The pace of data generation is dizzying in our all-digital age—as is the rate of evolution for criminals exploiting that information for fun, profit, espionage and cyberwar. And as recent headlines about massive data breaches at JP Morgan, Home Depot and Target (News - Alert) show, the good guys need to revamp their approaches to protect personal, corporate and governmental data—or face ever-more destructive attacks.
Gen. Keith Alexander, director of the National Security Agency (News - Alert) (NSA), chief of the Central Security Service (CHCSS) and commander of the United States Cyber Command up until this past March, noted that this year alone will see the creation of 3.5 zettabytes of information—which is more information than was created in the last 5,000 years combined. And that has staggering ramifications for how we prepare to lock down and secure all of the informational perimeters and repositories that are out there.
Big Data—Really Big Data
“There are about 5.9 billion Google (News - Alert) searches per day,” Alexander said, speaking during a keynote at the MIRcon 2014 cybersecurity event in Washington D.C. this week. “If you have access to Google, then you have more access to information than the president did 20 years ago.”
The benefits of all of that additional information are, of course, myriad. For instance, consider the use of IBM’s Watson super-computer, which is perhaps best-known for beating out all the humans on Jeopardy. But, it’s also being used for real work: Watson has reduced the time it takes to craft a personalized radiation and chemotherapy plan for a brain cancer patient from 30 days down to 9 minutes—which is an enormous boon for treatment, considering that most diagnosed patients are given about 14 months to live because it metastasizes so quickly.
That said, there are also, naturally, enormous challenges that come with the digital-everything world.
The rate of innovation is especially in focus when it comes to workforce skills, and especially when it comes to infosecurity workforce skills.
“To put it in perspective, the top 10 in-demand jobs in 2013 did not exist in 2014,” Alexander continued. “If you’re a college freshman, half of what you learn in tech will be outdated by the time you get to your junior year. So we’re training students for jobs that don’t exist, on technology that hasn’t been created, to fight problems that haven’t yet materialized.”
And on top of that, we have a more multi-generational workforce than we’ve ever before had, thanks to lengthening retirement ages. So, there are traditionalists, baby boomers, generation Xers and the Millennials, all working side by side, and they all have different modes of communication. Respectively, they prefer to call, write, email or text to get their jobs done. And that means that it’s not just a question of training newbies up—it’s also requiring a massive cultural change in order to get everyone working at the same speed.
A Timeline (News - Alert) of Threat Evolution
As more and more information is generated, and as the pace of learning and skills-building accelerates, threats are evolving as well, and morphing into wildly dangerous vectors for real destruction.
“One of the things that we predicted early on is the evolution of the threat,” he said, noting that bad-guy activity has moved from exploitation to disruption to destructive attacks.
“Pre-2007, the Internet was used as a way to exploit things,” he said. But then in May of that year, it changed.
Specifically, he noted that in Estonia, a statue of Lenin was pulled down as part of deep civil unrest there, at the exact same time that a large distributed denial of service (DDoS) attack affected all 1.4 million people in the country for a 10 day periods. Estonia is often called the most wired country in the world, relying as it does on digital access to vote, bank and do almost everything else.
“They had to disconnect their entire country from the Internet,” he said. Similarly, a Russian attack in 2008 on Georgia saw that country’s banks hit with a DDoS at exactly the same time.
Then there was the 2009 issue with the Department of Defense networks. There were at the time 15,000 of them, each with its own system administrator. And it was found that there were 1,500 pieces of malicious software on classified networks.
While the NSA was able to clean the infection within 22 hours, “I realized that we have an indefensible network,” Gates said. “But we have to work as a team and train everyone to the same standard—and our defense has to be as good as the hackers’ offense.”
It’s a goal that has only gotten more difficult, as evidenced by the 2012 attacks in the energy sector in the Middle East, especially the Saudia Aramco attack. In that case, a DDoS gambit coupled with a destructive attack using the Wiper virus erased data from 30,000 systems. Shortly after, a destructive attack was launched on Qatar-based RasGas.
“Then we saw a series of 350 DDoSes on Wall Street firms—these were mostly a nuisance but could grow and get worse,” Alexander noted. “Then in 2013 there was the massive South Korea attack [which shut down banks and top firms in the country]. And, we found out that China is using a group called APT (News - Alert) 1 to steal all of our intellectual property.”
Overall, it’s been a fundamental change, he said, with the most recent evolution of bad actors being a shift from those who want to steal financial data, IP and secrets to those using the networks as an element of national power.
“That makes our mission much more difficult considering that there are about 130 countries in the world, all with at least a few actors bent on disruption and destruction,” he noted. “We’re here to protect our networks and our allies. Our job is to defend the nation. How do we do that better than we have?”
A Better Approach to Cybersecurity
With the threat landscape becoming more and more complex, and with a wider array of perpetrators behind it, new approaches are needed in order to meet the challenge of defending against tomorrow’s threats.
First of all, a defensible architecture with situational awareness is the ideal norm. And that comes down to training and information-sharing.
For instance, he mentioned that signature-based antivirus protections need to be augmented with behavioral models, and real-time consumable threat intelligence testing to detect, mitigate and report anomalies at network speed.
Preferably, he added, this type of intelligence gathering and analyzing should be done across all networks, both private and public. For all of its touted (and maligned) surveillance capabilities, government entities have a much smaller landscape for cyber-intelligence than private industry does.
“The attack surface for private industry is hundreds of times larger than what government sees,” Alexander said. “Consider that there are 7,000 banks in the country. The exploitation surface is thus enormous. The ability to gain intelligence from that—what attacks they face and how they operate—would position us for better behavioral modeling.”
He also championed cyber-legislation to over government a way to “work seamlessly with industry and our allies.” Various iterations of cybersecurity acts have been shot down amid privacy fears however.
“These are not technical problems,” he said. “It’s culture and competitiveness, and the way we work today. How do we work together? No one company has the solution. I think it will take several entities, working in a consortium, to solve this. But that’s where we need to go.”