How to Stop Cyber Threats to America

On May 22, 1998, President Clinton signed an Executive Order on the nation’s cybersecurity that was developed by experts, referenced best practices, and encouraged information sharing. On May 12, 2021, President Biden signed a similar Executive Order on the nation’s cybersecurity that was developed by experts, referenced best practices, and encouraged information sharing.

Despite Clinton’s order twenty-three years ago, the cybersecurity posture of our nation has grown progressively worse. It is my belief that Biden’s recent order will have a similar non-impact. This is a shame, because there is a better way – one that can actually reduce cyber risk. I say this with some confidence, because I’ve spent my entire life immersed in the protection of critical infrastructure from cyber threats. I’ve seen what has worked and I’ve seen what has not worked – and the current direction being espoused by the US government will do nothing more than leave the nation more vulnerable. And with nuclear plants, water supplies, and financial systems increasingly controlled by software, failing to solve this cyber challenge cannot be an option.

That said, I do believe that valuable hints to truly solving our nation’s growing cybersecurity challenge can be found in various successful wartime efforts from our nation’s history. To best illustrate this point, perhaps it helps to share some history of my own.

My personal journey to cybersecurity began forty years ago at a sushi bar located blocks from the campus of NYU where I now serve as a professor. My sushi mate was my Dad, then in the prime of a career born of the second PhD degree in computer science ever issued. “Computer security will be big,” he predicted over his California roll. “You should get into that area.” Luckily, I agreed – and before long, I was enrolled in a doctoral support program at Bell Labs, convening on occasion with the geniuses at Bell Labs who created the influential Unix operating system and C programming language. Being around these folks to research security was like being in Edison’s Menlo Park lab to research light bulbs.

As the years progressed, I was given a bird’s eye view into some of the most amazing security projects in the world. I helped secure the software being used for Reagan’s Star Wars – or, at least, for what had been planned. I helped develop security systems with talented scientists at the National Security Agency under a contract to help address difficult security challenges. And then, in the mid-1990s, I was suddenly approached by the President of the AT&T Network, Frank Ianna. AT&T was fresh off a stinging outage to its long-distance network in January 1991. The original root cause analysis involved the possibility that a computer worm had been the cause (which turned out to be wrong). Anyway, Ianna’s request was simple: Could we take what we were learning about protecting data and systems from these various projects with the government and apply similar methods to protect the AT&T network? It was an intriguing question, and thus I began a two-decade quest trying to invent the best means to protect critical infrastructure from cyber threats.

If you ask any CISO today why they struggle to stop cyber threats, I can assure you that their answer will include heavy references to insufficiencies. They will talk about insufficient funding, and insufficient staffing, and insufficient tooling, and insufficient support from executive leadership, and insufficient ability to deal with the massive complexities of modern computing. Yes – insufficiency is a core issue – and if we accept that CISO-led teams represent the new battle front for today’s cyberwar, then this is like military commanders begging from their foxholes for additional support. One cannot help but think to our nation’s lack of readiness before World War I, when our army included roughly one hundred thousand soldiers, compared to a German standing army of eleven million. I believe our nation’s present lack of readiness in cybersecurity is comparable in scope.

This issue of non-readiness in industry is important to recognize, because at the root of both the Clinton and Biden Executive Orders is the assumption that industry could stop cyber threats if it really wanted to, and that government should just make them do so. This is realized by encouraging industry groups to share their existing expertise and valuable insights with one another. Certainly, goes the argument, if a big US bank notices an attack, then it should alert the other banks. Furthermore, industrial entities should be shamed into doing a better job – and what better way than to demand that they expose their failure? This means that if a nation-state adversary, with its unlimited resources and world-class cyber offensive power, is successful in targeting a power company, or bank, or retail organization, then such negligence must be exposed on a public wall of shame. Now, I am no historian – but I am unaware of any instance in our nation’s past where any person or entity would be blamed for having been attacked by a foreign power.

Readers might jump to a commonly cited reaction: These rich, powerful companies with their stock repurchases and executive compensation should be held to the fire. They should agree to properly fund their security teams and to stop complaining about being attacked. While it is reasonable to demand that companies do their part to provide proper funding, staffing, and support, we need to recognize the lopsidedness of this situation. I can illustrate this with a story: At NYU, we run student-led cyber exercises that demonstrate offensive tactics against defensive systems. A recent, pre-pandemic exercise was held on our campus with the New York City Cyber Command. Invited reporters, bloggers, and officials milled around the exercise premises asking students questions, taking pictures, and getting quotes for articles. In the defensive room, there were roughly thirty defenders working to stop the simulated attack. But down the hallway, the offense at times consisted of one student at a keyboard hacking away. One-on-thirty is thus considered a balanced fight in a cyber exercise. If you carry forward the ratio, then a nation-state military with ten thousand trained experts must be countered by three hundred thousand defenders. The extrapolation may be imperfect – but you get the idea.

