Unlocking the Secrets of Cybersecurity

Industry experts discuss the challenges of hacking, tracking, and attacking in a virtual world.

BY GIL KLEIN Shortly after Defense Secretary Leon Panetta warned of a “cyber Pearl Harbor,” three of University of Maryland University College’s top advisers on cybersecurity agreed that he was wrong. A cyber Pearl Harbor is not in our future, they said. It already happened—as long as 20 years ago. sneak attacks against the nation’s computer infrastructure occur daily—from personal identity theft, to “hacktivists” trashing targeted Web sites, to thieves stealing corporate secrets, to foreign agents probing U.S. security weaknesses. but with these dangers come opportunities. For people willing to get the right education, cybersecurity offers unlimited possibilities for creative employment that will provide essential services to the nation. speaking were three members of UMUC’s Cybersecurity Think Tank, which has helped the university establish undergraduate and graduate programs in cybersecurity education: Retired U.S. Navy Rear Adm. Elizabeth Hight, who was vice director of the Defense Information Systems Agency and deputy director of JTF-Global Network Operations. She is now vice president of the Cybersecurity Solutions Group, U.S. Public Sector, of the Hewlett-Packard Co. Marcus Sachs, vice president of national security policy at Verizon Communications, who coordi- nates cyber issues with federal, state, and local governments. L. William Varner, president and chief operating officer of Mission, Cyber and Intelligence Solutions at ManTech International Corp. ILLUSTRATION They joined Achiever writer Gil Klein at the National Press Club in Washington, D.C., to probe BY ADAM NIKLEWICZ this unprecedented new security threat. They talked about the possibility of what Panetta meant by a PHOTOGRAPHS cyber Pearl Harbor—an overwhelming attack that shakes the nation’s security and economic system BY SAM HURD and warrants a military response.

Achiever | University of Maryland University College www.umuc.edu | Achiever A Pearl Harbor is usually painted as an unexpected attack, where the airplanes come in at dawn. Cyberspace is a little different. We’re constantly being attacked, very bad that’s unpredictable, and we only hear about it the we’re constantly being next morning. penetrated. So, many would GIL KLEIN: And Bill, how about you? say that our cyber Pearl Harbor ‟ L. WILLIAM VARNER: My real fear is the consequences of a successful moment is actually in our past. cyber attack anywhere in our critical infrastructure. We just don’t recognize it. I think we had a little taste last summer of what that might be like with the storms that came through the Washington, D.C., area. —MARCUS H. SACHS Many lost power for several days. I was fortunate to be able to find power sources nearby and keep my phone and laptop charged for the five days I was without power. But what would we have done but they were careful to emphasize that the situation is not had the power not come on in five days? What if it hadn’t come totally dire. Solutions are available and opportunities abound to on for five weeks? I think our behavior as a society would change at expand them to meet the ever-changing danger. that point, and it would be a much different place to live. As Marcus Sachs said, “All is not bad. We may paint a very horrible picture here, but we want to make sure people under- GIL KLEIN: Defense Secretary Leon Panetta, who probably doesn’t sleep at stand it’s not the end of the world.” all given all his responsibilities, recently warned of a cyber Pearl Harbor. Now, let’s start with Marc. What do you think that would look like? GIL KLEIN: Betsy, what keeps you up at night? MARCUS H. SACHS: Well, fortunately, Pearl Harbor has already hap- ELIZABETH A. HIGHT: The whole host of “unknown unknowns,” pened, and it probably happened about 20 years ago. The problem whether they be very well-meaning but poorly educated informa- is that we don’t know what a Pearl Harbor looks like. When was tion security officers, those who believe that the current host of the first intrusion into our networks? When was the first actual loss products will keep their systems well defended, or those who have due to cyber crime? A Pearl Harbor is usually painted as an unex- found unique and still undiscovered exploits to get into public, pected attack, where the airplanes come in at dawn. private, or personal systems. All of those things are still unknown Cyberspace is a little different. We’re constantly being unknowns to most of us. attacked; we’re constantly being penetrated. So, many would say that our cyber Pearl Harbor moment is actually in our GIL KLEIN: And Marc, do you sleep well? past. We just don’t recognize it; we’re still waiting for this big MARCUS H. SACHS: Generally, I do, because if you know what event, and we’re not paying attention to everything that has bad is out there and what good is out there, you can sleep well. already happened. But what bothers a lot of people is that one lucky person. This ELIZABETH A. HIGHT: Most people equate Pearl Harbor with the is one of the problems in cyberspace: Somebody can make a Big Bang. I mean, there were bombs dropping, there were people mistake somewhere that we don’t know about, and somebody injured and dying. There was a lot of noise. So when professionals can get lucky—an unknown hacker, an unknown terrorist, an use that reference, we think there’s going to be a great big, loud unknown criminal can get very lucky and do something very, bang somewhere. But that’s not the way cyberspace works.

