On Tuesday, April 16, more than 200 intelligence and national security professionals from academia, industry, government and the media joined INSA for our Managing the Evolving Cyber Landscape symposium.
- The Washington Post: The Cybersecurity 202: Why a hacking operation by a proto-state in Ukraine could spell trouble for the U.S.
- Politico: Election officials back constitutional challenge to paperless voting
- Defense One: A New Consensus Is Emerging On How to Handle The Risk from China’s 5G
- CyberScoop: PPD-20 successor has yielded ‘operational success,’ Federal CISO says
- FCW: Federal CISO floats potential for new supply chain regs
- FCW: Can government fund emerging tech for the long haul?
- GCN: Emerging tech needs enough runway to take off, experts say
- MeriTalk: Partnerships Crucial to Advancing U.S. 5G, Beating China, Feds Say
- Federal News Network: IARPA working on ways to protect AI training data from malicious tampering
- Federal News Network: DHS leadership shakeup further delays progress on long-standing management issues
- ExecutiveBiz: APL Physicist Joan Hoffman: Quantum Tech Applications Could Spur Investments
- Inside Cybersecurity: CISO Schneider: New acquisition-security council preps for first meeting, to focus on strategy for tech exclusion orders
- Bloomberg Government/Technocrat: Government Needs Real Uses for Emerging Tech
- Biometric Update: IARPA expands research on protecting AI systems from tampering
Keynote Recap: Grant Schneider, Federal CISO and Senior Director for Cybersecurity, National Security Council
- The first codified in 15 years presents a shift in focus from policy and process to action and accountability.
- The federal government should serve as a model for how cybersecurity should be done. Noting that the USG spends $90B on information technology and $16B on cybersecurity, Schneider said, "we need to make sure our agencies are doing the basics really well."
- New passed in December established an interagency council with authorities to address supply chain risks in the procurement of information technology.
- Incentivizing the behaviors we want to see in cyberspace is a challenge. "I don't believe the free market is necessarily going to get us there fast enough," said Schneider.
- A Digital Geneva Convention could establish "rules of the road for behavior that should be followed to protect cyberspace," McKay said.
- On the flip side, according to Baker, the idea that written rules can prevent cheating is naive. "It's Russia's business model. Get everybody to sign up for an international agreement and then we'll cheat."
- Treaties are not necessary, according to Lotrionte, as behaviors and accepted norms develop into customary international law that is "just as legally binding as a treaty but not written down."
- Challenges in enforcement can be expected, according to Corn, regardless of whether the behavior is governed through treaty or custom. But norms of behavior are necessary even though some actors will violate them.
- IARPA funds private sector research that addresses IC goals. Dixon noted IARPA does not do in-house research. "We invite people to propose against what we are trying to accomplish and then we fund." Regarding cyber, IARPA prioritizes cyber forecasting, microelectronics, and cloud security.
- Noting the looming omnipresence of AI requires us "to mitigate vulnerabilities we know exist," Dixon stated that IARPA is working on AI assurance programs.
- The national security implications of quantum computing are enormous. Hoffmann noted new devices coming online now, such as the Noisy Intermediate-Scale Quantum Devices, are "giving us a pathfinder on where we will be in coming years."
- Investments often focus on near-term technologies, according to Styer.
Luncheon Keynote Recap: Moderated Q&A with Amy Hess, Executive Assistant Director of the FBI's Criminal, Cyber, Response and Services Branch and INSA Vice President for Policy Larry Hanauer
- When a cyber event happens, the FBI is the lead agency for threat response and CISA the lead for asset response. CISA helps victims institute protection mechanisms. The FBI, Hess said, is "trying to identify who did it, what are the techniques, tactics and procedures they are using to identify who it comes back to...and ultimately, hold them accountable."
- The Bureau's critical mission enables it to attract and retain a talented workforce, Hess claimed, even though the government can't compete with the private sector on salary. "Some of the most sophisticated cyber actors you can encounter are the ones we are going after. Hopefully, the cool factor wins out when it comes to recruiting people with those skills and background."
- Advice for companies looking to prevent cyber attacks: 1. Have an incident response plan and practice it. 2. Notify the FBI. "A crisis is not the time you should meet your local police or fire chief for the first time. The same thing applies with a cyber incident and the FBI."
- Panelists echoed the need for a common lexicon around cyber threat intelligence. Effective public/private collaboration can’t happen, Ugoretz said, “if we’re not speaking the same language.”
- and the were cited as examples of efforts that break down types of activities from cyber threat actors and assign common names. Ettinger noted Carnegie Mellon’s forthcoming ODNI-sponsored cyber intelligence study tackles this issue (will be released in May 2019).
- Ugoretz cited the potential of indiscriminate attacks as a significant threat. WannaCry and NotPetya were meant to be targeted attacks but went awry and had global impacts.
- Panelists agree the application of AI/ML to CTI is promising, but there is still a way to go before it is effective. Key challenges organizations face include lack of a clear problem statement (want to use X data to predict Y) and low fidelity data. Said Ettinger, “the algorithm is not the most important thing, it’s the data.” The higher the quality of data, the simpler your model will be.
- Katavalos said while academia, government, and industry all have their lanes, "the space in-between is a weak spot" and merits enhanced public and private collaboration.
- Clapp noted sharing indicators and intelligence would promote a collective defense.
- China's Xi Jinping has one goal: Be the global leader, geopolitically, militarily, and economically. Controlling the world's 5G networks is the "golden goose for him."
- The U.S. must address the national security implications of 5G now. "If we don't deal with this now, 10 years from now it will be too late. Three years from now it will be too late."
- Securing 5G networks requires collaboration between government and industry.
- Large wireless carriers are moving away from "vendor lock-in to vendor disaggregation," according to Nagengast. Key steps toward this goal include virtualization of the infrastructure, a move away from dedicated hardware, and increased reliance on open source software.
- CISA's Costello identified three categories of national security risks: the risk of disruption, risk of espionage and compromise, and risk to the ecosystem.
- To mitigate the Huawei threat, according to Lewis, networks can impose a full ban on Huawei technology, impose a partial ban or architectural solutions that keep Chinese technology away from sensitive areas, or set clear standards.
- Spectrum sharing has to be a key component of 5G implementation in the United States, noted Intel's Brown. Added Lewis, "We are not in a race with Huawei to deploy. We are in a race with ourselves. The question is which country can be faster freeing up spectrum to enable 5G deployment."