Deciphering an Evolving Threat Environment
Frank Cilluffo at the Center for Cyber & Homeland Security is striving to bring a little science to the art of decision- and policy-making.
The Center for Cyber & Homeland Security at George Washington University in Washington, D.C., is a “think and do tank,” says Frank Cilluffo, its director. “We try to ground our policy and research in a practitioner-focused environment to provide those on the front lines with the knowledge and ammunition to defeat some of these threats.”
For example, the Center hosts dozens of seminars and meetings a year with global and national security and policy leaders, conducts joint case studies and research with Europol and other agencies, and provides guidance for private sector security leaders, law enforcement and policymakers about the real threats facing American interests in the world today.
Security magazine sat down with Cilluffo for a series of discussions about the state of cybercrime, terrorism and how the evolving threat landscape is impacting private enterprises.
Security magazine: How are cyber threats evolving right now, and how can enterprise security leaders be proactive?
Frank Cilluffo: Increasingly you’re seeing cybercrime converging with traditional crime as well. If it’s happening – good or bad – in the real world, it’s got an analog in the virtual world, and increasingly those two are converging. Obviously the Internet of Things, the Internet of Everything, will play a major role in providing exponential connectivity in the 40-something billion devices connected in the next few years, but that also means you’ve got a massively expanded attack surface, and the need to get security right – where it’s not just a footnote, where it’s not just a bolt-on after-the-fact, but actually to design systems that are relatively cyber secure – is important.
I think that when you look at the threat spectrum, it comes in various shapes, sizes and forms. Obviously at the very high end of the spectrum are nation-states. Not all nations are created equally; some are more capable than others, some have greater intent than others.
But think of it this way: how many companies went into business thinking they have to defend themselves against foreign intelligence services? Not many, and that is precisely the unleveled playing field we’re dealing with now, both with intelligence-collecting purposes and attack purposes.
The threat comes in all shapes, sizes, flavors and forms. What we are having a hard time with – starting at the time of an incident – is attribution, to know who’s behind that clickety-clack of the keyboard. The most sophisticated actors are going to use all sorts of conduits and proxies to stymie investigations, and nation-states are increasingly invested in this business, and I think it’s a pretty unfair playing field for businesses to have to defend themselves against these actors.
How does this knowledge affect policymaking?
Cilluffo: I feel like conducting “business as usual” and following the status quo is doomed for failure. It’s inherently reactive, and unless we bring some new energy, some new thinking and some new authorities to this fight, we’re at best going to be reacting to a threat that keeps changing. We’re never going to build high enough walls, protected with wide enough moats and locked with big enough locks; it’s doomed for failure. It’s reactive, and we’re never going to get ahead of the game. We’ve seen some major initiatives in terms of improving information-sharing, and we’ve got to redouble those efforts. But we’re also going to be seeing a place in time where companies can better defend their own systems, more proactively. I’m not advocating for hacking back, but I am advocating for a lot of steps they can and should take – some are technical; they should be able to tag all of their information (similar to dye packs on cash) and identify it if it appears somewhere it shouldn’t be… We should be able to get a little more creative in this.
I think one thing I’m excited about, which the Administration demonstrated in its recent executive order (on cybersecurity, released May 2017), is the need to articulate and demonstrate a cyber deterrence strategy. I think we’re at the early stages there, but that could have some very positive net effect.
When it comes to information-sharing, is there a model or example that has proven to be most successful?
Cilluffo: The FS-ISAC (Financial Services Information Sharing & Analysis Center), for me, is the gold standard for information-sharing. Any center is only as good as a) the information that is shared, and b) the trust that these entities have working with one another. The FS-ISAC has been light-years ahead, not because they’re doing it out of the goodness of their hearts, but because it’s hitting their bottom lines. It’s having a significant effect in their business.
The significance here is the big companies are spending money. JP Morgan spends $600-million-plus a year on cybersecurity. Let that sink in a little; that’s big money. And they have well over a thousand people devoted to cybersecurity. The big entities have the money, and they know they have to spend the money because they know their integrity, confidentiality and reputation rely on cybersecurity and on online operations. When you get to smaller banks, they’re much more vulnerable and susceptible.
Now all 16 of the Critical Infrastructure groups (designated by DHS) have an ISAC, but they’re not all as robust as the FS-ISAC. There are a lot of these initiatives, but what I think is lacking is a cross-cut – the interdependencies of all these infrastructures. If you secure all your banks, how do you do that without ensuring your telecommunications are up and running, your power is up and running, etc.?
The dependencies are complex, and what you need is an entity for these lifeline sectors in addition to their own centers. You can get an office, you can get a staff, but it’s all about sharing risk, sharing information and sharing trust. The answer is not just creating another center; it’s making sure they actually work.
We’re seeing more physical-cyber convergence happening in larger enterprises; do you feel that’s helping with enterprise risk management?
Cilluffo: Some of the most insightful U.S. companies have come to conclude that they can’t completely bifurcate their cyber team from their physical security team. Granted, they have very different needs, workforces and skills, but at the end of the day, they’re going to have to come together because this is an enterprise risk issue. There’s some good activity occurring, primarily in financial services, where you’re seeing the CSO and CISO converging and putting their shops under one roof.
