Four Cyber Trends To Watch in 2017

From the hacking of the Democratic National Committee (DNC) to major data breaches at the FBI and the theft of NSA cyber weapons, 2016 was an alarming year for cybersecurity.

Now get ready for more of the same in 2017. Cybersecurity experts from government, industry and academia all see more trouble ahead.

1 Foreign Government Hacks

Future historians may look back at 2016 as the year cyber came out of the shadows. The CIA concluded in early December that Russia meddled in U.S. presidential politics by mounting sophisticated spear-phishing attacks on the Democratic National Committee’s email system and then leaking the results to the media. The FBI agreed, and President Obama expelled Russian intelligence agents and imposed other sanctions against Russia on December 29.

“We’ve seen an increase in overt Russian aggression in 2016 and we expect that to continue in 2017,” wrote cybersecurity experts at the security firm FireEye, Inc., in its annual report on future cyber threats, Questions and Answers: the 2017 Security Landscape. “The attacks on the Democratic National Committee and other election-related organizations are clear examples of Russian aggression.”

Don’t bet on Russia stopping now that the election is over. “Russia has a well-funded cyber capability and excellent operational security to hide the source of their attacks,” FireEye says. Russia used tactics it had tried and proven against Ukraine, the Baltic states and others in Europe. Such cyber activities are inexpensive, effective and provide plausible deniability, even as they enable Russia to wield influence in the domestic affairs of rivals.

FireEye warns that Iran, North Korea and “dozens of government intelligence and military agencies worldwide” are arming with offensive cyber capabilities, encouraged by Russia’s success.

“We expect more of these nation-states to sponsor cyber operations that target regional rivals, terrorists living abroad, regime critics, major corporations, and Western governments,” the company says.

China appears to be the one bright spot in the international cyber scene. Since the signing of a 2015 agreement between President Obama and Chinese President Xi Jinping (prompted by China’s hacking of OPM’s database of 4 million security clearance records), “we have observed an overall decrease in successful network compromises by China-based groups against organizations in the U.S.,” FireEye experts report.

Under the agreement, the United States and China promised timely responses to requests for information and assistance concerning malicious cyber activities and to cooperate on investigations of cybercrimes and efforts to mitigate malicious cyber activity emanating from their territory; they also agreed not to conduct or knowingly support cyber-enabled theft of intellectual property, such as trade secrets or confidential business information.

2 Botnet Attacks and Attacking the Internet of Things

The Internet of Things (IoT) holds great promise for improved citizen services, but also poses risks that state and local governments are only beginning to understand.

Spending on the IoT is projected to more than double in 2017, reaching about $2 billion, according to MachNation, a Nevada-based consulting firm, and governments intent on developing smart cities will be among those investing, MachNation analysts say.

Technology forecasters at Georgia Tech project even greater growth, as well as risk, in 2017 Emerging Cyber Threats, Trends & Technologies. “Devices and technologies used to manage smart cities will become much more commonplace, with the global smart city technology market estimated to be worth $27.5 billion annually by 2023.”

Alain Louchez, managing director of Georgia Tech’s Center for the Development and Application of Internet-of-Things Technologies, says rapid growth also means rapid risk. “As we become more interconnected and the Internet becomes more pervasive, you increase the risk for hacking or ill will or malevolent attack,” he explains. “You expose yourself to the possibility of a cascade of catastrophic failure.”

Threats range from local mischief-makers to nation-states launching destabilizing attacks, according to FireEye. “In 2017, we expect more nation-states to target both critical infrastructure such as power plants and consumer devices, such as home appliances – to coerce other nations by disrupting government functions, instilling fear and holding physical systems hostage not for ransom, but as political bargaining chips.”

Security firm McAfee sounds a similar alarm: “With billions of IoT devices coming online during the next several years, the threat of cyber attacks is very real,” the company says. “IoT adoption will greatly increase the attack surface. Weak security and rookie mistakes by IoT device manufacturers will compound that problem.”

IoT devices, from security cameras to smart appliances and wireless routers, function much like basic computers, but many lack firewall protections and are too basic to run anti-virus and anti-malware software. Those that feature password protection are often unprotected because installers fail to change default passwords. That makes them easy targets to be co-opted and turned into “botnets” – digital robots that can be used to launch attacks.

Distributed denial of service (DDoS) attacks on internet infrastructure in late 2016 included several that utilized malware called Mirai and another utilizing something called Leet. The two operate differently but each was able to use thousands of devices to generate similar effects: bombarding targeted servers with junk internet traffic at rates exceeding 650 gigabits/second.

