DETROIT — Gov. Rick Snyder says the state of Michigan gets attacked by hackers half a million times a day, so he’s got a reason to be worried about cybersecurity.
Monday, more than 500 people shared those concerns — and
best practices in keeping data safe — at the North American
International Cybersummit at Cobo Center.
In a keynote speech, Snyder worried about a future in which
autonomous vehicles and web-connected pacemakers could be
hacked. “The threats we have today are only going to
exponentially increase,” he said. And he said that while Michigan
has taken steps to get better prepared for cyberattack, “we’re ill
prepared today compared to how we need to be prepared.”
Snyder said the state has created a Cyber Command within the
Michigan State Police to monitor the web for hacker attack. And
it’s created the Michigan Cyber Range, a virtual environment
where “we can essentially attack one another, where we can
safely test things.” (He thanked the nonprofit Merit Network Inc.,
the Michigan National Guard, the state’s universities and the
private sector for creating the Cyber Range.) And Snyder touted
the creation of the Michigan Cyber Corps, a group of private
sector IT experts who can be pulled together in a cybercrisis.
Snyder said government doesn’t have the resources to staff up
to protect against all online threats — and should instead model
its actions on the American citizen soldier concept from wartime.
The scope of the challenge is clearly enormous. In a panel
discussion, Lt. Gen. Edward C. Cardon of the U.S. Army
Cybercommand said the military’s IT infrastructure is “like the
land of 1,000 tribes,” with many proprietary systems that must
be brought to heel on security issues.
In another keynote, former U.S. Homeland Security Department
secretary Michael Chertoff, said even kindergarten isn’t too
early to start talking to children about “cyber hygiene and your
responsibilities when using the internet.” He said recent attacks
against J.P. Morgan, the White House and the U.S. State
Department show “a target rich environment for bad people.
How do we secure ourselves in a way that doesn’t interfere with
the benefits of a connected world?”
Chertoff said the effort isn’t about eliminating cyberattack, but
managing the risk of those attacks. The internet by its nature is
designed to be an open, resilient system — parts of its
predecessor systems were designed to work after a nuclear
war, after all. But that means the system was also designed to
assume other users are trustworthy, a dangerous assumption in
Chertoff said overt criminal acts on the internet get the most
publicity, but stealing identities and tricking people into engaging
in fraudulent transactions isn’t much different from crimes that
have been going on for generations. What is new is the scope
of what’s available for theft — corporate intellectual property is
now on systems that can be breached. The other difference,
Chertoff said, is the rise of activists willing to mine for personal
information to intimidate or embarrass their political opponents.
Nation-states are frequently the biggest threats in today’s cyberbattles, Chertoff said. And he said the recent return to near-Cold War tensions with Russia means they may decide to, for example, hack into other nations’ oil refining systems to boost the price of oil.
There’s also huge economic opportunity in cybersecurity. “We now have negative unemployment in the cybersecurity area,” said.Rand Beers, Deputy Assistant to the President and Deputy Homeland Security Advisor on the National Security Council Staff of the White House, another keynoter at the event. “What that means is that there are more jobs in this field today than there are people trained to do these jobs. Basic economics tell us that this will eventually be sorted out, but we need people in these jobs, we need this done today.”
In another panel, Albert Kinney, director of the cybersecurity practice at the U.S. public sector business of Hewlett-Packard, said top management frequently doesn’t know the extent to which a business is dependent on IT for its operations — and that there are also “interdependence” risks operating on the internet — for example, a cruise ship cutting a fiber optic cable may cause the web to reconfigure to send data through countries where it’s vulnerable to theft. He agreed with Chertoff that it’s remarkable that the internet keeps as much information secure as it does, given that the network “was designed to share information, not protect it.”
And, panelists said, an employer’s No. 1 investment has to be the training and skill of its IT staff. Investing in automation of security and finding an organization to benchmark against were other recommendations.
In a later breakout session, panelists explored the parallel tracks of cybersecurity, the military and connected vehicles.
“The security implications of connected cars are enormous,” said Karl Heimer, senior research director of the cyber-innovation unit of the research institute Batelle. “It will touch every area of our lives. It will touch our national security.”
Heimer said it’s critical to build a pipeline of new young talent in the cybersecurity industry — which the industry has done with an event called the Cyber Auto Challenge, in which high school and college students are challenged to hack cars by the automakers. And they’re able to — using the infotainment system as an entry point.
Richard Wallace, director of transportation systems analysis at the Center for Automotive Research, noted that General Motors has promised at least a partially self-driving car by 2016.
And cars are increasingly complex Michael C. Dudzik, president and CEO of the IQM Research Institute, said today’s auto has almost as many lines of software code as an F-16 fighter jet.
Dr. Joe Adams, vice president of research at Merit Network, who
runs its Michigan Cyber Range cyberattack training center, said in a later panel on work force development that he’s emphasizing retraining veterans for IT security roles, because they’re accustomed to dealing with security. And Sanjay Rai, president and CEO of the Bloomfield Hills security consultants Securely Yours LLC, said he’s not sure there’s a shortage of IT security talent — or whether more of them are now just being recruited to work for the bad guys. “We’re starting to see a trend that the dark side is becoming stronger — the nations, the drug cartel,” Rai said.
Benjamin Scribner, Program Director, National Cybersecurity
Professionalization & Workforce Development Program,
U.S. Department of Homeland Security, noted that “it’s very hard
for employers to fill the cybersecurity opening that they’ve got.”
He said the department wants educators to align programs to
specific jobs, and employers to set out better defined career
paths and opportunities for cybersecurity professionals. “We don’t have clearly defined roles that feed into a clearly defined job market” at this point, Scribner said. More about Scribner’s office at www.niccs.us-cert.gov.