The Need for New IT Security StrategyFBI Leader Highlights Current Critical Flaws, Solutions
Cybersecurity threats and concerns are so great that the FBI recognizes its falling behind on the problem. So what needs to be done to hold back the flood of cyber criminals? FBI cybersecurity leader Steve Chabinsky has some ideas.
Chabinsky, deputy assistant director of the FBI's Cyber Division, hears this notion by many that it's getting "darker and darker out there," referring to cybersecurity. And with the Federal Bureau of Investigation constantly being looked at as a security leader, it's time to reassess what needs to happen to mitigate the risks to the public and private sector.
"What it ultimately is about is deterrence," Chabinsky says in an interview with Information Security Media Group's Eric Chabrow [transcript below]. "If the bad guys know that you can catch them, it stops most of them."
But that's the problem, he says, as most organizations continue to turn to tools and processes to protect themselves, not looking closely at hardware and software that can be modified anonymously. "It invariably comes down to the fact that in this environment, the bad guys haven't consistently been seeing the penalties," he says.
Risk management and security continue to take a backseat to technology innovation, and as significant security concerns remain within software and hardware, critical infrastructure in turn remains highly vulnerable.
So, what needs to happen? According to Chabinsky, support needs to be gathered among organizations, businesses and government who need to come together as a consortium to address these issues and improve critical infrastructure security, while at the same time encouraging innovation.
"Because of the interoperability issues, because you have appliances and networks and standards and operating systems that have to talk with each other, it's a complicated business to think about alternatives, to start thinking that way," he says. A consortium, he argues, is definitely needed to wade through the complexities.
In the interview, Chabinsky explains why:
- Market forces drive information security rather than risk management;
- Assailants feel they can get away with digital assaults;
- Fostering discussions on alternate architectures for the Internet could prove crucial as organizations move to cloud computing.
As deputy assistant director, Chabinsky helps manage all FBI domestic and international investigative and outreach efforts focused on protecting the United States from cyber attack, cyber espionage, online child exploitation, Internet fraud, intellectual property rights theft and other high technology crimes.
Chabinsky also has served as acting assistant deputy director of national intelligence for cyber, chairman of the National Cyber Study Group and director of the Joint Interagency Cyber Task Force. In these roles, he led national intelligence efforts to coordinate, monitor and provide recommendations to the president regarding implementation of America's cyber strategy. Prior to his Office of the Director of National Intelligence tour, Chabinsky served as chief of the FBI's Cyber Intelligence Section, where he organized and led the FBI's analysis and reporting on terrorism, foreign intelligence and criminal matters having a cyber threat nexus.
ERIC CHABROW: What is an alternate Internet and how would it work?
STEVE CHABINSKY: That's a good question and I think that when we discuss this, I would prefer to talk about alternatives. I don't think there's really an alternate Internet that's just waiting to be designed. What we're really trying to do is foster a dialogue about alternative architectures. Right now, I think that it's fair to say that notions of risk management and security are playing second seat to notions of first-to-market. We have a lot of examples where software and hardware are hitting the market with significant security concerns that are acceptable to some users, and for some uses, but really entirely unacceptable for users and uses, like in the critical infrastructure or in a company's trade secrets or the government's classified secrets.
So when we talk about alternative models, what we're really trying to discuss is whether or not protocol design is taking into account the full risk spectrum, and the full risk spectrum includes threat mitigation. And not to put too fine of point on it, I don't know of any security model, meaning in those instances where security is paramount, I don't know of any security model that can work without being able to determine who the bad guy is.
Right now, what we're seeing is the predominance of security in the Internet or in technology security - to even broaden the concept more - focuses on vulnerability mitigation. Vulnerability mitigation is important. You have to make sure that your systems are as clean as possible, that software is patched. You have to look at the end-to-end protocols for allowing different people on your networks to have identity management privileges. That's all very important. The discussion that really needs to take place, not just in the United States, but globally, is how much are we going to consider issues of assurance and attribution in protocol design in line with the overall communication architecture, so that if someone does try to break into a system, it's noticeable that it occurred, and it's possible to determine who did it; and in that manner, be able to have threat deterrence.