A Brief History 1973 ARPANet Virtual of cybersecurity Communication By Melissa E. Hathaway, with Europe president of Hathaway Global Strategies and a member of UMUC’s Cyber Think Tank. Hathaway served in two presidential administrations, 1971 1974 spearheading the Cyberspace Creeper Worm 1973 Development of Policy Review for President demonstrates Motorola the Graphical User Barack Obama and leading 1970 mobility and invents the first Interface (GUI) the Comprehensive National 1969 Intel introduces self-replicating 1972 cellular portable paves the way for the Cybersecurity Initiative for ARPANet the first 1k programs on File Transfer telephone to be intuitive design of Mac President George W. Bush. Transmission DRAM chip ARPANet and TCP commercialized and Windows OS

1969 1970 1971 1972 1973 1974

Timeline content excerpted from a broader presentation and analysis. Achiever | University of Maryland University College LEFT TO RIGHT: Gil Klein, Marcus H. Sachs, Elizabeth A. Hight, L. William Varner.

so if we think about it that way, everyone will say, “Oh, no, What that means is that a lot of our protection today is no, there’ll never be a big Pearl Harbor.” But the consequences left up to private industry. In all honesty, companies like could be so severe that we would have exactly the same kind of ours are, in large measure, responsible for protecting their mayhem, if in fact our critical infrastructure were destroyed or own networks. even penetrated in some way. And it’s a big challenge. The bad guys only have to be right L. WILLIAM VARNER: And the worst thing is, we might not know until once. We have to be right 100 percent of the time. such an attack is well under way. It might not be the big, explosive, kinetic activity that we think we would immediately recognize. GIL KLEIN: Do you think the general public is aware of the threat? What MARCUS H. SACHS: It is, however, a fair analogy, because a lot more can be done to prepare the public for the possibility of a major of what led up to Pearl Harbor, what actually allowed it to cyber attack? happen, was the misinformation sharing and the stove-piping MARCUS H. SACHS: I think the awareness is there that cyberspace of information. People knew what was going on. We had has problems. But what’s missing is the “So what?” What do I intelligence, but there was no sharing. And this is exactly do about that? In the physical world, we do a pretty good job of what we see today. teaching people about looking left and right before crossing the street or about not slipping on the ice. We don’t do as good a job GIL KLEIN: And in general terms, how is the United States military of teaching people what to do in cyberspace to make themselves preparing for a cyber attack? Is it happening quickly enough? secure. That’s the education gap. L. WILLIAM VARNER: We should look at the responsibilities of ELIZABETH A. HIGHT: People may be very aware of the threat, but the U.S. Cyber Command and the Department of Homeland they really don’t know how it impacts them personally. Unless Security. Even more importantly, look at all of the aspects of our they—or a close friend or family member—have had their iden- Internet infrastructure that are not protected by either the Cyber tity stolen, for example, they won’t know the true impact on their Command or Homeland Security. credit report. They won’t know how long it will take to recover.

1979 1G network (launched by Nippon Telegraph and Telephone in Japan) allows the first cell-to-cell transmis- 1983 sion without dropping DNS Registry lays the call foundation for 1978 expansion of TCP-IP becomes Internet 1977 universally accepted 1982 1983 Emergence of global standard 1979 AT&T divestiture 1983 Fred Cohen authors the smaller computers to supply network Intel introduces the in return for the DoD begins using first computer “virus”— layer and 8088 CPU and it is 1981 opportunity to go MilNet—mandates a term coined by his 1977 transport layer chosen to power IBM IBM personal into the computer TCP-IP for all academic advisor, Len Microsoft forms functionality personal computers computer business unclassified systems Adelman

1977 1978 1979 1981 1982 1983

Timeline illustrations by robert neubecker www.umuc.edu | Achiever And when you’re at UMUC, or in any college environment, that is the time to take your innovative ideas and tinker with them and mature them. And then offer them to the cal engineering or computer science does not necessarily mean he greater good. Because or she is ready to join the ranks of cyber warriors. cyberspace is open to all MARCUS H. SACHS: Cyber education is a lot like health and health- care. When kids are going through elementary, middle, and high of us. So when you innovate, ‟ school, we teach basic health principles. But not all kids grow up you’re helping all of us. to be doctors and nurses. —ELIZABETH A. HIGHT cybersecurity is the same sort of thing. We need to teach the basics of hygiene in cyberspace, the basics of what can go wrong. Some can go on to become the professionals. but I think what we’re missing is that early education. We tend to think this is only for the little geeks and wizards. But it should They won’t know that in fact what they put on social media is be for everybody, just like health education is for everybody. open to the world and will be there forever. ELIZABETH A. HIGHT: If ever there was a case for lifelong learn- I tell people all the time that we need to have a cyberspace ethics ing, it is cyberspace. All three of us are digital immigrants; we and civics class in elementary school to help teach our citizens from did not grow up with this technology. Our children and our the very beginning what this cyber thing is. Because children like to grandchildren are very comfortable with it. But the technology reach out and touch things, and they can’t do that in cyberspace. is so complex and changes so rapidly, there is no one who can sit back and think, “Oh, well, I understand it, and I don’t need GIL KLEIN: What is the need for a trained cybersecurity workforce? Are any more education.” universities producing the numbers needed? Are there enough students coming out of high school with the skills needed to begin learning this GIL KLEIN: Are there enough university programs to do this? Or is this an kind of complex information? And, of course, how intense is the compe- open field for universities? And who do you get to teach this if everybody tition for these jobs? That’s a lot of questions. who knows it has to be working and protecting somebody? L. WILLIAM VARNER: Those are easy questions, Gil, because the MARCUS H. SACHS: There’s a lot of opportunity there. answer to most everything is no. There are not enough people L. WILLIAM VARNER: There is. UMUC has a great program. I also currently. There are not enough people coming out of high schools work with almost every university in the area, as well as with some or being trained in our colleges. And there are just not enough that are not local. But to me, one of the most important things people in the general STEM—science, technology, engineering is making our career field attractive to people who are of the age and math—curricula altogether. where they are thinking about what kinds of careers they want. i know Betsy and Marc and I all share an interest in trying to MARCUS H. SACHS: It applies to all career fields. It’s not just for increase the number of trained cyber professionals in the country, those who get a degree in cybersecurity. If your degree is in educa- particularly those who are able to obtain the clearances that let tion, there needs to be a cybersecurity component, because you’re them work closely with our government agencies. going to be the one talking to kids. You need to understand cyber- And we sponsor a lot of training programs. Just because space at a level where you can talk about it, just like you talk about someone graduates from college with a master’s degree in electri- American history, just like you teach math.

