How can America win the Cyber war?

I had the opportunity yesterday to provide testimony to the Senate Commerce Committee on the promises and perils of emerging technologies for cybersecurity. As part of the testimony I laid out five recommendations that the federal government can do to win the upcoming cyber wars.

First some historical context:

Cyber threats at a consumer level really started to emerge in the 1990’s with the commercialization of the Internet. Until the advent of the Internet, viruses could only pass to other computers through floppy disks or other storage media. Once consumers and businesses started connecting their computers to the Internet, viruses with names like Melissa and ILOVEYOU could propagate massively across the Internet and infect millions of users. The first generation of protection against these viruses were anti-virus companies such as Symantec and McAfee that used signature based techniques to create anti-virus software. In order to protect themselves from hackers, corporations started implementing perimeter security solutions. Prominent among these solutions were firewalls, Intrusion Prevention Systems (IPS), and Intrusion Detection Systems (IDS). While there was a cat-and-mouse element to this fight, for the most part people felt that the cybersecurity problem was in check until the advent of two major developments.

The first major development was a discovery by researchers in 2010 of a malicious computer worm known as Stuxnet that targeted industrial computer systems. What made Stuxnet different from other viruses was that it targeted programmable logic controllers (PLC) which were not connected to the Internet and were previously thought to be unhackable. Stuxnet showed that many elements of our critical infrastructure, such as dams, electric grids, water treatment facilities, hospital systems, factory assembly lines, and power plants, which use supervisory control and data acquisition (SCADA) and PLC systems, are now under threat, even when they are not connected to the Internet.

The second major development was the advent of highly sophisticated malware called Advanced Persistent Threats (APT) in 2013. These malwares function quite differently from the viruses of the past. The hackers goal is espionage and data theft. Once they infect a target, they use sophisticated root kit techniques to disguise themselves. They then connect to command and control servers on the Internet and both exfiltrate data and take new instructions. These sophisticated malwares can remain undetected for months or even years while slowly traversing across the entire network of the victim and grabbing valuable data. All the big breaches you have heard about recently – Anthem, Office of Personnel Management (OPM), Target, Sony – were victims of this technique. Legacy security vendors never architected their solutions to handle threats like this, and unless governments, enterprises, and consumers upgrade their security infrastructure to a modern architecture they are all exposed to this threat.

Given these two major developments, what can the federal government do to make sure we win the upcoming cyber wards? Here are five recommendations:

1. Modernize government procurement systems so that the government has access to the best technologies: The world’s best cybersecurity solutions are developed in America but unfortunately our government’s procurement laws are outdated and make it hard for young startups to sell to the government. As noted before, sophisticated malware threats like APT can only be countered by modern security software. I do want to acknowledge the efforts of entities such as In-Q-Tel and DIUx that have made progress in helping startups interface with government. However, these initiatives are focused on the defense side of the government and do not help any of the federal agencies focused on civilian issues. Our procurement practices are based on old frameworks that view software solutions in a static, object-oriented way. The fact is, modern software is cloud based and updated continuously and our procurement practices need to evolve to accommodate that. As a starting point, the Committee should collaborate with agencies within its jurisdiction to improve their procurement practices to better enable purchase of startup-generated technology. Beyond that, I recommend a more comprehensive examination of federal procurement practices by the Trump Administration to ensure the best technology is used to defend our government against 21st century threats.

2. Setting standards around cyber-hygiene: One way the government can help drive market solutions is by setting standards around cyber hygiene and expectations. The Cybersecurity Framework proposed by NIST is a good start. I recommend that NIST develop a systematic way to update the Cybersecurity Framework periodically and also establish test guidelines that all security products can be objectively compared against. In cybersecurity, we are only as strong as our weakest link so it is imperative that we create incentives for industry participants to practice cyberhygiene. One easy way to check an industry’s cyberhygiene is to check their Bitsight’s security rating

3. Enable legal frameworks for companies to share and exchange data: There is limited information flow today between companies and government. The CIA and NSA possess very sophisticated techniques and detailed information about threats and malwares, but there is no systematic and safe way for that expertise to be shared with the civilian sector. There is also minimal data sharing between companies, as people are worried about legal liabilities from disclosing data around breaches and malware. We need a better legal framework that allows more data sharing so that companies can team up against external threats, learn from each other, and benefit from each other’s solutions.

4.  Create a generation of cyberwarriors: Countries like Israel have sophisticated programs like Talpiot that identify talented high schoolers in computer science and orient them to cybersecurity careers. We need to create a generation of cyberwarriors and should consider different strategies, including perhaps setting up a cyber-academy like the U.S. Naval Academy where we can recruit, train, and develop the best young cyber talent in our country. Attempts to weaponize technology will not recede in our lifetime; it is time for us to build our institutions to recognize this fact.

5.  Use cyberinsurance to pool and minimize existential risk: Regardless of how much precaution companies take, there is always a risk of security and data breaches. The cost of these breaches can be astronomical and beyond any single company’s ability to handle. Similar to earthquakes and hurricanes, we need to develop a deep cyberinsurance industry so that companies have a way to pool and minimize existential risk.

Finally, my greatest recommendation is to use all policy tools available, including tax and regulatory policy, immigration, patent, and federal investment in basic research, to encourage new company formation. It is through the innovation created by entrepreneurs partnering with venture capitalists that we will have the greatest chance to both prepare and win the cyber wars.