Cyberwar: Assessing the Geopolitical Playing FieldTom Kellermann, Richard Bird on How Government and Companies Can Win the Cyberwar Steve King (@sking1145) • September 29, 2022 25 Minutes
The United States is arguably involved in the first cyberwar - against Russia and China, Unfortunately, on the battlefields of intelligence, leadership, economics, technology and education, the U.S. appears to be losing.
In this episode of "Cybersecurity Unplugged," Tom Kellerman of Contrast Security and Richard Bird of Traceable.ai discuss what the U.S. government and companies need to do to win this cyberwar.
Digital transformation has made us more exposed to cyberattacks, in which the adversaries want to hijack that transformation and use it to disrupt government agencies or large companies, says Kellermann. "We need to begin with a counterinsurgency within our infrastructures and within our supply chain," he says.
While companies that have fallen victim to recent large data breaches say the attacks were sophisticated, Richard Bird says he believes the opposite is true. "The giant hole within cyber defenses today is just simply basics," he says. And Kellermann calls for "greater attention to defending from within" and not relying too heavily on encryption.
In this episode, Kellermann and Bird also discuss:
- The lack of human capital in cybersecurity and the loss of seasoned veterans through burnout or corporate poaching;
- The importance of mandating the CISO position and having CISOs report to CEOs and the board rather than to CIOs;
- The need for government mandates to set breach reporting requirements, modernize forfeiture and anti-money laundering laws, and address crypto markets that allow adversaries to transfer money through anonymous channels.
Kellermann, senior vice president of cyber strategy at Contrast Security, is the former head of cybersecurity strategy at VMware, as well as the former CEO of Strategic Cyber Ventures. He served on the Commission on Cyber Security for the 44th president of the United States and was an adviser to the International Cyber Security Protection Alliance. When he served as chief cybersecurity officer for Trend Micro, he was responsible for analysis of emerging cybersecurity threats and relevant defensive technologies.
Bird is chief security officer at Traceable.ai. He previously served as chief product officer for SecZetta. Bird has been a C-level executive in both the corporate and startup worlds and is internationally recognized for his expert insights, work and views on cybersecurity data privacy, digital consumer rights and identity-centric security. He's also a senior fellow with the CyberTheory Zero Trust Institute, a Forbes tech council member and the host of the "Who The Heck Are You" podcast. Bird has been interviewed frequently by media outlets, including The Wall Street Journal, CNBC, Bloomberg and the Financial Times and is known as the "father of identity management."
Anna Delaney: Welcome to Cybersecurity Unplugged, the CyberTheory podcast where we explore issues that matter in the world of cybersecurity.
Steve King: Welcome, folks. This is Steve King, the managing director at CyberTheory. Our episode today is going to talk about where we stand in the international cybersecurity geopolitical playing field. We're fortunate enough to host a couple of the industry's best and brightest to discuss that. Richard Bird, the chief product officer at SecZetta and former chief customer information officer at Ping. He has been a CIO and CISO for two of the world's biggest banks and a founding board member of the Identity Defined Security Alliance, and is a widely recognized expert in identity management and senior fellow at the CyberTheory Institute. And joining Richard now today is Tom Kellermann, the senior vice president of cyber strategy, Contrast Security, and the former head of cybersecurity strategy for VMware and chief security officer for Carbon Black. Tom served on the cyber investigations advisory board for the United States Secret Service and was appointed the Wilson Center's global fellow for cyber policy. Welcome, Tom, and thanks for joining us today. We are arguably in our first cyberwar. The daily cybersecurity events report that they are rarely positive. We continue to do the same things that have worked in the past. We see excerpts after excerpts from the White House, with lots of motion from the promotion from the CISO team but without any mandate power. Many of the seasoned smart guys who have been in the space for a while have started to grumble, and we're hearing from guys like the vice chairman of the Joint Chiefs of Staff, John Hyten who decided to scrap joint warfighting concepts that have guided the U.S. military operations for decades because we're facing defeats from the Chinese red teams. That took me aback. And Michael Bayer, a longtime Pentagon adviser, who led a recent review of naval cybersecurity said the cyberwar is aimed at a whole of society and the state, and we're losing that war. And Nicolas Chaillan, who is a polarizing personality and was also the first chief software officer for the U.S. Air Force and Space Force, and a former special adviser for cloud security and DevSecOps, the Department of Defense, recently resigned his post out of frustration that moving cybersecurity initiatives through the bureaucracies becomes impossible. So you get respected leaders like retired General Keith Alexander, who had now scathing comments about our inability to compete in the battlefield with either the Russians or the Chinese Communist Party. A book my publishers insist upon calling "Losing the Cyberwar" is due to be published in October. Our thesis is that there are five separate battlefields on which this war is being fought: information - which we call intelligence - leadership, economics, technology and education. And we're losing in each one today. I'm hoping we can discuss each battlefield and what you two think we need to do to prevail and turn the race back. Tom, why don't we start with you? Let's talk about education.