Cybersecurity is an increasingly prevalent issue in every board meeting; you know directors that, for no other reason than to protect their own hides, are starting to ask lots of questions. Some moves to convergence have been internally driven, but some have been driven at the board level and C-Suite level because they want to treat it as a risk issue, which it is. What you’re really talking about is managing risk.
How are terrorism and cybersecurity intersecting?
Cilluffo: Many foreign terror organizations are using cyber and various forms of technology to recruit, to fundraise… There is concern about some terror organizations turning to cyber as a weapon, both independently (as a standalone cyberattack or disruption) and as part of their broader operational planning to include physical – using cyber to perform surveillance on targets and for communication purposes, and in a worst-case scenario to blind and deafen companies by taking down companies’ communications to stymie their ability to respond to a physical attack as well.
How is the physical threat environment evolving, especially in light of the recent attacks in the UK?
Cilluffo: Most of those who wish us harm would not attempt to defeat the United States tank-for-tank, plane-for-plane in a traditional war on a traditional battlefield. Obviously, our military, economic and political supremacy is too great, but they’re turning to terrorism to achieve some of their objectives.
Asymmetric threats of all sorts are front and center. Clearly, the terrorism threat is blinking red at the moment, notably in Europe, but obviously the U.S. is not immune either. The threat environment has changed to one extent or another. We’re dealing with a more decentralized threat, flat organizations that include homegrown, Islamist-inspired terrorism, and if you look at the global trends and trajectories, there’s been a huge spike in Westerners, foreign fighters, fighting alongside ISIS and jihadists in Syria and Iraq and elsewhere, and obviously the pace of the threat environment facing Europe right now is unprecedented, not only from foreign-directed threats but also by those inspired by ISIS’s grotesque ideology. So we’re dealing with a hybrid set of threats. Unfortunately, the threat environment is diffuse, it’s accelerating, and that is something we need to factor in, not just the government and the agencies responsible for countering terrorism but also the private sector.
What can the private sector do to prepare for terrorist incidents like those in Europe?
Cilluffo: Public-private partnerships matter more today than ever before. So if you’re a multi-national company, get to know the local security community, the local law enforcement leadership, and also try to plug in at the national level. Secondly, put in place response plans, inform your workforce on best practices in terms of how they can be protected should an event occur, but also put into place your own crisis management/incident response plans and try to plug into the local authorities over what their broader incident response plans are. Whether you’re dealing with natural disasters, whether you’re dealing with cyberattacks, whether you’re dealing with kinetic, physical attacks or terrorist attacks… you want to make sure your critical resources are protected and you’re as resilient as possible. And unfortunately, these situations are becoming more and more commonplace.
There are many technologies available now, from facial recognition to drones to AI, designed to help with counterterrorism. Do you think the future of counterterrorism lies in technology?
Cilluffo: The way you respond to these sorts of incidents demands the use of new technologies, but never to be a slave to technology. At the end of the day, nothing replaces the human being making the decisions and responding to these sorts of threats. I think we need layered defenses, I think companies increasingly need to turn to technology. If you look back to the horrific attack at the Ariana Grande concert (in Manchester, UK), sports arenas and the like increasingly need to not only prevent bad things from entering but also look at some of their exit plans, push their surveillance outward as well, consider the role of VaporWake dogs (trained service dogs that can identify IEDs, explosives, etc.) and the like.
Technology is part of the solution, but I wish it were as easy as having a silver bullet. A well-trained workforce; a company that has strategies and plans – and not plans that stay in a binder – that are trained, executed and real; planning for various scenarios in terms of tabletops and more from an operational standpoint… these are important. We need to be as adaptive as our enemies are.
Why is this all important information for a CSO to know?
Cilluffo: Whether it’s the chief security officer, the chief information security officer, or the men and women who work for these individuals, they’re on the front lines, and they’re also driving a lot of the strategy on how you respond to these types of threats. Making sure that they have a say, making sure that the communities devising these solutions are aware of their priorities and pain points is really important.
In addition to ensuring the government at all levels is doing all they can to defeat these sorts of enemies in the threat environment we’re facing today, our goal is to ensure they’re doing so in a way that the private sector is not an afterthought or a footnote in some of our plans. This community genuinely has to be part of the solution.
Who’s Attacking Us Now?
According to research from the Center for Cyber & Homeland Security, U.S. enterprises are facing cyber threats from four major categories of actors:
Nation-States: Can range in capability (Russia, China) and intent (Iran, North Korea), with targets ranging from physical damage to intellectual property theft to economic impacts and more.
Foreign Terrorist Organizations: Might not have enhanced, sustained cyberattack capabilities, but could purchase or rent attack tools from the Dark Web to use in a standalone attack or in conjunction with a physical attack.
Criminal Enterprises: Still primarily focused on financial services, but shifting toward health care fraud.
Individuals: Can include hacktivists or other individuals whose aim is primarily to embarrass or cause reputational harm to an enterprise or individual.