Although President Barack Obama made only a passing reference to cyberthreats in his State of the Union speech on 28 January 2014, the almost daily instances of high-profile (and mostly successful) cyberattacks on U.S. commercial and governmental organizations demonstrate a growing threat in the borderless digital landscape. From Target and Neiman Marcus to popular web services such as DropBox and Drupal – in addition to government agency websites – the number of compromised organizations continues to grow.
Cyber – A Growing Threat
In 2012, during a speech at the Intrepid Sea, Air, and Space Museum in New York, then Defense Secretary Leon E. Panetta warned of a “cyber Pearl Harbor that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.” He was referring to simultaneous cyberattacks coupled with physical attacks on the nation’s critical infrastructure and military that could devastate U.S. operations. Such a scenario was once thought of only as a compelling story for movies or television shows, but the U.S. government, corporate leaders, and the public at large are recognizing its real-world implications.
Cisco Inc., a multinational corporation headquartered in San Jose, Calif., noted in its 2014 Annual Security Report the continuing growth in cyberattacks against the infrastructure of the Internet itself – including data centers, web-hosting servers, name servers, and large Internet-supporting corporations. Cisco’s monitoring of suspicious traffic from some of the largest multinational organizations shows evidence of ongoing internal compromise, meaning that network penetrations have gone undetected over long periods. The report described the evolving cyberthreat in 2014: “Simple attacks that caused containable damage have given way to modern cybercrime operations that are sophisticated, well-funded, and capable of causing major disruption to organizations.”
After attacks on the electronics industry, the next four highest “industry vertical” malware attacks occurred in the agriculture and mining, pharmaceutical, energy (including oil and gas), and aviation industries, demonstrating that attacks are originating from an organized and mature cybercriminal network. Chief Security Officer John N. Stewart noted in Cisco’s report that all organizations need to improve cybersecurity using tools that include “verification through certified products, integrated development processes, [and] innovative technology,” while making it a priority to “verify the trustworthiness of the technology products they use and the vendors that supply them.”
Of course, the ability of organizations to implement these strategies is wholly dependent on human resources with the talent and training to do so. Unfortunately, Cisco noted in its report that, “The sophistication of the technology and tactics used by online criminals, and their nonstop attempts to breach network security and steal data, have outstripped the ability of IT [information technology] and security professionals to address threats.” More troubling is Cisco’s estimate that there is a shortage of approximately one million security professionals with up-to-date skills in computer science, adding that, “Most organizations do not have the people or the systems to monitor their networks consistently and to determine how they are being infiltrated.”
The University-Government-Private Sector Connection
This growing threat highlights the critical need to create the security workforce of the future, both in terms of skill and in the sheer numbers of professionals available to support government and industry. Universities are paying attention to this need; corporate and government agencies are even enlisting universities to improve the knowledge, skills, and abilities in cybersecurity of the next generation of graduates.
The University of Maryland’s Cybersecurity Center (MC2) is one of many new university-based organizations building programs in partnership with government and industry to develop the future cybersecurity workforce through undergraduate and graduate programs, including a master’s program that offers mostly evening classes designed for practitioners. Director Jonathan Katz stated in a phone interview on 7 February 2014 that the focus today is, primarily, on research that can be used to develop future standards. However, he recognizes the ultimate need is for “mandatory standards” with “consequences for breaches,” adding that, although Target’s reputation may suffer from the loss of client data, they may not have any actual legal exposure under current federal law.
Carnegie Mellon University’s Cylab in Pennsylvania is another successful partnership between higher education, commercial, and government organizations working collaboratively to close the “talent gap,” while at the same time increasing awareness and understanding of current and future cyberthreats among students and practitioners. The National Security Agency (NSA) has recognized Cylab as a Center of Academic Excellence in Cyber Operations, thus helping to protect the nation’s infrastructure through the development of cybersecurity professionals.
A PBS NewsHour story released on 19 January 2014 highlighted Cylab’s partnership with NSA, including NSA’s engagement of Cylab students to develop a computer game to help high school students develop hacking skills, thereby getting even younger students interested in cyberprotection. In October 2013, Cylab joined an alliance between the Army Research Laboratory, Penn State, the University of California (Davis and Riverside), and the University of Illinois to increase cyberthreat detection, manage risk, and achieve the maximum cyberprotection benefits at the lowest possible cost. Although one aspect of the multiyear effort is to support the development of future system capabilities that can automatically respond to attacks, human intervention and decision-making will always be required.
In addition to university-based programs, other continuing education organizations also are putting cybertraining at the forefront of their offerings in order to meet the need for cyberindustry talent. The SANS Institute has been offering computer security for more than 10 years, including online and classroom trainings on topics including hacker techniques and incident handling to classes focused on students acquiring Global Information Assurance Certifications (GIAC) – for example, GIAC Security Essentials Certification (GSEC). Other professional training organizations, such as the ITT Technical Institute, offer formal degrees and individual training events in cybersecurity and information security. These organizations recognize the training opportunity that the cyber “talent gap” represents.
Legislation & Personal Motivation
On 30 January 2014, U.S. Senators Dianne Feinstein (D-Calif.), John Rockefeller (D-W.Va.), Mark Pryor (D-Ark.), and Bill Nelson (D-Fla.) introduced the Data Security and Breach Notification Act (similar to legislation introduced in prior years), which: establishes security standards for corporate databases where confidential information is stored; requires strict consumer notifications following breaches; imposes civil penalties for violations of the law; and imposes criminal penalties for corporate personnel found to be deliberately concealing such breaches. On 4 February 2014, Assistant U.S. Attorney General Mythili Raman testified in support of the legislation and similar proposals previously recommended by the Obama administration to strengthen the existing Computer Fraud and Abuse Act.
Separately, in the U.S. House of Representatives, a bipartisan group of members has been working on a new Cybersecurity and Critical Infrastructure Protection Act (HR3696) designed to consolidate and strengthen civilian cybersecurity authorities within the Department of Homeland Security and rename the National Protection and Programs Directorate to the “Cybersecurity and Infrastructure Protection Directorate.”
On 12 February 2014, the Obama Administration, through the National Institute of Standards and Technology (NIST), released a new voluntary Framework for Improving Critical Infrastructure Cybersecurity, designed to strengthen the security and resilience of critical infrastructure through an expanded cooperation between government and the private sector. The Framework incorporates a risk management approach and provides examples on how organizations can implement strategies to identify and work to mitigate cyber threats. The Framework, based on a year-long collaboration between the White House and industry representatives, also seeks to establish a common vocabulary for cybersecurity risks, which should be helpful to the education community when developing new cyber curriculums.
The recent high-profile data breaches at Target and Neiman Marcus may provide sufficient incentive for Congress and the Administration to secure passage of one or both pieces of legislation. All that will be needed is the human capital to implement it. Fortunately, the bells are ringing for students young and old who are interested in learning more about cyber.
Rodrigo (Roddy) Moscoso
Rodrigo (Roddy) Moscoso is the executive director of the Capital Wireless Information Net (CapWIN) Program at the University of Maryland, which provides software and mission-critical data access services to first responders in and across dozens of jurisdictions, disciplines, and levels of government. Formerly with IBM Business Consulting Services, he has more than 20 years of experience supporting large-scale implementation projects for information technology, and extensive experience in several related fields such as change management, business process reengineering, human resources, and communications.