Nimble and adaptive, more innovative public-private partnerships between government and industry are needed to combat threats in cyberspace
On a brisk October morn at the Massachusetts Institute of Technology, a veritable cornucopia of cybersecurity stakeholders from across academia, industry, and government gathered with a singular focus: cyber, cyber, cyber, and cyber. Massachusetts was a natural selection for both DIUX-East and this event. Tech is in our blood.
But if there was one recurring theme at the inaugural Cambridge Cyber Summit it was keep your allies close, but your insider threats even closer. CNBC, which hosted the event, was quick to highlight this:
Employees inside public and private organizations may be the biggest cybersecurity threat those organizations face when it comes to defending against cyberthreats, cybersecurity experts from both the public and private sector agreed.
On an interview on CNBC's "Power Lunch," Assistant Attorney General for National Security John Carlin confirmed that the FBI had arrested and charged the individual with theft of government secrets, including classified information, on August 29.
"The threat of insiders is real and what can happen is you have amazing defenses to protect your intellectual property and other secrets from those who are trying to obtain them from outside your company's walls, but you forget sometimes to have a program where you are watching those who you trust," said Carlin.
It is one of the most serious threats a company can face, he said. "We take that type of conduct very seriously," he said.
Part of the answer lies in education, as well as tightly controlling what level of access each employee is granted, particularly when it comes to a company's "crown jewels," said Fanning.
And always assume the worst. When it comes to cybersecurity, paranoia pays. Employees may deliberately steal from an organization or they may be the victims of smart hackers who are able to trick them into clicking on something they should not, deploying malware into an internal system.
In warfare, it is incredibly difficult for an opposing force to distinguish enemy combatants from noncombatants. This is the crux of virtually every counterinsurgency debate for a decade plus: who is the enemy, precisely? And, since we cannot identify them, how are we to combat them effectively? At the node? At the head? Is there a head? Wait, they’re decentralized? In the human domain, the adversary uses cover and concealment to deny the opposing force any advantage and to deceive their leadership. All modern militaries utilize what is colloquially termed military deception to strategic effect except America’s. Unfortunately, this realization has come too late.
And so, because insurgents weave themselves into the population and society in the human domain, our armed forces and broader intelligence community came to understand future adversaries may do the same in a parallel domain: cyber. Cambridge has been the deserved center of innovation in the technology industry for decades, certainly since the War, and before the advent of a Silicon Valley or an Austin (a topic I’ve written about).
Arrests this past August of yet another mole, buried deep within the capable yet ultimately opaque bureaucracy of NSA underscores the necessity of aggressive counter-espionage efforts. There are animals in the system. They are gnawing at the wires, boring holes in the walls, chipping at marble and granite, tunneling below the walls, and floating across the moat.
Paired with a dramatic reinvestment in denial and deception activities, it would be possible to identify, neutralize, and exploit such insider threats to strategic advantage. Bryan Martin was caught and turned by federal law enforcement before he penetrated Joint Special Operations Command. And IARPA, the thinktank loosely modeled on DARPA and headquartered on the campus of the University of Maryland’s campus, a stones throw from NSA, has begun gaming out applications for the government to catch and trick would-be cyberspies:
Historically, denial and deception (D&D) has been used by militaries for defense, whether it be to instill uncertainty, or to provide misinformation. For present purposes, “deception” is the deliberate action taken by a cyber defender to mislead and gain an advantage over a cyber adversary through a variety of tactics such as manipulation, distortion, or falsification of evidence.
Novel, disruptive, legally sound but envelope-pushing thinking, applications, and solutions will be critical to securing the cyber domain and America’s ability to operate across it unhindered. An intelligence surge as championed on the 2016 trail, both here and abroad, remains appropriate, lawful, and necessary.
There should be serious political, economic, and military responses for any provocation in cyberspace or elsewhere. We must not let the adversary outpace us in cyberspace and public-private partnerships will be key to turning the tide in the cyber domain.
Clearly, what is needed is a network operating at the speed of the enemy. Industry would do well to partner with mechanisms like the DIUX office in Cambridge, Massachusetts, IARPAs counter-deception unit, and other entities to fashion commercial-off-the-shelf solutions to identify and neutralize insider threats before they strike.
The fact of the matter is that industry is being limited by government, and government is not moving aggressively enough to adapt to the problem at hand. Industry is taking insider threat seriously. In fact, just last year, Booz Allen Hamilton executives crowed about their laser-like focus on countering insider threats:
“Booz Allen Hamilton, which was Snowden’s employer when he leaked his trove of NSA documents to the US and British media [...] has undergone a “metamorphosis of security,” declared Art Davis, the company’s Director of Corporate Security [to journalist Timothy Shorrock]. He said Booz has doubled its spending on security by adopting a “full-scale counterintelligence program” focused on 2,500 employees with “access to the kingdom”—a reference to the highly classified documents that Snowden and Booz’s privatized army routinely handled. Such employees are subject to “continuous evaluation,” Davis said.
“If they don’t pass, they leave their jobs.”
While on the surface this sounds like a supremely effective program, there is, clearly, room for improvement.
Insider threats and asymmetric threats in the cyber domain are here to stay. With rising powers and non-state actors taking aggressive steps to counter American hegemony in the cyber domain it will be necessary to set the table to our liking. The Find, Fix, Finish approach applied to great tactical effect by special operations forces can and should be emulated by US Special Operations Command in the cyber domain, in concert with the Cyber National Mission Force via 110th Information Operations Field Support Battalion. Take the fight to the enemy.
Fortune favors the bold, and tapping the intellectual firepower of Americans in academia is the first step.
The above, adapted from Fortune Favors The Bold: Principled Leadership In A New American Century, has been separated from the deliverable with the express permission of the client.