McAfee says the successful attacks by networks of bots on U.S. digital infrastructure in 2016 heightened awareness. But it may take years for technology vendors to incorporate comprehensive security fixes. Some under development include “new encryption options, security and privacy embedded in silicon, device control systems to automatically manage and secure IoT devices, and behavioral monitoring of IoT devices.”

3 Intelligence Sharing of Cyber Vulnerabilities

Sharing information about cyber vulnerabilities and cyber attacks as soon as they’re discovered is a proven method for blocking future attacks. But potential legal liabilities and embarrassment over having been hacked have made agencies and companies hesitate to admit to cyber deficiencies. That might be about to change.

McAfee security experts predict that “2017 will be the year in which threat intelligence sharing makes its most significant strides.”

“Sharing threat intelligence shifts the balance of power away from the adversaries and back to us, the defenders,” writes McAfee’s Jeannette Jarvis.

The Cybersecurity Information Sharing Act, passed by Congress in late 2015, paves the way for easing concerns about sharing threat information, she says. The act “provides legal foundations for sharing threat intelligence between the U.S. government and the private sector,” and between private sector entities. It also provides liability protection to the entities that share, Jarvis says.

So worries about unintentionally releasing private individuals’ information, losing competitive advantage and alerting the public that an organization has indeed been attacked should abate.

“We should see much more threat intelligence sharing in 2017,” Jarvis predicts.

Or maybe not. Jimmy Lummis, associate director at Georgia Tech Cyber Security, says actual sharing remains weak, “especially between the government and private sectors.”

A number of “hurdles bar the way,” among them the “large number of false positives” that make security professionals’ jobs harder. He’s also less sanguine about liability concerns: In 2017, “information sharing will continue to be a major issue for both companies and governments,” Georgia Tech forecasters predict.

4 Information Manipulation

Stealing data – whether Social Security or credit card numbers, or the secrets of stealth jet fighters – has been a staple of cybercrime. But cybersecurity experts increasingly worry not just about stolen data, but also about altered data.

“The integrity of information will be one of the biggest challenges global consumers, businesses and governments face in 2017,” says John Worrall of the security firm CyberArk. Suddenly, “information from previously venerated sources is no longer trusted.”

When the Office of Personnel Management was hacked in 2015, exposing millions of records related to security clearances, one of the principal concerns wasn’t just what was exposed, but the chances that investigation records might have been altered, or that fake records may have been introduced. Similarly, penetrating a bank’s computer systems might enable cyber criminals to alter transaction records, creating accounts or transferring large sums of money without detection. Even trusted audio files may no longer reflect reality.

“This will move to the next stage where information can no longer be trusted at all,” Worrall writes in an assessment of what’s ahead in 2017.

U.S. intelligence officials also warn that information manipulation attacks are coming. James Clapper, director of national intelligence, warned as early as 2015 that “the next type of attack will involve deletion or manipulation of data as opposed to perhaps stealing it or denying service.”

Changing information in military databases, for example, could convince troop commanders to attack the wrong target – or not to attack at all. Altered data in control systems could shut down critical infrastructure. Agents with security clearances may suddenly seem to have suspicious relatives, nefarious acquaintances or shady activities. And new fictitious agents could be created out of thin air.

Mike East, vice president at cyber-defense firm CrowdStrike, Inc., predicts that “in 2017, the manipulation of data to remove its integrity will be significant enough to send companies under.”

The fundamental focus of such attacks may not be to steal money or infiltrate government systems, but rather to undermine trust. That’s the same effect generated by fake news and efforts to influence the U.S. election. Undermining trust creates instability, and that in itself can be an aim of foreign powers.

“Attackers aren’t just accessing information; they’re controlling the means to change information where it resides and manipulating it to help accomplish their goals,” writes John Worrall of CyberArk, on CSO. “It will be easier than ever to piece together real information stolen in a breach with fabricated information to create an imbalance that will make it increasingly difficult for people to determine what’s real and what’s not.”

In Europe, the German and Estonian governments accuse APT 28, one of the two Russian hacking groups identified by U.S. intelligence as behind the DNC attack, of meddling in their internal politics using the same kind of spear-phishing techniques.

More to Come

While IT trends come and go, cyber is forever. The internet infrastructure will continue to evolve, but hackers and security experts are locked in a game of hide-and-seek, in which the growing volume of connected systems and communications traffic makes finding attackers ever more difficult.

