There's no question the bad guys are trying to break in. Top cybersecurity experts from Homeland Security, the National Intelligence director's office, and private industry gathered to discuss the most urgent threats and how they're working to counter them.

Practically every day brings new revelations about foreign hacking. Behind the headlines, government and private-sector security experts are doing everything they can to counter those threats.

Top cybersecurity experts from the Department of Homeland Security, the Office of the Director of National Intelligence, and private industry came together at a recent event held at the Washington Post to discuss the cyberwar being waged with foreign adversaries as well as the overall threat landscape. Here are some of the insights shared on current and future threats, and what’s being done to combat them.

Today’s biggest cyberthreats

Tonya Ugoretz, director, Cyber Threat Intelligence Integration Center, Office of the Director of National Intelligence

Tonya Ugoretz’s department focuses on current cyberthreats, and she is unambiguous about which country poses the biggest danger to the United States: Russia. It is “the most aggressive foreign actor that we see in cyberspace,” she said. “There is, for good reason, a lot of focus on their activity in 2016 against our election infrastructure and their malign influence efforts.”

Russia has done much more than is in the public eye. Both Homeland Security and the FBI, Ugoretz pointed out, have warned about “Russian cyber-actors' efforts to infiltrate and conduct intrusions into different sectors of our critical infrastructures, including energy and water and manufacturing. So the aggression is widespread. It's against multiple sectors. It's against multiple types of networks.” Combatting that, she said, “really does require not only a whole-of-government effort, but a whole-of-country effort, to be aware of what we're facing and to combat it.”

In practical terms, that means the government must think more broadly about how to combat cyberattacks. “The U.S. government does not have the monopoly on intelligence when it comes to cybersecurity,” Ugoretz said. “There is a very robust cybersecurity industry in the private sector, and we need to look at new ways of partnering with them, feeding their information into what we see from classified intelligence sources, so that we can create a holistic picture of the threats that we seek.”

That relationship between the government and private sector has already borne fruit, notably in fighting the global WannaCry ransomware attack last year, Ugoretz said. As private industry organizations gathered information about the ransomware’s early infection points, they shared it with Homeland Security, which in turn shared it with others in the intelligence community. Armed with that information, government experts established that the attack had come from “North Korean cyber-actors,” in Ugoretz’s words. Because of that, she said, government policymakers could “consider response options” to cut down on future threats.

What tomorrow’s cyberthreat landscape looks like

Jason Matheny, director, Intelligence Advanced Research Projects Activity, Office of the Director of National Intelligence

Jason Matheny is involved with over-the-horizon research, meaning the cyberattacks expected in the future rather than the attacks we’ve already encountered. At the moment, he said, 70 percent to 80 percent of attacks from other countries and cybercriminals are social engineering attacks meant to manipulate the behavior of users. Phishing attacks, for example, are used to trick people into downloading malware onto their computers or into giving up their logins and passwords.

In the next five to 10 years, Matheny said, machine learning will make these attacks more dangerous and difficult to combat. At the same time, cyberdefenses will use machine learning to more easily detect those attacks. The result will be an arms race, he said. “The people who are developing phishing attacks are using machine learning in order to figure out ways of making more subtle phishing emails that bypass filters,” Matheny noted. “I think what we're going to see is a much greater degree of sophistication in the machine learning that's applied to this, so that every day, you're going to see a significant advance on both the offense and the defense. It's happening at machine speeds. The cyber-actors can, in a way, create industrial-scale phishing attacks. They automatically generate phishing emails in very large numbers. The Internet companies are developing defenses that are just as fast and scalable. That's, right now, what we consider one of the hardest problems in cybersecurity.”

Matheny's agency also addresses how to thwart the use of social media to influence a country’s public opinion, inflame political disagreements, and sow confusion. As part of that effort, the agency is looking at how to detect bots that operate on social media. The research concerns questions such as, “Can you detect sock puppets, which are manipulated accounts that are being used to express certain opinions or judgments? Can you detect those automatically?” Detecting them in an automated way is important, he said, “because there are so many such accounts, it’s impossible to identify them using human analytics.”

The third area Matheny's group is investigating is Russian disinformation attempts. "Domestically, the primary disinformation inside Russia is less censorship and more overloading the media and social media accounts with engineered data," he said. That creates "a huge volume of controlled information, much of it disinformation in order to drown out the genuine data.”


How private industry views the cyberthreat problem

Liz Joyce, chief information security officer, Hewlett Packard Enterprise

Liz Joyce has been working in cybersecurity for about 20 years. When she started out, cyberattacks happened typically about once a year and the attacks were limited in scope. “We were horrified when it was maybe 10,000 or 100,000 records,” she said. Today, though, “instead of things happening on a yearly basis, we're now dealing with threats that are occurring on a daily basis. Big headlines. And we're talking about millions and millions of records in a single data breach.”