1988 Morris is Internet’s first 1992 widely propagating worm OSD issues Policy 3600.2 Information Warfare 1988 After Morris Worm, DEC 1985 white paper introduces 1991 Microsoft Windows; the concept of firewalls 1989 National Academy of utility of computer and packet filtering; DoD Corporate Sciences: Computers easier for consumer launches the market for Information 1990 at Risk Report security products Management (CIM) CERN develops HTML code 1985 Initiative to identify and software (World Wide 1991 1992 Generic top- 1988 and implement Web is possible) First GSM network 2G networks 1984 level domains are DoD funds Carnegie management launches in Finland, make instant Cisco Systems Inc. officially implemented Mellon CERT-CC as a efficiencies in DoD 1990 giving way to 2G cellular messaging forms (.com, .gov, .mil, .edu) result of Morris Worm information systems Rise of Internet innovation networks possible

1984 1985 1988 1989 1990 1991 1992

Achiever | University of Maryland University College LEFT TO RIGHT: Marcus H. Sachs, Elizabeth A. Hight, and L. William Varner

but other career fields—engineering, law—are also wide open. versation we were just having about manpower—our adversaries It doesn’t just have to be focused on technical skills. I think this is have the same problem. There aren’t a lot of smart attackers out where UMUC is really gaining an advantage, because they have a there, either. In fact, if I had the choice to work for one of us and wide course curriculum, a big audience. have a beautiful, bright career, or to work for a terrorist organiza- L. WILLIAM VARNER: And in the position we’re in now, I don’t think tion and perhaps get blown up, I might decide that I don’t want all of the universities and colleges added together could produce to be a terrorist. enough people to meet the needs that we have today. this is an interesting quandary, because our adversaries do face the same problems. Government targets are lucrative, but a GIL KLEIN: Talk a little bit about the kinds of attacks that are going on right government system is no different from a private sector system, now. Who is making these attacks? And how much impact do they have? or a university system, or a home system. It’s the same silicon, the ELIZABETH A. HIGHT: There are basically three types of attackers. same software, the same vulnerabilities. There are the hacktivists and the joyriders that we’ve seen for the information may be different; the value of the information years and years. There are the state-sponsored attackers. And there may be different, but that is actually a strength, because lessons are criminals. So each of them has varying degrees of support and that you learn in the government can be applied to industry, to education and training and opportunity. academia, or to home systems. And vice versa. that creates a huge problem for the entire federal, state, and so it’s a fairly level playing field in terms of defense. Solutions local government environment, because they have to protect work in multiple places. And that’s a strength we need to play to. against the entire continuum. MARCUS H. SACHS: There are some commonalities. It’s not GIL KLEIN: Can any of you tell me a story about an attack, how it came machines that are attacking us; people are attacking us. The con- about, and what was accomplished?

1996 1997 1993 OSD Issues 3600.1 Framework for MILNET becomes 1994 1996 Information Operations Electronic Global NIPRNET VCJCS directs ITU works on stan- Broadening the Commerce policy IW Joint Warfare dard (H-323) for Definition to Engage (known as the “Green Capability assessment 1994 1995 Voice over Internet During Peace Paper” in the U.S.) $10 million stolen from AOL phishing attacks Protocol (voice and encourages international 1994 Citibank; Steve Katz for passwords and data over single adoption of DNS Nokia proof—sends becomes the first chief credit card information network reduces 1996 data over cell phone information security infrastructure costs) US relaxes 1997 (Wi-Fi possible) officer (CISO) 1995 export President‘s Commission 1993 Evident Surprise 1996 controls on Critical Infrastructure Mosaic Web wargame DEPSECDEF Defense Science on Protection leads to browser makes and IC agree Board paper: encryption products to formation of ISACs the Internet an to coordinate Information Warfare- foster global electronic (information sharing and everyday tool IW policy Defense commerce analysis centers)

1993 1994 1995 1996 1997

www.umuc.edu | Achiever Companies like ours are, in large measure, responsible for protecting their own networks. And it’s a big challenge. The bad guys only have to be right once. We ELIZABETH A. HIGHT: We’ve had cases of government organizations have to be right 100 percent dealing with their own bureaucracies. A recent state case involved of the time. the lack of a state information security officer for more than a year. The thing that held it up was the bureaucracy of finding ‟ —L. WILLIAM VARNER someone with these critical skills who would accept the pay of a person in a government bureaucracy. here in Washington, D.C., especially, I think the unemploy- ment rate for cybersecurity specialists is less than zero. They’re in great demand. And that’s true not just for government but for industry as well.

