Experts hash out next-generation cyber defenses

“There are only two types of networks, those that have been compromised and those that are compromised without the operator’s awareness,” wrote James Scott, senior fellow at the Institute for Critical Infrastructure Technology, in a collection of essays on next-generation cyber defenses. The writers, ICIT fellows and industry security experts, voiced a common theme: Cyber threats continue to pervade government systems and no one solution is a cure-all.

The government sector is second only to the health care industry in system vulnerability and susceptibility to attack, based on total records breached, Scott wrote. In 2016, 36.6 million records were exposed, 13.9 million of which came from government systems.

Between 2010 and 2016, he said, federal and state agencies publicly disclosed 203 breaches, and there was a 40 percent increase in public-sector data breaches in 2016. Attackers exfiltrated personally identifiable information, such as names, birthdates and Social Security Numbers, as well as operational intelligence "that could be leveraged to impact the public, critical infrastructure, national security, or additional public and private sector organizations," Scott added.

Additionally, the average breach takes 229 days to detect, which many of the experts cited in the report decry as too long. To Scott, that means the number of exposed records in 2016 could jump as more breaches are discovered.

He and others blame the problem partly on old, outdated technology. For instance, firewalls can filter the traffic that passes through them but cannot prevent that traffic from being intercepted, Scott wrote.

Organizations should modernize their systems and protect data at rest and in use through encryption, tokenization, data masking and enterprise key management, Scott said.

“Government entities have a moral and legal responsibility to act as role-model data custodians,” Scott wrote. Agency leaders and legislators must prioritize data protection, ensuring that data is “holistically and systematically protected at rest, in transit, and during processing on all agency and third-party systems such that even a sophisticated and persistent adversary that gains access to critical systems or caches of sensitive information cannot leverage that access to inflict further harm by exploiting it against the public.”
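The controls Scott lists (tokenization, masking, keyed pseudonyms and keys held apart from the data) are what make the quoted goal concrete: an attacker who dumps the application database should find nothing worth exploiting. The following is an added example, not code from the article or the ICIT anthology, using only the Python standard library. The record fields, the in-memory key store and token vault, and the sample SSN are all constructed for the example; a real deployment would back the vault and key store with separate, access-controlled services.

```python
"""Added example (not from the article or the anthology): tokenization, masking
and a separately held key for a PII record, Python standard library only."""
import hashlib
import hmac
import secrets

# Constructed record of the kind the breaches above exposed: name, date of birth, SSN.
SAMPLE_RECORD = {"name": "Jane Doe", "dob": "1980-04-12", "ssn": "123-45-6789"}


class KeyStore:
    """Stand-in for an enterprise key manager: keys are referenced by id and
    never stored next to the data they protect."""

    def __init__(self):
        self._keys = {}

    def create(self, key_id: str) -> str:
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def get(self, key_id: str) -> bytes:
        return self._keys[key_id]


class TokenVault:
    """Maps random tokens to original values. Meant to run as a separate, more
    tightly controlled service, so a copy of the application database holds no SSNs."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        if value not in self._by_value:
            # A random token has no mathematical relation to the value: nothing to invert.
            token = "tok_" + secrets.token_hex(16)
            self._by_token[token] = value
            self._by_value[value] = token
        return self._by_value[value]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def normalize_ssn(ssn: str) -> str:
    """Strip formatting and insist on exactly nine digits."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return digits


def mask_ssn(ssn: str) -> str:
    """Display form for help-desk screens: only the last four digits survive."""
    return "***-**-" + normalize_ssn(ssn)[-4:]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym for joining or deduplicating records.
    An unkeyed hash of an SSN is trivially brute-forced (only 10^9 candidates);
    HMAC with a key from the key store is not, as long as the key is not in the same breach."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def protect_record(record: dict, vault: TokenVault, keys: KeyStore, key_id: str) -> dict:
    """What the application database stores instead of the raw record."""
    ssn = normalize_ssn(record["ssn"])
    return {
        "name": record["name"],
        "dob": record["dob"],
        "ssn_token": vault.tokenize(ssn),
        "ssn_pseudonym": pseudonymize(ssn, keys.get(key_id)),
        "ssn_display": mask_ssn(ssn),
        "key_id": key_id,
    }


def exposes_ssn(row: dict, ssn: str) -> bool:
    """Would a dump of this row hand an attacker the SSN? True only if the full
    digit string appears (ignoring formatting) in any stored field."""
    digits = normalize_ssn(ssn)
    return any(digits in "".join(ch for ch in str(v) if ch.isdigit()) for v in row.values())


if __name__ == "__main__":
    keys = KeyStore()
    keys.create("pii-key-1")
    vault = TokenVault()
    row = protect_record(SAMPLE_RECORD, vault, keys, "pii-key-1")
    print(row)
    print("raw SSN recoverable from app row:", exposes_ssn(row, SAMPLE_RECORD["ssn"]))
```

The point of the split is that three separate compromises (application database, token vault, key store) are needed before the stolen data is useful, and the masked display value never needs to touch the other two at all.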

Yet modernized systems aren’t immune to attacks either, wrote Malcolm Harkins, ICIT fellow and chief security and trust officer at Cylance.

“It barely costs attackers resources to launch spear-phishing or [distributed denial-of-service] campaigns,” Harkins wrote. “If one employee responds to the lure or opens a malicious attachment, the organization is compromised. If one subsystem buckles under the Distributed-Denial-of-Service attack and the network suffers, then the attacker’s DDoS attack has succeeded.”

He recommended modernization combined with machine learning and artificial intelligence, arguing that the combination could alter the asymmetric threat landscape and give public and private organizations a chance to preempt or mitigate adversarial campaigns.

“Sophisticated machine learning and artificial intelligence solutions dynamically detect and respond to suspicious activity before malicious code executes on the system,” Harkins wrote. Deep learning algorithms and behavioral analytics can be applied to modern networks to detect and mitigate breaches that result from human error and insider threats. “These solutions can manage network authentication and access events across applications and infrastructure,” he said.
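Behavioral analytics over authentication events, at its simplest, means learning what "normal" looks like per account and flagging logins that depart from it. The following is an added example, not code from the article, the anthology or any Cylance product, and it uses a plain per-user baseline rather than the deep learning Harkins describes. The log format, user names, addresses and timestamps are all constructed for the example.

```python
"""Added example (not from the article or the anthology): a per-user login
baseline with three checks: unseen source address, unusual hour, and a
success that follows a burst of failures."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed history of ordinary logins used to learn each user's baseline.
BASELINE_LOG = [
    "2017-03-01T08:55:02Z user=alice src=10.1.4.22 result=success",
    "2017-03-02T09:10:41Z user=alice src=10.1.4.22 result=success",
    "2017-03-03T08:47:13Z user=alice src=10.1.4.23 result=success",
    "2017-03-06T13:02:55Z user=alice src=10.1.4.22 result=success",
    "2017-03-01T10:20:00Z user=bob src=10.1.7.5 result=success",
    "2017-03-02T10:05:19Z user=bob src=10.1.7.5 result=success",
    "2017-03-03T16:44:07Z user=bob src=10.1.7.5 result=success",
]

# Constructed new events to evaluate against that baseline.
NEW_LOG = [
    "2017-03-14T10:01:30Z user=bob src=10.1.7.5 result=success",
    "2017-03-14T03:14:09Z user=alice src=198.51.100.7 result=success",
    "2017-03-14T11:30:00Z user=carol src=203.0.113.9 result=failure",
    "2017-03-14T11:30:04Z user=carol src=203.0.113.9 result=failure",
    "2017-03-14T11:30:09Z user=carol src=203.0.113.9 result=failure",
    "2017-03-14T11:30:15Z user=carol src=203.0.113.9 result=success",
]

FAILURE_BURST = 3  # consecutive failures before a success that we treat as guessing


def parse(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["hour"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
            yield ev


def build_baseline(lines):
    """Per user: source addresses and hours of day seen in successful logins."""
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for ev in parse(lines):
        if ev["result"] == "success":
            baseline[ev["user"]]["srcs"].add(ev["src"])
            baseline[ev["user"]]["hours"].add(ev["hour"])
    return baseline


def hour_is_usual(hour, seen_hours, slack=1):
    """Within `slack` hours of any hour seen before, wrapping around midnight."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in seen_hours)


def detect(baseline, lines):
    """Return (event, reasons) for every successful login that deviates from the baseline."""
    flagged = []
    consecutive_failures = Counter()
    for ev in parse(lines):
        user = ev["user"]
        if ev["result"] == "failure":
            consecutive_failures[user] += 1
            continue
        reasons = []
        if consecutive_failures[user] >= FAILURE_BURST:
            reasons.append(f"success after {consecutive_failures[user]} failures")
        consecutive_failures[user] = 0
        profile = baseline.get(user)  # .get() so unknown users do not create a profile
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if ev["src"] not in profile["srcs"]:
                reasons.append(f"new source {ev['src']}")
            if not hour_is_usual(ev["hour"], profile["hours"]):
                reasons.append(f"unusual hour {ev['hour']:02d}")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in detect(build_baseline(BASELINE_LOG), NEW_LOG):
        print(ev["ts"], ev["user"], ev["src"], "->", "; ".join(reasons))
```

Run as written, bob's routine login passes, alice's 03:14 login from an unseen address is flagged on two counts, and carol's success after three failures is flagged both for the burst and for having no history at all. The same structure extends to other features (user agent, device, geolocation) and to a learned model in place of the set membership checks.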

Additionally, federal guidelines and laws don’t go far enough when it comes to cybersecurity, some experts said. Don MacLean, ICIT fellow and chief security strategist at DLT, noted shortcomings in the National Institute of Standards and Technology’s Risk Management Framework, such as conflicts of interest and a lack of incentives.

For instance, agencies under evaluation should not choose their own evaluators, MacLean wrote. “Companies performing security assessments should be contracted by an agency separate from the agency under scrutiny,” he wrote. The Government Accountability Office, Homeland Security Department or Office of Management and Budget are options.

What’s more, government workers should have incentives for protecting systems and data and greater punishments for failing to do so, MacLean wrote. “A bonus structure for performance, and more stringent accountability for dereliction of duty, would materially improve security,” he wrote.

The 10 essays also address defenses related to protecting legacy systems, data encryption, cyber intelligence fusion centers and layered security policies.

The full collection is titled Next-Generation Defenses for a Hyper Evolving Threat Landscape: An Anthology of ICIT Fellow Essays, Vol. 1.