Successful Security Models
CHABROW: I'm trying to visualize this in a way, because you're talking about different alternatives; you're talking about architecting a network of some sort. Would this be something that would be on top of the existing Internet, or would this be something entirely new, and how do organizations go about doing that?
CHABINSKY: Well I don't think that it would be entirely new. And I don't think that would be a helpful model. Ultimately, the most successful models in how you go about doing it are going to respect innovation and competition and ensure trust and security at the same time. So you want interoperability, you want to come up with standards that could be easily deployed by the greatest number of users who have that demand.
One of the notions is that really this challenge is not meant internally for the FBI. Actually, I don't know that it's meant for the government at large, although I'm sure that research and development money would be important. But ultimately, it's the technologists and the economists, not dissimilar from the way the Internet grew originally. There were just different success measures when the Internet was originally conceived. When the original planners of the Internet were looking at network design and protocols and architectures, they were doing their best to ensure that systems of different manufacturers - there weren't even operating systems even back then - the modeling that was being used to operate those different systems ... were all proprietary, that these different networks could actually speak with each other. So this notion of interoperability was paramount.
Over time, there were other issues that became predominant in the research and development area of the setting of protocols, with interoperability always remaining paramount, but then bandwidth and speed becoming similarly paramount. And the areas of security, what tended to be the central themes were confidentiality, integrity and availability. Those were the common themes of security, but really what had not been a driving force in security were the notions of assurance, or trust, and attributions.
So what we're left with today are a number of increasing victims, some in very prominent businesses that are well resourced, so this is not just a problem for the little guy. It's happening for very well resourced companies and agencies, where they don't even know that their software or hardware has been modified. This notion of assurance really means that you can have trust in your software or your hardware or your data. That's not in the driving force of security, so a lot of software and hardware that are manufactured that goes through the paces to ensure that it does what it's supposed to do, it doesn't go through the paces to ensure that it doesn't do that which it's not supposed to do, and that those events would be observable - what the anonymous activity would be. So that's the assurance issue, and the attribution, of course, being that if you know something has been intentionally interfered with or changed, you'd be able to get back to ground on who did it.
And what our experience has been, and why we want this dialogue to be fostered, is that we're recognizing that vulnerability mitigation has not been an effective strategy for a lot of highly secured - or those systems that need to be highly secured - users and uses. So we asked ourselves, "Why not?" And it invariably comes to the fact that, in this environment, the bad guys haven't consistently been seeing the penalties that are driven by attribution.
A way to look at it in the physical world is with intercontinental ballistic missiles. If you would think of a missile striking any major city in the world, think about how likely or unlikely these scenarios would play out if governments couldn't tell the trajectory of the missile, where it just lands and you have no idea where it came from. It essentially gives your adversaries free bites at the apple, this ability to attack, and the consequences are minimal. In response to that threat, all you do is vulnerability mitigation, [trying] to make sure that the missile doesn't get through, or create some force field. You're essentially telling the adversary that you could try all day and all night; you could try to escalate your measures so that they outpace our defenses. At the end of the day, that typically works where it's easier create an offense for a defense, and as many times as you try, the worst case scenario, is that you're just not successful. The worst case scenario is not that you'd be caught and that they'll be some justice; it seems to most people that a world in which threat actors are not deterred has enormous consequences to our stability.
I think the nuance here is that it's not the same for all uses and users of the Internet. The risk model, the cost-benefit analysis that's being done today, where you have early adoption of new technologies actually is working for some uses and some users of the Internet. So it's not as though the Internet as it exists now isn't following market-driven principles for certain uses and users. The real problem is the efficiency and effectiveness of today's networked environments has become so enticing to other areas. The Internet was never envisioned to support these highly secured models that we're seeing on those edges, where this is an unacceptable result for certain businesses and certain agencies.
When you say, "What would it look like," I'm tempted to say, "I don't know." But there are technologists and economists that I believe that if that were the goal that they were after - this notion of highly secured models and architectures that allow for assurance and attribution - if success was measured by those types of results, invention and innovation would answer those questions. Because as much as it did with today's Internet, where you're driving towards makes a difference, there was time - only 40 years ago - that people could have never envisioned how wildly successful the Internet is. There were a lot of naysayers back in those days that it would be too expensive, or wouldn't work. But when people put their minds to it, and understood what success looked like, what the goals were, what the standards were that they were seeking to build towards, things got done. And I think that this notion again, that even models of high security that have assurance and attribution are not inconsistent with notions of innovation, competition and interoperability. One can have free and open standards for assurance and attribution, where everyone drives towards that goal for certain users. This is not only possible, but, perhaps, becoming more likely in today's environment of cloud computing, where society is growing to rely less on creating their own solutions, and more on adopting frameworks that are being paid for through a commons of users. The economic model of cloud computing really could support this notion of driving alternative architectures.
