Tag Archives: cyber security

Do Young Humans + Artificial Intelligence = Cybersecurity?


West Point cadets conduct a cyber exercise.


“The Army is recruiting smart young soldiers to wage cyber war. But human talent is not enough.

Ultimately, say experts, cyberspace is so vast, so complex, so constantly changing that only artificial intelligence can keep up.”

“America can’t prevail in cyberspace through superior numbers. We could never match China hacker for hacker. So our best shot might be an elite corps of genius hackers whose impact is multiplied by automation.

Army photo

Talent definitely matters – and it is not distributed equally. “Our best (coders) are 50 to 100 times better than their peers,” Lt. Gen. Paul Nakasone, head of Army Cyber Command (ARCYBER), said. There’s no other military profession, from snipers to pilots to submariners, that has such a divide between the best and the rest, he told last week’s International Conference on Cyber Conflict (CyCon), co-sponsored by the US Army and NATO. One of the major lessons learned from the last 18 months standing up elite Cyber Protection Teams, he said, is the importance of this kind of “super-empowered individual.”

Such super-hackers, of course, exist in the civilian world as well. One young man who goes by the handle Loki “over the course of a weekend…found zero-day vulnerabilities, vulnerabilities no one else had found in Google Chrome, Internet Explorer and Apple Safari,” Carnegie Mellon CyLab director David Brumley said. “This guy could own 80 percent of all browsers running today.” Fortunately, Loki’s one of the good guys, so he reported the vulnerabilities – and got paid for it – instead of exploiting them.

courtesy David Brumley

The strategic problem with relying on human beings, however, is simple. We don’t have enough of them. “We don’t want to be in a person-on-person battle because, you know what, it just doesn’t scale,” Brumley told CyCon. “The US has six percent of the world’s population (actually 4.4). Other countries, other coalitions of countries are going to have more people, (including) more people like Loki.”

That creates a strategic imperative for automation: software programs that can detect vulnerabilities and ideally even patch them without human intervention. Brumley’s startup, ForAllSecure, created just such a program, called Mayhem, that won DARPA’s 2016 Cyber Grand Challenge against other automated cyber-attack and defense software. However, that contest was held under artificial conditions, Brumley said, and Mayhem lost against skilled human hackers – although it found some kinds of bugs better and faster. So automation may not be entirely ready for the real world yet.

Even when cybersecurity automation does come of age, Brumley said, we’ll still need those elite humans. “What these top hackers are able to do… is come up with new ways of attacking problems that the computer wasn’t programmed to do,” he said. ” I don’t think computers or autonomous systems are going to replace humans; I think they’re going to augment them. They’re going to allow the human to be free to explore these creative pursuits.”

Sydney J. Freedberg Jr. photo

Young Humans

“For those of you who are in the military who are 25 years old or younger, captains and below…you’re going to have to lead the way. People my age do not have the answers,” the Army’s Chief of Staff said at CyCon. After his speech, Gen. Mark Milley called up to the stage lieutenants and West Point cadets – but not captains, he joked, “you’re getting too old.” (He let the captains come too).

“It’s very interesting to command an organization where the true talent and brainpower is certainly not at the top, but is at the beginning stages,” said Lt. Gen. Nakasone at the same event. “It’s the lieutenants. It’s the sergeants. It’s the young captains.”

Sydney J. Freedberg Jr. graphic

The Army has rapidly grown its cyber force. It now has 8,920 uniformed cyber soldiers, almost a ninefold increase since a year ago (and cyber only became an official branch three years ago, when it had just six officers). There are also 5,231 Army civilians, 3,814 US contractors, and 788 local nationals around the world. All told, “there’s 19,000 of them,” Milley said. “I suspect it’s gonna get a lot bigger.”

At the most elite level, US Cyber Command officially certified the Army’s 41 active-component Cyber Protection Teams and the Navy’s 40 teams as reaching Full Operational Capability this fall, a year ahead of schedule. (We’re awaiting word on the Air Force’s 39). At full strength, the teams will total about 6,200 people, a mix of troops, government civilians, and contractors.

To speed up recruiting, Gen. Milley wants to bring in cyber experts at a higher rank than fresh-out-of-ROTC second lieutenants – say, as captains. Such “direct commissioning” is used today for doctors, lawyers, and chaplains, but Milley notes it was used much more extensively in World War II, notably to staff the famous Office of Strategic Services (OSS). Why not revive that model? “There’s some bona fide brilliant dudes out there. We ought to try to get them, even if it’s only 24 months, 36 months,” he said. “They’re so rich we won’t even have to pay ’em.”

(That last line got a big laugh, as intended, but “dollar-a-year men” have served their country before, including during the World Wars.)

No matter how much the military improves recruiting, however, it probably won’t have enough talent in-house. (Neither will business, which is short an estimated two million cyber professionals worldwide.) So how does the military tap into outside talent?

Defense Department graphic

One method widely used in the commercial world is bug bounties: paying freelance hackers like Loki for every unique vulnerability they report. (Note that the Chinese military runs much of its hacking this way.) The Defense Department has run three bounty programs in the last year – Hack the Pentagon, Hack the Army, and Hack the Air Force – that found roughly 500 bugs and paid out $300,000. That’s “millions” less than traditional security approaches, says HackerOne, which ran the programs.

What’s really striking, though, is the almost 3,000 bugs that people have reported for free. Historically, the Pentagon made it almost impossible for white-hat hackers to report bugs they find, but a Vulnerability Disclosure Policy created alongside the bug bounties “has been widely successful beyond anyone’s best expectation,” said HackerOne co-founder Alex Rice, “without any actual monetary component.”

So what’s motivating people to report? For some it’s patriotism, Rice told me, but participating hackers come from more than 50 countries. In many cases, he said, hackers are motivated by the thrill of the challenge, the delight of solving a puzzle, the prestige of saying they “hacked the Pentagon,” or just a genuine desire to do good.

The other big advantage of outsourcing security this way, said Rice, is the volunteer hackers test your system in many more different ways than any one security contractor could afford to do. “Every single model, every single tool, every single scanner has slightly different strengths, but also slightly different blind spots,” Rice said. “One of the things that is so incredibly powerful about this model is that every researcher brings a slightly different methodology and a slightly different toolset to the problem.”

Those toolsets increasingly include automation and artificial intelligence.

DARPA photo

Automation & AI

“I’m the bad news guy,” Vinton Cerf, co-inventor of the Internet, told the audience at CyCon. “We’re losing this battle (for) safety, privacy, and security in cyberspace.”

Why? “The fundamental reason we have this problem is we have really bad programming tools,” Cerf said. “We don’t have software that helps us identify mistakes that we make…..What I want is a piece of software that’s watching what I’m doing while I’m programming. Imagine it’s sitting on my shoulder, and I’m typing away, and it says ‘you just created a buffer overflow.’” (That’s a common mistake that lets an attacker read or write memory beyond the buffer the program meant to use. Heartbleed was the read variant: OpenSSL trusted a length field in the heartbeat request and copied that many bytes back to the client, exposing whatever sat in server memory past the real payload.)

courtesy Wikimedia Commons

Such an automated code-checker doesn’t require some far-future artificial intelligence. Cerf says there are tools such as TLA+ and Coq that address at least parts of the problem already. Both use what are called “formal methods” or “formal analysis” to specify and verify software rigorously and mathematically. There are also semi-automated ways to check a system’s cybersecurity, such as “fuzzing” – essentially, automatically generating random or mutated inputs to see if they can make a program crash or misbehave.
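The buffer over-read Cerf describes, and the fuzzing the paragraph contrasts with formal methods, as an added example that is not from the article or from any project it names. Everything here is an assumption made for the illustration: the wire format (one byte claiming the payload length, then the payload, a miniature of the TLS heartbeat extension), the constructed `arena` input, the two parser functions and the oracle the fuzz loop uses. The over-read is kept inside one array so the demo has no undefined behaviour; in a real server the extra bytes come from whatever sits next on the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire format: one byte claiming the payload length, then the payload. */
#define HDR_LEN 1

typedef long (*parser_fn)(const uint8_t *buf, size_t buflen,
                          uint8_t *out, size_t outlen);

/* Vulnerable parser: trusts the claimed length, so it copies bytes that
 * lie beyond the record actually received (the Heartbleed pattern). */
long parse_record_vulnerable(const uint8_t *buf, size_t buflen,
                             uint8_t *out, size_t outlen)
{
    if (buflen < HDR_LEN) return -1;
    size_t claimed = buf[0];
    if (claimed > outlen) return -1;      /* protects `out`, not `buf` */
    memcpy(out, buf + HDR_LEN, claimed);  /* may read past buflen */
    return (long)claimed;
}

/* Hardened parser: the claimed length must fit inside what was received. */
long parse_record_hardened(const uint8_t *buf, size_t buflen,
                           uint8_t *out, size_t outlen)
{
    if (buflen < HDR_LEN) return -1;
    size_t claimed = buf[0];
    if (claimed > buflen - HDR_LEN) return -1;  /* the missing bounds check */
    if (claimed > outlen) return -1;
    memcpy(out, buf + HDR_LEN, claimed);
    return (long)claimed;
}

/* Constructed input: a 2-byte record whose header claims 32 bytes, followed
 * by a "secret" the parser was never meant to touch. */
static const uint8_t arena[] = "\x20" "hi" "SECRET-KEY-0123456789-DO-NOT-LEAK";
#define RECORD_LEN 3  /* header + "hi": the bytes that actually arrived */

/* How many bytes beyond the real payload the vulnerable parser hands back
 * (30 for the arena above), after confirming they are the neighbouring secret. */
int leaked_bytes(void)
{
    uint8_t out[64] = {0};
    long n = parse_record_vulnerable(arena, RECORD_LEN, out, sizeof out);
    if (n <= RECORD_LEN - HDR_LEN) return 0;
    if (memcmp(out + 2, arena + RECORD_LEN, (size_t)n - 2) != 0) return -1;
    return (int)n - 2;
}

/* 1 if the hardened parser rejects the same lying record, else 0. */
int hardened_rejects(void)
{
    uint8_t out[64];
    return parse_record_hardened(arena, RECORD_LEN, out, sizeof out) == -1;
}

/* Minimal fuzz loop with a deterministic xorshift generator: random length
 * claims against random receive sizes.  The oracle is "returned more bytes
 * than the record contained"; production fuzzers rely on crashes or
 * AddressSanitizer reports instead.  Returns the number of oracle failures. */
int fuzz_parser(parser_fn parse, int iterations)
{
    uint32_t s = 0x9E3779B9u;
    uint8_t buf[64], out[16];  /* out is small, so memcpy stays inside buf */
    int failures = 0;
    for (int i = 0; i < iterations; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        size_t buflen = s % (sizeof buf + 1);
        for (size_t j = 0; j < buflen; j++) {
            s ^= s << 13; s ^= s >> 17; s ^= s << 5;
            buf[j] = (uint8_t)s;
        }
        long n = parse(buf, buflen, out, sizeof out);
        if (n < 0) continue;
        if (n > (long)sizeof out || buflen < HDR_LEN ||
            (size_t)n > buflen - HDR_LEN)
            failures++;
    }
    return failures;
}

int main(void)
{
    printf("vulnerable parser leaked %d bytes past the record\n", leaked_bytes());
    printf("hardened parser rejects it: %s\n", hardened_rejects() ? "yes" : "no");
    printf("fuzz failures, vulnerable: %d\n", fuzz_parser(parse_record_vulnerable, 5000));
    printf("fuzz failures, hardened:   %d\n", fuzz_parser(parse_record_hardened, 5000));
    return 0;
}
```

The fuzz loop finds the bug only because its oracle knows how many bytes were received; a real harness would hand each record to the parser from a freshly allocated heap block and build with `-fsanitize=address`, so that the over-read shows up as a crash the tool can report. The formal-methods route Cerf prefers would instead state `claimed <= buflen - HDR_LEN` as a precondition of `memcpy` and refuse to accept the vulnerable version at all.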

Artificial intelligence doesn’t have to be cutting-edge to be useful. The Mayhem program that won DARPA’s Cyber Grand Challenge, for instance, “did require some amount of AI, but we did not use a huge machine learning (system),” Brumley said. “In fact, NVIDIA called us up and offered their latest GPUs, but we had no use for them.” Mayhem’s main weapon, he said, was “hardcore formal analysis.”

“There is a lot of potential in this area, but we are in the very, very early stages of true artificial intelligence and machine learning,” HackerOne’s Rice told me. “Our tools for detection have gotten very, very good at flagging things that might be a problem. All of the existing automation today lags pretty significantly today on assessing if it’s actually a problem. Almost all of them are plagued with false positives that still require a human to go through and assess (if) it’s actually a vulnerability.”

So automation can increasingly take on the grunt work, replacing legions of human workers – but we still need highly skilled humans to see problems and solutions that computers can’t.”



Cyber Tech Firms Need Integrator Partners to Broaden Their Services


Image:  Oracle.com


“Given the frequency and severity of security intrusions in the public and private sector, cybersecurity companies are now looking for more complete offerings beyond their core capabilities.

By demonstrating an ability to technically integrate with third party vendor products, these companies can show that they are able to more fully meet the needs of Federal government customers.”

“Government agencies are looking for companies that can act as general contractors, but not all companies are system Integrators. Therefore, the goal for many companies is to have the ability to provide a more expansive, holistic offering beyond just their own product portfolio.

That hasn’t traditionally been the case among cybersecurity providers. These companies have typically focused on selling their uniquely specialized products into agencies, which understandably can limit their success in responses to requests for proposals in more comprehensive programs.

For the government in particular, the approach allows agencies to more easily make decisions on which products to deploy in complex environments.

Let’s look at how some general technical cybersecurity integrations can add benefit to customers:

Multi-Factor Authentication (MFA) – An agency looking to deploy MFA tokens to all their employees will likely need a card management system (CMS) to enroll the certificates stored on the physical tokens. Some companies offer both tokens and a CMS, but particularly when looking for high assurance tokens that were designed with the Federal government in mind, they are unique areas of expertise. Having the ability to vet out, in advance, a working solution that can be jointly offered to a customer simplifies the overall process and allows a customer to more readily select the appropriate vendor.

Storage & Key Mgt Encryption – What’s important here is whether a storage encryption solution can work with a key manager through open standards such as the Key Management Interoperability Protocol (KMIP). This type of interoperability is another way of layering levels of security and creating an overall efficient solution for the customer. It alleviates the challenge of the customer having to validate that the products they purchase will properly integrate in their environments.

Complete offerings – In some cases a company may be missing one element to an overall holistic solution. Among encryption providers, encrypt everything is the Holy Grail. Some come very close to meeting that promise with encryption solutions for web/application servers, databases, file servers, disk encryption, virtual machines, etc. Often, however, what might be missing is the ability to encrypt email and documents. Companies should pool resources to be able to offer that level of encryption and storage with hardware for root key management, to provide an integrated solution for all available data venues.

So after being a bit late to the game on the need to create integrated offerings, cybersecurity firms have come to realize that there is more value to creating a simple means for agencies to ensure their IT security than there is to owning a narrow segment of the market.”



“Who’s Who” in Cyberspace Operations (CSO)? DARPA Asks


(Photo credit: DARPA)

Defense Advanced Research Projects Agency Wants to Know


“DARPA wants to know who can do what when it comes to cyber research.

The agency wants to compile an up-to-date list of companies capable of participating in research projects in cyberspace operations (CSO).

“Ideally, respondents will include both potential performers currently holding security clearances and those who may be granted clearances based on technical capabilities and eligibility,” DARPA said.

“Often, these projects are classified and can only be solicited from a limited number of sources,” noted the FedBizOps request for information. “DARPA must maintain up-to-date knowledge about potential performers to maximize the number of sources that can be solicited for classified, highly specialized, CSO R&D initiatives.”

Interested parties should submit a white paper that includes a list of their personnel with CSO experiences, any security clearances those employees have, and a narrative description of their relevant skills. Companies should also list any relevant facilities, including secure areas.”




DARPA Wants Bots To Protect Us From Cyber Adversaries




“The military research unit is looking for technology and software that can identify networks that have been infiltrated—and neutralize them.

[They are]  looking for ways to automate protection against cyber adversaries, preventing incidents like the WannaCry ransomware attack that took down parts of the United Kingdom’s National Health Service networks.

The Defense Advanced Research Projects Agency is gathering proposals for software that can automatically neutralize botnets, armies of compromised devices that can be used to carry out attacks, according to a new broad agency announcement.

The “Harnessing Autonomy for Countering Cyber-adversary Systems” program is also looking for systems that can exploit vulnerabilities in compromised networks to protect those networks, making cyber adversaries—both state and non-state—less effective.

This isn’t the first time DARPA has investigated automated cybersecurity. In the 2016 Cyber Grand Challenge, participants were tasked with building systems that could thwart attacks without human intervention.

The businesses awarded contracts under the HACCS program will also come up with ways to measure how successful that technology is, incorporating how accurate the systems are in identifying botnet infections and the types of devices harnessed by the botnet.

It’s not enough to simply fortify Defense Department networks, the solicitation says, because botnets might operate without the owner of that network knowing. The Defense Department needs a way to initiate an immediate response even if the owner is not “actively participating in the neutralization process,” according to the announcement.

One way to build such an autonomous system might be to teach it to mimic the way human operators neutralize attacks in cyber exercises, according to a HACCS slide deck.

DARPA is not concerned about how stealthy the technology is in neutralizing botnets, the deck notes, but an effective system should only work on the networks that actually are compromised instead of taking the “kitchen sink” approach.

Some internet privacy advocates noted that law enforcement’s efforts to quietly neutralize botnets could violate the privacy of those who own the compromised devices, especially if the Federal Bureau of Investigation doesn’t inform them that they’re accessing their devices in their attempts to thwart attacks.

Proposals for DARPA’s four-year program, whose budget is undisclosed, are due Sep. 29.”



All the Ways the U.S. Government Cyber Security Falls Flat




“[An] analysis of 552 local, state, and federal organizations [was] conducted by risk management firm Security Scorecard.

The report goes beyond the truism of government cyber security shortcomings to outline its weakest areas, potentially offering a road map to change.”

“Data breaches and hacks of US government networks, once novel and shocking, have become a problematic fact of life over the past few years. So it makes sense that a cyber security analysis placed the government at 16 out of 18 in a ranking of industries, ahead of only telecommunications and education. Health care, transportation, financial services, retail, and pretty much everything else ranked above it.

Security Scorecard found that the government particularly lags on replacing outdated software, patching current software, individual endpoint defense (particularly when it comes to exposed Internet of Things devices), and IP address reputation—meaning that many IP addresses designated for government use or associated with the government through a third party are blacklisted, or show suspicious activity indicating that they may be compromised. A wide range of issues plague government agencies—but they’re largely fixable.

“There’s a lot of low-hanging fruit when it comes to the government sector overall,” says Alex Heid, SecurityScorecard’s chief research officer. “They’ll implement a technology when it’s very new and then it’ll just sit there and age. This creates a mix of emerging technologies, which might be misconfigured, or not everything is known about them yet, with legacy technologies that have known vulnerabilities and exploitable conditions.”

After a few years of high-profile government hacks—the devastating breach of the Office of Personnel Management chief among them—the sector as a whole has made some modest strides on defense, moving up from last place in a 2016 SecurityScorecard report. Even OPM has gained some ground, though findings (and a government review) indicate that it still has a long way to go. Agencies that control and dole out money—like the Federal Reserve, Congressional Budget Office, and National Highway Traffic Safety Administration—tend to have much more robust digital security, as do intelligence and weapons agencies like the Secret Service and Defense Logistics Agency. Even the Internal Revenue Service, which has been plagued by leaks over the past few years, has shown marked improvement, spurred by necessity.

SecurityScorecard gathers data for analyses through techniques like mapping IP addresses across the web. Part of this analysis involves attributing the addresses to organizations, not just by looking at which IPs are allocated to which groups, but by determining which organizations use which IP addresses in practice. This means that the report didn’t just assess blocks allocated to the government, it also tracked addresses associated with contract third parties, like cloud and web application providers. The group also scans to see what web applications and system software organizations run, and compares this information to vulnerability databases to determine which organizations should upgrade and patch their platforms more rigorously. Additionally, SecurityScorecard collects leaked data troves of usernames and passwords, and monitors both public and private dark-web forums.

The report found that government agencies tend to struggle with basic security hygiene issues, like password reuse on administrative accounts, and management of devices exposed to the public internet, from laptops and smartphones to IoT units. “There were more IoT connections available from government networks than I would have expected,” Heid says. “Even things like emergency management systems platforms from the mid 2000s were available to the public.” When systems are unwittingly exposed online, hackers can find credentials to gain access, or use software vulnerabilities to break in. Sometimes this process takes attackers very little effort, because if an organization doesn’t realize that something is exposed online, it may not have made the effort to secure it.

For government groups, the report found that digital security weaknesses and pain points track fairly consistently regardless of the size of an organization. (Shout out to the Wisconsin Court System and the City of Indianapolis for strong cybersecurity showings.) That means that despite the large number of issues across the board, the same types of strategies can potentially be applied widely in an effective way. The question now, Heid says, is how effectively legislation can guide government IT and cybersecurity policy. There’s a mixed track record on that at best, but in the meantime breaches and market forces are slowly driving progress.

“It boils down to the conception of information security as an afterthought,” Heid says. “‘We’ve got operations to handle and we’ll deal with the problems as they arise’ is essentially how it’s been implemented into government. But for some agencies they end up having losses in the millions of dollars. People start wearing kneepads after they fall off the skate board a few times.”



Estonia Lesson Learned: “Every Country Should Have a Cyber War”




“Estonia’s biggest turning point was 10 years ago, when the country came under sustained cyberattack.

The shock of a cyberwar united the community to take action. Estonians don’t see cybersecurity as a phenomenon; it’s about being empowered by technology, not controlled by it.”

“Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves.

In 1991, Estonia was part of the dying communist empire. Its economy was run by central planners in Moscow, less than half of all households had a phone line, and goods were so scarce that people had to line up for food.

Skip ahead 26 years, and Estonians don’t even have to queue to vote. They do that online.

In just over two decades, Estonia has become one of the world’s most digitally innovative and efficient countries. In fact, Estonians conduct all their civic responsibilities online. Offices and paper forms have become obsolete as state-issued digital identities allow all citizens to carry out any financial or government transaction from their laptops or cellphones. And that gives them an edge when it comes to cybersecurity.

Estonia’s journey down the digital road has been astonishingly fast. When it gained independence from the Soviet Union in 1991, it had almost no money and few natural resources. But it did have one advantage: It was the designated center for software and computer production for the USSR. After achieving independence, the country had a pool of tech expertise for them to build on.

During these early years of independence, Estonia needed to create the means for a new economy. And it wasn’t going to be easy. The country’s tiny population of just 1.3 million is spread over a relatively vast countryside. Outside the capital Tallinn, there’s an average of just four people per square kilometer. The new government didn’t have the resources to extend government offices or banking facilities to small towns and villages, so it decided to encourage self-service, and spread internet access across the country in order to do so.

To achieve this, the government set up an investment group to build computer networking and infrastructure. By 1997, almost every school was connected to the internet, and by 2004, 300 wifi access points had been established, bringing the internet even to small villages—and mostly for free.

In 2007, Estonia was in the middle of a political fight with Moscow over plans to remove a Soviet war memorial from a park in Tallinn. Suddenly, it was hit with three weeks of DDoS (distributed denial of service) attacks. When this happens, multiple sources send multiple online requests, flooding a service or system and making it unable to function. It’s the digital equivalent of crowding an entrance to a building so that no one can come in or out.

As a result, Estonian websites went offline as they were bombarded with traffic. Russia denied any involvement, but Estonia didn’t believe it.

“War is the continuation of policy by other means,” Estonian president Kersti Kaljulaid told a NATO cyber-conference in Tallinn in June 2017. “Ten years on, it is clear that the decision made by Estonia not to withdraw but stay and fight for the security of our cyberspace was indeed the right one.”

The attacks made Estonia more determined than ever to develop its digital economy and make it safe from future attacks. “I think every country should have a cyber war,” says Taavi Kotka, the government’s former chief information officer. “Citizens get knowledge about what an attack means, about how phishing works, how D-DoS works, and they start to understand and live with that. People aren’t afraid if they know they can survive something. It’s the same thing as electricity going off: Okay, it’s an inconvenience, but you know how to deal with it.”

In Estonia, people are not afraid of cyber warfare, nor are they afraid of sharing personal data across public and private institutions. Go to a hospital, and the nurse or doctor can call up your entire health records from any doctor you ever visited without the need to call their offices and asking them to send files.

Full marks for convenience, simplicity, and efficiency. But what about the dangers of nameless bureaucrats accessing your personal data? Isn’t there a risk of future governments abusing the system and using your intimate details against you? Isn’t this inviting an Orwellian nightmare?

Estonia says no. Unlike an authoritarian state like the old Soviet Union, government transparency is built into the system. While all your private data is online, only you can give permission for any data to be accessed. And you can check who has accessed what. If a doctor you don’t know has viewed your records, it will be traceable, and you can have them sacked. As one software developer Quartz spoke to said, “You become your own Big Brother.”

Data is protected through a framework known as X-Road, which exchanges data between decentralized government databases rather than pooling it in one place. X-Road has built-in security measures that encrypt traffic and time-stamp the data so that it cannot be manipulated undetected. Taimar Peterkop, from Estonia’s Information System Authority, says that the security measures built into e-identity databases are all but impenetrable by outsiders. “Estonia takes data integrity very seriously because our society is so digitized,” he says. “If someone manipulates citizens’ data, that’s a challenge for us. We use blockchain-based technology to ensure the data is as it should be.”
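The two properties the last three paragraphs lean on, that a citizen can see who opened their record and that nobody can quietly rewrite that history, as an added example; this is illustrative code, not X-Road’s implementation or any Estonian system’s. It keeps a hash-chained access log: each entry carries the hash of the entry before it, so editing or deleting an older entry breaks every link after it. The 64-bit FNV-1a hash is a placeholder chosen only to keep the example dependency-free (a real log would use SHA-256 or a signed timestamping service), and the entries, actor and patient identifiers and timestamps are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char actor[32];      /* who looked, e.g. a doctor's ID (assumed format) */
    char subject[32];    /* whose record was looked at */
    uint64_t timestamp;  /* assumed Unix time of the access */
    uint64_t prev_hash;  /* hash of the previous entry, 0 for the first */
    uint64_t hash;       /* hash over this entry's fields and prev_hash */
} log_entry;

/* 64-bit FNV-1a, a stand-in for a cryptographic hash such as SHA-256. */
static uint64_t fnv1a(uint64_t h, const void *data, size_t len)
{
    const uint8_t *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static uint64_t entry_hash(const log_entry *e)
{
    uint64_t h = 0xcbf29ce484222325ULL;        /* FNV offset basis */
    h = fnv1a(h, e->actor, strlen(e->actor));
    h = fnv1a(h, "|", 1);                      /* separator: "ab"+"c" != "a"+"bc" */
    h = fnv1a(h, e->subject, strlen(e->subject));
    h = fnv1a(h, "|", 1);
    h = fnv1a(h, &e->timestamp, sizeof e->timestamp);
    h = fnv1a(h, &e->prev_hash, sizeof e->prev_hash);
    return h;
}

/* Append one access, chained to the entry before it.  Returns the new count. */
int log_append(log_entry *log, int count, const char *actor,
               const char *subject, uint64_t ts)
{
    log_entry *e = &log[count];
    memset(e, 0, sizeof *e);
    strncpy(e->actor, actor, sizeof e->actor - 1);
    strncpy(e->subject, subject, sizeof e->subject - 1);
    e->timestamp = ts;
    e->prev_hash = count ? log[count - 1].hash : 0;
    e->hash = entry_hash(e);
    return count + 1;
}

/* Walk the chain.  Returns -1 if intact, else the index of the first entry
 * whose stored hash or back-link no longer matches. */
int log_verify(const log_entry *log, int count)
{
    uint64_t expect_prev = 0;
    for (int i = 0; i < count; i++) {
        if (log[i].prev_hash != expect_prev || entry_hash(&log[i]) != log[i].hash)
            return i;
        expect_prev = log[i].hash;
    }
    return -1;
}

/* The citizen's view: how many times was my record opened? */
int accesses_to(const log_entry *log, int count, const char *subject)
{
    int hits = 0;
    for (int i = 0; i < count; i++)
        if (strcmp(log[i].subject, subject) == 0) hits++;
    return hits;
}

/* Constructed sample log: three accesses to two patients' records. */
static int build_sample_log(log_entry *log)
{
    int n = 0;
    n = log_append(log, n, "dr_tamm",   "patient_4711", 1500000000ULL);
    n = log_append(log, n, "dr_kask",   "patient_4711", 1500000600ULL);
    n = log_append(log, n, "nurse_ots", "patient_0042", 1500001200ULL);
    return n;
}

int demo_access_count(void)   /* patient_4711 was opened twice */
{
    log_entry log[8];
    int n = build_sample_log(log);
    return accesses_to(log, n, "patient_4711");
}

int demo_intact(void)         /* a fresh log verifies: -1 */
{
    log_entry log[8];
    return log_verify(log, build_sample_log(log));
}

/* An insider rewrites entry 1 to hide that dr_kask opened patient_4711's
 * record.  Its stored hash no longer matches, so verification returns 1. */
int demo_tamper_detected(void)
{
    log_entry log[8];
    int n = build_sample_log(log);
    strcpy(log[1].subject, "patient_9999");
    return log_verify(log, n);
}

/* Recomputing entry 1's hash after the edit does not help: entry 2 still
 * carries the old back-link, so verification returns 2. */
int demo_recompute_detected(void)
{
    log_entry log[8];
    int n = build_sample_log(log);
    strcpy(log[1].subject, "patient_9999");
    log[1].hash = entry_hash(&log[1]);
    return log_verify(log, n);
}

int main(void)
{
    printf("patient_4711 opened %d times; fresh chain verifies at %d\n",
           demo_access_count(), demo_intact());
    printf("tampered entry flagged at index %d, after recompute at %d\n",
           demo_tamper_detected(), demo_recompute_detected());
    return 0;
}
```

The chain only helps if an insider cannot recompute every hash from the edited entry to the end; that is why the newest hash has to be anchored somewhere the log’s own administrators cannot rewrite, which is the role the timestamping service Peterkop describes plays in practice.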

When it comes to security, Peterkop says humans are usually the weak link. “Cybersecurity starts with us. If you have weak cyber hygiene, that’s a problem. We need to raise awareness and educate people about using strong authentication methods,” he says. For example, Estonia has public-education campaigns about how to use your smart devices wisely.

It seems like glaringly obvious advice, but a look at the recent US election shows that basic cyber hygiene has been an after-thought, even for the powerful. When Democratic nominee Hillary Clinton’s campaign chief John Podesta’s Gmail account was hacked, Wikileaks founder Julian Assange claimed Podesta’s password was simply the word “password.” The campaign denied this claim and said they fell victim to a phishing scam. Whatever the case, it was an avoidable security breach that should never have occurred.

Peterkop also says that consumers need to ask more questions about the Internet of Things, especially when it comes to everyday household products and devices. “There is so much pressure to come up with new products in a hurry, so security measures are an after-thought,” he says. “As consumers, it’s essential that we start paying attention to it. We don’t do enough risk mitigation. Basically every TV is a computer now.” These issues are present already: A recent document dump from Wikileaks points to hacking tools that directly relate to Samsung televisions.

Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves. As well as creating a paperless public service, Estonia is now backing up government data on secure servers offsite in Luxembourg. It has also prioritized tougher international action for cyber-crime and encouraged private companies to review security measures and have stronger agreements with server providers.”



A New Tool for Looking at Federal Cybersecurity Spending


Image:  “Taxpayers for Common Sense”


“A new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.”

“More and more of what the federal government does relies on complex computer systems and networks. This high tech infrastructure makes the government work better by making services more efficient and accessible.

But that digital revolution also comes with big risks—just think back to the massive data breach at the Office of Personnel Management disclosed in 2015, when hackers compromised sensitive information about tens of millions of Americans. Last year, there were at least “30,899 cyber incidents that led to the compromise of information or system functionality” at federal agencies, according to a White House report released in March. The number of attacks on federal computer systems has risen sharply over the last decade.

So how much is the government spending to protect itself (and us) in this brave new world?

Unfortunately, the answer is “we don’t really know.” But a new tool from nonpartisan watchdog group Taxpayers for Common Sense provides perhaps the most comprehensive analysis of federal cybersecurity spending.

Last week, Taxpayers released a new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.

Taxpayers used public budget documents to build the database, but it wasn’t easy. “There is no government-wide standard definition or method of accounting for what qualifies as cyber funding and, therefore, no way to fully track it,” the organization explains on its methodology page. Agencies also use a variety of different approaches to tackle the issue, making it even harder to pin down their spending. Then, there is the government’s murky “black budget” of classified spending. So Taxpayers “settled on providing the best picture [it] could develop from extensive research of government programs” that are unclassified, spending two years searching through thousands of budget documents for terms like “information security” and “information assurance.”

Taxpayers found the amount spent on cybersecurity has quadrupled over 11 years. The group was able to tally $7 billion in unclassified cybersecurity spending in 2007, as compared to $28 billion in 2016. But some of that growth could be attributed to improvements in how the government tracks cybersecurity funding.

The resulting snapshot isn’t perfect, but it’s an impressive start—and a necessary one. After all, you can’t figure out what bang the government gets for its cybersecurity buck if you don’t know where those bucks go.”


The Business of National Cybersecurity

“With all the attention this subject is now receiving, one would think the business of national cyber security (commercial, government and defense) would be very robust.

Small and medium-sized businesses are not singing a happy, carefree tune. Delays in contracts, budget cuts and delayed payments seem to be the most common complaints.

It is hard to open a browser, look at a newspaper, or watch or listen to a news show without the topic of cybersecurity coming up. In mid-June, Microsoft received a lot of attention from headlines about the company’s warning of an elevated risk of cyberattacks. Another attention-grabbing headline came from Chris Childers, the CEO of the National Defense Group located in Germantown, Maryland, who shined light on the fact that many satellites in use today are dated and use old technology that was made before cyberthreats were a real issue and prior to when cyber defenses were readily available.

With all of the headlines about cyberattacks, viruses, ransomware attacks (WannaCry) and so on, you would think cybersecurity business is booming. Odds are it is not as robust as many people think. Let’s not forget when the Department of Homeland Security said 20-plus states faced major hacking attempts during the 2016 presidential election.

Today, basic cybersecurity understanding and skills need to reach into every profession and every level of the workforce. Updating the skills of the workforce must be continuous, and this takes time and money.

Another interesting point was brought up during a recent cyber strategy thinking session: Could our adversaries be leveraging inexpensive cyberattacks and threats as economic warfare, knowing full well that we will move to identify, analyze and address the emerging threats — something that would cost us money? After all, what choice do we have?”



Cyber Training and Education Must Be Continuous

(Photo Credit: Staff Sgt. Alexandre Montes/Air Force)

“Today, very few organizations have as a requirement for employees and contractors the upkeep of cyber security knowledge.

That must change immediately if we are to keep pace with the ever-changing cyber threat environment.

Times are certainly changing. Politics, regulation, threats, conflict and so much more are changing; but it can be difficult to adapt to all the new and emerging technologies and their applications. There is little doubt that the world’s reliance on computers and their use continue to increase rapidly. Arguably, digital transformation is the leading driver of change. All these are producing a significant amount of new data and data communication paths that are all potential targets for cyberattacks by our adversaries and criminals. The sum of all this equals changes to our knowledge base, education requirements and the cyberthreat environment. Let’s take a look at some of the stats.

Cyberattack surface area

In 2016, there were multiple numbers that clearly showed just how large the cyberattack surface area has become. It was estimated that in 2016, internet of things, or IoT, devices rose to 17.6 billion. In 2016, there were an estimated 12.5 million connected cars produced and put into operation. Also in 2016, an estimated 45 percent of Americans had either a smart home or invested in smart-home technology, according to a survey by Coldwell Banker. Now we should also include robots. In the fourth quarter of 2016, robot orders in North America surged by 61 percent. The increase in robot sales has led analysts to project that robots will take/occupy 6 percent of all U.S. jobs by 2021.

Here is something that provides a partially over-arching perspective: data storage. IDC projects data storage growth by 35 to 40 percent per year for external storage and 33 to 38 percent for internal storage. Finally, consider Gartner’s projection that “manufacturers, consumer goods companies, medical device providers and their supply chain vendors are expanding the use of 3-D printing.” Think of the data files flowing to those printers! Think about the value of those files. Theft of those files enables counterfeit products, for sure. Think about all the changes in technology and to the cyberattack surface area the above data represents.


Consider the following metrics as an indication of the current pace of change to the cyber environment. In just one quarter of 2016, Panda Labs stated there were 18 million new strains of malware identified/captured. That equates to about two and one-third new pieces of malware being identified every single second. That is what was found! It is anyone’s guess what was actually released. In 2016, ransomware continued to grow in number. In fact, some place the growth rate at approximately 300 percent. That means in 2016 there were on average approximately 4,000 ransomware attacks occurring every day. That equates to two and three-fourths ransomware attacks per minute. We shouldn’t forget about the growing use of cryptocurrencies for payment in ransomware attacks! At the time of writing this, there were more than 850 different cryptocurrencies with a total market capitalization equal to or over $97 billion. Think about all the nefarious activities that cryptocurrencies could be used to fund. It’s proven to be so relevant that a recent cryptocurrency webinar had approximately 3,000 professional attendees.

Distributed denial of service, or DDoS, attacks in 2016 were up in frequency, intensity and the amount of flooding data. In fact, we saw the largest DDoS attack of its kind in history. One company reported DDoS traffic of 1.2 terabytes per second. But hold on. Think about the potential for a highly distributed IoT bot net. That is a distinct possibility evolving right before our eyes.

Impact on cyber training and education

The pace at which the cyberthreat environment is changing creates a huge challenge for our military and intelligence communities. Keeping up with these changes is a large and growing task. Considering the pace with which technology is advancing and implemented, it is easy to see just how essential continuous education has become. With all of the changes that have taken place and continue to take place, updating the curriculum must be an ongoing activity; the same goes for the knowledge and skill-set requirement of professionals in the cybersecurity field. Today, very few organizations have as a requirement for employees and contractors the upkeep of cybersecurity knowledge. That must change immediately if we are to keep pace with the ever-changing cyberthreat environment.”


Half of Industrial Control Systems Suffered Cyber Attack Last Year

The National Institute of Standards and Technology’s industrial control security testbed. (Photo Credit: NIST)

“Data gathered comes from 359 industrial cyber security practitioners in 21 countries that completed online surveys between February 2017 and April 2017.

One-in-five respondents experienced two incidents within the 12-month window.

Threats to industrial control systems are becoming increasingly widespread, according to a new survey from cyber security firm Kaspersky Lab and Business Advantage that found over half of the companies sampled reporting at least one cyberattack in the last 12 months.

The top observed threat remains conventional malware, which played a part in 53 percent of actual incidents, followed by targeted attacks, ranging from spear phishing to more sophisticated advanced persistent threats. The top perceived threats are third-party supply chain/partners and sabotage/intentional damage from other external sources.

This has led three-in-four companies to expect a cyber attack to happen to them, though 83 percent feel prepared to combat an incident.

Organizations might not be as ready as they believe themselves to be, however, considering the fact that the anti-malware solutions already implemented by 67 percent of respondents still allowed for so many incidents.

Increasing the frequency of issuing patches/updates could contribute to protection from incidents like the WannaCry pandemic, but the increased attack surface and access granted to external parties by growing enterprises complicates matters.

Therefore, risk management is being recognized as a growing priority, but finding properly trained staff and reliable external partners to implement cyber security tops the challenges of companies that acknowledge the problem. Financial loss is shown to decrease in organizations that have security awareness programs for staff, contractors and partners.

Looking at the survey’s findings, the top risk factors appear to be the access of external parties, a lack of compliance with industry/government regulations and the use of wireless connections. This has led companies to express support for some level of mandatory reporting and governance to help bring about more transparency to help develop frameworks to address the risks.

Some factors that appear to help mitigate threats include documented cybersecurity programs being set in place; regular security assessments/audits being conducted; vulnerability scans and patch deployments happening biweekly at minimum; unidirectional gateways being installed between control systems and the rest of the network; anti-malware solutions being installed for industrial endpoints; industrial anomaly detection tools, intrusion detection and intrusion prevention tools being used; and staff and contractors being given regular security awareness training.”

The entire survey can be accessed by filling in a form on the Kaspersky blog.
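The survey above lists “industrial anomaly detection tools” and unidirectional gateways between control systems and the rest of the network among the factors that help mitigate threats. The following is an added example, not code from Kaspersky Lab, Business Advantage or this blog, of the simplest form such a tool takes: an allowlist baseline of who talks to which controller, over which protocol, with which Modbus function code, learned from a known-good window and then used to flag deviations (a new host, a new peer, a new protocol, or a write from a host that was only ever seen reading). The hosts, addresses and flow records are constructed for the example; the log format (`src dst proto fcode`, with `-` for non-Modbus traffic) is an assumption, not a real tool’s output.

```python
"""Allowlist-style anomaly detection for ICS network flows (added example).

Learns a baseline of (destination, protocol, Modbus function code) per source
host from a known-good window, then flags later flows that deviate from it.
Sample records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Modbus function codes that change controller state (coil/register writes).
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class Flow:
    src: str            # source host
    dst: str            # destination (PLC/RTU or other ICS host)
    proto: str          # "modbus", "s7comm", "http", ...
    fcode: Optional[int]  # Modbus function code, None for non-Modbus flows


Peers = Set[Tuple[str, str, Optional[int]]]   # (dst, proto, fcode)


def parse_flow(line: str) -> Flow:
    """Parse one constructed log record: 'src dst proto fcode' ('-' = no code)."""
    src, dst, proto, fcode = line.split()
    return Flow(src, dst, proto, None if fcode == "-" else int(fcode))


def _records(text: str) -> List[Flow]:
    return [parse_flow(l) for l in text.splitlines() if l.strip()]


def learn_baseline(text: str) -> Dict[str, Peers]:
    """Build the allowlist: every (dst, proto, fcode) each source was seen using."""
    baseline: Dict[str, Peers] = {}
    for f in _records(text):
        baseline.setdefault(f.src, set()).add((f.dst, f.proto, f.fcode))
    return baseline


def classify(baseline: Dict[str, Peers], f: Flow) -> Optional[str]:
    """Return a reason string if the flow deviates from the baseline, else None.

    Checks go from coarse to fine so the alert names the most basic deviation.
    """
    peers = baseline.get(f.src)
    if peers is None:
        return "unknown source host"
    if not any(d == f.dst for d, _, _ in peers):
        return "new destination for this source"
    if not any(d == f.dst and p == f.proto for d, p, _ in peers):
        return f"new protocol {f.proto} to this destination"
    if (f.dst, f.proto, f.fcode) in peers:
        return None
    if f.proto == "modbus" and f.fcode in MODBUS_WRITE_CODES:
        return (f"Modbus write (function {f.fcode}) from a host never seen "
                "writing to this destination")
    return f"unexpected Modbus function code {f.fcode}"


def detect(baseline: Dict[str, Peers], text: str) -> List[Tuple[Flow, str]]:
    """Run every record in `text` against the baseline; return (flow, reason) alerts."""
    alerts = []
    for f in _records(text):
        reason = classify(baseline, f)
        if reason:
            alerts.append((f, reason))
    return alerts


# Constructed known-good window: an HMI (10.0.10.5) only reads holding registers
# (fc 3), an engineering station (10.0.10.7) writes registers (fc 16), and a
# historian (10.0.10.9) polls one PLC over S7comm.
BASELINE_LOG = """
10.0.10.5 10.0.20.11 modbus 3
10.0.10.5 10.0.20.12 modbus 3
10.0.10.7 10.0.20.11 modbus 16
10.0.10.7 10.0.20.12 modbus 16
10.0.10.9 10.0.20.11 s7comm -
"""

# Constructed later window: two normal flows plus four deviations.
DETECT_LOG = """
10.0.10.5 10.0.20.11 modbus 3
10.0.10.5 10.0.20.11 modbus 16
10.0.30.44 10.0.20.12 modbus 3
10.0.10.7 10.0.20.12 modbus 16
10.0.10.7 10.0.20.12 http -
10.0.10.9 10.0.20.12 s7comm -
"""


def run_example() -> List[str]:
    """Learn from BASELINE_LOG, detect over DETECT_LOG, return the alert reasons."""
    baseline = learn_baseline(BASELINE_LOG)
    return [reason for _, reason in detect(baseline, DETECT_LOG)]


if __name__ == "__main__":
    for flow, reason in detect(learn_baseline(BASELINE_LOG), DETECT_LOG):
        print(f"ALERT {flow.src} -> {flow.dst} {flow.proto} {flow.fcode}: {reason}")
```

The ordering of checks matters in practice: an HMI that suddenly issues a Modbus write (function 16) is a more useful alert than “unexpected function code,” because it is exactly the kind of lateral movement from a compromised operator workstation that a unidirectional gateway or read-only network segment is meant to prevent. A real deployment would learn the baseline over days rather than five lines and would re-learn after authorized engineering changes.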