Cybersecurity Risk and Strategy Program.

I wish to thank Professor Ed Amoroso and teaching assistant Moshe Satt of NYU for their great work in NYU’s Cybersecurity Risk and Strategy Program.

Topic 1: Nation-State Cybersecurity Approaches

Competing nation-states take offensive and defensive cyber approaches to varying degrees. High-profile US indictments of foreign nationals who will never see a US courtroom demonstrate the limits of US federal and state laws against highly organized state-sponsored groups or nation-state cyberattacks. Such public announcements of the existence of “cyber bad guys” also lead reasonable people to conclude that the US government is conducting its own cyberspace activity. In effect, the US government is making the public aware of the existing danger, but the government does not say it has an overarching solution to the problem.

American culture is a barrier to government control of cyberspace security. The American people have a long-standing conflicted nature: we understand the need for “big government” to provide some critical services but we do not trust “big government”. Contrast the American attitude with the Russian or Chinese government’s clear dominance of its citizens’ cyber presence with dual agendas to “protect” from foreign intrusion and to censor and control information. The American reaction to such activities and agendas now leads some in the US to accuse Google of “Un-American” attitudes and borderline treason for Google’s coziness with China. The argument is that there is no real distinction between Chinese government sponsored activity and “private” activity; the Chinese regime either controls everything or the recalcitrant entity ceases to be.

I believe it is logical for the United States to “nationalize” cybersecurity for critical industries. “Critical industries” should include utilities, state and local governments, the health care industry, the financial industry, the aerospace industry and any contractor doing business with a US government agency or state or local agency. The cost should be borne by the taxpayer because this is truly a national security issue. The huge cost will be fodder for political objections unless and until the day when a major nation-state inspired attack kills Americans and interrupts the US economy.

Absent a cyber “9/11”, the nationalization of cybersecurity as a national defense matter presents macro political issues, corporate boardroom implications and IT architecture issues to consider. Political issues would include the perceived “surrender” of corporate intellectual property or trade secrets by making the US the protector, with possible back door access to such valuable assets. It is doubtful that corporate boards will be comfortable with the perceived risk of government “snooping”. The notion that private industries, utilities, publicly held corporations or state and local governments are deemed “too big to crash” will be met with the same hostility as the “too big to fail” government intervention policy during the last financial crisis.

A US cybersecurity defense system will not eliminate enemy nation-state attacks on the protected critical industries or attacks on the private sector not protected by the US cybersecurity “umbrella”. Sophisticated cyber attacks by intelligent individuals or by nation-states will continue because our IT architecture is composed of vulnerable software code, vulnerable hardware and systems that are “hanging on”; that is, systems that are near or at the end of their life cycles.

A government cybersecurity umbrella may provide a more nimble response to attacks against the government or critical industries, thus reducing the severity of the attacks. A well-funded government cyber umbrella may gather cyber intelligence that can be used to forecast emerging trends in attacks and thwart them; such cyber intelligence is simply not available currently to US private industries and vulnerable state and local governments.

Based on our discussion so far, the concept of a US cybersecurity umbrella cannot guarantee cyber safety. The probability of a successful attack is one hundred percent, over time. However, the US could declare that an attack on any protected industry will result in a US counterattack. Such a threat raises the spectre of cyber warfare that can lead to conventional and nuclear attacks, as well. It is reasonable to assume that the Pentagon and intelligence agencies have played cyber war games and added cyber attacks to more conventional war games to determine how such attacks could escalate after an enemy state attack. Based on existing statutes, federal government action against organized crime attackers or “gray area” state-sponsored attackers may be exempt from constitutional war declaration or War Powers Act requirements.

The spectre of conventional or nuclear war resulting from cyber attacks by nation-states is frightening. It is my opinion that the US cybersecurity umbrella will not be considered of value until a cyber 9/11 occurs.

