was co-chair of the Center for Strategic and International Studies Commission on Cybersecurity for the 44th Presidency.
2 CONNECTIVITY
“The convenience of IoT devices comes at a cost: a vastly expanded attack surface.”
Brian Talbert, Alaska Airlines
“The drive to connect is an unstoppable force within cyberspace.”
Chris Inglis, Former Deputy Director, NSA
Enabling and protecting safe connectivity is the core mission of cybersecurity. At its most basic definition, cybersecurity is about allowing or denying access to information. That is how information is protected. And while the extraordinary adoption of the Internet may certainly have been powered by recognition of the incredible benefits of connectivity, it comes with risk.
The triumph of collaboration and connectivity coded into the core of the Internet has been manipulated to attack it. As the connectivity of the early Internet broadened—and with it, new targets—so too did the breadth and depth of the attacks. Every cyberattacker has at least one substantial advantage. As Sun Tzu succinctly stated in The Art of War, “In conflict, direct confrontation will lead to engagement and surprise will lead to victory.” Threat actors can choose when and where to strike.
When they do attack, they strike from multiple places, focusing their multifaceted approaches on your points of weakness—discovered through relentless attempts to breach the infrastructure that houses whatever data is most valuable for their own intent.
Each attacker may learn from other attacks about what worked, what didn't, and where the valuable data resides. This is one reason attackers often hold an advantage over defenders.
An integrated defense—a staple of high-end security strategies in all other areas and fields of protection—is an often-neglected cybersecurity fundamental. Too many point solutions offer insufficient defenses that leave the network vulnerable once penetrated. Maginot Line–style defenses, no matter how sophisticated, that focus only on keeping attackers out of the network are doomed to fail just as their namesake failed in 1940—only much, much faster.
The necessity of connectivity mirrors the importance of speed in cybersecurity: Less integration creates more vulnerabilities. For effective cybersecurity, defenders should take the same integrated approach as the architects of the early Internet did (and the attackers who soon followed). The architecture that underpins security must match the cooperative fabric of flexible integration mechanisms of the Internet as a whole. Cybersecurity architects must design security that leverages the connectivity of all defensive components. By leveraging the connectivity among defensive components, defenders can field an entire team of security players from within and beyond their organizations.
Just as security must utilize and enable speed, it must also have and empower strong connectivity.
With properly designed security, defenders can achieve the core mission of cybersecurity: Enabling and protecting safe connectivity and allowing or denying access to information. Defenders who adopt such an integrated defense will gain an advantage.
MANAGING THE INTENSIFYING CONNECTIVITY OF THE IOT ERA
Brian Talbert, Alaska Airlines
Over the past several years, the reach, scale, and depth of digital connectivity has intensified so dramatically that it has fundamentally changed our conceptions and definitions of what being connected even means.
While many outside the fields of security and information technology still talk of greater levels of digital connection in the context of human beings communicating with one another, chief information security officer (CISOs) and their teams understand that that is merely a small, visible ripple on the very surface of today's hyperconnected world. Things and machines connecting with each other is the bigger picture of connectivity—which gets exponentially bigger each day and now borders on the immeasurable and the unimaginable. And, as many IT teams can attest, it is also increasingly unmanageable—at least by people alone, anyway.
That's because, as the Internet of Things (IoT) grows, the majority of connectivity today occurs between devices. With aims of greater efficiency, cost savings, and convenience, everything from cameras to lightbulbs to household appliances is being augmented with digital capabilities, allowing these things to connect to the Internet and to each other to share relevant information.
It is a level of new-normal functionality that creates a momentum powered by consumer demand: As more smart devices are manufactured, more people come to expect a new device to have that capability. And more companies scramble to enhance their product lines with technology—whether or not they have experience with it.
Today, the IoT comprises more than 8.4 billion devices—with a projection of 20.4 billion deployed by 2020.
What consumers and manufacturers often don't realize, though, is that the convenience of IoT devices comes at a cost. And that cost is a significant one: A vastly expanded attack surface comprising millions of devices with minimal security—manufactured by companies with little experience in securing digital technology.
Many IoT devices can be easily compromised to gain access to a network, or they can be chained together to create a huge increase in attack power. Layer in cloud services for managing these devices, and what results is a level of vulnerability that is ripe for attack. Because of the minimal security of the devices themselves, that attack can be incredibly destructive with little expertise required. You don't need to be a civil engineer to topple dominos, and you don't need to be a master cybercriminal to harness the IoT into a botnet.
Take the Mirai botnet, for example. In October 2016, a massive denial-of-service attack left most of the East Coast of the United States without Internet access. The attack was so large and so disruptive—a digital tsunami of 1.1 TB of data per second—authorities first suspected it was an act of war by a rogue state or enemy nation. It turned out to be a couple of college kids with novice-level hacking skills and the desire for more competitive advantage in Minecraft.
And that gives an indication of the scale, power, and risk of today's landscape of connectivity.
Mirai harnessed the combined power of IoT devices—specifically routers, cameras, DVRs, and printers—by scanning for open ports, then taking over the devices with a few lines of code that cycled through 61 common unchanged default passwords. In the first 20 hours, it captured 65,000 devices—doubling the amount every 76 minutes, growing to a peak of up to 300,000 infections. All told, 164 countries were hit.
As the IoT continues to spread, IT teams are now faced with two primary connectivity challenges within their organizations. They must contend with devices brought in by casual end users, such as connected speakers that someone puts on their desk. And they must also secure business-use devices such as security cameras, office equipment, and facility equipment.
As enormous a challenge as this presents, it is important for IT teams to recognize that for the most part people are not using these devices with disregard for security. It is a new technology, and people simply don't know the risks it presents. Still, regardless of intent, IT has
