The persistence of cyber threats carried out against U.S. governmental and military systems will increase over the next decade, and attacks are inevitable unless vulnerabilities are identified, according to Belfer Center for Science and International Affairs Senior Fellow Dr. James N. Miller, who spoke at a Brookings Institution panel on Tuesday.
The Brookings Center for 21st Century Security Intelligence held a panel on the topic of growing threats from cyber weapons, which was moderated by senior fellow Michael O’Hanlon and included Miller, Palantir Business Development Engineer Sam Jones, Deloitte Cyber Security Architect and IT Risk Manager Anil Ramcharan and Raytheon [RTN] Director of Government Cyber Solutions William Leigher.
Much of the conversation focused on findings from the Defense Science Board’s (DSB) “Task Force on Cyber Deterrence” report, published earlier this year in February.
Miller opened the discussion by stating three strategic problems that account for the DSB’s assessment that cyber threats will persist over the next ten years or further. These are combating malicious attempts along the lines of the Russian interference in the U.S. election or the Sony hack by North Korea, identifying major strategic vulnerabilities exploited by lesser actors such as Iran, and pushing the military to solve existing cyber vulnerabilities.
The DSB’s two-year report called for the creation and implementation of a major cyber deterrence plan over the next decade to combat significant cyber threats by tailoring specific responses to potential attacks, devoting Department of Defense resources to bolstering the cyber resilience of U.S. strike systems and enhancing the cyber foundation of critical infrastructure.
“We became significantly vulnerable because we took advantage of the information revolution, especially in our military,” Miller said when asked how the U.S. left itself open to potential threats in cyberspace. “As a nation we have been slower than I would like at addressing our cyber vulnerabilities.”
Raytheon’s [RTN] William Leigher, also a retired admiral, stressed the vital need for all branches of the military to meet cyber attacks with the same level of response that they give other potential threats.
“When I talk with engineers who aren’t the cyber engineers, they don’t give much thought that there’s a hacker out there trying to get into their system,” Leigher said. “You’ll find tactical action officers that also don’t consider cyber threats or responses to cyber attacks.”
Miller emphasized the three steps he views as critical to a coherent plan to prevent cyber threats. First, the DSB showed the importance of integrating diverse systems to shore up defense capabilities and make it harder to carry out cyber attacks. Second, governmental and military agencies must maintain a threshold for critical infrastructure that cyber-terrorists can’t penetrate. Lastly, the U.S. must develop a comprehensive policy for responding to cyber attacks.
In the long term, legacy information technology (IT) systems that weren’t built with security in mind have to be phased out and replaced, according to Palantir’s Sam Jones.
“The Department of Defense has to get really aggressive about modernizing,” Jones said, emphasizing that a goal must be to write more resilient code for the software used in these systems.
Anil Ramcharan from Deloitte discussed the shift from conventional warfare to threats made in cyberspace, where the target landscape is much broader.
“The norms of conventional warfare aren’t applied to understanding cyber attacks,” Ramcharan said. “With major cyber incidents, we can track them back to state actors but the attacks may have been carried out through a proxy.”
The rapid pace at which new problems are being created in cyberspace calls for a nuanced, tailored approach to threat response rather than a uniform one, according to Miller.
“Deterring China is not the same as deterring North Korea, as it is deterring Russia or Iran,” Miller said. “The cyber threat to U.S. critical infrastructure isn’t peaking, it’s just going up and up.”