Security is often reactive, a step behind the threats. Writes FireEye: “One sobering thought is that the threat activity we expect to hear about in 2017 may be taking place right now, with adversaries already inside many of the systems and networks.”

Cyber threats aren’t usually identified right away, but rather operate under the radar for months or even years undetected, much like moles in old-fashioned Cold War spy novels.

“Most of the events that will make headlines in 2017 – and the many that won’t – are already underway,” FireEye says.

Innovation at Work: Can DoD Get Tech and Acquisition in Sync?

This article is the first article in a series titled Innovation at Work, in which GovTechWorks will examine innovative strategies and techniques government agencies and their partners are employing to accelerate technology adoption throughout the public sector.

They call it the “clockspeed dilemma”: When technological innovation outpaces users’ ability to incorporate advances, decision makers have to re-imagine how to keep their systems as current as possible. The same thing is happening today in defense and government cyber acquisition.

Consulting firm KPMG coined the term in a late 2015 report on automotive innovation. Cars today, the report said, contain “an amazing blend of road machine and sophisticated computer,” incorporating “a dazzling array of the latest technologies—sensors, cameras, radar, lidar, and sophisticated chipsets.”

Technology is advancing so fast, in fact, it’s disrupting both suppliers and buyers. Automakers are being challenged like never before by emerging technology firms that make up for a lack of automotive experience with advanced technological know-how. And consumers are stuck trying to figure out whether to spring for something new that could be outdated in just two or three years or to wait and risk being even further from the technological edge.

Government technology suffers from a similar clockspeed dilemma, and it’s prompting a variety of efforts to harness innovation to get government and military information technology more in sync with cost-saving, performance-enhancing technologies.

“Technology is moving at a speed we’ve never seen in modern history,” said Brig. Gen. Patricia Frost, the Army’s newly installed director of cyber. Frost’s job is to try to speed up the process of getting new cyber technologies into the hands of soldiers.

The Army can’t wait “through a 10-year acquisition process, or a five-year or even a one-year” process, Frost told industry and military members at a recent panel discussion.

To shorten those cycles, the Defense Department and the military services are setting up innovation organizations that can circumvent traditional acquisition rules, such as the Army’s Rapid Capabilities Office and its Cyber Silicon Valley Innovation Project. Similarly, the Defense Department’s Defense Innovation Unit Experimental (DIUx) and Defense Digital Service programs also seek to accelerate innovation by identifying non-traditional suppliers and using non-traditional contracting efforts to quickly acquire and test new technological solutions.

That’s still not good enough. “We have to do more,” said Lt. Gen. Edward Cardon, chief of the Army Cyber Command. One problem, of course, is funding. The Army’s science and technology budget may sound like a lot at $4 billion a year, Cardon said, but it’s “a drop in the bucket” compared to what leading technology businesses are pouring into research and development.

So if the Army can’t match private sector investment, it’s got to figure out how to leverage what industry is spending. One way, Cardon says, is through greater use of private-public partnerships – provided, that is, the agency can make those so-called “PPPs” look attractive enough to interest private partners.

“The challenge we have with them is our current acquisition system,” Cardon said.

It’s not just the clockspeed dilemma. The heart of the problem, said Ben FitzGerald, director of the Technology and National Security Program at the Center for a New American Security, is that the military’s “fundamental strategic approach to developing technology is optimized for a bygone era.”

The conventional process for developing new weapons is to study an existing or anticipated threat, develop requirements to counter the threat, then hire a contractor – preferably the lowest bidder – to build a weapon that meets the requirements.

That still works reasonably well for building things that are unique to the military, FitzGerald said in an interview. The military is relatively adept at defining requirements for fighter jets, missiles and aircraft carriers, and its contractors are experienced at building to those specifications.

But in cyber and other emerging technologies, where the U.S. military represents only a small piece of the potential market, there is little incentive to produce military-specific technology or to get bogged down in the military’s acquisition bureaucracy. There is more money to be made more quickly elsewhere.

Peter Newell, a retired Army colonel and former director of the Army’s Rapid Equipping Force, calls this “a social problem.” The military and the technology industry approach issues in fundamentally different ways.

“Our problems are articulated as requirements not problems,” Newell said. “That turns away 95 percent of people who could work with you.”