Tom Kellermann: Well, let's talk about education. With that, let's talk about governance. From an education perspective, not only is there a lack of human capital in cybersecurity and a lack of desire, even for seasoned veterans to sustain any position for longer than three years, either because of burnout or because of corporate poaching. But you also have a tremendous governance issue. I still don't understand how CISOs if they exist in organizations, which hopefully they do, but not at all, why the position hasn't been mandated by law nor why the position continues to report to the CIO? Why is the defensive coordinator reporting to the offensive coordinator? Because part of the problem here, in addition, educationally, defense is dead; it's not effective, and in the world of digital transformation, modern applications, cloud computing, including multi-cloud, etc. So, the reason why we're losing the war is not just because of a lack of proactive public policy or more offensive cyber operations per se - by the NSA and others - that is also because of the nature in which the adversary exists within. We're dealing with a cyber insurgency that spans the Western world, one where the adversary has been allowed to, because of the lack of leadership, both within corporations and at the government level. They've been allowed to colonize wide swaths of our infrastructure and our supply chains as it relates to software and code. That's an interesting concept. Going back to your comment about why the CISO defensive coordinator reports to the offensive coordinator. What's your recommendation for the right role, location and leverage for that position? CISOs should be C-level, and they should report directly to the CEO and they should brief the board on a monthly basis. That happens in some proactive financial institutions and in the defense industrial base. Outside of that, it rarely happens, unless the company has been victimized by a massive cyber breach. But we also just need to appreciate one fundamental fact, which is, to the term colonization that I use, as we digitally transform, we're more exposed to cyberattacks. But more importantly, the adversary is not just trying to break in and steal and/or conduct ransom. The adversary wants to hijack that digital transformation, and then use your digital transformation as an attack platform against your constituency, whether it's a government agency or a large company, that's what the Russians and Chinese are so good at doing. So in order for us to even fight this war, we need to begin with a counterinsurgency within our infrastructures and within our supply chain.
King: And how do we do that?
Kellermann: Well a lot of ways, I think we need to begin with expanding threat hunting across that infrastructure - mandating reporting requirements for breaches, understanding that we need to defend from inside out, and believing constructs like intrusion suppression, where you can detect, deceive, divert, contain and hunt an adversary, unbeknownst to an adversary. And then much more needs to be done in the area of supply chain and application security, and being able to protect applications in runtime. It's been the last three years over the years, of zero days. They've expanded because of what you've described, that nexus between the intelligence services of Russia, China, North Korea and cybercrime cartels, where many of these cybercrime cartels act like proxies in the environment.
King: Yeah, this reminds me a little bit of the Reagan years and how we managed to get Russia to spend itself to death. So when we talk about economics in these separate battlefields, we're spending a fortune on this stuff. And it seems like it never ends. It seems like no matter what we spend, it has no impact - zero to no impact.
Kellermann: Steve, if I may interject here. We're spending. What is the total addressable market of cybersecurity? 130 billion? 150 billion? Whatever that is. Now, what's the total addressable market, the economy of scale and the darkweb, over a trillion. The majority of the proceeds of cybercrime get pumped back into rogue nation states that allow them to not only fuel the cyberwar that is occurring but also to directly offset economic sanctions that have been imposed by the West. So for them, this is a funding mechanism.
King: That's great. Yeah, I'm sure that's true. We've just discussed two areas in which we have no leverage. How do you reverse that?
Kellermann: So for the funding and financing leverage, I think we need to modernize forfeiture laws and AML laws, Anti-Money Laundering laws, so that greater seizures can be applied to virtual currencies and alternative payment systems that are complicit in allowing for money laundering associated with cybercrime and cyber spy. Also, greater offensive activity must be taken by Western law enforcement to shut down some of these nefarious payment systems and virtual currencies that are complicit in laundering the proceeds of cybercrime, child porn and drug trafficking - period. Use that money, almost like a super fund, to fund critical infrastructure protection in the West. That's just from financial lens. From a cybersecurity lens again, instead of trying to build a castle around our infrastructure, thinking that 100% prevention is possible, it should look a lot more like a prison or a supermax, where lateral movement is inhibited and the person is being observed at all time - the person being the entity, the data itself or even the code. And we need to continuously test and evaluate the security of that environment and be able to apply control and security in real time and within the infrastructure, because they will always have a footprint somewhere with them, whether it's through a rat or a zero day.
