How an offensive strategy could transform cybersecurity
As听cybersecurity firms prepare for another year that could be full of high-profile breaches, they're looking for fresh ideas to keep criminal hackers out of computer networks.
On Wednesday, as news of suspected Russian tampering with the US election dominated headlines,听Passcode gathered experts from government, academia, and the private sector to discuss how digital defenders can respond to the scourge of incidents. David Brumley, head of Carnegie Mellon University鈥檚 CyLab, a cybersecurity research and education institute, had one idea: Prepare for hackers by invading your own network.
鈥淔or years it鈥檚 been defense, defense, defense. That鈥檚 only part of the equation,鈥 Mr. Brumley said at the event in Washington. That chanting might sound good in a football stadium, but in cybersecurity, 鈥渨e owe it to ourselves to have the best hackers break into our networks,鈥 he says.
Brumley is at the leading edge of research that may one day make this kind strategy more commonplace 鈥 and even autonomous.听The Carnegie Mellon professor led ForAllSecure, a team of computer science graduate students, to victory in the听Cyber Grand Challenge 鈥撎齛n听automated cybersecurity competition听at this year鈥檚 DEF CON hacker conference in Las Vegas hosted by DARPA, the Defense Department鈥檚 in-house technology incubator.
鈥淭here鈥檚 this great promise of defense at internet speeds,鈥 he says. 鈥淏ut when you can break everything at internet speeds, that鈥檚 really dangerous.鈥
Many companies that are targeted with cyberattacks, such as financial institutions, healthcare organizations, and government agencies, have begun to deploy so-called penetration testers, professional white hat hackers who simulate cyberattacks on sensitive听computer networks.
But Brumley thinks听an era in which automated machines take over cybersecurity from humans might be at least 20 years away. In the interim, governments are looking for new ways to insulate themselves from criminal hackers, known in the cybersecurity community as 鈥渂lack hats.鈥
鈥淭he extent to which all defenses are vulnerable to human error and anything that relies on single end users doing the right thing is flawed from the start,鈥 John Nicholson, first secretary of cyber policy at the British Embassy in Washington said at Wednesday鈥檚 event. 鈥淭here鈥檚 a range of lines of effort where we think there鈥檚 a legitimate role for government to work with industry.鈥
To that end, the British government a 鈥淣ational Cyber Security Strategy鈥 in November that sets out a roadmap to kickstart the country鈥檚 digital security efforts by 2021. London plans to invest听more than $2 billion听to boost cybersecurity in the next five years, and has established a National Cyber Security Centre (NCSC) to coordinate digital defenses.
Around the world, governments are also championing the development of computer emergency response teams 鈥撎齥nown as CERTs 鈥 technical experts that analyze and respond to major cybersecurity incidents, and mutual legal assistance treaties such as the Budapest Convention that make it easier to prosecute cybercrime cases internationally.听
But although experts at Passcode's event praised global efforts to facilitate the flow of intelligence on cybersecurity, some cautioned against putting too much stock into information sharing.
鈥淚t鈥檚 possible to put too much emphasis on [information sharing] in the policy environment,鈥 said Robert Sheldon, director of policy at Business Executives for National Security, a Washington-based nonprofit. 鈥淚f the government isn鈥檛 going to be fairly aggressive about it, then they might not add value over what鈥檚 happening in the private sector.鈥
And as Donald Trump and his team prepare to take up residence in the White House next month, Carnegie Mellon's Brumley hopes the new administration continues to invest in automating cybersecurity efforts to catch up to the quickening pace of the threat.
鈥淚f we鈥檙e relying solely on manpower we'll lose. We need to automate security to assist these people," he said.
鈥淲e just showed you the equivalent of rockets,鈥 Brumley said of this summer's DARPA challenge. 鈥淟et鈥檚 go to the moon.鈥