Newell offered this example: While working with university students, he asked for volunteers to tackle military technology problems. As they dug into their assignments, Newell said some were dismayed. “We don’t want to be told what to build,” they told him. “We want to be told what the problem is,” then have the flexibility to determine the best solution themselves.

Newell noted that some of these students are likely soon to be leading start-up technology companies whose help the Army and the other services could use. “It’s not the speed at which you can buy things, it’s the speed at which you can identify a problem and attract people to work with you to turn it into a solution,” said Newell, now a managing partner of BMNT, a Silicon Valley consulting firm.

But to others, the cumbersome acquisition process is, indeed, part of the problem. Many technology companies find the military acquisition process discouragingly slow, said Raj Shah, director of DIUx. The government’s arcane rules and regulations slow things down and fuel a culture that places a premium on compliance over risk. “Speed and agility are not an incentive in government,” Shah said. “Nobody gets fired for taking a little longer and making sure every box is checked.”

In the private sector, he said, there are fewer rules and speed is valued more.

Shah, a former F-16 pilot, said that while visiting cyber operators at Nellis and Creech Air Force Bases, he noticed that they had “great hardware and great technology,” but their intelligence, surveillance and reconnaissance feeds were running “slow and jerky.” When he asked why, he learned the system was built on the 2001-vintage Windows XP operating system.

Can the Military Do Better?
Acquisition reform has been an elusive ambition for decades. There have been more than 150 major acquisition reform studies since the end of World War II, the Congressional Research Service reports. Yet cost, schedule and performance problems persist.

Much like the nimble tech companies, the Aerospace Industries Association says traditional defense companies also want relief from current acquisition practices. The association wrote to reform-minded senators on the Armed Services Committee in 2014 that “it’s time to revise the overly complex and burdensome system that drives unnecessary cost into programs, and may soon make them unaffordable under declining defense budgets.”

DIUx seeks to cut through bureaucratic red tape to speed up the process specifically for high-tech firms that might otherwise be scared off by government contracting requirements. But is that fair to the Pentagon’s traditional suppliers? Alan Chvotkin, executive vice president and counsel at the Professional Services Council, doesn’t think so.

“If you can streamline the timelines for awards for some types of companies, you ought to be able to do that for everybody,” he said. “If you can reduce the administrative burden on some firms, you should reduce it for everybody.”

Is further acquisition reform likely? FitzGerald is optimistic.

“It’s always going to be a challenge for a bureaucracy as large as the Department of Defense to change,” FitzGerald said. “But right now we’re in the middle of a window of opportunity in which we might see change.”

Defense Secretary Ashton Carter and his deputy, Robert Work, seem to understand the problem and are pushing for change, FitzGerald said. The House and Senate Armed Services Committees are also engaged and interested in acquisition reform, he said, providing another reason to hope.

Whether those initiatives can survive the post-election transition to a new administration and Congress is the next big question. “Will the new leadership team continue to push for change?” FitzGerald asked. “History suggests that change is not likely,” he said. “If you look at the past 12 months,” however, change does seem possible.

Can DoD Develop Effective Cyber Deterrents?

Rep. Adam Schiff and others repeatedly urged President Obama “to call Russia out” over cyber intrusions into U.S. political, election and personal computer systems last summer, but it wasn’t until Oct. 7 that the United States formally accused the Russians of trying to interfere with U.S. elections through a series of computer hacking incidents this year.

As one embarrassing cyber breach after another emerged, Director of National Intelligence James Clapper and other senior officials stopped short of publicly blaming the Russians, highlighting one of the biggest challenges in the cyber domain: how to create a credible deterrent threat.

The Department of Defense Cyber Strategy calls for “a comprehensive cyber deterrence strategy to deter key state and non-state actors” from launching cyber attacks against U.S. interests. The strategy promises response “at a time, in a manner, and in a place of our choosing” and describes attribution as fundamental to deterrence by removing the anonymity that enables so much malicious cyber activity.

But this is easier said than done, notes Sean Kanuck, a former cyber issues chief in the Office of the Director of National Intelligence (DNI). “Many actors remain undeterred,” he said.

In economic as well as security terms, cyber is a disruptive force. Cyber reconnaissance, espionage and attacks remain relatively cheap and the consequences appear to be benign. But return on investment can be huge, Kanuck said at the Intelligence and National Security Summit in September.