King: Yeah. Let's move on to intelligence or information. We live in a world where our enemies and adversaries always have more intel, more information about events and who's doing what, to whom, than we do and attributable or otherwise. I guess it doesn't seem to me that there's an easy way to combat that. And the less that we know about what's going on, the more open we are to attacks. What are your thoughts about the imbalance in the information section there?
Kellermann: Well, because we believe in freedom of the press and the First Amendment, I don't think we're ever going to win that fight. However, I think more of the constructs that were applied during World War II and the Cold War, vis-à-vis deception and disinformation, should be applied against our adversaries. Even from a cybersecurity perspective, I think there's a future for deception technology and deception grids per se. Beyond that, though, their worst enemy is transparency so facilitating as in not US corporations, but the U.S. government intelligence community, the DOD, the Five Eyes and NATO for that matter, should do a great job moving forward. So to break down kind of the cyber iron curtains around China and Russia to basically spread truth to those that are being victimized by those regimes.
King: Yeah. It's not easy to do in this environment. That's part of the problem. The part of the problem is we're dealing with adversaries who have an entirely different form of government. They can sort of do whatever they want; they don't need or have a constitution they have to satisfy every time they do something, and we do. So that puts us at a substantial disadvantage in so many different ways. And, the kinds of mismail and information and deception that we would have to conduct here, pretty nefarious it seems to me, and there's always going to be the actionable crowds around whatever angers whomsoever complaining about it. So it makes for a very difficult war, in terms of technology itself.
Kellermann: That's a good point you're raising there, Steve, look, let's just discuss the elephant in the room. Why has there been such a reticence to have productive public policy as it relates to cybersecurity and cyber defense for the United States. It's because the K Street - I'm from DC, K Street - and the major lobbying arms of various corporations and the most powerful corporations believe in laissez-faire economics. And as a result of laissez-faire economics, the market has failed. The market has failed here such that it has created an entire shadow economy and darkweb market, which has an economy of scale of over a trillion dollars. So when are we going to get away from applying laissez-faire economic theory to cyber defense and cybersecurity, given that it's an economic and national security imperative?
King: Yeah, when are we? And what's going to be the driver? I would just describe like four different mega problems here, moving any one of those would be a big deal and helpful. But all four are sort of depressing.
Kellermann: I would love to hear Rich's thoughts. How are you Rich?
Richard Bird: I'm doing great. I am enjoying this conversation so much.
King: Welcome, Richard. Thanks for coming.
Bird: Apologize for the delay in joining. But some trivial facts about Richard Bird. My academic background is in political science with a focus on international relations theory. And, you've gone over so many different, to use the old term, real politic, pragmatic, and truthful statements about the patterns of human behavior organizations, nation states, that is consistent throughout history. And I think, it's super fascinating. One of the things that you brought up about the behavior of both organized crime elements as well as nation states. It's not like we haven't seen these patterns before. It's not like we haven't seen the types of espionage stealing of intellectual property or the usurping of different channels of commerce to create cash flow, particularly in the organized crime sector. Yet we have no equivalent of the Eliot Ness days going on as it relates to attacking these problems from a law enforcement standpoint. From a policy standpoint, it's just a fascinating to me to see this massive loss of historical knowledge. Steve, you've heard me say this so many times, because for 40 years, we've ascribed this Harry Potter-esque mysticism to technology, when technology is just simply a digital plow. Yeah, we've gotten all of these. It's something that I've gone off about recently. The hacks that have been highly publicized over the last several weeks, every PR company and every PR organization have come out and said, we were the victim of a sophisticated hack. And you just minimally scratch on the surface; it literally is the exact opposite of a sophisticated attack. It is basic hygiene; it is poor configuration; it is being crushed because of poor management of your identity control; it is being crushed because of poor management of your threatened vulnerability controls. And yet, we've gotten ourselves into this cycle of intellectual dishonesty in every place in America that touches cybersecurity in the corporate suite, the government and every aspect of our day to day. We are choosing to be willfully ignorant about the causes and the drivers. And what you said was just so fascinating to me. Now, we have a situation where the bad actors are able to outspend the good actors by factors of 100 to one, and when you look at just the basic economics of that, we're 100 to one behind right now. And what does it take to even begin to close that gap? Because even if we only get 50% better, we're still down 50 to one.
Kellermann: And we're also forgetting about the motivations of the bad actors and what they're willing to do. They're very Machiavellian, which we are not. To that point, I'm very concerned about the future of cloud jacking and supply chain attacks that render integrity attacks and manifestation. They're willing to not only use deception and disinformation. But imagine when they hack your infrastructure and they begin to manipulate the value of the data, the integrity of the data, the value of time through Kronos attacks, etc. It's happening. It's not widespread yet, but they can cripple us in our economy that way, much worse than just stealing from us and being omniscient. They could become telepathic.
