That’s the grim news from the cyber 1.2 program that launched the first day of the 28th annual National Space Symposium. No one is safe — not the Department of Defense’s secret network, known as the SIPR net; not the CIA’s networks; not even the Joint Worldwide Intelligence Communication System, known as JWICS, which is supposed to be the most secure network in the world.
In fact, the DoD is attacked 1 million times a day, 400 million times a year. Banks, defense contractors, small businesses — none are immune from foreign nation-state attacks or local hackers trying to get to people’s credit card information.
It doesn’t mean the cyber industry hasn’t made strides in the fight against theft and attacks on networks. But it does mean that there’s still work to be done. And there’s no time to lose, say the experts who gathered in Colorado Springs to discuss the latest news and give advice on the way forward.
“We’ve made some inroads,” said Gen. Trey Obering, a retired missile defense agency commander who is now a senior vice president at Booz, Allen, Hamilton. “We have a long way to go. Our recognition has grown considerably about what our cyber vulnerabilities are, where the threats are — from hackers to nation states. We’ve ramped up considerably in terms of awareness. And now we’ve begun to take action. We need to be faster.”
Companies need to respond faster because hackers are moving faster, and there are more of them.
“Did you know 120 countries are engaging in information war systems?” asked Deborah Westphal, managing director of Toffler Associates.
That means 120 nations are engaging in cyber warfare, stealing money, intellectual property and national security secrets.
And there’s a very real cost to all this covert activity. John Higgenbotham, executive chairman of Blue Ridge Networks, says companies spend about $300 per employee to protect their networks, but the nation lost about $15 trillion in intellectual property stolen by cyber thieves.
“There are other costs,” he said, “costs to careers, to reputations, to national security.”
Because those costs are so high, networks should be dynamic, able to protect themselves instead of responding after they are attacked, Obering said.
“We need protection that changes constantly, something similar to changing your password every second,” he said. “That way, if networks are constantly changing where things are, by the time a cyber thief figures out where something is — then it’s moved again. It’s got to be fast; it has to be dynamic.”
And it has to cover every aspect of the network: applications, transit of information and access to that information.
While there are some network protections like that — Booz, Allen, Hamilton sells one and Blue Ridge Networks has its own as well — there should be more and the technology should be widely available.
Businesses should learn as much as they can and then they should engage experts to aid them in discovering cyber solutions to their network security holes.
“Businesses need to realize that their networks are constantly at risk, and they need to respond to that risk,” he said. “They need to create systems that keep the human strengths and frailties in mind — because sometimes there is a real human issue that has to be resolved.”
He tells a story of a man who worked at a high-security computer company. He left the office, turned off and secured his computer — and then went back to his desk from the parking lot. He noticed the computer that he had just secured was turned back on. He called the IT desk, and eventually the company called the FBI.
“They told them that this happened many, many, many times,” he said. “It’s just one example of how fast cyber crime can occur.”
In order to combat the ever-growing ranks of cyber thieves and nations who want to undermine national security, experts say that the current business-as-usual model needs to be turned on its head.
It has to be faster — when computer experts say faster, they mean nanoseconds. That’s how long it can take for someone to break in and steal valuable, sensitive information. But the nation isn’t moving that fast, they say. Instead, they are relying on decades-old ways of doing things, hampering innovation and possibly aiding the enemy.
“Young people do not want to study computers and have to go back 20, 40 years,” said Glenn Veach, chief technology officer for Relevant Security Corp. “They want to innovate. With the current system, we’re taking people who think outside the box and putting them back in.”
Veach is talking about the certification process for security software, which he says is both expensive and unnecessary.
“The government is taking all this history, 40 years, and making a test for it, and making people answer the questions in order to get the certification,” he said. “That’s the old way. We need to be faster.”
One way to be faster is to take into account cyber security at the front end of creating networks, Obering said.
“When I was a young officer, they designed aircraft for operations,” he said. “The design didn’t take into account maintenance and logistics — support was done after the fact. Now we need to address the cyber security issue up front. It needs to be built into the system; so we can stay ahead of the threat.”
It’s an absolutely critical mission, he says, because the world isn’t suddenly going to become less dependent on the digital, cyber world.
“I think we’ve only scratched the surface of how involved we’re going to get with Internet, satellite communications, cloud computing,” he said. “And the Chinese — who are one of the biggest threats — they see the dependence on it for communications for war-fighting as a weakness they can exploit.”