Tailoring the Deterrent
Choosing an effective cyber deterrent “depends on what actor you’re trying to deter,” Kanuck said. To stop criminals, activists, ideologues and terrorists, “you have to have the ability to identify them and the ability to impose a punishment on them that will deter them,” he said. Today that’s seldom possible.

For nation states, the situation gets more complicated. U.S. officials remain reluctant to fight cyber with cyber. And other options, like sanctions, can take years to have an effect.

“There’s a lot of discussion about cyber hammers and cyber nails,” said Lt. Gen. Kevin McLaughlin, deputy chief of U.S. Cyber Command. “But in general, we’re not thinking about it that way. We’re thinking about deterring adversarial behavior using all the tools available to the department.”

McLaughlin said the Cyber Command aims to provide combatant commanders with response options that include imposing costs and denying benefits to an adversary as well as increasing U.S. cyber defenses and resilience.

Fighting Cyber with Cyber
Simply unleashing a cyber counterattack is problematic because of the difficulty in proving beyond doubt where attacks in cyberspace originated, McLaughlin said, citing the “huge risk” in launching a cyber counterattack on the wrong target.

Kanuck agreed. Cyberspace “is massively multi-polar,” he said. Attacks can come from anyone, from hostile governments to terrorists to individual hackers.

Shawn Henry, former executive assistant director of the FBI and current president of the cybersecurity firm CrowdStrike Services, said specific characteristics in malware or in methods of attack may point to a particular culprit, but attribution with 100 percent certainty is extremely rare. Officials may also be reluctant to offer proof because doing so may expose tactics, techniques and procedures used to monitor cyber intrusions.

The U.S. military is anxious to develop better methods for attribution. The Defense Advanced Research Projects Agency (DARPA), for example, hopes to improve attribution through its Enhanced Attribution program. DARPA says it hopes to provide “high-fidelity visibility into all aspects of malicious cyber operator actions.” It aims “to increase the government’s ability to publicly reveal the actions of individual malicious cyber operators without damaging sources and methods.”

But cyber attribution and deception go hand in hand. Security experts believe cyber attackers will respond to efforts to increase attribution by developing better techniques to foil them. “Cyber tools are perishable,” DNI’s Kanuck noted.

Clear Red Lines
Some advocate establishing clear “red lines” to indicate to adversaries “what is no kidding off limits,” as Henry puts it. Doing so, the reasoning goes, would make cyber more like kinetic warfare, where it’s understood that physical attack will be met with an in-kind response.

But in cyberspace, Kanuck said, setting red lines essentially “invites people to do anything they want below the red line, thinking they have immunity.” Moreover, red lines can back nations into a corner such that they have to respond in a given way when a line is crossed in order to preserve their credibility, he said.

Perhaps that’s why Cyber Command’s McLaughlin says that, for now, the U.S. prefers ambiguity. But Henry argues that waiting until after a cyber attack to decide whether and how to retaliate makes responding more difficult. At a minimum, it wastes precious time.

Better Defenses
At present, the best deterrent may be simply making it far more difficult to mount a successful attack. That’s not as hard as it sounds since many breaches can be traced back to careless or sloppy human errors. “Most successful intrusions or penetrations take advantage of the failure to follow basic cyber hygiene,” McLaughlin said. Failure to patch vulnerabilities and to update systems and failure to understand which parts of the system need higher levels of protection provide adversaries with too many openings for attack, he said.

So it stands to reason that improving system defenses raises the cost for cyber attackers: it “makes the adversary work harder,” McLaughlin said. “Today they don’t have to work hard.”

Cyber defenses could also be improved through better information sharing among government agencies, international governments and also private-sector businesses. Sharing information about attacks helps everyone improve their defenses.

But convincing everyone to cooperate hasn’t been easy. Since most of what’s on the Internet is privately owned, “the private sector is often the first line of defense,” CrowdStrike Services’ Henry said. And private companies’ first concerns are usually “all about stopping the bleeding, protecting their brand, protecting their company, their clients and their corporate interests.” Often, they fear disclosing details of a cyber attack could open them to legal liabilities and other damages, he added.