Cybercrime has become a $1 trillion business globally. Attacks are no longer the work of script kiddies. Sophisticated cybercriminal gangs are behind many attacks, in addition to “nation states as well as hacktivists that are doing things for ideological reasons,” Joyce said.

In earlier years, cyberprotection was straightforward. “Basically, we could take our critical assets, drop them in a data center, stick up a firewall, and feel good about things.” Now, however, “we're in a highly connected mobile hybrid environment, and your data is sitting in a data center, a cloud, on devices on the edge,” she said. “And for those devices, we've hit a tipping point this year, where the number of devices now significantly outnumbers the number of human beings on this planet. It's about 11 billion to about 7 billion, and all of those things have data. How are we going to protect that data?”

The answer, Joyce said, is not to think about security as separate from the way companies do business but built directly into it. In her words, we must “think about things holistically.” That means creating applications with security built in from the start. It means building security directly into firmware and hardware. It means using technologies like artificial intelligence and machine learning, and training every employee in a company about cyberthreats and how to avoid them. And ultimately, it means building security into the core of the enterprise itself. “Everything from how you deliver your service, how you interact with your customers and organizations, you have to think about security from that point,” she added.

Cybersecurity is the most important issue facing government CIOs today, said Antonio Neri, president and CEO of HPE. He noted that at a CIO roundtable he hosted, “80 percent of the conversation was dominated by cybersecurity.” Among the most urgent issues is how companies can protect their data, particularly because it is hard to track where data is created and where it resides. “Seventy-five percent of that data actually is not created in the cloud or in the data center. It's created here, in fact—many of you are holding phones and digitizing this conversation; you're doing something,” Neri said. “Everything computes in our life, but fundamental is how we protect that interaction between the user and the data in a way that protects our intellectual property.”

Homeland Security on cyberthreats to U.S. elections

Christopher Krebs, undersecretary of the National Protection and Programs Directorate, Department of Homeland Security

The Department of Homeland Security protects against cyberthreats to the nation's critical infrastructure, including power plants, healthcare facilities, wastewater treatment plants, and elections.

A major challenge in keeping elections safe from cyberattacks, said Homeland Security's Christopher Krebs, has less to do with technology than with the way in which elections are held in the United States. Elections, even those for the presidency and Congress, are run by state and local governments, not by the federal government. That means each state and, frequently, each individual locality has its own way of holding elections and its own technology, from paper ballots to multiple kinds of voting machines, including direct-recording electronic (DRE) voting machines, some of which produce no paper trail and are therefore considered vulnerable to hacking.

Krebs put the conundrum this way: “It is the responsibility of the states to administer elections. It is the responsibility of the Department of Homeland Security and the federal government to provide for the national security and national defense of this country. There is a discussion that needs to happen between those two things.”

As a result, Krebs said, the federal government has been providing funds to modernize and harden voting technologies and protect the electoral process—most recently, appropriating $380 million. In addition, his department has been advising state governments on how to protect their elections and, as part of that, provides risk and vulnerability assessments.

In researching risks, the department found three common vulnerabilities across the country, Krebs said. First, the states run outdated operating systems. “They're not on the most modern systems. The most modern systems are just by their default nature generally the most secure.” Next, “they have some patch management and vulnerability management challenges, so when the operating system or whatever pushes a patch, it takes a lot longer, or in some cases, they don't actually patch that software.” And finally, there are misconfiguration errors; it was a misconfiguration that resulted in a state voter registration database being breached by the Russians. “We share that information not just with the folks we've done vulnerability assessments for but more broadly across the country,” he explained.

Krebs believes the Russians will likely continue to try and disrupt U.S. elections. “I don't need to see threat intelligence that they're launching another attack along the lines of 2016. Because we know they have the capability and they have demonstrated the intent.”

And it’s not just the Russians. “Right now, China is the long-term strategic threat for this country,” Krebs said. “It's not just from a direct technical cybersecurity perspective. Look at the way they do strategic investment.” He added that North Korea and Iran also target the United States with cyberattacks.

“Our challenge is understanding what they are trying to do, what their capabilities are, and what their intent is," he said. "That's the intelligence community's space. My job is saying ‘So what? What does this piece of intelligence mean? What is the context? What are the potential consequences?’ And then asking a second question: ‘What are we going to do about it?’ It's not just about government working together. It's about industry and government working together. We have to have integrated cross-sector government/industry collaboration in the cybersecurity space and the critical infrastructure protection space, and that's where we're going.”

Related links:

Watch the recorded version of the Washington Post Cyber 202 event.