MARCUS H. SACHS: What we see today usually comes on one of two GIL KLEIN: Bill, do you have a great story here? levels. There is the subversive attack that is very hard to see. The L. WILLIAM VARNER: When you are attacked you might not even adversary is interested in targeting you because there is informa- know it; the data is still there. They take a copy of it; they don’t tion that they want specifically from you. And they will take time take the data. It’s a lot different from physically breaking into to get it. They go in and grab what they want, they take it, and a building and stealing something, where you notice, “Hey, my you may not realize that it’s gone. stereo system is gone.” You may not know that somebody has Often we see this happen after the fact. We have forensics taken your valuable intellectual property. teams that will go in and investigate, and a company or organi- MARCUS H. SACHS: Let me mention a real-world case here. zation will realize that they have been breached. And it some- The RSA Corporation, as many of us are aware, is at the top of times turns out that the initial entry was more than a year ago their game when it comes to cybersecurity. Devices, software, and the adversaries have had that much access before they are consulting services, they’re all over. But yet they got breached. finally noticed. And it kind of reflects back on that very first question: What then you have the class of attacks that are very noisy, like keeps you up at night? Here you have the best, and they get denial-of-service attacks or flooding attacks. The target may be an broken into, even though they’re doing everything right. organization like a bank or a government, or it may just be any- ELIZABETH A. HIGHT: So 10, 15, or 20 years ago, we thought if we body who happens to be connected to the Internet. Those are like could protect the outer perimeter, we could keep all the bad guys out. a flash; here today, gone a few moments later. But they can still As a matter of fact, in 2005, the Department of Defense really be very visible. cracked down on two-factor authentication and required everyone And we face this all the time, particularly with high profile to log on to the network with their CAC cards—something that Web sites. This is the hacktivist problem we’re talking about, they knew, something that they held in their hands that could where in the past you might go up to whomever you didn’t like not be stolen by someone who was putzing around in a network and spray paint your message all over their glass wall. Today, you looking at the password file. go online and maybe deface their Web site, or cause a denial-of- So those defenses were developed, and then we went on to service attack so their customers can’t get there. phishing. And now we’re into spear phishing, and the human

2001 1997 1998 Launch of first pre- Google search Internet Corporation commercial trial 3G network engine invented of Assigned Names (packet-switch) by Nippon and Numbers (ICANN) Telegraph and Telephone 1997 established 802.11 International 1999 1999 2000 2001 Standard agreed upon 1998 U.S. Space Command In-Q-Tel established HTML accepted DoD Quadrennial Defense PDD-63 Critical assigned military to help government as international 2000 Review renews focus on 1997 Infrastructure Cyber Offense-Defense innovate standard ISO: 15445 Y2K information Eligible Receiver Exercise Protection Policy Mission responsibility operations focuses DoD and IC on 1999 2000 2000 vulnerabilities of U.S. 1998 1999 DCI agrees to use same National Academy DDoS attacks against 2001 infrastructure and Solar Sunrise DoD Melissa Virus sets stage definitions signing out of Sciences: Trust e-commerce affect Wikipedia foreign IO programs penetrations realized for rapid infections DCID 7-3 in Cyberspace Amazon, Ebay, CNN created

1997 1998 1999 2000 2001

Achiever | University of Maryland University College Cyber-Speak Glossary

CAC Card is a common access card Exfiltration, also known as extrusion, tive sources asking for passwords and issued by the Defense Department is the unauthorized transfer of data other information that will grant them that allows entry to government from a computer or network. access to classified information. buildings and computer networks. About the size of a credit card, it Hacktivists are people who break into Stuxnet is a computer worm believed has an embedded microchip that computer systems for politically or to have been developed by the United has a digital image of the card- socially motivated purposes. Their States and Israel that was used in 2010 holder’s face, two digital fingerprints, motives are usually not to steal infor- to attack the supervisory control and Social Security number, and other mation but to alter a targeted Web site data acquisition systems of Iran’s identifying data. or hamper the organization’s ability to nuclear development program. operate online. DARPA is the Defense Advanced U.S. Cyber Command was created in 2009 Research Projects Agency, an Spear Phishing is an attempt to gain in the Department of Defense to plan, independent research branch of the unauthorized access to an organization’s coordinate, integrate, synchronize, and Department of Defense created in information by targeting specific individ- direct activities to operate and defend 1958 that funded a project that led uals in that organization. Unlike regular the department’s networks. When to the creation of the Internet. Its phishing, which is typically carried out directed, the Cyber Command con- mission is to think independently by random hackers, spear phishers know ducts military cyberspace operations to of the rest of the military and to exactly what information they want and ensure the United States and its allies respond quickly and innovatively who can provide access. They send mes- freedom of action in cyberspace while to national defense challenges. sages that appear to be from authorita- denying the same to its adversaries.

element is so unpredictable. A very well-documented case that the somehow trade sanctions? Or is the somehow just a demarche involved an effort to hack into an international company was really or a public outing? I think that’s a public policy problem we have engineered around calling a system engineer overseas and claiming here in Washington. We don’t have that answer. to be a member of the company. It was very late in the evening, L. WILLIAM VARNER: Of course, that brings up the whole issue of and the system admin overseas said, “Sure, I can reset your pass- attribution, which, in my opinion, is the most difficult problem word.” And the hacker actually got into the system that way. in cybersecurity. You need to be pretty certain who launched the attack before you strike back. In reality, many attacks originate GIL KLEIN: Is there a level of cyber attack that you think would warrant right here in the United States; they are just routed through a traditional military response? Or could we even figure that out? other countries. ELIZABETH A. HIGHT: I think with technology today, there are some MARCUS H. SACHS: We have a very clear policy about the use of who can figure that out. And as a citizen of the United States, if nuclear weapons, for example. There is no ambiguity about what an organization or an individual actually turned off my power, the United States’ response would be if somebody fired a nuclear or poisoned my water, or caused an airplane to crash, I certainly weapon at us. We have a very clear policy on invasion. But we hope the United States would respond somehow. don’t have a clear national policy that says, “It is the policy of the MARCUS H. SACHS: That somehow is the question. Is the somehow United States to do the following if there is a cyber attack that diplomacy that ultimately finds its way into the military? Or is meets such-and-such a threshold.” I think we have to have that.