Unresolved Policy Matters
A landmark 2010 exercise called Cyber Shockwave, conducted by the Bipartisan Policy Center with support and guidance from academia and such industry leaders as General Dynamics, revealed multiple weaknesses and holes in U.S. cyber policy. Role players were highly experienced former senior administration and national security officials, such as former Homeland Security Secretary Michael Chertoff and former Director of National Intelligence John Negroponte. The exercise concluded with a series of recommendations, including:

  • Establish clearly-defined responsibilities among U.S. agencies for maintaining situational awareness on critical operational developments in cyberspace
  • Develop clear responsibilities for the departments of Defense, Homeland Security and others as to what each will do during response to and recovery from a major cyber attack
  • Stop relying on the Communications Act of 1934 and the Telecommunications Act of 1996; modernize the laws governing how government agencies respond to cyber attacks
  • Consider seeking international agreements on what activity is permitted in cyberspace
  • Launch a national education campaign to inform U.S. citizens about cybersecurity and require all internet users to have updated virus and malware protection
  • Establish mechanisms for government cyber defenders to collaborate more effectively with their private sector counterparts

“There has been progress on a few,” said Blaize Misztal, director for national security at the Bipartisan Policy Center. “But most remain unaddressed or at least insufficiently addressed.”

The greatest progress came with the passage of the Cybersecurity Information Sharing Act in 2015, which began laying a legal foundation for closer private-public partnerships for identifying and sharing information about cyber threats, Misztal said.

Internationally, progress has also been made in establishing international norms of conduct in cyberspace through the NATO Cyber Centre of Excellence and the 2015 U.S.-China agreement to stop cyber-enabled economic espionage, he said.

“And most certainly, public awareness of cyber threats has increased dramatically, even just this year,” Misztal said. “But this alone is not sufficient to improve cyber hygiene. In almost every other area, significant work remains to be done.”

Roles and responsibilities within the government still aren’t clear, Misztal added: “Look at the current debate about whether the Department of Homeland Security should protect state electoral systems or not.”

There “still is no clear decision-making process, let alone guidelines, for determining how to deal with cyber incidents. Just witness the very different responses to the Sony, Office of Personnel Management and Democratic National Committee hacks,” he said.

Legal authorities for the president in a cyber emergency have still not been updated, “nor are we any closer to reaching a societal understanding of what ‘privacy’ should mean in the digital age,” said Misztal.

Finally, he added, while cyberattacks are becoming easier to attribute, “we still have no policy framework for when we name names or how we will respond if we do identify the perpetrators.”

These are issues the next presidential administration will undoubtedly have to address. Whether it can advance the ball and develop such a framework, however, remains to be seen.

Hacking the Election and Other Worries that Keep Intel Chiefs Up at Night

Hackers are penetrating U.S. government, industry and personal accounts daily with little risk, while America’s inexorable march toward increased connectivity of cars, homes, buildings and other infrastructure foretells a potent mix of opportunity and cyber vulnerability.

Against that backdrop, U.S. national security and intelligence leaders gathered in August to discuss concerns and developments at the Intelligence and National Security Summit, an annual Washington gathering led by the Intelligence and National Security Alliance in conjunction with the Armed Forces Communications and Electronics Association (AFCEA).

Attendees discussed the vulnerability of the U.S. election system, concerns about the lack of a meaningful deterrent to discourage persistent international hacking threats and the debate over encryption and privacy that has pitted the national security establishment against Apple and other technology giants.


Worries about the digital security of next month’s U.S. elections top the list with fewer than 40 days before Election Day. Russian hackers have broken into U.S. election databases and hacked Democratic National Committee computers, but FBI Director James Comey says the clunky U.S. election system makes a tough target for tampering.

“We have, in a way, a wonderful resilience because [the election system] is incredibly disparate and dispersed” over 50 states and thousands of other jurisdictions, he said. The number and variety of voting machines and the multiplicity of ballot counting procedures make the system “clunky as heck,” Comey said. But “there’s a blessing in that” – it’s difficult to hack.

The voting system “is not exactly a swift part of the Internet of Things,” Comey said. A hacker “looking to crawl down a fiber optic cable” to alter the vote count is likely to find instead “a woman named Sally and a guy named Joe” who open up the voting machine at the local precinct and pull out the paper ballots and count the vote by hand.

Still, hackers don’t have to get inside the whole system. In a close election, hacking even a single battleground county could throw a state – and all its electoral votes – to one candidate or the other. Politico Magazine reported in August that hacking the election – and stealing victory Nov. 8 – “would be child’s play.” The article detailed how a Princeton professor bought a voting machine, pried out read-only memory chips from its circuit board and installed new firmware designed to alter results – all in just seven minutes.

