Cyberspace is opening up new battle fronts between individuals, corporations and even nations. At Innovation Project 2017, former Supreme Allied Commander of NATO Jim Stavridis and a panel of cyber security experts delved into the new ways good and bad actors do battle across the internet, waging war on several fronts.
This is not your father’s internet. No more “you’ve got mail” chirping through tinny speakers. Now cyberspace is truly global, always on and beset with shadows where dangers lurk. In fact, ones and zeros are the new bullets and rockets where battles are waged over information, money and even politics.
In a presentation titled “Sailing the Cyber Sea” at Innovation Project 2017, retired Admiral Jim Stavridis, the former supreme allied commander of NATO, stated that “we are [at] sea … but let’s drill down a little bit and point out the magnitude that is just increasing almost exponentially in terms of the surface of risk.”
In one slide, he noted the population of the planet as a whole, which is growing rather slightly in comparison to the explosive up-and-to-the-right growth of the Internet of Things, as measured by how many devices are connected.
In fact, he noted 2010 marked the year where the number of devices outstripped the number of people and said that gap “will just keep going up and up and up … You can think of that as a ‘threat surface’ that you are dealing with.”
Along with that threat surface, said Stavridis, there are vectors to be concerned about. He defined “three rings” of cybersecurity issues: One is hacktivism, along with insider-driven threats and terrorism; another is financial security and the third is national competition across cyberspace.
Kitty Hawk and the Dawn of ‘Figuring All of This Out’
In sum, he said, “It’s military, geopolitical, national, it’s financial” and — pointing to a photo of the beach at Kitty Hawk where the Wright brothers launched the U.S. into the age of flight — the U.S. is still in the nascent stages of “figuring all of this out.”
Starting with the geopolitical/military threat, Stavridis brought up a slide that depicted the national flags of the Ukraine, Estonia, Latvia, Lithuania and the Republic of Georgia. Each of them, he said, has been attacked with a “combination of kinetic activity and cyberactivity.”
Georgia, he noted, will go down in history as the first nation to be attacked simultaneously by Russian tanks and aircraft, along with “massive cyberattacks against their command and control.”
And, he continued, Russia continues to be rather active in the cyberwar space, where cyberattacks have become a “fundamental part” of Russian military activity.
Among the first concerns in the geopolitical space, said Stavridis, is “the vulnerability of our electric grid. Ukraine had portions of their grid taken down in an attack by Russia. We will see more of this.”
One analogue in the United States has been the activity surrounding the elections last year, “all of which, in my view, unquestionably emanated from Russia.” And, in reflecting on the recent news that Yahoo had seen a breach of as many as 1.5 billion accounts internationally, Stavridis said that activity encompasses larger nations pushing on smaller ones and on other big nations too.
This is exacerbated when the Internet of Things can be used as a “botnet of things,” as he defined it. China’s own activities in this space can be thought of as “espionage-like,” as Chinese activity penetrated the U.S. government’s Office of Personnel and Management, which, as the name implies, holds a high level of records of personnel filling government positions.
For those employees with security clearance, “everything you revealed … flows through Chinese intelligence and Chinese commercial interests.” And in one highly publicized attack on U.S. soil that has drawn headlines even recently, North Korea hacked into Sony Pictures in the wake of a film by the latter, which was seen as unflattering to that nation’s leader, with significant sums of money lost and reputations damaged.
The U.S. remains an “aggressive [actor] in this space,” maintained Stavridis, where “a great deal of this comes out of the National Security Agency … and the impression people have of us [is] we are always listening … and we are.”
Geopolitical competition is already spilling over into the financial world, said Stavridis. The first big credit card fraud, he said, done by hackers, came in at about $100 million. That tally might seem “quaint” today against a backdrop of a global economy that has grown to $60 trillion — and where $1 trillion to $2 trillion is touched in some way by cybercriminal hands and gangs, from nations including China, Nigeria, Brazil, the U.S. and Israel, along with the Ukraine, Russia and Vietnam. The biggest bank robbery on American soil, said Stavridis, has ensnared the Bank of Bangladesh, through the New York Federal Reserve Bank, to the tune of more than $80 million — and now directly connected to North Korea.
Moving on to the third ring of concerns, Stavridis discussed terrorism and hacktivism, where, for example, the Islamic State operates across the dark web via bitcoin and other avenues. He stated that there is always an ever present threat of insider-based activities, such as those conducted by Edward Snowden and Chelsea Manning.