2003 CA State Data Breach Law: Businesses must report 2002 breach of PII 2006 2002 U.S. Strategic Facebook forms Department of Homeland Command assigned 2003 2004 2005 2001 Security assumes Critical military Cyber LinkedIn: Business applica- DoD IO Roadmap Choice Point first breach 2006 Council of Europe, Infrastructure Protection Offense-Defense tion of social networking programs more than of personal identifiable Congressional Testimony Cybercrime Convention Mission Mission responsibility $1 billion in new funds information (PII) NSA outlines closer (treaty) 2003 to normalize IO coordination with DHS 2002 DoD Transformation Planning 2005 2001 DoD 3600.1 policy Guidance formalizes Net 2004 NERC announces 2006 Nuclear Posture Review 2002 is reissued with Centric Warfare EW Roadmap to standards for Hengchun Earthquake calls for replacement of Social networking new definition focus DoD’s efforts cybersecurity for (Taiwan) affects nuclear weapons with technology takes off for Information 2003 to provide electronic reliability of bulk- undersea cables and non-kinetic weapons with Friendster Operations Skype (beta) debuts attack options power systems Internet for 49 days

2002 2003 2004 2005 2006

www.umuc.edu | Achiever LEFT TO RIGHT: Marcus H. Sachs, Elizabeth A. Hight, and L. William Varner at the National Press Club in Washington, D.C.

ELIZABETH A. HIGHT: And I think that is one of the great things so this is an ongoing debate here in Washington. Maybe we about the UMUC curriculum. There are courses where need to just keep talking about this, not wrapping it up behind students are challenged to think critically about those policy classified doors, because it is a very serious policy matter that we issues. And that area is ripe with opportunity, whether you’re have to start discussing openly. a student, a private citizen, or a member of the legislative or ELIZABETH A. HIGHT: I think one of the things to consider is the judicial branch. Those discussions need to happen before we foundation of our own country. I mean, individualism and actually wake up one day and discover the catastrophic effect privacy and all of those concepts that our country was founded of a cyber attack. on really fly in the face of cyberspace. Because a lot of people L. WILLIAM VARNER: And the interesting thing we’re all saying here would say there is no privacy in cyberspace, and others would is that cyber technology is more advanced than cyber policy. say that there is all kinds of privacy, it just depends on how MARCUS H. SACHS: And of course cyberspace doesn’t belong to you use cyberspace. anybody. It belongs to everybody. It’s really a metaphor; it’s MARCUS H. SACHS: If you start with the Constitution, everybody not really a thing. It’s not like dirt or air. It’s this made-up and understands the First Amendment. Freedom of speech, we want synthetic thing that humans have built. that; so, okay, we check that off. Then you get to the Second So when we ask the question, “What should the military do?” Amendment and things get very awkward. What does it mean to it really depends on whom you’re asking. Because a network owner have the right to bear arms in cyberspace? What is an arm? And and operator would say, “The military has no role here, other than we’re only on the Second Amendment! We haven’t even gotten perhaps protecting my physical assets. The actual essence of cyber- to Three or Four. [Laughter.] So, again, this is the debate we have space is a business; it’s not a military battleground.” got to have. What does this stuff mean?

2008 2008 Cable cut(s) in RBS World Pay $9 million Mediterranean stolen in 30 min., 49 cities dramatically slow down 2007 Internet and Egypt USAF establishes a 2008 affected badly 2009 2009 Cyber Command 2007 President announces Heartland Payments 4G offered via WiMAX Estonia DDoS highlights modernization program breach demonstrates standard (Sprint) speed 2007 use of force (wartime (Smart Grid, Next Gen that compliance does 2009 improvement of 10-fold Comprehensive National applications with con- FAA, Health-IT, not equal security Move to cloud Cybersecurity Initiative scripted computers) Broadband to America) 2008 computing 2009 (CNCI) Conficker Worm 2009 Operation Aurora 2007 2008 requires unprecedented Cyberspace Policy 2009 coordinated attack on 2007 Joint Staff, National Georgia-Russia conflict international cooperation Review: Cyber is eco- National Research many high-profile TJ Maxx breach Military Strategy for demonstrates cyber in and operational nomic and national Council Report: Cyber companies targeting (exploits Wi-Fi) Cyberspace Operations warfare response security priority Attack Capabilities intellectual property

2007 2008 2009

Achiever | University of Maryland University College We’ve pushed the government right now not to regulate us, but to let us innovate. Let us find our way out of this security problem by being creative. That’s what Americans do best. We are the world’s best innovators. —MARCUS H. SACHS

