WASHINGTON: In real-world warfare, troops and tanks maneuver to take advantage of the terrain. In the looking-glass world of cyberspace, however, “maneuver” may mean changing the terrain itself. If the enemy’s invading your country, you can dig a trench or blow a bridge, but otherwise you go to war with the landscape you have.
If the enemy’s invading your network, however, you can rebuild it in an eyeblink to block their avenue of attack — provided you know how they’re getting in. You can reject incoming data from suspicious IP addresses, for example, or disable your users’ ability to download files (a common Trojan Horse delivery route), or, in the worst case, shut everything down before too much damage is done.
There are lots of options — too many, in fact, for the human brain to keep track of all of them, let alone decide which one is best, the Pentagon’s chief cybersecurity officer said Thursday. Think of all the different settings you have on whatever device you’re using to read this article. It’s not just about the obvious options like whether you accept cookies and block pop-ups. It’s not even the configuration of your firewall (you do have a firewall, don’t you?). It’s every program that can take data from the Internet. Think of trying to choose the right settings across all those programs — keeping in mind how they all interact! — to stop a specific attack. Then do it again the next day when a new threat shows up. Now multiply that by thousands of computers interacting in a global network.
“We want to be able to maneuver in some useful way in response to cyber attack,” said Richard Hale, the Pentagon CIO’s deputy for cybersecurity. “‘Maneuver’ sounds good, but what that really means probably is tinkering with the settings of complicated pieces of equipment. Operating systems have a lot of settings: thousands and thousands. Firewalls, geez, we have firewalls now in the Department, I can’t believe I’m saying this, we have hundreds of thousands of rules on some of these things.
“No human being can understand this,” Hale said bluntly. “There is no way any human analyst has a prayer of taking all of thousands of settings multiplied by thousands of settings and making sense of that.”
We need computers to understand our computers, Hale told the audience at the Security Innovation Network (SINET) forum. That means some kind of software tool that understands not only what all the different settings are currently but how they interact and what the impact would be of changing them. “[That] is the kind of tool we don’t have right now,” he said. “Help in managing this complexity is going to be fundamental.”
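As an added illustration, not code from the article or from any Pentagon or DHS tool, the Python below sketches the smallest version of what Hale is asking for: a program that reads a firewall's ordered rule set, works out which rules can never fire because an earlier rule swallows their traffic (a "shadowed" rule), and reports which sample flows would change verdict before a new rule is inserted. The five-rule policy and the sample flows are constructed here for the example; first-match semantics and an implicit final deny are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Added example: a first-match firewall policy analyzer. The rule set and the
# sample traffic below are constructed for illustration, not taken from any
# real device.


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src: str         # source CIDR, e.g. "10.0.0.0/8" ("0.0.0.0/0" = anywhere)
    proto: str       # "tcp", "udp" or "any"
    dports: tuple    # inclusive (low, high) destination-port range
    name: str = ""

    def net(self):
        return ipaddress.ip_network(self.src, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    net_ok = inner.net().subnet_of(outer.net())
    ports_ok = outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]
    return proto_ok and net_ok and ports_ok


def shadowed(rules):
    """(index, shadowing_index) for every rule that can never fire because a
    single earlier rule matches everything it matches. Rules shadowed only by
    the *union* of several earlier rules are not caught by this simple check."""
    found = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                found.append((i, j))
                break
    return found


def decide(rules, src_ip, proto, dport, default="deny"):
    """Verdict for one flow under first-match semantics, plus the rule name."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if (rule.proto in ("any", proto)
                and ip in rule.net()
                and rule.dports[0] <= dport <= rule.dports[1]):
            return rule.action, rule.name
    return default, "default"


def impact(rules, new_rule, position, traffic):
    """Sample flows whose verdict changes if `new_rule` is inserted at `position`."""
    after = rules[:position] + [new_rule] + rules[position:]
    changed = []
    for flow in traffic:
        before_verdict = decide(rules, *flow)[0]
        after_verdict = decide(after, *flow)[0]
        if before_verdict != after_verdict:
            changed.append((flow, before_verdict, after_verdict))
    return changed


# Constructed policy. Rule 3 is the classic mistake: an allow added *after* a
# broad deny, so the branch office's web traffic is silently blocked.
RULES = [
    Rule("allow", "10.0.0.0/8",   "tcp", (22, 22),   "mgmt-ssh"),
    Rule("allow", "0.0.0.0/0",    "tcp", (443, 443), "public-https"),
    Rule("deny",  "0.0.0.0/0",    "tcp", (1, 1024),  "block-low-ports"),
    Rule("allow", "10.1.0.0/16",  "tcp", (80, 80),   "web-from-branch"),
    Rule("allow", "10.0.0.0/8",   "udp", (53, 53),   "dns"),
]

# Constructed sample flows: (source IP, protocol, destination port).
TRAFFIC = [
    ("10.1.2.3", "tcp", 80),
    ("10.1.2.3", "tcp", 22),
    ("203.0.113.7", "tcp", 443),
    ("203.0.113.7", "tcp", 22),
    ("10.5.5.5", "udp", 53),
]

if __name__ == "__main__":
    for i, j in shadowed(RULES):
        print(f"rule {i} '{RULES[i].name}' never fires: shadowed by rule {j} '{RULES[j].name}'")
    # The "reject data from a suspicious address" maneuver, checked before it is applied.
    block = Rule("deny", "203.0.113.0/24", "any", (1, 65535), "block-suspicious")
    for flow, before, after in impact(RULES, block, 0, TRAFFIC):
        print(f"inserting '{block.name}' flips {flow}: {before} -> {after}")
```

Running it reports that `web-from-branch` is dead because `block-low-ports` precedes it, and that inserting the suspicious-address block at the top flips exactly one sample flow (the public HTTPS connection from 203.0.113.7) from allow to deny. That second check is the point of the passage above: before a setting is changed, the tool, not the analyst, enumerates what else the change breaks.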
Better cybersecurity is going to require a lot more automation, agreed Peter Fonash, chief technology officer in the cybersecurity branch of the Homeland Security Department. “The first technology that I would want to have is a capability to do automated decision-making and automated courses of action,” he told the SINET conference. Instead of waiting for a human to perceive a threat, make sense of it, and decide on a response — let alone wait for higher-ups to authorize it — we need software that can perform all those functions by itself, moving at the same speed as the attacking malware.
But that’s not all. Fonash also argues for automated information-sharing between organizations, feeding into a big data analysis program that can connect the dots and come up with trends and warnings. In short, his vision of cyberspace maneuver moves so fast that software has to handle the intelligence, the battle, and the after-action review. With the right technology, “you can actually not have the human in the loop, but have the human on the loop,” he argued. “The human is watching what’s going on.”
So with the software waging the battle at electronic speeds, what can the human beings actually do? Maybe they have time to think about winning the war. Let the computers handle the trees, the argument goes, so the humans have time to focus on the forest.
“The stark reality is there are finite [human] resources,” said Carey Frey, a cybersecurity official at Communications Security Establishment Canada (CSEC, also known as CSE), the Canadian equivalent of the NSA. “There’s a finite resource of security analysts that we can find and who [can] actually be effective at the job.”
Today, “those people spend a lot of cycles looking at a lot of information and get roped into doing incident response; what we really need them to be doing is threat detection and discovery,” Frey said at SINET. “They need to be freed up to focus on that mission.”