Questions include what is critical infrastructure, who should defend what, and how to best train workforce to fight it
Cybersecurity is a slippery thing, hard to define, train for and fight against.
And it may be the biggest threat of the 21st century.
Is a cyberattack on a movie studio an attack on the United States? What is the Department of Defense responsible for in cyberspace? How do you train a sorely needed workforce when the diploma they earned a month ago is already outdated? How do you deal with a threat that outpaces legislation? What should people in government know?
Six members of Congress, one senator and representatives from academia, business and the military gathered at the first Arizona State University Congressional Conference on Cybersecurity on Wednesday to frame questions and paths forward.
“An unbelievable economic and military threat,” ASU President Michael Crow called cyberthreats. “I don’t think any of us, including those in this room, understand how important it is.”
Invisible, with minimal resources and maximum speed, cyberattacks are a “bloodless way to disrupt democracy,” Crow said. Because the internet was designed with none of this in mind, cyberattacks are “not easily solvable.”
The entire information domain has become a battle space. Hackers have attacked everything from NASA to businesses to a dam north of New York City.
Cyberattacks are a blend of conventional and unconventional power projection, said U.S. Sen. John McCain (R-AZ), chairman of the U.S. Senate Committee on Armed Services.
There is no plan from the White House on cybersecurity, McCain said.
“I can assure you our enemies are not the junior varsity,” he said. “If they’re able to change the results of a presidential election, then they’re able to change democracy. ... We must make sure our adversaries pay a price for these attacks.”
The current system is overgrown with bureaucracy and poorly defined authority, McCain said. Compounding the problem is a lack of personnel and trained workforce.
“There is no widespread definition of what people in government need to know,” said retired Lt. Gen. Robert Schmidle, former deputy director of U.S. Cyber Command. “The biggest vulnerability in any network is us.”
Schmidle described a Marine field exercise in the desert using a wireless internet network. He had cyber experts hack it. The biggest problem with it wasn’t being shut down; it was sowing doubt about enemy and friendly positions. Officers simply didn’t know where red forces were.
Every major weapons system has to undergo a cyber resiliency assessment for the Department of Defense, said retired Brig. Gen. Linda Medler, cyber director at Raytheon Missile Systems and former director of Capability and Resource Integration at U.S. Cyber Command.
She described cybersecurity as the nexus of information systems and hardware. None of the panelists could agree on a definition of the term. The word “attack” suffers from the same handicap.
“Is an attack on Sony an attack on the country?” Medler asked. “In my mind the Department of Defense has a responsibility to protect the nation in air, land, sea and space. That should extend to cyberspace.”
Should corporations have offensive capabilities? “I don’t know,” Medler said. (McCain said yes, they should.)
Policy and technology are speaking different languages, and they need to come together. There is a lack of communication between parties that need to communicate most.
“In order to make good policy, you have to understand the technology,” Schmidle said. “It’s not enough to rely on the one article you read in Wired magazine on the plane.”
Schmidle described meetings at the Pentagon where no one understood the geek speak in one meeting nor the policy wonks participating in the discussion from 64,000 feet, “with no idea how their return key works,” he said.
Intelligence and the military have different authorizations.
“I would suggest the line go away altogether,” Schmidle said.
Congress should update what is considered critical infrastructure, and then who should defend what should be delineated.
“I would suggest Sony is not going to make the list,” Schmidle said.
Holding a hairdresser’s data for ransom is different than monkeying with a nuclear power plant.
“What is an attack?” asked Jamie Winterton, director of strategy for ASU's Global Security Initiative. “Understanding a little bit more of what we’re talking about would help.”
There are currently more than 200,000 vacant cybersecurity jobs, with an estimate of up to 1 million vacancies in the field by 2020.
“Skills are having a hard time keeping up with our requirements,” said Maj. Gen. John Baker of Network Command at Fort Huachuca. Baker commands 15,000 people around the globe working in cyberdefense.
“I’m not looking for the person who is just better,” he said. “I’m looking for the person who is a hundred times better.”
There is a dire need to build skills in the current and emerging workforce.
“When we teach our students, we teach them not only the white-hat"White hat" refers to a person who hacks into a computer network in order to test or evaluate its security systems. "Black hat" refers to a person who hacks into a network with malicious or criminal intent. perspective, but the black-hat perspective,” said Raghu Santanam, a professor of information systems at ASU’s W. P. Carey School of Business and a cybersecurity expert. “That’s where you learn the real warfighting skills.”
“You cannot practice defense unless you have a good understanding of offense,” said Adam Doupe, assistant professor in the School of Computing, Informatics and Decision Systems Engineering at ASU.
Business has discovered some ways of speeding up the pipeline of qualified cyberwarriors.
Brian Johnson, senior director of global security at PayPal, outlined a few ways his company is building a talent pipeline. Paypal retools and reskills its existing workforce, uses academic partnerships and teaches K-12 kids basic coding and cybersecurity fundamentals.
The company also job-trains underprivileged young people.
“Out of these we get a great group of candidates,” Johnson said. “That’s a good pipeline.”
Top photo: U.S. Sen. John McCain, chairman of the U.S. Senate Committee on Armed Services, talks about the universal threat of computer hacks and attacks at the first Arizona State University Congressional Conference on Cybersecurity on Wednesday at ASU's Polytechnic campus. Photo by Charlie Leight/ASU Now