GIL KLEIN: The United States and Israel apparently launched a success- asymmetrical warfare, and the barriers to entry are small. They’re ful cyber attack known as Stuxnet against Iran’s nuclear development the cost of a laptop or a PC and an Internet subscription; that’s program. Is that the type of low-level warfare we can expect to see that all it takes. It’s just an inordinate cost to defend against what an avoids actual firepower? Do you see an offensive use for the U.S. military? attacker can do almost for free. ‟ELIZABETH A. HIGHT: Well, I wouldn’t call trying to disable a coun- MARCUS H. SACHS: But do you know the good news in all of this? try’s nuclear arsenal “low level.” I think that as we evolve in this There really are basic, simple things people can do to protect arena, we will continue to see operations of certain types until we themselves. Oftentimes we do get wrapped up in the, “Oh dear, have case law or legislation that defines that. cyberspace is so dangerous; I think I’ll just unplug and go farm I think one of the most important things to realize is that it’s not for the rest of my life.” just U.S. citizens that are thinking about conducting defensive or But it turns out there are a lot of very simple things that any- offensive operations. This is a global domain; there is no state line or body can do to reasonably protect themselves, much like in the real national border. And these conversations need to be held globally. world. We’ve learned that as humans and as part of society. I think MARCUS H. SACHS: It’s hard for the United States because we’ve that’s the piece that we’re hunting for with cyberspace: What are always been ahead of this game when it comes to technology— those basic things individuals can do? Because you’re always going from airplanes to spaceships to nuclear weapons. to have threats, and you’re always going to have attackers. But enter cyberspace, and we just assume we’re in charge. We assume we have more capabilities than others. That may not be GIL KLEIN: What is the responsibility of the private sector in providing the case. And that’s very awkward for us, because now we have a level of security? And what is the responsibility of the federal govern- worthy adversaries. But they’re not necessarily countries like China ment in making sure that it is meeting that responsibility? or Russia. An adversary could be an individual, a corporation, a ELIZABETH A. HIGHT: I think cybersecurity has moved out of the loosely affiliated group or a terrorist group. It could be a cause. computer operations center and into the boardroom. The boards that’s what makes cyberspace so interesting. When we say and senior management teams who take the time to become what offensive is, we try to go back to our classic industrial think- educated in the risks associated with cybersecurity realize that ing of tanks and planes and ships and invasions. But offensive in there is a real reason to understand cybersecurity. cyberspace may be completely different. A wonderful SEC guidance came out recently saying that if you And I think Stuxnet is a great example, but it’s like a biplane have a significant risk to a public company, it has to be reported, and compared to a strike fighter. This is so basic, to do a Stuxnet-type that includes cyber risks. So I think that’s a step forward in educating thing. And the history books will record this. Play this tape back both the boards and the senior management teams of industry. even 10 years from now. Look at how we will refer to Stuxnet and MARCUS H. SACHS: Cybersecurity is now emerging as one of those say, “Wow, in its day that was pretty cool. But that’s so simple. areas where you’re actually better off if you’re outsourcing it and We issue that capability to our kids; we show them how to do using what’s emerging as managed security services. that to each other.” [Laughter.] This has become so complex and so technical and so specific that it may be better as a business leader not to try to do it all yourself. GIL KLEIN: So is this asymmetrical warfare taken to a new level? L. WILLIAM VARNER: This calls for a public/private partnership, L. WILLIAM VARNER: That’s an excellent question, because it is along with a way to share information about attacks that may be

2010 Intel Corporation 2010 SEC Filing Court rules in favor of Comcast; 2011 Net Neutrality debate heats up 2011 Epsilon breach: 2010 on Internet regulation Libya cuts off Internet High profile Texas bank sues and social networking customers exposed 2010 customer over cyber-theft 2010 sites from citizens NATO Strategic Concept Standup of U.S. 2011 2011 Review highlights cyber 2010 Cyber Command 2011 2011 Hackers break into RSA/EMC Corporation UK Data Protection Law: 88 percent of 2010 The Netherlands, France, Canada’s Treasury system SEC filing (SecureID $500,000 fine for lost Egyptian Internet 2010 NATO declares cyber and Germany publish breach) protected data cut off from citizens Smokescreen, online defense a priority cybersecurity strategies 2011 virtual reality game, UK states that cyber- 2011 2010 guides teenagers 2010 2011 attacks and cybercrime G8 discusses that Stuxnet Worm strikes through dangers of Market shift: Proliferation of 2011 IPV-4 address are among its top five laws need to apply Iran’s nuclear facilities social networking handheld wireless devices NASDAQ penetrated allocation exhausted security issues to the Internet

2010 2011

www.umuc.edu | Achiever I use this phrase: “Hug an ethical hacker.” Start thinking about how to protect your systems by thinking like a bad guy. One of the new industries that has sprung up is ethnical hacking courses for senior government and industry executives. —ELIZABETH A. HIGHT

occurring so that both government and industry can benefit. In fact, GIL KLEIN: So how much rigorous scientific experimentation is going on now there are activities like that under way that we’re all part of, and they that will lead to security breakthroughs? are having some success. ELIZABETH A. HIGHT: I think there’s a lot going on, both in govern- ELIZABETH A. HIGHT: I think we have been talking about public/ ment and in industry. As a matter of fact, DARPA [the Defense ‟private partnerships for years. But in my view, most of these Advanced Research Projects Agency] has recently released a discussions are just far too general. They are not taken seriously fraud area announcement for some really exquisite defenses. And by most people who are in control. Those individuals may DARPA has hired some of the best-known hackers in the United like control, but they don’t understand that in fact they don’t States to turn their tradecraft into a defensive mechanism. have the expertise to keep up with this incredibly, remarkably so this is a well-recognized problem that academia, govern- dynamic, complex space. ment, and private industry are all trying to solve. MARCUS H. SACHS: Often when we say cyberspace, we really mean GIL KLEIN: Along that line, former CIA Director James Woolsey said the Internet. But the Internet is just a piece of cyberspace. Air hackers are stealing us blind by breaking into company databases and traffic control and interbank transfers don’t go over the Internet, taking secret development plans. How big a threat is this to U.S. busi- for example, but they’re part of the communication infrastructure. ness? And how adequate is the response? the Internet today is largely based on the explosion of per- MARCUS H. SACHS: That’s probably the number one threat to our sonal computers back in the 1980s, followed by the explosion in country right now. It’s death by a thousand paper cuts. We are the 1990s of the Internet itself, as everybody became familiar with leaking—what’s the estimate?—trillions of dollars annually, it and as faster networks and laptops came along. intellectual property that’s just going out the door. We look in the past five to 10 years, a new wave known as wireless has at our current economy, which is kind of sputtering, and one come along. We’re beginning to see a different type of device, of the factors we never talk about is cyberspace. What about different applications, different ways of thinking. And in fact, that the leakage of all this intellectual property that’s gone to other wireless world is now bleeding into home security systems. It’s countries who can now compete against us because they stole all in your car, thanks to Bluetooth. of our know-how? so there’s opportunity here. Where the old Internet is largely built on a string of wired PCs and hard drives, we now have a GIL KLEIN: Is it possible to give an example? new cyberspace that’s coming out, largely Internet-centric, but L. WILLIAM VARNER: One estimate by people who are generally well with pieces that aren’t the Internet. And in fact, right behind that regarded in the intelligence community is that at least one tera- is this new thing called cloud computing. byte per day of U.S. intellectual property is being exfiltrated to So just like any other technology, we have waves of innovation. other countries. So to put that in perspective, the written material And what I think some are seeing is that each wave gives us the in the Library of Congress comprises about 10 terabytes. opportunity to add security that wasn’t there in the previous wave. general Keith Alexander, the director of NSA and head of the so cyberspace can in fact get more secure as we go forward. U.S. Cyber Command, has stated publicly that he believes this is Because we tend to build in new resiliency. We build in new the largest wealth transfer in the history of the world. safety features. We kind of build on previous mistakes. continued on page 18

