the threat. It’s a brave new world, and companies need to arm themselves with a self-defending network to stay one step ahead of even the stealthiest threat-actors.”


Stewart Baker, Steptoe & Johnson

Challenge: “Nation-state hacking of banks.”

Solution: “Aggressive international sanctions on countries and groups identified as having hacked banks.”


Steve Weber, School of Information, University of California - Berkeley 

Challenge: “In one word: complacency. The internet has become a very dangerous place for businesses, governments, and people -- but most of us aren't scared enough to do much different.” 

Solution: “First, ban the word 'hacker' from the cybersecurity lexicon. Don't let criminals, spies, liars, and terrorists cover themselves with a label that makes them sound creative, innovative, and clever.” 


Terrell McSweeny, Federal Trade Commission 

Challenge: “As an FTC Commissioner, my focus is on consumer data privacy and security. At the moment, the most urgent privacy challenge facing consumers is Congressional action to eliminate broadband privacy -- a huge setback for consumer control over their sensitive data. Maintaining the FCC's current rules would make ISP practices more consistent with consumers' expectations of confidentiality. The majority's haste to lay waste to privacy protections doesn't bode well for the development of a thoughtful and comprehensive approach to consumer privacy. It also likely means we won't see comprehensive data security legislation to address one of the most urgent cybersecurity challenges: the billions of insecure IoT devices that are rapidly becoming integral parts of our daily lives.” 


Matthew Eggers, US Chamber of Commerce 

Challenge: “An urgent challenge is crafting a new US cybersecurity strategy that features business input.”

Solution: “America’s approach to cyber is at an inflection point. Industry is typically the first to take a cyber punch on the chin, and public policy should be adjusted accordingly. Policymakers need to engage the business community before, during, and after the strategy is written. We need to highlight international norms and deterrence. Our national deterrence deficit lies in our struggle to stymie attacks by criminal groups and foreign powers that fall into the malicious middle of the attack spectrum. This middling sweep of aggressions is bookended on the one hand by relatively minor attacks that companies are capable of blunting on their own and acts of war on the other, which could require government involvement.”

David Brumley, CyLab

Challenge: “Internet of Things device security.”

Solution: “Automating security checks. We need to move beyond manual approaches.” 


Adam Segal, Council on Foreign Relations

Challenge: “Lack of meaningful deterrence.”

Jonathan Zittrain, Harvard

Challenge: “It's profoundly difficult to figure out who owns cybersecurity -- who should be responsible for ensuring it systemically. It's tempting to think that this should fall to governments, but there are many downsides to the likely centralization that would come with increased direct government roles in securing our private networks and that which connects to them.”

Solution: “There are intriguing models for resilience through continued decentralization, with puzzles to be solved on interoperability and consistency, especially as many users are understandably not prepared to be personally and continually involved in actively securing their devices and data.”

Kevin Bankston, Open Technology Institute

Challenge: “The threat of governments restricting the deployment of encryption.”

Solution: “Leverage the fact that tech moves faster than policy and speed up the development, deployment and adoption of more strong encryption tools--not only to make us all more secure but to make attempts at anti-crypto regulation even more futile than they already are.”

Eric Burger, Georgetown Center for Secure Communications

Challenge: “The combined cybersecurity/privacy challenge is the market speaks loudly: there is no cost to public companies in any meaningful financial metric post-breach. As such, rational enterprises will only invest just enough to cover the most basic cyber security issues, as there is no meaningful penalty for getting breached. One has to assume that the not insignificant investment by large enterprises in cyber security is one reason they are relatively immune to any post-breach impacts. However, it is clear that asking enterprises to increase investment in cyber security would be an irrational exercise.”

Solution: “Go beyond breach notification laws and move to restitution laws. Today the consumer suffers the economic effects of a breach. If those effects were shifted to the enterprise, the enterprise would have incentive to protect themselves better.”

Mark Weatherford, Chertoff Group

Challenge: “Developing international norms for cybersecurity behavior.”

Josh Corman, Atlantic Council

Challenge: “Healthcare is sick. Connected hospitals are prone, they are prey, and predators have finally taken notice. They are target-rich; resource-poor. The bulk of hospitals lack a single qualified security pro on staff, are porous and unsegmented, and run WindowsXP and older unsupported systems. Given how familiar and exposed they are, even unskilled adversaries could do significant damage. They claim they lack resources (true). But/and: If you can't afford to protect it, then you can't afford to connect it.”

Solution: “Well, we can't treat the patient without a solid diagnosis. The Information Sharing CISA Law of 2015 required a 1 year HHS CyberSecurity Task Force. We are nearly done with our report back to Congress (late April) and we outline some short-medium-long-term ways to get us on a path to wellness. None of these are going to be easy. I hope this catalyzes corrective actions.”

Influencers who chose to remain anonymous 

Challenge: “The Internet of Everything - nearly everything connected globally, humans and things. This hyperconnectivity is and will always be the largest threat. Networks create collaboration and many positive advantages, but these massive new networks are incredibly vulnerable in so many ways it is impossible to deal with them. The only reason there haven't been more massive attacks or outages to this point is that bad actors are smart enough to keep their uncivil actions fairly small, so these interconnected networks keep running and stay alive to be exploited. From the weaponization of the social narrative we have seen in recent national elections globally to identity theft, to DDOS attacks at places like Dyn (October 2016), flashes of danger flare up occasionally. What if all of the attacks that have been stopped early on had been allowed to emerge full-bloom?” 

Solution: “There is no way to address the fact that billions of people and (soon) trillions of networked things in an always-evolving and constantly growing network have vulnerabilities.” 

Challenge: “The danger of foreign powers manipulating the data and systems of the United States and its allies.” 

Solution: “Imposing stronger punitive measures on those that hack into US systems.”

Challenge: “End-to-end encryption by default” 

Solution: “Build, support, and embrace zero-knowledge cloud services.” 

Challenge: “Individual freedom in the age of expanding government intrusion into personal devices.” 

Solution: “Devices have become so ubiquitous that people may not know the consequences of their data being copied and stored by the government for decades to come. Zero storage of data by government entities of any person who is not under indictment would be a good start.” 

Challenge: “Cyberattacks both criminal and foreign governmental.” 

Solution: “Spend far less time developing offensive capabilities in the NSA, CIA, and Cyber Command and far more effort and resources on developing a comprehensive national cyber defense capability.”

Challenge: “Governments understanding that honest people need security.”

Solution: “Government isn't monolithic. Most parts do, except for law enforcement, and even there it's only some of them. They need to look at how to do their jobs without changing tech.”

Challenge: “Securing elections in EU countries and here at home.” 

Challenge: “Lack of focused data protection in the public/private partnership. Too much time spent on walks not protecting data and access.”

Challenge: “The statistical increase in destructive malware based attacks targeted not just at US businesses and institutions of all sizes as anti-American sentiment grows.” 

Solution: “Machine learning and AI-based analytics applied at the network.” 

Challenge: “Insecure infrastructure.”

Solution: “Attention and funding.”

Challenge: “Bad InfoSec by major companies.” 

Solution: “Criminalize bad infosec.”

Challenge: “Securing critical infrastructure including financial, transportation, and other systems that our way of life depends on.” 

Solution: “Employing friendly ‘red teams’ to attack from within like real attackers.”
