|Mary Jordan, Arati Prabhakar|
(Washington, DC) In the face of cybersecurity threats that seem to breed like bacteria, a conceptual fix is to speed up cybersecurity development to outpace the rapid-fire evolution in technology, the head of the Defense Advanced Research Projects Agency (DARPA) said today. Speaking at a cybersecurity summit hosted by the Washington Post, Arati Prabhakar, Director of DARPA, said "we are trying to wrangle this problem while the information revolution is exploding. The moonshot for cybersecurity in my view is to find techniques that scale faster than this revolution."
One key problem is that the Internet was developed--under DARPA's auspices-- at a time when the current kinds of security threats were unimaginable. If DARPA had a clean slate to rebuild the Internet to make it more secure, one concept would be to apply a biological model to network security, she said. "Under the hood there is a lot of diversity among individuals [s]o one attack cannot wipe out the human race," drawing parallels between the efforts DARPA spearheads to help the public health community outpace infectious diseases and its simultaneous efforts to develop automated cyberdefense systems.
The scariest cybersecurity threat is a potential take-down of the power grid. But that's an unlikely prospect for the typical IT hacker, Andy Bochman, Senior Cyber and Energy Security Strategist at Idaho National Laboratory, said. "The communication protocols and the types of processors and the amount of memory is often wholly different" for the energy sector's industrial control systems. "For the standard hacker, it would be a strange place."
Still, to the extent that power companies are putting into place new technology, there is a "tremendous opportunity" to minimize risk. "The more that electric utilities and stakeholders include security requirements into their RFPs, [t]hat gives signals to the manufacturers that what wasn't important before is suddenly something they should pay attention to," Bochman said.
It's unlikely that Congress will step in with its own solution during the upcoming lame duck session, Rep. Mike Rogers (R-MI), retiring Chairman of the House Intelligence Committee, indicated. "We have a very small window to get this done [pass a cybersecurity bill]," he said. "The political challenges in the Senate make the odds pretty high," with Rogers blaming the failure to pass a bill on "political tantrums."
Only 15% of networks are owned by the U.S. government and thus benefit from the cybersecurity protection of the military and various federal agencies. "By doing nothing in Congress, we are telling these 85% of private networks 'you are on your own,'" mainly due to the difficulties in sharing information between public and private groups, a knowledge gap that most cybersecurity bills aimed to minimize.
Meanwhile, the federal government is doing what it can to help raise the level of cybersecurity practices around the globe. Federal agencies are increasingly coming together to work with other nations in securing the necessary infrastructure against the "less deterrable" threat actors, such as Iran and Korea as well as terrorist organizations. "The good thing is that more and more countries are taking this seriously," Christopher Painter, Coordinator, Cyber Issues at the State Department, said.
Around 60 countries are looking to build cyber command operations, Eric Rosenbach, Assistant Secretary of Defense for Homeland Defense and Global Security for the Defense Department, said. The U.S. government is helping some of those countries, particularly in Europe and Asia, build that capacity. "There are a small group of countries that we are advising. [W]e only do it with our very closest partners, mostly because we want to make sure it's being done right."