Mr. Brad Boston - Senior Vice President, Cisco
Mr. Brad Boston
Cyber Security and the Spreading Challenges
To answer Bob Lentz’s original question of whether the good guys or the bad guys are benefiting from the information revolution, the bad guys do have an advantage because they do not play by any rules. Governments, enterprises, and companies often play by too many rules, and you have to figure out whether they are the right rules, regulations, or standards to adopt in order to be able to deal with the constantly changing threat. In an area that has a constantly changing threat, we spend way too much time deploying static defenses, and as a result those defenses cannot adapt to the attacks as rapidly as the attackers change them. We need to spend much more time thinking about how to deploy proactive technologies, tools, and defenses that can help us learn as the attacks are modified. Some of that technology is being developed today.
FOCUSING ON THE ENTIRE PROBLEM
We also currently focus on a subset of the problem, and that is usually whatever just happened to us. While a lot of the industry focuses on denial-of-service attacks and viruses as Minister Aaviksoo indicated, there are a lot of other potentially more damaging ways of attacking our information infrastructure, especially for defense, government, and private sector organizations. The bad guys want to do one of four things:
(a) Interrupt your operation so you cannot operate—that is the traditional denial-of-service attack.
So we have to think much more about the whole problem instead of just about what we dealt with yesterday.
UNDERSTANDING HOW TO DEPLOY TECHNOLOGY
One challenge we see when we talk to government customers around the world is that they do not know how to deploy a lot of the tools and technologies they already own. We need a better public–private partnership so that we can learn how to deploy those technologies in a way that will strengthen our defenses. Once you get those basics deployed, then you can start spending more time on some of the proactive technologies that exist today. So our defenses have to become much more proactive, we need multiple defense-in-depth approaches, and we also need to know how to operate through an attack. At Cisco, we take most of our business through the Internet, and we get attacked at the end of every quarter of every year, which is the last day of business. I dare you to figure out what the last day of our quarter is, because we have a very bizarre fiscal calendar year, yet the bad guys know it, and on the last day of every quarter we get an enormous, vengeful attack on our Web site that we have to learn how to operate through. There are a number of things that we do ourselves or in partnership with our service providers that provide our connections to the Internet, and we need to be able to operate through an attack.
LOOKING AT THE BIG PICTURE
Concerning the four problems that can occur, we need to stop thinking about specific technologies or techniques that have consumed us in the past, such as viruses and denial of service, and step back and take a look at what is common to all the attacks. What is interesting here is that all the attacks exploit some software in your computer, in your router, in your switches, and so on. The bad payload that activates whatever the weakness is can be delivered through a number of different ways. We focus primarily on the Internet, so a bad payload can be delivered via the Internet; by e-mail, which also comes through the Internet; by a Bluetooth connection that is wide open unless we have it secured; through removable disks; from USB devices, which are memory sticks and have major potential exposure. And with the one and a half trillion or whatever the number is mobile devices that will be on the Internet, let me ask how many of you take your cell phone and plug it in with the USB connection into your PC? Payloads get delivered in a number of different ways, and they are going to continue to increase.
We need to start looking at what happens once a payload has been delivered, what it does to compromise your system. It can compromise your system in only a couple of specific ways, and tools have been developed by Microsoft, Symantec, McAfee, and others that look at certain activities that are traditionally used to cause damage to a system. If we can start alerting people that something bad is about to happen, and if we can stop whatever is happening, protect your machine, and become more proactive in your defenses, only then will we be able to get ahead of the curve. There is a lot we could be doing, but I think we are thinking about the problem in the wrong way.
MANAGING THE SUPPLY CHAIN
I would now like to talk about the fact of globalization. We heard about the China issue with the manufacturing of semiconductors, and a lot of discussion has been going on in my country and with NATO and NATO members about the impact of globalization on the supply chain. In my company we do R&D and manufacturing all over the world, and we outsource components all over the world. But there are now a lot of activities bent on anchoring things down—the thought is, Let’s build everything in our country and we will be safe, or let’s move the supply chain and the factories all back to the U.S. and the problem will go away. The reality is that this does not solve the problem; if we try to put in secure supply chain techniques, our adversaries will still be able to deliver that modified piece of hardware whether I made it in my factory in the U.S. with all U.S. citizens or whether I made it overseas in China.
So we need to think about the problem in a much different way, and we definitely need to work with governments on the threats so that we, the technology providers, can help figure out solutions to those threats. The U.S. government wants to do three things concerning cyber security:
(a) Buy the best technology available, made anywhere in the world at a commercial price—they don’t want to pay a premium anymore if they can avoid it.
There are a lot of good intentions about how we should manage the supply chain, but until we have a more specific technical conversation with the appropriate authorities who understand the threat, we in the industry cannot do the things we must do to fix the problem. We need to have government partners who will work with us on the specific threats so that we can work on solutions to help mitigate, reduce, and eliminate those threats.
THE EFFECTS OF LEGISLATION, CERTIFICATION, AND STANDARDS
Regarding legislation, regulation, and certification, we understand the intent of certifications and why everyone wants to create legislation, national cyber security strategies, and policies. Here again we need to work very closely with governments in order to develop those. The certification processes we carry out today for security products in particular are often longer than the life cycle of the products we are certifying. That guarantees that you will not use current state-of-the-art defenses in your network.
The serial nature of many certifications makes that problem even worse. In the U.S., a number of people in Congress have become very excited about the issue of cyber security because of the Google incident and other incidents that have happened. They are well intended, but they are uneducated on the issue, and we are spending a lot of time and energy working with them to help them understand the unintended consequences of the controls and legislation they propose. In our case, if they implement some of the current drafts of legislation in the Senate, we would in effect be developing a Maginot Line for information security. We would be basically guaranteeing that we will be way behind the times, because we will have too many rules that will make it hard to keep up with the pace of technology and we will fall farther and farther behind the bad guys. So, again, we have to work very closely with governments to understand the need for these things, and the need to have things that you can trust, that you can put into your operations. But we have to go about doing that in the right way.
Finally, I would like to talk about standards. Standards are a very interesting concept and there are many standards out there. Open standards are very good because they allow things to interoperate. But I know a number of organizations that have thousands of standards, and if the standards are not enforced or cannot be enforced, they are merely suggestions. Then all of the time and effort, and the energy and dollars, that were put into developing them are all wasted; instead of having thousands of standards to allow the ultimate flexibility, you end up having thousands of standards that limit your flexibility. So you need to step back and take a look at a half dozen to a dozen high-level technical standards or decisions you can make that you can ruthlessly enforce to give you a chance.
Another problem we encounter when we deal both with legislation in Congress and with acquisition authorities in governments all over the world is that too often you tell us how to do things as opposed to what you want to do, which results in our giving you what you asked for instead of what you really want. So, again, we need a much better dialogue between government and industry as to what the problem is and how we can develop a solution for it.