In a flash warning, the FBI warned states to be on the lookout for attempts to infiltrate their systems or undermine voter security or confidence. The warning detailed efforts to break into state election systems in June, July and August, including the use of sophisticated penetration testing and data exfiltration from the system. Such a hack might not directly affect vote counts, but could enable outsiders to insert illegitimate voters into the system.

Who’s behind those hacks remains unclear. But Director of National Intelligence James Clapper says foreign actors constantly probe U.S. government systems.

“The Russians hack our systems all the time – not just government, but corporate and personal systems,” he said. So do the Chinese, other nations and non-state actors, he said. “The point is cyber will continue to be a huge problem for the next administration.”

Tony Cothron, vice president for customer requirements at General Dynamics Information Technology, said these threats affect all sectors of society. “The technology in use in personal lives, our businesses and our government today is incredibly complex,” he said. “If we are going to keep our country and families safe, we really have to pay attention to the details of how we are developing, operating and securing any information technology.

“We like to think that information technology is a commodity,” he added, “but I think most people will agree that security is not something we can afford to buy based only on the cheapest price.”

DNI Clapper also cited three other worries:

  • The United States will be in a “perpetual state of suppression for some time to come.”
  • Russia and China “have embarked on very aggressive space capabilities and counter-space capabilities” that could challenge American dominance in that domain.
  • Climate change. As population centers compete for ever diminishing food and water resources, climate change will become “the underpinning” for future national security challenges.

Moving back to technology, Clapper said advances in artificial intelligence and self-driving cars “have the potential to revolutionize our lives for the better,” while also opening up new vulnerabilities.

Adm. Michael Rogers, chief of U.S. Cyber Command and director of the National Security Agency, said one of the major challenges is the lack of an effective deterrent to cyber attacks. “Many have come to the conclusion that there is not a significant price to pay” for cyber attacks against the United States, he said.

Dialogue with China has helped establish “a broad cyber framework” for what is acceptable and what is not in cyber activity, Rogers said. But the matter of deterrence remains unresolved. Cyber attacks persist, in part, because the United States has not yet developed severe enough consequences to deter cyber spying, theft or destruction.

“I don’t think any of us are comfortable with the current situation,” Rogers said.

Encryption or not?

Domestically, the battle over encryption continues, with law enforcement still butting heads with technology firms.

The FBI’s Comey has pressed U.S. tech firms for more than a year to provide special access to encrypted hardware and communications, arguing their failure to provide that access effectively strengthens and emboldens criminal activities using commercial digital technologies. He says he’s in favor of encryption – with limits.

“I love strong encryption,” Comey said. “I love end-to-end encryption. I don’t want anybody looking at my stuff: my bank information, my health care information….

“But I also care deeply about public safety, and those two things are crashing into each other. Absolute privacy has never been a feature of American life,” he continued. “The bargain the founders struck was that your stuff is private unless the people of the United States need to see it.” When law enforcement officials demonstrate probable cause and obtain warrants, he added, information should be accessible.

For now, however, “we’re going to a place where huge swaths of life are absolutely private – and maybe that’s okay, but there are significant costs to that from a public safety perspective,” Comey said. “I want the American people to either say that’s a great idea, we want absolute privacy, or we need to figure out what to do about that to reconcile to optimize these two values.”

National Background Investigation Bureau Prepares for Launch


The new agency responsible for federal security clearances is looking at a variety of technologies to speed up the process and shrink a massive backlog that’s grown in excess of 500,000 investigations.

The National Background Investigations Bureau (NBIB) is set to take over security clearance screenings from the Federal Investigative Services Oct. 1 and aims to use automation and modern digital technology to “transform the federal investigative process,” said Jim Onusko, the NBIB’s transition leader.

The Defense Information Systems Agency (DISA) will be responsible for building out the backend systems that undergird NBIB’s work. DISA issued a request for information (RFI) Sept. 13, including a 46-page PowerPoint slide deck in which it provides an overview of the program objectives and describes a modular system architecture incorporating as many commercial off-the-shelf solutions as possible to help speed the design and development process. Security is paramount, the deck emphasizes repeatedly, a nod to the massive security breach at the Office of Personnel Management in 2015, which led to the new agency’s creation.

The NBIB plans to digitize existing records and to use automated data analysis from a plethora of sources, ranging from commercial and government databases to social media feeds, to investigate and clear government and contractor employees.

The agency also plans to introduce continuous monitoring and evaluation to keep tabs on government and industry employees who already have security clearances. Major data leaks caused by cleared personnel, including former CIA contractor Edward Snowden and Army Pfc. Bradley Manning, have highlighted the risk of insider threats from cleared individuals who, for whatever reason, change from trustworthy to dangerous. Continuous monitoring aims to ferret out tell-tale details that might indicate potential risks.