“I’d invite you to think about what’s on that supercomputer you are carrying around in your pocket or your handbag right now,” he told the audience.
The Big Question: What to Do?
This all begs the question: What to do? Among the key initiatives, he said, is education. As an example, he cited the Fletcher School of International Relations, where he serves as dean and where three professors of cybersecurity have just been hired. Separately, reading (and even with some nonfiction thrown in) can better expand the imagination of stakeholders involved in cybersecurity. There’s also a need to understand, technically, what is really going on, via the internet. Preventative “cyber hygiene” is crucial, he noted, across enterprises, with some benefit to be gleaned from spending more time thinking about biometrics. At the government level, there should be “a cabinet voice for cybersecurity.”
“… And it’s time to start thinking about a cyberforce,” said Stavridis, adding that “100 years ago, we had an army, a navy and a marine corps. We didn’t have an air force 100 years ago. Why? Because we did not fly airplanes … We are going to look back in 50 years and say, ‘Where was our cyberforce in 2017?’”
Such a force, he said, will be staffed by young people, “who will come and defend us in cyberspace in the same way our SEALs and our rangers defend us on the battlefield today.”
In a separate panel presentation, Stavridis brought up a number of experts, including Sunil Madhu, CEO and president at Socure; Blake Hall, founder and CEO of ID.me; Allison Guidette, CEO at G2 Web Services; and Corey Thomas, CEO of Rapid7. The panel discussed some of the bigger trends and issues facing their individual firms and tackled what it means to have an online identity in an age where security is crucial.
Said Thomas, “What we find is that one of the biggest threats to cybersecurity … is that IT is poorly managed … We don’t update our systems, we don’t monitor our systems, we don’t do a good job of understanding how well we run and operationalize our own IT and technology environment.”
Guidette said of her firm, which helps financial institutions, largely acquiring banks and their value chains, that a key imperative includes ensuring merchants (that are getting these payment capabilities) are not engaging in illegal activity. She sees G2’s role as playing the “cops of the internet.” The main focuses here are counterfeit goods and the sale of illegal drugs online, which she defined as among the biggest problems with which her firm grapples.
Hall noted that among the most alarming statistics that loom from reports centered on cybersecurity, Verizon has noted that 63 percent of data breaches “happen because a login is compromised, whether it is stolen or whether it is phished …”
Hall went on to note that some of the biggest data hacks were successful because they hurdled relatively weak password protection at firms and government agencies. In the end, he stated, there is a fine line between authentication and usability.
He likened his own firm’s efforts to activities that take place in the physical world, such as when DMVs issue drivers licenses and working with the VA, the IRS and Treasury, and “citizens can authenticate with a trusted login that they already have.”
When asked about other avenues of technology, Hall stated that “biometrics are part of the future.” He stated that biometrics in the developing world, where record-keeping might be scant, can be a strong way to start with the establishment of an official identity.
Said Madhu, there are 5.5 billion individuals worldwide who do not have an online identity because they are young and have moved away from what might be defined as traditional credit behavior, or they simply live on cash.
One issue before the panel: how to attract top tech talent. Said Thomas of his own firm, the approach is “to develop talent.” The pool of people from which to develop that talent is a large one, both in the U.S. and around the world. The education need not focus so much on the technology, said Thomas, as it might look instead at “the human behavior aspect … You have to make cybersecurity solvable by people who have a generalized skillset,” he added.
Guidette noted that competition in the field for talent comes from large tech firms like Amazon and Microsoft. For her company, the ability to make money while at the same time doing societal good proves to be a strong lure for workers. Madhu posited that “innovation is key” and that the U.S. remains a strong bastion of innovation, with capital expenditures dedicated to technology and even risk-taking.
One benefit for cybersecurity, especially in the enterprise environment, would come with focusing on fewer people, he said, with disparate systems across an enterprise throwing off large amounts of data that can be drawn upon to glean patterns that might not be apparent to individuals. With more automation in place, companies can operate more efficiently and on a grander scale.
In a question-and-answer session that involved the audience, a question arose as to how to balance the trade-off between security and privacy centers, how much one must expose about themselves in an interaction.
Madhu noted that “the reality is that we do not need to expose 100 percent of ourselves in each context.” Authentication and verification, he said, should be placed in the context of the risk. The higher the risk, he said, “the more things you throw in the path of the consumer.”
But he gave a nod to the fact that more information than ever is being collected on consumers, and the larger question is “what are we doing to guard that information?” Creating standards for the minimal amounts of data that can be acquired based on the transaction is a desirable goal, he said.