I’m worried. And when I lose sleep about a cyber security threat, my track record has unfortunately been all-too-accurate. Back in the mid-90’s, for example, a group of us at Bell Labs were begging both political parties to fix security weaknesses in their email infrastructure. I remember feeling sick to my stomach at their failure to recognize how email vulnerabilities could influence future elections. They should have listened to us.
Back in the late 90’s, I remember a similar feeling of dread when it was explained to me how little zombie programs (now you would call them bots) could be harvested into armies that could be commanded to overwhelm a target. Many Amtrak Metroliner trips from Newark to DC followed, with the purpose of warning Meet the Press-types about what was coming. But, of course, little was done. Today, we call this type of weapon a botnet.
And back in the early 2000’s, I developed another sick feeling in my stomach that a new type of cyber attack – something my friend Greg Rattray was calling an Advanced Persistent Threat – would be nearly impossible for businesses to stop. I started publishing technical warnings that companies needed to micro-segment – a concept I called Rings Around Things. That was a decade and a half ago, and companies still remain vulnerable. Sigh.
My fear now, however, is ten times more intense than anything I’ve ever experienced. And the focus of my concern is on our country: the United States of America. We spend nearly seven hundred billion on national defense – but I see a clear and present danger where a carefully-designed cyber offensive campaign from an adversary could take us out, easily. The solution, I respectfully submit, requires a National Cyber Czar. Let me explain:
Three serious cyber threats exist for US national infrastructure, most of which is privately-held: First, we have no collective means for coordinating a reasonable and cooperative defense against multiple, continued, intense, and voluminous DDOS attacks. If an adversary decided to be really, really persistent in creating large and continuous DDOS attacks, then I believe our national digital infrastructure could collapse for hours, days, or more.
Recognize that I am not talking about pedestrian DDOS attacks. I am talking about massive attacks from enormous botnets that do not stop. And the math is frightening: A few million bots pushing out ten or more Mbps of attack traffic could fill the entire peering capacity of our nation. It would be like a traffic jam clogging every street, road, and highway – and yes, I understand that filtering would be done. But isn’t that the purpose of DDOS?
Second, we have no good means for coordinating an effective defense against APT attacks on our systems. Weak perimeter defenses remain, and tiny progress toward distributed, resilient, virtualized infrastructure crawls along at a snail’s pace. Imagine deciding to escape an exploding building on a tricycle – and you have the correct image here. Our adversaries know this, and APT attacks against the US are like taking candy from a baby.
Which brings us to election systems: I think it should be well-established and obvious that the work required to fix our local, state, and national elections must involve a collage of policy, training, awareness, technical support, upgrades, and on and on and on. Despite the best efforts of agencies such as NSA to address the issue, I find it unimaginable that a spy agency would be best positioned to coordinate such tasks. We need a Cyber Czar.
And third, we have no good means for coordinating a reasonable and cooperative defense against the coming threat of artificial intelligence-based offensive cyber weapons. The best of these will come from China and they will use machine learning from billions of ready and willing training examples (i.e., their citizens and businesses). The United States will lose cyber superiority in five years if cooperative action is not organized now.
Many of you might not understand the ease with which AI software can be taught to recognize patterns. By feeding network descriptions from every citizen and business in China into learning programs, our greatest cyber adversary will be able to recognize weaknesses in any network. This results in the perfect offensive cyber weapon. What are we doing about this? The answer is nothing, because we have no cyber coordination.
Look, we’ve been lucky as Americans to have had three Cyber Czars with strong backgrounds and expertise. Howard Schmidt, Michael Daniel, and Rob Joyce were exemplary public servants who approached the role of White House Cyber Security Coordinator with skill. They knew their objective was clear: Coordination of our national cyber defense. And coordination is needed today in the areas I listed above.
I would thus call on Americans from both sides of the aisle to make their voices heard that this essential position must be re-instated. There are dozens of excellent candidates (not including this author) who are ready, willing, and able to step into the position. I will not embarrass anyone by mentioning names, but suffice it to say – there are wonderful candidates who would be acceptable to Republicans, Democrats, and Independents.
Now, I know that various departments and agencies in government have been tapped to fill this leadership void: DHS has created CISA, many states and cities have decent cyber teams, WHCA is taking over PITC protection with dissolution of the White House OCISO, and our Cyber Command certainly knows how to hack. So, we do have national cyber capabilities in place, and thank goodness for that.
But what we are lacking is a great national leader – one who can step forward and coordinate our cyber defenses. We need to address our present cyber threat with urgency, but also with the expert touch required to coordinate with industry. Perhaps more importantly, however, we need to lay the groundwork for a future cyber defense that will almost certainly have to deal with intense cyber weaponry from China and Russia.
What can you do? Contact your elected official. Write to the President. Set up a table outside your local supermarket. Forward this article to everyone you know. It’s time that we make our voices heard. The United States of America needs a Cyber Security Coordinator. The cyber threats to our infrastructure have nothing to do with politics or partisan bickering. We owe it to present and future generations of Americans to close this obvious gap now.
Mr. Trump, hire a Cyber Czar.