Onusko conceded to intelligence insiders at the Intelligence and National Security Summit in Washington Sept. 7 that getting the records repositories of various federal agencies automated and digitized will be a major challenge.

Nonetheless, he said, a “whole-of-government solution” is needed to “neutralize” the security clearance backlog. Agency records repositories are essential to the background investigating process, and must be made “nimble and responsive.” But ultimately, the government needs “a central repository” for clearance data, Onusko said, both to accelerate security investigations and to make it easier for cleared employees to move from one agency or program to another, or from private companies to federal agencies and vice versa.

Such moves can take months today, because existing clearances are not accepted. Yet “it would seem to be, logically, just a few days process,” said Tony Cothron, vice president for customer requirements at General Dynamics Information Technology.

Automation to the Rescue

The Federal Investigative Services (FIS) has been struggling to reduce the backlog in its waning days before turning over the process to NBIB. Onusko said FIS tried to speed the process by hiring hundreds of new investigators, only to find that training newcomers slowed down experienced investigators. It tried to rehire retired investigators and to offer overtime as an incentive to staff, also to no avail.

NBIB, meanwhile, has launched a business process reengineering program to develop electronic solutions that can eliminate much of the labor. In the future, Onusko said, “big data will be able to supplant shoe leather, so to speak.”

NBIB will rely on a range of data sources, from arrest records to credit reports, tax records, automobile and driving records, tax liens and court judgments, consumer purchases and travel records, phone numbers and a torrent of other personal information.

In a white paper on technology that might speed security clearances, the Intelligence and National Security Alliance (INSA) concluded that “commercial technology companies have fully embraced this brave new world of big data, developing and deploying new and profoundly intrusive and ultimately insightful consumer-tracking technologies.” It’s time for the government to do the same, the report urged.

The availability of big data has “created an entirely new emerging industry of data-gatherers” who use “intensive surveillance of people to sell data about, and predictions of, their interests and activities, in real time,” INSA said.

Case in point: A 2011 study by Massachusetts Institute of Technology showed that by tracking cell phone signals alone, researchers could compile enough information about the phone users to predict “with uncanny accuracy” where they are likely to be at any given time in the future, INSA reported.

A few defense contractors have been early adopters, tracking data daily on their entire workforces. They have the ability to know almost instantly when workers have traveled and where, whether they have declared bankruptcy, been divorced, fallen into financial trouble or whether they’re moonlighting outside the company.

But that doesn’t mean they have the issue licked. Collecting the data is the easy part. Securing and analyzing it are the real challenges. “On continuous monitoring, we’re not there yet,” Cothron told GovTechWorks in a video interview. “We don’t have the instrumentation of all the networks, of all the organizations, to really be on top of it and stop the abnormal behavior and stop insider threats.”

Advocates for tighter government security want the NBIB to follow that lead, subjecting cleared employees to “continuous evaluation” – what INSA describes as continuous “clearance health” checks on security clearance holders.

That contrasts with current federal practice, where cleared individuals are subjected to re-investigation only once every five years or so.

William Evanina, National Counterintelligence Executive in the Office of the Director of National Intelligence, said that means a cleared employee might have a “law enforcement interaction, a domestic dispute, undocumented travel and a bunch of security violations – and you might not find that out for five years.”

“With continuous evaluation, you find it out now,” he said.

But the federal government has been hesitant. Katherine Pherson, a former CIA intelligence and security analyst and now head of Virginia-based Pherson Associates, a consulting and training company that specializes in analytic tradecraft, counterterrorism, homeland security, law enforcement, and counterintelligence, said there are several pilots underway, including one at the Army and another at the Office of the Director of National Intelligence. But concerns about privacy, security of the information collected and the accuracy of the collected data remain.

Discovering that employees have problems needn’t be solely punitive, Pherson said. Learning that an employee faces financial or personal problems could enable an agency to help them. “You have a population that is valuable and wants to serve the government and you have to take care of them,” she said.

Evanina, meanwhile, is focused on identifying potential insider threats – employees who could be motivated to steal or compromise national security secrets – before those threats become serious.

“The object of continuous evaluation is to get to the left of the action,” Evanina said. Continuous monitoring should identify risks before an employee “decides to do something bad.”
