BY HAROLD RAVECHE AND MICHAEL WYNNE, OPINION CONTRIBUTORS
February 9, 2017
Making the U.S. “cyber safer” is a multidimensional, long-term challenge. Threats are varied, they are inexpensive to carry out and can originate from anywhere. The perpetrators can hide or camouflage their identities. Motivations vary from seeking classified military and intelligence data and intellectual property of businesses to theft of personal identities and executing illegal financial transactions or simple vandalism.
Prosecution of cyber criminals is difficult, as they are digitally elusive, often working their trade with near complete anonymity. Laws differ around the world, making a coherent effort against cyber criminals a complex problem. Hackers have proven to be increasingly successful in piercing current software-based security measures, with developing evidence pointing to the Advanced Persistent Threat. Some are state sponsored, while others operate alone and in rogue groups. WikiLeaks and the recent hacking of Secretary Clinton’s email serve as a reminder that hackers are also disruptively opportunistic.
The explosive global use of mobile apps, chat groups and social media offer hackers new gateways to obtain sensitive organizational as well as personal data. Suppliers of look-alike WiFi connections use their signals to gain entrance to mobile devices. Even technologically sophisticated companies such as Apple, Facebook and Twitter have been hacked. Last year, Yahoo announced that it had previously suffered attacks wherein one billion active user accounts were compromised. Also in 2016, Hewlett Packard Enterprise Services reported to the US Navy that one of the company’s laptops was breached, revealing the personal identities of more than 134,000 current and previous sailors.
In 2013, the Wall Street Journal reported that $100 billion may have been lost by US companies due to cybercrime. The Center for Strategic and International Studies estimated in 2014 that $445 billion may have been lost in the global economy. In January 2016, Forbes estimated that by 2019, as much as $2.1 trillion may be lost by the world’s consumers to cybercrime.
Technology alone is not sufficient to make cyber safer, as evidence mounts that Cyber Hygiene can be a very large issue. Snowden’s work, with damage to national security that is incalculable, was primarily a fault of sloppy policies for insider threats. The same applies to Bradley (now Chelsea) Manning, who was convicted of espionage for revealing sensitive military information.
Data from the U.S. Office of Personnel Management was hacked. As a result, our government was forced to warn 21.5 million current and previous federal employees, including military and intelligence personnel, that their personal identities may have been stolen.
Joint Chiefs Chair General Joseph Dunford and Army Chief Mark Milley warn that cyber attacks are serious threats to secure military operations. An Army test-exercise had to be shut down due to a ruse involving a thumb drive. Director of National Intelligence James Clapper warned in Congressional testimony that “Foreign Intelligence Entities continue to quietly exploit our nation’s public and private sectors in the pursuit of policy and military insights, sensitive research, intellectual property, trade secrets and personally identifiable information.”
The path forward
Educational policies are needed at the local, state and federal levels to inform, enlighten and convert anxiety to more careful use of the Internet.
With social media usage beginning as early as grammar school age, cyber education should start in the 6th grade. Just as driver’s ed prepares high school students for safer driving, “cyber ed” will better prepare them for safer use of the Internet. Community colleges should include cyber awareness courses for adult education in the evening.
At the college and university levels, cyber education can be offered as a one-credit elective, as is often done for physical education. In this way, we better prepare our citizenry for continued growth of mobile apps, social media and what is certain to become the use of cell phones for banking. Importantly, cyber education grooms a new talent base for careers. The Internet of Things has already arrived, and enjoying its benefits might prepare us for the downside.
More educational policies are needed. Our nation’s federally sponsored service academies, West Point, Annapolis and Air Force, should offer majors in cybersecurity, as they do in engineering. The National Guard should be trained in cyber, just as they are trained for disaster relief.
If we are to reap the many social and economic benefits of “work at home,” training and technology for safer use of the Internet will make a difference. Such initiatives could also give regions of the U.S. a competitive edge in winning more jobs for call-centers and business process operations.
There is a national shortage of talent in the important field of cyber analytics to push the science of informatics and cyber investigation. Companies are turning to post-high school students, with two years of cyber technical education, for on-the-job training and financially rewarding careers. This is an excellent opportunity for inner-city high schools to offer non-college bound, and so-called at-risk students, hope for good-paying jobs beyond the fast food industry.
Tax policies and regulatory relief are needed to encourage business and industry aggressively to improve their cybersecurity capabilities. They often face sunk cost issues for changing IT resources. Corporate stagnancy is a sure path to being hacked, as hackers are ever more skilled in penetrating software approaches to cyber protection, which points to the requirement to address integrated circuit hardware in conjunction with software. Tax credits for plant infrastructure and R&D are needed to spur continuous corporate and infrastructure spending in defending against ever-more skilled cyber criminals.
More promising approaches to cybersecurity are coming from startups and new enterprises. Current and highly cumbersome U.S. government procurement practices and certification processes are major barriers for the small, agile suppliers who have neither the time nor the resources to fight their way through lengthy and bureaucratic procurement practices, as do the major prime contractors.
If government agencies want to improve cyber capabilities, they must rapidly improve their anachronistic practices. President Trump and our Congress must reform government procurement now to encourage America’s techno-entrepreneurs to develop out-of-the-box and more effective cyber technologies. Small grants to encourage bold approaches and applications will help. These entrepreneurs also need patient investors who are not fixated only on short-term gains.
Effective technological strategies for cyber security are multifaceted and not limited to acquiring the latest anti-virus and malware protection. Specialists in security analytics are needed to enable organizations to develop and enforce effective cyber practices, such as limiting the use of USBs and access to proscribed email addresses, and to also analyze data for insider threats.
Expertise in deep, and within limits, active, analytics is critical to better understand who is hacking and what they are hacking for. More pinpoint geo-location technologies are necessary to more narrowly identify the locations of hackers. Redaction methods are required to allow corporations and government agencies to share only specific information and data while protecting privacy and conforming to the law. As demand for mobile Internet access grows, technologies to ensure the integrity of WiFi sources become more necessary.
America can become cyber safer with a multidimensional strategy, encompassing education, a diverse cadre of experts, tax incentives, streamlined government procurement and encouraging techno-entrepreneurs to develop the next cyber generation software and hardware defensive technologies.
Harold J. Raveché, Ph.D., is president of Innovation Strategies International, Leader of Global Markets for Janus Technologies, and a former president of the Stevens Institute of Technology. Hon. Michael W. Wynne served as the 21st Secretary of the U.S Air Force. He also served as Under Secretary of Defense for Acquisition, Technology and Logistics under President George W. Bush.