2011 DigiNotar certificate breached 2011 2011 Microsoft acquires 2011 2011 Anonymous targets NATO 2011 Skype for $8.5 billion IMF penetrated and Citigroup breach; 200,000 Sony PlayStation net- severs connection accounts accessed 2011 2011 work breached; initial 2011 to World Bank as a Federal Financial 2011 CERT–EU opens clean-up, $170 million Austria declares precaution 2011 Institutions Examination Singapore announces cyber defense a Syrian Electronic Army Council (FFIEC) issues it will stand up a 2011 2011 national priority 2011 (SEA), a pro-government supplemental guidance National Cyber Security International Code of 65 percent of Syrian EU increases computer attack group, on risk management: Centre headed by the Conduct for Information Internet removed from 2011 penalties actively targets political “Authentication in Singapore Infocomm Security brought to routing tables (40/59 New Zealand publishes for opposition and Western an Internet Banking Technology Security the 66th UN General networks) cybersecurity strategy cybercrime Web sites Environment” Authority Assembly

2011

Achiever | University of Maryland University College One estimate by people who are generally well regarded in the intelligence community is that at least one terabyte per day of U.S. intellectual property is being exfiltrated to other countries. —L. WILLIAM VARNER

What I’m trying to say is that all is not bad. We may paint a very i think it would be wonderful to shine a light on some of our horrible picture here, but we want to make sure people under- heroes in cyberspace. And I think keeping everything behind the stand it is not the end of the world. As new technologies come classified green door is a mistake. along, new vulnerabilities are introduced—don’t get me wrong I guess if I were across the table from the president, now ‟there—but we are making some remarkable changes. that he has won a second term, I would say, “Take a chance. but for anybody who is interested in this area, the field is wide Look at the issues that need to be developed. Look at the lack open for new ideas, new concepts. My company and your com- of case law. Let’s think about what that means to our econom- panies, we all have open doors for innovators, for new ideas, for ic future and our personal privacy. Let’s look at those issues, fresh concepts and fresh ways of doing things. now that you’re in a position to take that risk.” And I would And to kind of wrap this up, we’ve pushed the government say, “Go for it!” right now not to regulate us, but to let us innovate. Let us find L. WILLIAM VARNER: Right, so we would stress just exactly how our way out of this security problem by being creative. That’s important it is to develop that cybersecurity policy to the level of what Americans do best. We are the world’s best innovators. the policy and the doctrine we used to have, for example, in the ELIZABETH A. HIGHT: And when you’re at UMUC, or in any college days of the Cold War. We don’t have that for cyberspace. environment, that is the time to take your innovative ideas and tinker with them and mature them. And then offer them to the GIL KLEIN: You mentioned cybersecurity heroes. Can you give me a case greater good. Because cyberspace is open to all of us. So when study or a story? Can you tell me a story about cybersecurity, or is it all you innovate, you’re helping all of us. still classified? ELIZABETH A. HIGHT: Well, I know a lot of heroes who man network GIL KLEIN: So if you could get the ear of President Barack Obama or of and security operations centers around the world for the United Congress, what would you tell them? States military and for the Department of Homeland Security, MARCUS H. SACHS: If the president were sitting right here, I would and for some of our industry partners. like to know, first, what he does to protect himself as the leader of I know local and state government heroes that are doing that the most powerful nation in the world. What does he do personally job every day. They’re sort of like firefighters and policemen. Until in cyberspace? It may be a bit of an embarrassing question, because something terrible happens, you just don’t know about them. it catches a lot of people off guard: What do I do? Because I can pontificate all day long about what everybody else should do, but GIL KLEIN: I was hoping you could give me a real name here. what do I do? That might lead to a very interesting discussion. MARCUS H. SACHS: There was a book called The Cuckoo’s Egg, by now, the president might get it right, and might actually Cliff Stoll. Cliff was an astronomer in a university and recognized have a lot of insight. In which case, Mr. President, please stand up that there was a problem in one of his computing systems, where in front of the bully pulpit and start preaching. [Laughter.] But we the accounting was off by a few pennies. Now, computers are don’t know where the president comes down on this. precise. They should be exactly correct. ELIZABETH A. HIGHT: I think what you’re really saying is, “Be a role And when he found that they were off by a few pennies, he model.” That’s one of the barriers to getting our young people began to ask questions. Come to find out, there were intruders in really excited about these careers. there. And the intruders were changing the logs. continued on page 20