The recent Executive Order included many reasonable cyber defensive recommendations. It proposed, for example, that enterprise teams follow a modern solution known as zero trust, which is a concept consistent with protecting cloud applications. It also recommended an approach known as software bill of materials (SBOM) which involves the excellent idea of having software providers list the ingredients in their products. And it reinforced solid prevention, detection, response, and yes – information sharing practices that collectively represent the best methods available today to protect infrastructure.

The problem is that critical infrastructure security teams already know these methods. Perhaps more shocking – they must already support such practices in the context of other security frameworks in existence today. This includes the NIST Cybersecurity Framework (CSF), the Payment Card Industry (PCI) Data Security Standard, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the General Data Protection Regulation (GDPR), and on and on. Security teams are thus already being forced to map their methods to frameworks. Executive orders just add new requirements to underfunded and overworked teams that are trying to juggle multiple frameworks using different language to request more or less the same thing. The entire situation is a mess.

So why can’t defenders just stop hackers? Why can’t they prevent attacks on pipeline operations, or government email systems, or retail credit card processing systems? What is the big deal here? The answer lies in the spectacular level of complexity that exists in the modern software and networking systems used to power infrastructure. This one issue – complexity – might be the second phrase you’ll hear from CISOs, after insufficiency, that has caused their lives to become nightmares. The central problem is that no one can possibly understand how our infrastructure actually works. Everything has become so feature-rich, network-connected, and rapidly changing that no human could possibly hold an accurate, end-to-end view of what needs to be protected. And remember: the defenders must know enough to stop all possible paths into a system. Hackers need only find one hole. Here’s how the great scientist, John von Neumann, once referenced this issue: For smaller devices, he is said to have remarked, it’s easy to understand how they work, but not what they do. But for larger systems, it’s easy to know what they do, but not how they work.

You might also ask about the commercial vendors that have emerged in recent years – which, by some estimates, number in the multiple thousands. These companies peddle products and services that use every conceivable method on the planet to reduce cyber risk. This includes artificial intelligence, homomorphic encryption, honeypot deception, graph-theoretic data analysis, and on and on. Surely these vendors should have the answer to preventing cyber threats to national infrastructure – right? Well, they do help – but the problem is no longer whether we have good technology. The challenge, instead, is how we should use it – and this requires budget, expert staff, experienced managers, and capable operators. In my experience, over 95% of the companies running consequential infrastructure in America today are lacking in every one of these essential categories. Having good weapons is useless if you don’t know how to fire them.

I believe the first secret to solving our cybersecurity challenge lies ironically with yet another Executive Order – this one by President Kennedy. On March 1, 1961, he signed an order establishing the Peace Corps. His remarks after signing the order included this: “In establishing our Peace Corps we intend to make full use of the resources and talents of private institutions and groups. Universities, voluntary agencies, labor unions and industry will be asked to share in this effort--contributing diverse sources of energy and imagination--making it clear that the responsibility for peace is the responsibility of our entire society.” I believe that our nation should embark on a new program – a Cyber Corps, if you will – which should involve funding four-year computer science undergraduate degrees in return for five years of service working in the IT security department of some critical infrastructure organization. You can fill in the blanks on how this new Cyber Corps would work, but it should be serious and massive. Perhaps the Fortune 2000 would each agree to fund twenty students to result eventually in 40,000 new computer science grads entering civilian agencies, banks, railroads, state governments, and the like each year to help prevent cyber threats. (The program can enhance its social benefit by sending kids from Brooklyn to Tennessee and kids from South Carolina to Boston.)

Such a massive Cyber Corps program designed along these lines would have a tremendous impact on our nation’s cybersecurity posture. It should be evident, for example, that the average twenty-something today knows more about hacking and cyber protections than the average public board director. (As a former independent director of a large public bank, I can personally attest to this fact.) In addition, the influx of new ideas and fresh perspectives would literally reinvent how the receiving organization would operate. Imagine an energy company, for example, with a hundred staff working to stop cyber threats, accepting twenty new Cyber Corps staff. It’s hard to imagine this not having a direct and positive impact on everything from security policy to selection of tools. As an additional check – ask yourself this: How would an adversary nation view this type of initiative? Would they consider this an excellent move? I think they would.

