I had the great honor of representing Palo Alto Networks as the corporate sponsor of The Washington Post’s 2016 Cybersecurity Summit last week in Washington D.C.
In advance of the summit opening, I hosted a breakfast for approximately two dozen government and industry leaders and held a discussion about the latest cyberthreats, as well as some best practices and potential solutions that governments and industries around the world can implement in order to successfully defend against modern cyberthreats. A few of the best practices I shared with the attendees included:
1. Moving away from legacy technology that is focused only on detecting and responding to a cyber threat after a breach or attack -- when it is already too late -- to next-generation technology that is focused on protecting what’s most critical to an organization through a prevention-first approach.
2. Moving away from purchasing isolated point solutions, which are not designed to communicate with one another, for security against the various independent stages of the cyberthreat lifecycle toward an integrated platform approach that is natively designed to correlate all of the various stages of a cyberthreat lifecycle, thereby reducing false positives, complexity, and the need for more and more people to sift through endless amounts of uncorrelated information.
3. Moving away from a very expensive and labor-intensive manual response to the ability to leverage automation and save your most precious resource, your people, to do what only people can do.
As the summit began, I had the privilege of providing opening remarks and was able to use the three points above to set the stage for some positive solutions to a very complex and growing problem that was subsequently discussed in four expert panels and during a one-on-one interview with Lisa Monaco, assistant to the president for homeland security and counterterrorism. In case you missed the live stream of the event, here’s a recap of the panel discussion topics and some key points made by the experts.
One of the key points from the first panel discussion about protecting personal data came from Dropbox Head of Trust & Security Patrick Heim, who said he doesn’t believe we’ve struck the right balance between our technological capabilities and policy discussions, and that policies need to be able to address criminals who are often highly skilled and organized.
I totally agree with Mr. Heim. The cybercriminal underworld is no longer represented by the hacker in the hoodie operating independently. Cybercrime is now an extremely professionalized business, with a marketplace of effective information-sharing across criminal and quasi-criminal entities. This includes customized attack tools that are getting cheaper by the day, due to the decreasing cost of computing power as well as the use of effective underground marketing of products and services, automation and cloud capabilities to support the explosion in polymorphic malicious code—and even customer support for victims to assist in paying ransom through bitcoin!
During the second segment titled “Leaks: The Post-Hack Problem,” one of the key points of the discussion came from U.S. Election Assistance Commission Chairman Thomas Hicks, who said that it would take an extremely organized and coordinated effort to hack into the U.S. voting system because it is so decentralized. However, much of the discussion among the panelists centered around the surprising ease with which alleged nation-state cyber threat organizations can penetrate the systems and networks of U.S. political organizations to potentially sow doubt and undermine confidence in our election process and systems. Detection and response by themselves are wholly inadequate against this type of nation-state threat, and in my opinion, that is why a prevention-oriented approach is so critical and will help prevent these kinds of attacks in the first place.
One of the more interesting and controversial points during the third panel on cyberwarfare came from Juan Zarate, chairman and co-founder of Financial Integrity Network, who said that it can be ethical for private sector companies to hack foreign governments. I respect Mr. Zarate’s opinion, and I understand the growing frustration across industry that comes from an environment where it seems like response options are limited and it’s not a fair fight against the modern cyberthreat. However, I ultimately disagree with this approach, and here’s why.
First, it’s currently illegal to hack back. I think there’s a very good reason why current laws should not change on this particular matter. As a national security professional with more than a decade of experience in dealing with foreign nation-state and non-state cyber threats, including criminal threats, what kept me up at night was the growing mixture of state and non-state entities operating in an increasingly murky haze of nefarious cyber activity.
The confusing mixture of state and non-state cyber activity is a recipe for increasing instability, uncertainty, and the chance of misinterpretation, miscalculation and, ultimately, mistakes happening in the cyber environment that could potentially spill over into the physical world in a very escalatory way. Offensive action in the cyber environment should be the purview of nation-state activity and illegal for non-state entities, in my view.
During the last panel discussion regarding critical infrastructure protection, one of the more poignant points of the discussion came from Brett Leatherman, assistant section chief of the Cyber Operational Engagement Section at the FBI. Leatherman said that the willingness of government to step out early and collaborate with private companies to solve cybercrimes is necessary for understanding what happened and how to respond. He said that criminals are partnering all the time, and if the public and private sectors don’t partner together, we’re going to continue to lose that battle as opposed to gaining a footing on the modern cyber threat.
He also noted that speed and scale are important, and because of this, sharing threats two weeks after the fact is no longer acceptable. I absolutely agree and believe that the only way to increase the speed of threat information-sharing and the scale required to be effective is by leveraging automation and standardized formatting.
The final session was a one-on-one interview conducted by Washington Post National Security Reporter Ellen Nakashima with Lisa Monaco, assistant to the president for homeland security and counterterrorism. During her tenure at the White House, Ms. Monaco noted that cybersecurity issues and cyberthreat intelligence were increasingly becoming a part of almost every daily intelligence briefing, and that this was a very high priority in the president’s national security agenda. “I’ve been struck by the breadth of the threats that we’re facing, certainly against the U.S. government, against the private sector,” Monaco told Nakashima during the interview.
She indicated that there were many lessons that she and others in the national security community had learned from counterterrorism issues over the past decade and a half, and several of those lessons were currently being implemented to address cyberthreats. She highlighted the administration’s prioritization of cybersecurity and the establishment of the Cyber Threat Intelligence Integration Center, which consolidates the view of the intelligence landscape and is considered parallel to the National Counterterrorism Center. Both fall under the Director of National Intelligence.
Similar to countering the terrorism threat, Monaco noted that the U.S. government always considers a range of options when evaluating cyberthreats. These actions can be diplomatic, economic, or informational, or can entail intelligence, law enforcement, or military involvement. Additionally, she noted that these responses may be done publicly or kept private, citing the need to preserve sources and methods as an example of a criterion for keeping action non-public.
Finally, she explained that there should be a set of international norms for responsible nation-state behavior in the cyber environment during peacetime, and provided a few examples, such as restrictions against the theft of intellectual property for commercial profit, attacking a nation’s critical infrastructure, and interfering with a nation’s cyber incident response capabilities.
I was very proud to represent Palo Alto Networks as the sponsor for this event and want to pass on my heartfelt congratulations to The Washington Post for continuing these annual cybersecurity summits, which contribute to the public’s education on a topic of significant national, economic, public safety and individual privacy concern to the nation. Take a look at The Washington Post’s coverage of this event.