2011 2011 EU TLD registry makes ISO formally ratifies it easier for registrars ISE/IEC 27035:2011, an to use Internet secu- information security best 2011 rity protocol Domain practices process for 2011 Kenya launches informa- Name System Security 2012 incident reporting NCIX Report: Foreign tion security master plan Extensions (DNSSEC) WEF ranks cybercrimes Spies Stealing U.S. to safeguard public infor- as #1 technological risk Economic Secrets in mation on the Internet 2011 2012 Cyberspace Cyclone Dagmar affects 2012 An Israeli IDF Team power supplies to elec- INTERPOL announces launches an attack 2011 tronic communication net- 2011 stand up of Global against a Hamas Web 2011 SEC guidance to 2011 works in Nordic countries; South Korea leads Complex for Innovation site (qassam.ps), Blackberry public companies: United Kingdom millions of users left with- the world in ICT in Singapore focused knocking it offlline outage affects Cybersecurity Is a publishes new Cyber out telephony or Internet development and peer- on digital security and to protest the site’s millions of customers Material Risk Security Strategy for up to two weeks to-peer botnets cybercrime anti-Israeli stance

2011 2012

Achiever | University of Maryland University College But enter cyberspace, and we just assume we’re in charge. We assume we have more capabilities than others. That may not be the case. And that’s very awkward for us, because now we have worthy adversaries. But they’re not necessarily countries like China or Russia. An adversary could be an individual, a corporation, a loosely affiliated group or a terrorist group. It could be a cause. —MARCUS H. SACHS

so an entire book has been written about this. It would make But I think it’s a system that the entire world depends on. It a fascinating movie. would be very difficult to imagine living without it. So I think we’ve made tremendous strides, and we just have to continue to work very, GIL KLEIN: Bill, have you got any heroes out there? very hard to deal with all the security issues that come up. ‟L. WILLIAM VARNER: I think of some of the former directors of some ELIZABETH A. HIGHT: This is a journey. A secure cyberspace is not of our major agencies—General Kenneth Minahan, for example, necessarily a destination. With technology comes vulnerabilities. the former director of NSA [National Security Agency] and DIA Our ability to recognize them is incredibly important. [Defense Intelligence Agency]. He was involved in the very early i use this phrase: “Hug an ethical hacker.” Start thinking about beginnings of the Internet and working with Microsoft when how to protect your systems by thinking like a bad guy. One of some of the early vulnerabilities were discovered. the new industries that has sprung up is ethnical hacking courses Bill Crowell is another cyber hero, I think. He’s now a venture for senior government and industry executives. capitalist, but he was a former deputy director of the NSA. this is a continuum that we will be on forever, long after we’re i think there are numerous people who have taken advantage no longer here. of the positions that they had to make enormous strides in getting us to where we are today. GIL KLEIN: Marc, do you have any final thoughts? MARCUS H. SACHS: Cyberspace being a metaphor, it is also an GIL KLEIN: Just to wrap up here, what I’m reading about is the next extension of the human mind and human society, what we think phase of the Internet; it’s so unbelievable, when you get into the cloud and what we do. There’s opportunity for the bad guys to take and you get into artificial intelligence. Do you see greater threats here? advantage of it, and there’s opportunity for the good guys to do it At some point you were saying, “No, this could actually be better for right. And there are opportunities for governments, for the private us.” We’ve come through 20 or so years of the Internet and the world’s sector, for academics. still here. What are we doing right? right now, we’re at the beginning of something really, really L. WILLIAM VARNER: In my opinion, Gil, we’re in a wonderful cool. And we’re the only generation that gets the first bite of the position. We have more technology than anybody ever dreamed apple. Subsequent generations have to put up with our thinking. we would have. We’re using it. My car sends me e-mails just when historians look back on our legacy, I hope they will say, to let me know how it’s doing. “These guys got it right. Facing this complex challenge, they got And I do think we have the opportunity to make it even it right.” Shame on us if hundreds of years from now they’re still more secure, especially when we move into cloud environments. fixing the problems that we come up with here. Because when the Internet was developed, security was just not a i think that’s our challenge. That’s a challenge we can meet. consideration; it was about communication and convenience. But can we lead? Can we cause these changes so that future we have tacitly made the assumption over all of these years generations can build on what we’ve done? that we value the convenience and the efficiency that we get from today’s Internet and all of cyberspace, and we’re willing to work GIL KLEIN: That is a terrific way to end this. Marc, Bill, and Betsy, thank really hard to develop the security that we need to be able to con- you so much for being here. We certainly appreciate all the time you’ve tinue to use it. given us. Thank you. G

2012 Shamoon used against Saudi Aramco and 2012 damages some 30,000 Presidential Policy computers (attack aimed Directive 20 establishes at stopping oil and gas national guidance for 2012 production at the biggest operations in cyberspace 2012 Google announces OPEC exporter) World Conference new privacy policy 2012 2012 2012 on International Distributed Denial-of- Hurricane Sandy affects U.S. Congress releases Telecommunications 2012 Service against U.S. power supplies and com- a report on national 2012 (WCIT) updates and ISO/IEC 27032 publishes financial institutions munication networks in security issues posed Syria shuts off revises the International international guidelines peaks at 60 gigabytes/ northeastern U.S. for up by Chinese telecom Internet access Telecommunication on cybersecurity second. to four weeks companies across the country Regulations (ITR)

2012

Achiever | University of Maryland University College