CHABROW: Do you see any type of organization or groups of businesses and government getting together to do what you're suggesting here?
CHABINSKY: I'm hoping that's what will happen. I haven't seen a drive towards that yet, and I think only because it hasn't been placed at the forefront of cybersecurity efforts. To date, all of the cybersecurity efforts have been focusing on vulnerability mitigation. If the notion of threat mitigation and threat deterrence, and assurance and attribution, were put on the international agenda of security, most certainly it would have to involve the private sector and government agencies. In fact, it might not have to involve government agencies. I give a lot of faith and confidence that there are a lot of market-driven solutions here, that the market actually - for certain users and uses - wants this. They don't know where to go. It hasn't been available to them. I think that the market could drive this, but the problem is that the solutions in the space, because of the interoperability issues, because you have appliances and networks and standards and operating systems that have to talk with each other, it's a complicated business to think about alternatives, to start thinking that way. In order to get this done, it really will require a consortium.
CHABROW: Why is the FBI interested in this and do you see a role for the FBI in this consortium?
CHABINSKY: The FBI's interest is to let the population know what it's seeing. People rely on the FBI and other government agencies for their security. That's appropriate. But what's also appropriate is for the FBI to let the public know when it's falling behind on a problem. So what we're seeing in the FBI is an increase in growth of cyber victims. We're seeing, at the same time, an increased reliance on technology-enabled products, all the way down to bio-medical devices that allow for remote diagnostics, and we're seeing that the FBI and other law enforcement agencies are - what we would call - becoming less effective. And there's this notion that it's getting darker and darker out there, that our visibility into what the threat actors are and our ability to get back to them, especially in those areas where financial motivation is lacking, is getting harder in this space. And I don't think that surprises most people when it's told. But I think that it needs to be told. I think that there's that level of transparency. It would be, I think, more routine for agencies not to show or discuss where things are getting more difficult, but I don't think that's in the public's interest.
The FBI's equity here is that we've been given this enormous mission and trust by the public and through Congress and the President - through the establishment of laws - that we're supposed to execute a number of those laws. And the criminal codes are being violated daily by people who are misusing the cyber environment; and our ability to prevent and respond to those types of crimes are becoming increasingly more difficult, and that trend appears to be continuing. The public, I think, is at a crossroads where we really have to start discussing - in a very nuanced way - where this type of security matters and where it doesn't, and where we want government capabilities to be enhanced, and where we don't.
But also, I would say that it's not just about enhancing government capabilities. Because what it ultimately is about is really deterrence. And if you have proper deterrence, if the bad guys know that you can catch them, it stops most of them. And so, it's not about the government having more capability in actuality if it doesn't have to use it, because it cuts down a lot of the crime problem. But that capability has to at least exist, so that the bad guys don't continue to act like this is the heyday of crime and espionage, and of course, there are people who are rightfully discussing that the Internet and networked communications are not just the province of spying and crime, but also are the next battle space. That is becoming increasingly destabilizing.
I've spoken with a lot of people that share this concern, but there's always going to be a group that looks at this as fear-mongering, that will say that if it's as bad as you're saying, how come it hasn't happened yet. I would like to have the luxury to be able to wait for things to get that bad before I start talking about the issues that we're facing, but we don't have that luxury, and we shouldn't. Our job [at] the FBI, and appropriately so, is to let people know, and to prevent issues. I'll never forget: the 9/11 Commission Report very strongly stated that one of the failures on September 11th was the government's failure of imagination. And when I read the papers every day, and I see what's happening, it doesn't even take imagination for me to recognize what the art of the possible is, and also to recognize that criminal groups of modest sophistication are having enormous impact. When you see that often enough and you see our vulnerabilities expanding by continued rapid adoption of less-than-secure platforms, it's time to speak out, and that's what we're doing.