How an offensive strategy could transform cybersecurity

At a Passcode event in Washington, Carnegie Mellon University cybersecurity expert David Brumley said digital defenders need to attack their own systems to discover the flaws.

Michael Bonfigli/The Christian Science Monitor
Dr. David Brumley, the Director of CyLab, Carnegie Mellon University's Security and Privacy Institute and Passcode deputy editor Sara Sorcher speak at a Christian Science Monitor event in Washington on December 14, 2016.

As cybersecurity firms prepare for another year that could be full of high-profile breaches, they're looking for fresh ideas to keep criminal hackers out of computer networks.

On Wednesday, as news of suspected Russian tampering with the US election dominated headlines, Passcode gathered experts from government, academia, and the private sector to discuss how digital defenders can respond to the scourge of incidents. David Brumley, head of Carnegie Mellon University’s CyLab, a cybersecurity research and education institute, had one idea: Prepare for hackers by invading your own network.

“For years it’s been defense, defense, defense. That’s only part of the equation,” Mr. Brumley said at the event in Washington. That chanting might sound good in a football stadium, but in cybersecurity, “we owe it to ourselves to have the best hackers break into our networks,” he says.

Brumley is at the leading edge of research that may one day make this kind of strategy more commonplace – and even autonomous. The Carnegie Mellon professor led ForAllSecure, a team of computer science graduate students, to victory in the Cyber Grand Challenge – an automated cybersecurity competition at this year’s DEF CON hacker conference in Las Vegas hosted by DARPA, the Defense Department’s in-house technology incubator.

“There’s this great promise of defense at internet speeds,” he says. “But when you can break everything at internet speeds, that’s really dangerous.”

Many companies that are targeted with cyberattacks, such as financial institutions, healthcare organizations, and government agencies, have begun to deploy so-called penetration testers, professional white hat hackers who simulate cyberattacks on sensitive computer networks.

But Brumley thinks an era in which automated machines take over cybersecurity from humans might be at least 20 years away. In the interim, governments are looking for new ways to insulate themselves from criminal hackers, known in the cybersecurity community as “black hats.”

“The extent to which all defenses are vulnerable to human error and anything that relies on single end users doing the right thing is flawed from the start,” John Nicholson, first secretary of cyber policy at the British Embassy in Washington, said at Wednesday’s event. “There’s a range of lines of effort where we think there’s a legitimate role for government to work with industry.”

To that end, the British government released a “National Cyber Security Strategy” in November that sets out a roadmap to kickstart the country’s digital security efforts by 2021. London plans to invest more than $2 billion to boost cybersecurity in the next five years, and has established a National Cyber Security Centre (NCSC) to coordinate digital defenses.

Around the world, governments are also championing the development of computer emergency response teams – known as CERTs – technical experts that analyze and respond to major cybersecurity incidents, and mutual legal assistance treaties such as the Budapest Convention that make it easier to prosecute cybercrime cases internationally.

But although experts at Passcode's event praised global efforts to facilitate the flow of intelligence on cybersecurity, some cautioned against putting too much stock into information sharing.

“It’s possible to put too much emphasis on [information sharing] in the policy environment,” said Robert Sheldon, director of policy at Business Executives for National Security, a Washington-based nonprofit. “If the government isn’t going to be fairly aggressive about it, then they might not add value over what’s happening in the private sector.”

And as Donald Trump and his team prepare to take up residence in the White House next month, Carnegie Mellon's Brumley hopes the new administration continues to invest in automating cybersecurity efforts to catch up to the quickening pace of the threat.

“If we’re relying solely on manpower we’ll lose. We need to automate security to assist these people,” he said.

“We just showed you the equivalent of rockets,” Brumley said of this summer's DARPA challenge. “Let’s go to the moon.”