King: I like that. It's great. Well, from a technology point of view, we know we're way behind; we know the Chinese are way ahead in quantum. There will be a quantum player, it will be the Chinese, all of those medical record thefts and PII thefts over the last several years. That's all for future decoding of encryption. So what does that future hold, and why are we underspending by like an order of magnitude on technology?
Kellermann: Just a quick statement on this. One of the reasons why we're in this quagmire is because the leadership of the world presume that encryption would save us from this day and has overrelied on the utility of encryption. Without the comprehension of the flaws and weaknesses of encryption, even if it's robust, hardened encryption, if you hack the private entity, the endpoint that has the keys, you can ride that tunnel through. So one of the things that must change is a greater attention to defending from within when it comes to standards versus this defense in-depth posture that we've embraced for years, which overrelied on the efficiency and the adequateness of encryption. I don't think encryption has ever been the answer. I understand the import of encryption. But it's really, can you compromise the entity or the code that maintains the keys?
King: You're right. That's always been the case. This sort of leads us ultimately to leadership. Everything we've talked about here goes to leadership in one manner, way, shape or form and including, where's Eliot Ness when you need him? So Tom, any closing thoughts about what should we do?
Kellermann: So from a technological perspective, I'm embracing the construct of integrating network detection and response and endpoint detection and response, and conducting much more robust threat hunting so that we can eradicate an adversary that's already existing within our infrastructure. Given where I am now, I'm here for a reason because of the explosion of application API attacks. I think continuous monitoring must go beyond production and operations into development. And that should apply to software development, code development, etc. Because frankly, open source has a dark passenger and beyond. I think from a governance perspective, CISO position should be mandated by the SEC, and in every organization that CISO reports to the CEO and board from a public policy perspective. I think that we should give the NSA and law enforcement more leeway to go on the offensive to disrupt the forums, the alternative payment systems and the cybercrime cartels writ large, and for them to use disinformation operations to poison the relationship between the cybercrime cartels and Russian and Chinese intelligence services. I can keep going on. But we just have to keep our eye on the ball. And the ball is this adversary doesn't want to just steal from us, this adversary wants to hijack the digital transformation and use it to attack our constituencies. And God forbid the day the adversary chooses to do that and then uses it to launch destructive integrity attacks. So we have to defend against that now. But I'd love to hear Richard's thoughts.
Bird: It's hard to disagree with any single point that you make, Tom. I think that there are two pieces that I would grab a hold of in your windup there. The first is that the condition of the world and its lack of action in addressing the crypto markets. We'll use Eliot Ness as an example again. Eliot Ness hit him hard and hit him where it hurts, where it hurts is in the ability to transfer and move money around through anonymous channels. And allowing this crypto market to continue to develop and evolve on the same anonymous pathways that have caused the massive amounts of issues with political disinformation with social media is just again, frankly, irresponsible. And it needs to be addressed immediately. I would say when I kind of look at the future, I get a bit of a chuckle out of quantum because I've always found that the bad guys are, with the exception of nation states, a relatively lazy group. They will use the path of least resistance. So if I have access to quantum resources and I need to crack encryption, but somebody just leaves a port open, I don't need to worry about the next cool thing. And that goes back to the reality that the gate, the giant hole within cyber defenses today, is just simple basics. These hacks, breaches and exploits that are happening, very few of them are happening at some kind of Star Trek level. They're happening more at the Fred Flintstone level. That goes back to your points about CISOs and mandating security as an imperative within companies, organizations and agencies today. I do think technologically, there's an interesting development as it relates to decentralized architectures. And I do think that there will be a lot of development in that space, making it difficult for bad actors to get a complete picture, a complete profile, or a complete inventory of anything by fragmenting. I think that the speeds that are afforded to us, both internal to corporations, as well as external corporations relative to cloud technologies and networks, give us that opportunity. So it's not all doom and gloom. But there's just going to be quite a bit more hard road to travel here before we start making substantial improvements.
King: Well, we're at the top of the hour, and I know, Tom, you've got to go. And so Richard Bird and Tom Kellerman, thank you both for taking the time out today to help us with your unique view of the topic. And we know the situation that we're in here, and I'm afraid it feels like it's only going to get worse as time goes on. But we'll be able to get together again in a few months and talk about some more if you don't mind.
King: Alright guys, thanks so much. We'll talk soon.
Delaney: Thank you for joining us for another episode of Cybersecurity Unplugged. You can connect with us on LinkedIn or Facebook at CyberTheory, or send us an email at firstname.lastname@example.org. For more information about the podcast, visit cybertheory.io/podcast. Until next week. Thanks again.