It is worth also anticipating a likely protest from readers: Why, one might ask, should the nation’s government take responsibility to hire staff for companies? Why can’t they just do this hiring on their own? Well – the answer lies in a massive cybersecurity skills shortage, the likes of which we’ve not seen in our country since the Industrial Revolution. The typical CISO in a critical infrastructure company will likely point to dozens or even hundreds of unfilled positions that include tasks such as security testing of safety critical systems or maintaining an inventory of vulnerabilities that a nation-state adversary might exploit. Is it in anyone’s interest for our nation to allow these positions to go unfilled? I believe the answer is no – and programs such as Cyber Corps can help to manufacture skilled workers to close the gap.

I believe the second secret to solving our cybersecurity challenge lies in the support provided by government to critical organizations before, during, and after an incident. Today, the government is moving in the direction of demanding more reporting. In the wake of the Colonial Pipeline incident, the Biden Administration recently announced that pipeline companies will have increased reporting requirements regarding breaches or incidents. In my view, there is zero evidence that such reporting will reduce risk in any material way. Instead, I believe that the government should be focused on offering tangible assistance in the form of direct and rapidly deployed funding to any group being targeted. And yes – the government has frequently offered intangible assistance in the form of intelligence, guidance, and oversight. But I believe this is nonsense. Our nation has had just as much difficulty protecting government systems such as the Office of Personnel Management (OPM) as with non-governmental systems. What CISOs need is real budget increases, not more frameworks. They need capital, not humiliation. They need discounts on selected cybersecurity tools, not fines for having succumbed to an attack from the Russian military.

Funding this approach might be simpler than one would expect. A typical organizational cybersecurity budget for a billion-dollar company might be thirty million dollars. Sending a direct payment of fifteen million dollars to increase this budget by fifty percent seems like a reasonable investment for our nation. Again – remember that the most intense attacks – the ones intended to cause loss of lives – are largely coming from foreign-sponsored actors. Sending fifteen million dollars to the top one thousand critical infrastructure companies or agencies – perhaps including ones who might be managing nuclear power plants – could be the most leveraged fifteen billion dollars ever spent. And why not get even more creative? Debt instruments such as war bonds, so important to our nation’s history, might be issued to help finance cyber wartime payments to infrastructure companies.

Cyber Corps programs and cyber war bonds are heavily indexed to larger companies and agencies – and this is appropriate given their outsized impact on infrastructure. For smaller firms, local agencies, and schools, however, we can take an additional page from our nation’s history. Why not create strong personal incentives for local technology experts to serve as the cyber equivalent of an air raid warden? Such individuals might be given tax breaks to organize training sessions and to create security resource centers for the more modestly sized groups in their community to learn how they might reduce their own risk.

If I’ve not properly explained the intensity of our nation’s cybersecurity challenge, then perhaps a brief anecdote might help: In 2012, an Iranian-connected hacking group targeted our nation’s banks with distributed denial-of-service (DDoS) attacks that were designed to flood their websites with garbage traffic. What was interesting is that before attacking, the bad guys called out the time, place, and method to be used – along with an apology to the security teams for forcing them to work late (I kid you not). Even with these Babe Ruth-type hints, the combined forces of banking, technology, service providers, and security companies – all sharing information and following best practices – could barely keep these banking websites up. It was chaos that ended with the attackers just moving on to something else. It was a wake-up call.

We now need a new approach – and the current path of regulating, fining, and humiliating enterprise teams is not the best way to proceed. Instead, the nation’s proud history fighting wars provides valuable hints for how this should be done instead. Our nation should organize around these new themes – attracting new staff through Cyber Corps incentives, providing tangible financial support to IT security teams, and organizing locally through personal incentives for IT experts. If Americans embark on these types of efforts, then some real progress might actually begin to follow.

Dr. Edward Amoroso serves as Distinguished Research Professor at the NYU Center for Cyber Security (CCS), as well as Chief Executive Officer of TAG Cyber, a research and advisory firm. During his thirty-one-year career at AT&T, he served for two decades in the senior-most cyber security executive role, including Senior Vice President and Chief Security Officer. He holds the PhD degree from the Stevens Institute of Technology and is a graduate of Columbia Business School. Dr. Amoroso formerly served on the Board of Directors of M&T Bank and is a former member of the NSA Advisory Board.