Cyber Author Says Attack Could Cripple 70% Of U.S. Power Grid
'TF7' Guest Explains Risk Mitigation Efforts
Oct. 1 was the 50th episode of “Task Force 7 Radio,” VoiceAmerica’s insightful cyber security program aimed at debunking cyber myths, providing actionable advice for enterprise professionals and discussing nation-state trends.
Host George Rettas was joined by Sami Saydjari, Founder and President of the Cyber Defense Agency. Saydjari is also the author of “Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time.” The hour-long program was expansive in its coverage, using a rapid-fire format to touch upon the entire cyber spectrum.
To kick off the episode, Saydjari spoke about trends in the space, saying, “Attackers are getting more sophisticated. They used to attack simple things at the application level – and it was not very well hidden. As time has progressed, attacks are stealthier, and they’re weaponized – for organized crime, nation-states… They’re more sophisticated and attacking operating systems, or software below the operating system.”
The guest also pointed to “collusion” between nation-states and organized crime, with organized crime doing the bidding of some type of arrangement with a nation-state.
These trends motivated Saydjari to write the aforementioned book. He said part of the motivation was that “gaps” exist in the cyber security literature. There are good books on theory and many on practices within cyber security (“mechanisms”), he said, but few about the “principles” of the space – how the disparate pieces come together holistically.
On sabotaged systems and recurring access, Saydjari said there are important things to consider: prevention, detection and “toleration.” He compared a good defense to the way ships have bulkheads – and can take damage and remain afloat.
“Cyber security is the same way,” he said. “You have to modularize, and (create a) partition.”
For reasons like that, the “TF7 Radio” guest believes there exist too many “holes” in today’s cyber literature. “(We have to) teach people to understand how to evaluate and prioritize risk,” he said. “And the other big value is in orchestration and weaving together the many technologies… (This means) understanding how to weave together the firewall, antivirus, intrusion detection (etc.), link it, and configure it… It’s defense in depth and defense in breadth.”
Saydjari also compared defense in depth with the cyber security kill-chain, saying that they’re actually quite similar. He said while the “castle and moat”-type defense is certainly outdated, one must think of defense in depth across the entire attack space. That means in the case of an attack, you won’t have one mechanism stopping it, but others to detect it and “tolerate” it.
“That’s what depth is to me,” he said. “It’s not obsolete, it’s a timeless principle.”
The featured guest then took some time to answer a question about all-out cyber warfare. “If current trends continue, it could look pretty bad,” Saydjari said. “Power grids, telecommunications, finance, oil and gas – they are all vulnerable infrastructures. And there doesn’t appear to be a societal incentive to secure them, because the cost is borne by the people developing them… It’s a ‘tragedy of the commons,’ in that it’s a common risk for all of us, but we’re asking people to bear the risk of a nation-state attacking them.”
He added that on our current course, 70% of the U.S. power grid could go down for as long as six months. He emphasized that cyber-attacks impact physical items and processes. He called cyber warfare an “existential threat to the sovereignty of nations, including the U.S.”
Out Of Sight, Out Of Mind?
On what it might take for people to “wake up” to the cyber issue, Saydjari said: “One of the problems is from a psychological perspective. If you have not experienced pain from some event, it’s ‘not real.’ We’ve seen the suffering from a nuclear attack, and we want to avoid it… Cyber-attacks can be that devastating on a national scale… Imagine the breakdown if you lose 70% of power for six months… We saw it in Hurricane Katrina, and imagine that times 1,000… (Despite dozens of wake-up calls), policymakers have failed to really address this as a priority – a national security, existential threat. It may in fact take a sub-lethal event before we will wake up.”
Where are companies going wrong? Saydjari said that they “underinvest because they don’t understand the stakes.” He added that the average company invests about 3% of its IT budget in security, when analyses suggest it should be closer to 10%. “That (makes them) underinvested by a factor of three,” he said.
He also claimed enterprises are not “being systematic in their approach.” Instead, they opt for the latest “shiny object” that they hope will answer all of their questions.
“The C-Suite doesn’t really understand the breadth of the cyber security problem,” Saydjari said.
Is cyber security a technological problem, or a human issue? The “TF7 Radio” guest said, “Cyber security was invented by research engineers – some 35-40 years ago now – so it tends to be technologically focused… At first only ‘geeks’ had computers, so it was natural that it was a tech problem. But it’s also a sociological problem… We need an interdisciplinary approach, and the origins (of each subset of cyber security) get in the way of that sometimes.”
Does that mean a Deputy CISO should join the team and bring business-specific skills, while the CISO remains more of a technologist?
Saydjari suggested enterprises embrace some “out-of-the-box thinkers,” or folks who are technologists but who understand the nature of sociology and psychology.
An ‘Existential Threat’
Rettas’ guest for the 50th episode of “TF7 Radio” also invoked Sun Tzu’s “Art of War” in discussing cyber-threats. He said that, upon a wide-scale blackout, cyber becomes a pervasive threat that “tears at societal fabric.”
“We saw this in Katrina, where law enforcement stayed home to protect their families. There were dead bodies floating in the street,” Saydjari said. “Even the best military in the world (couldn’t contain this issue). (It’s at the) heart of the country and controlled by the civilian sector. So, what is the military going to protect? The country (would be) existentially damaged.”
Saydjari again drew upon historical references to explain the evolution of encryption (early military recon) and eventually computer security, access control and intrusion detection. “Cyber security developed its own niches,” he suggested. “They have their own languages, and they didn’t communicate with other communities… We didn’t borrow from other communities, and ended up with a disparate set of solutions that don’t integrate very well.”
Saydjari took some time to discuss the solutions landscape, admitting that it’s certainly a “complicated one.”
“The physical world has three dimensions, four if you include time,” he said. “Cyberspace is hyper-dimensional – with hundreds of dimensions. So it’s hard to understand all of (them). The solution space is equally complicated, as it (attempts to) address all the hyper-dimensionalities…”
A 14-year-old can spend four hours and steal $1 million, which Saydjari called an “asymmetrical effect.” Because of this complexity, even today’s designers fail to fully understand the systems they build, so attackers find “unusual avenues” and “come through the weeds.”
“That’s a part of the hyper-dimensionality,” Saydjari said. “You have to understand that space in order to cover it.”
The “TF7 Radio” guest then outlined red-teaming efforts, pen-testing and other initiatives to help bolster resiliency. On that topic, he said: “It’s good to have a theoretical risk analysis, or a top-down view of where your risk is. Then it’s useful to have the attack experience team come in behind that and say the risk is a probability but, ‘Here’s how we did it to you.’”
Overall, he called today’s businesses “under-educated on” cyber risk, in part because they have other tasks on their plate. However, Saydjari said the C-Suite must be able to grasp the nature of these problems and the damage that can impact their mission.
Rettas’ guest said that the C-Suite needs to be involved in risk mitigation efforts from the get-go, and make sure they understand the “nature of the harm.”
“If you don’t understand the risk, multiplied by consequences, then you don’t know the number, and what to invest,” he said. “(If you have that knowledge), you can have lower-level IT experts draw up attack trees and say, ‘Here’s 15 ways attackers can accomplish that…’ This gives you a systematic way to invest and make the system better.”
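The “risk multiplied by consequences” reasoning and the attack-tree exercise Saydjari describes can be made concrete with a small evaluator. The code below is an added example, not code from the broadcast or from Saydjari’s book; the tree, the leaf probabilities, the dollar consequence and the mitigation costs are all constructed for illustration, and it assumes sibling branches succeed independently (a simplification a real analysis would revisit).

```python
# Added example: a minimal attack-tree evaluator for prioritizing security spend.
# All names, probabilities and costs are constructed illustrations (assumptions),
# not figures from the show or the book.
import copy
from dataclasses import dataclass, field
from typing import List, Dict, Tuple


@dataclass
class Node:
    """One node of an attack tree. Leaves carry an annual success probability."""
    name: str
    kind: str = "leaf"          # "leaf", "or" (any child suffices) or "and" (all needed)
    prob: float = 0.0           # used for leaves only
    children: List["Node"] = field(default_factory=list)


def success_probability(node: Node) -> float:
    """Propagate leaf probabilities up to the root (independence assumed)."""
    if node.kind == "leaf":
        return node.prob
    child_probs = [success_probability(c) for c in node.children]
    if node.kind == "and":
        result = 1.0
        for p in child_probs:
            result *= p
        return result
    if node.kind == "or":
        # P(at least one branch succeeds) = 1 - P(every branch fails)
        all_fail = 1.0
        for p in child_probs:
            all_fail *= (1.0 - p)
        return 1.0 - all_fail
    raise ValueError(f"unknown node kind {node.kind!r}")


def expected_loss(tree: Node, consequence: float) -> float:
    """Risk as 'probability multiplied by consequences', in the same units as consequence."""
    return success_probability(tree) * consequence


def with_leaf_probability(tree: Node, leaf_name: str, new_prob: float) -> Node:
    """Return a copy of the tree with one leaf's probability changed (models a control)."""
    clone = copy.deepcopy(tree)

    def walk(n: Node) -> bool:
        if n.kind == "leaf" and n.name == leaf_name:
            n.prob = new_prob
            return True
        return any(walk(c) for c in n.children)

    if not walk(clone):
        raise KeyError(leaf_name)
    return clone


def rank_mitigations(tree: Node, consequence: float,
                     mitigations: Dict[str, Tuple[str, float, float]]) -> List[Tuple[str, float, float]]:
    """Rank controls by expected-loss reduction per dollar of cost.

    mitigations maps control name -> (leaf it affects, cost, leaf probability after control).
    Returns (control name, loss reduction, reduction per dollar), best first.
    """
    baseline = expected_loss(tree, consequence)
    ranked = []
    for name, (leaf, cost, new_prob) in mitigations.items():
        reduction = baseline - expected_loss(with_leaf_probability(tree, leaf, new_prob), consequence)
        ranked.append((name, reduction, reduction / cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed sample tree: three routes to one goal, each a made-up estimate.
SAMPLE_TREE = Node("disrupt plant control network", "or", children=[
    Node("phish then pivot", "and", children=[
        Node("credential phishing succeeds", prob=0.40),
        Node("lateral movement to control segment", prob=0.50),
    ]),
    Node("exploit exposed remote access", prob=0.10),
    Node("removable media", "and", children=[
        Node("infected USB reaches a workstation", prob=0.20),
        Node("payload executes on workstation", prob=0.30),
    ]),
])
CONSEQUENCE_USD = 5_000_000.0   # constructed: cost of a multi-day outage

# Constructed candidate controls: control -> (leaf affected, cost, new leaf probability)
MITIGATIONS = {
    "remote_access_mfa":  ("exploit exposed remote access", 50_000.0, 0.02),
    "phishing_training":  ("credential phishing succeeds", 20_000.0, 0.30),
    "usb_lockdown":       ("infected USB reaches a workstation", 10_000.0, 0.05),
}

if __name__ == "__main__":
    print(f"baseline expected loss: ${expected_loss(SAMPLE_TREE, CONSEQUENCE_USD):,.0f}")
    for name, reduction, per_dollar in rank_mitigations(SAMPLE_TREE, CONSEQUENCE_USD, MITIGATIONS):
        print(f"{name:20s} reduces loss by ${reduction:,.0f} ({per_dollar:.1f} per $ spent)")
```

With the constructed values the root succeeds with probability about 0.32, giving an expected loss of roughly $1.6M; the MFA control removes the most absolute risk, but the cheaper USB lockdown wins on reduction per dollar, which is exactly the kind of trade-off the top-down number lets an organization argue about systematically.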
The conversation segued to the Internet of Things (IoT) and projections for the future – including multiple “computers” on one’s person, and monitoring them for medical purposes. He also called for governments to step in and create liability laws (which he likened to “fire codes”) for at-risk systems.
In the show’s final segment, Rettas and Saydjari discussed mentorship, ammunition for adversaries, entering the industry and learning from mistakes.
On mentorship in the criminal underworld, he said there are two classes: informal organized crime (with its own hierarchy, including mentorship in various forums) and formal structures (e.g., the tens of thousands of Chinese cyber attackers who have come up through the ranks).
He also acknowledged that books, shows, blogs, etc., give attackers some “ammunition” when they discuss defense efforts, but said the benefits of educating the cyber workforce far exceed the downside of giving hackers a slight advantage about a previously unknown area of the attack surface.
Saydjari also called for new professionals to “understand the breadth” of the space before entering, and to read about principles for a holistic view (versus a narrow or specialized one).
The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.