Volume 2, Number 2

Five Issues in Cyber That Cause Sleepless Nights

For Bob Giesler, corporate executive agent for SAIC’s cyber programs, there are five main areas that keep him up at night, and they cut across all of the company’s business lines.

Whether it's national security, health solutions, energy and environment, or critical infrastructure, "SAIC's position on cyber," he said, "is bake it in early. You can't build a network anymore without cooking in security features."

It's only been very recently that cybersecurity has gained much of a foothold in the national consciousness, according to Giesler. "If you did a LexisNexis® search of the current literature, I think you'd find cybersecurity spiking massively in the last year. It's in the national consciousness now where it previously wasn't even in the public dialogue."

That previous lack of discussion was because, he said, businesses and government agencies "don't want people to know that their systems have been hacked or that they're vulnerable. The coin of the realm is trust." That pervasive silence "represses the market for security. If you don't see it, why would a corporate risk manager say, 'We need more resources for security?'"

Since the signing of the Comprehensive National Cybersecurity Initiative (CNCI) in January 2008, "the demand signal is going up. People are now talking more." For example, both the McCain and Obama presidential campaigns disclosed that their networks had been compromised last year. President Obama recently highlighted the penetration of his campaign's computer systems at a White House speech on cybersecurity. And it was recently disclosed that secrets of the F-35 Joint Strike Fighter may have been compromised.

That these security breaches are being discussed is the good news; the bad news is that there is no shortage of things to keep chief information security officers (CISOs) and chief information officers (CIOs) up at night.

Invisible heists that make the millions stolen in even the most storied robberies look like lunch money may already have cost the United States billions of dollars — or more. But that's not the only thing that keeps Bob Giesler up at night, as he explains here in his own words.

1. IP Theft

Theft of intellectual property, or IP, by foreign actors with or without state control is a massive, unseen disease, and if you don't talk about it nobody's going to start planning for it.

What people are going for in penetrating networks now is intellectual property. I think that's far more egregious, and far more of a concern for this country long term, than what you hear in the popular press about potential hacking of critical infrastructure. The theft of intellectual property is a current problem, and it's happening a lot. Intellectual property is hard to put a value on. It's hard to say that I lost X number of millions or even billions of dollars in IP, I think, because I haven't actually seen it leave.

Many times, when your network has been penetrated, you don't know what's been lost. In the current state of the practice, good network hackers will encrypt everything they steal. All you will know, in the best case scenario, is that they stole a petabyte of data, or a terabyte of data, or a gigabyte of data. But you'll have no idea what they really stole, because it's encrypted on the way out.

If you talk to senior officials in the Department of Defense or Homeland Security, their number one concern, the thing that keeps them awake at night, is not attacks as they're characterized in the press. It's the loss of the information. And even worse, not even knowing what was stolen.

2. Cyber Threats to Critical Infrastructure

Somewhat more distant, but no less real, is the threat to critical infrastructure, although it's not nearly as great in its capacity to damage the national economy as the loss of IP. I would say that in the next several years, the Smart Grid (the nation's next-generation electric power grid) will become the largest concern in cybersecurity, and that's because everything will be connected — demanding that we design in cybersecurity before devices are deployed to the field.

Smart Grid is a blending of IT, energy infrastructure, and cybersecurity. What is starting to happen with Smart Grid is that you're going from [utility] companies that are old iron, with largely proprietary control systems that only current industry personnel understand. Very little of it is connected today. Once the industry starts to standardize, you will find that these companies will transform from old iron to IT companies, and revenue will be based on how well they execute their IT architecture as opposed to just pushing energy downstream to the consumer.

You'll start seeing devices with built-in command-and-control nodes to communicate with the grid. You'll start seeing renewable energy sub-networks communicating with the grid so that they can, on demand, either start or stop supplying energy to the grid. So there's going to be a massive amount of data flowing both up- and downstream. And how you secure that data is going to be critical. You have the potential for massive fraud, the potential for massive disruptions and network outages, the degrading of performance of critical systems, because it's not only going to be talking [and listening], it's going to be commanding as well.

If we don't get security right at the design phase, and we go about it as we traditionally have, applying it after the command-and-control capability is delivered, then we're going to find that there are massive holes.

With the company's expertise in IT, energy infrastructure, and cybersecurity, I think the ability to address all of those simultaneously will be a discriminator for SAIC in that market.

3. Data Integrity

I don't think people often realize just how much data they depend on every day. A hacker doesn't have to jam the network if all he has to do is convince a commander, or somebody who needs that data, that he can't trust it anymore.

In addition to IP theft, the other thing that keeps military planners awake is data integrity. You can very easily affect behavior if a person who has normally trusted data suddenly questions whether it's legitimate. If you were told to deliver 400 tanks to a seaport of debarkation in Seattle, for instance, and that data gets flipped, and instead that train is delivering it to Houston, where there are no ships waiting for it, pretty soon you're going to say, I'm just not going to use my network. That's a very real concern.

I can't take down the whole air traffic control system, but what happens if I can get into one operator's radar data and show an airplane where it isn't? Once trust in the data is lost, then all data and all services that depend on the data have to be questioned. They effectively have to drop the entire air traffic control system and manually start controlling 5,000 airplanes that are in the air at any given time. This has nothing to do with damaging the network at the transport layer, but damaging the data itself, thereby disrupting the trust between the human and the data.
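The flipped-destination scenario above, as an added example that is not part of the original interview or SAIC's code: each logistics record carries a keyed MAC computed when the planner issues it, so a record whose destination was altered in transit, or a stale record replayed out of sequence, fails verification before anyone acts on it. The shared key, the field names, and the sample order are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: a key shared by the issuing planner and the receiving unit.
KEY = b"constructed-demo-key"


def canonical(order: dict) -> bytes:
    """Stable byte encoding so issuer and verifier hash identical input."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag covering every field of the order."""
    tag = hmac.new(key, canonical(order), hashlib.sha256).hexdigest()
    return {**order, "tag": tag}


def verify_order(signed: dict, key: bytes, expected_seq: int):
    """Return (ok, reason). Reject altered fields and out-of-sequence replays."""
    body = {k: v for k, v in signed.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison; a flipped destination changes the tag.
    if not hmac.compare_digest(expected, signed.get("tag", "")):
        return False, "tag mismatch: record altered or not issued by planner"
    # The sequence number is inside the MAC, so a genuine but stale record
    # cannot be replayed in place of the current one.
    if body["seq"] != expected_seq:
        return False, f"unexpected sequence {body['seq']}, wanted {expected_seq}"
    return True, "ok"


def demo() -> dict:
    """Constructed order: 400 tanks bound for Seattle, then tampered to Houston."""
    order = {"seq": 17, "unit": "tanks", "qty": 400, "destination": "Seattle"}
    signed = sign_order(order, KEY)
    results = {"genuine": verify_order(signed, KEY, 17)}
    flipped = dict(signed, destination="Houston")   # altered in transit
    results["flipped"] = verify_order(flipped, KEY, 17)
    results["replayed"] = verify_order(signed, KEY, 18)  # stale record resent
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} accepted={ok} ({reason})")
```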

SAIC is working with customers to provide them the means to have trusted networks without necessarily having trusted hardware on those networks. This is accomplished using techniques such as ubiquitous encryption, network resilience, and a strong identity management system.

4. Lack of Proper Workforce Cyber Training

The best return on investment [in cybersecurity] by far is training the workforce. Where traditionalists might say that we need to spend more on technology such as firewalls and intrusion detection systems, the best investment you can make, hands down, is training your workforce. That's generally your greatest range of threat vectors — social engineering, or simply bad user practices.

The most obvious case of social engineering is the disgruntled insider, and that's hard to protect against. But there's a variety of ways that you can ensure that, for instance, an individual employee doesn't have access to everything on the network, and can't get into sensitive parts of the network like HR and payroll systems. That's just sound network hygiene.

Another aspect is the human element and educating the workforce on how they are likely to be used [by someone else] to gain access to the network. SAIC has a world-class training application for internal use (iSecure), and every employee has to go through it every year. This is necessary to constantly remind everyone on the network that the user is one of the most dangerous cyber vulnerabilities. For example, how many times have you clicked on a link sent to you via email from someone you may or may not know? How many times have you plugged someone else's thumb drive into your computer? Using simple social engineering techniques, a hacker can introduce code that immediately circumvents all your perimeter defenses, perhaps passes your host defenses, then begins communicating with individuals that do not have the interests of the company in mind.

5. The Importance of a Federal Regulatory Regime

There are no overarching federal regulations, or even common processes, for reporting of network intrusions or data breaches. There are requirements, now, for reporting intrusions against companies that comprise the defense industrial base to the Department of Defense. Those didn't exist a year ago. Compounding the problem, it was unclear, a year ago, who you would call if you had an intrusion or data breach. Is it local law enforcement, the FBI, your customer, or all the above? Some of the things that the CNCI [Comprehensive National Cybersecurity Initiative] is doing is to try to normalize that and make it clear what industry's and the government's responsibilities are, particularly those companies in critical infrastructure.

As far as reporting on the loss of health or personal information, there's a more robust regulatory and statutory environment. But for just simple network penetration — say I found a tool on my network that is used to extract data — if you don't know what data was extracted, if you can't show any audit trail that says, we lost X amount and to whom, then there's really nothing to show that anything was lost. So who do you talk to in that case?

© Science Applications International Corporation. All rights reserved.