A less draconian alternative is to create a cyber academy funded jointly by the government and private industry. The goal of the academy would be to develop a “common language” to explain how a private or public IT system is to be properly designed in a rigorous manner before the IT system goes live and faces cyberattacks. The simple rubric “CIA” (confidentiality, integrity and availability) needs to be teased out in colleges and graduate schools. Children need to understand the necessity of a rigorous, thoughtful design and implementation of an information system because this interconnected world is vulnerable to life-threatening attacks from cyberspace. Undergraduates and graduates in computer science need practical experience in risk assessment, in analyzing a proposed architecture against existing and possible threats from cyber attackers, and in looking for practical mitigation strategies. Coders, too, need to be well-versed in the existing catalogue of malware and of otherwise innocent but badly written code that has made systems vulnerable to attack.

The more practical solution to cyber insecurity is to better train the IT community. This new generation will then be responsible for rolling out cyber-facing IT systems that are more thoughtfully designed before the system goes live. A better trained IT community will be more capable of responding to threats.

The ever-present threat will be underfunding by the corporate or government owner of the IT system. That matter will never be resolved.

Topic 3: Bill Fedorich: Big Data, AI and Cybersecurity

An AI “big data” weapon would be based on historical data about various networks and applications. Not all similarly arranged systems will have exactly the same vulnerabilities. Similarly, not all similarly arranged networks or systems will contain critical assets that could cripple the target or the nation in which the target lives. In addition, similarly arranged systems or applications may belong to a class of commercial or private targets that are of low strategic importance because the owners cannot afford even mediocre cybersecurity defensive strategies. After a cursory review of this AI operation, its results may not amount to a “first strike” take-down of the United States.

The cyberattack “theatre” is ever-changing. Attackers adapt their strategies and weapons as defenders respond effectively. Human intelligence is engaged in an “act and react” posture in cyberspace. The historical data collected by the Chinese or any other enemy nation state grows stale over time, just like human intelligence or satellite data. Theoretically, the more corporate and government dollars are spent on risk mitigation strategies, the less vulnerable the high and low value assets will be.

In theory and practice, there should be multiple layers of “security” in any system. A failure of one should not lead to the total failure of the entire network or the destruction or theft of essential data. Firewalls, intrusion detection systems and anti-malware (when properly managed and updated) can provide the layers of protection necessary to prevent the complete collapse of a network. As corporations and governments install and update such defenses, vulnerabilities should be reduced and the threat “vectors” will change. The resulting cyber attacks by China or any enemy state will recede over time, only to be replaced by new threats.

Artificial intelligence (AI) suffers from its own biases and may be less effective than some of its greatest proponents will admit. The data input to the AI system may suffer from selection bias. The AI tool will only learn from the data actually made available to it. For instance, did the Chinese choose to scan networks, applications and endpoints of only certain industries? Is the input biased and incomplete as a result? The output may be of some value in this instance, but not reflect the entire cyber-vulnerability map of the United States.

Bias also exists in the code written by the Chinese military. How did the code writer define a “breach”? How did the code writer describe a “network” or “system”? Who tested the code before implementation? Who “fine tuned” the code if errors in output were detected? How does one know when the output is “wrong” or that the AI has “gone haywire”? The Chinese military may act on bad AI results and expose itself as having attempted a cyber “first strike”. The risks of using such an AI-big data bomb may be too high because it will lead to more conventional war.

A cyber attack by a nation state is likely to be focused on key military and communications links. US commanders would find it difficult, if not impossible, to communicate orders to military forces and to gather communications from satellites. Effectively, a cyber attack would be the beginning of a major conventional or nuclear war between China and the US.

It is time for all nation states to agree on principles of engagement and “de-escalate” cyber tensions. The major cyber powers need to agree not to use cyber attacks in an offensive posture to injure or kill civilians and not to use cyber weapons in any war. As with any weapon development program, it is more popular for a government to say it is testing “cyber weapons” for defensive purposes only. However, we know that the weapon will, in fact, be used at least in response to a first strike by an enemy. We must not suffer a cyber Pearl Harbor. The results in a cyber world would escalate quickly to full scale nuclear annihilation.