How an offensive strategy could transform cybersecurity

At a Passcode event in Washington, Carnegie Mellon University cybersecurity expert David Brumley said digital defenders need to attack their own systems to discover the flaws.

Dr. David Brumley, the Director of CyLab, Carnegie Mellon University's Security and Privacy Institute and Passcode deputy editor Sara Sorcher speak at a Christian Science Monitor event in Washington on December 14, 2016.

Michael Bonfigli/The Christian Science Monitor

December 16, 2016

As cybersecurity firms prepare for another year that could be full of high-profile breaches, they're looking for fresh ideas to keep criminal hackers out of computer networks.

On Wednesday, as news of suspected Russian tampering with the US election dominated headlines, Passcode gathered experts from government, academia, and the private sector to discuss how digital defenders can respond to the scourge of incidents. David Brumley, head of Carnegie Mellon University’s CyLab, a cybersecurity research and education institute, had one idea: Prepare for hackers by invading your own network.

“For years it’s been defense, defense, defense. That’s only part of the equation,” Mr. Brumley said at the event in Washington. That chanting might sound good in a football stadium, but in cybersecurity, “we owe it to ourselves to have the best hackers break into our networks,” he says.


Brumley is at the leading edge of research that may one day make this kind of strategy more commonplace – and even autonomous. The Carnegie Mellon professor led ForAllSecure, a team of computer science graduate students, to victory in the Cyber Grand Challenge – an automated cybersecurity competition hosted by DARPA, the Defense Department’s in-house technology incubator, at this year’s DEF CON hacker conference in Las Vegas.

“There’s this great promise of defense at internet speeds,” he says. “But when you can break everything at internet speeds, that’s really dangerous.”

Many companies that are targeted with cyberattacks, such as financial institutions, healthcare organizations, and government agencies, have begun to deploy so-called penetration testers, professional white hat hackers who simulate cyberattacks on sensitive computer networks.

But Brumley thinks an era in which automated machines take over cybersecurity from humans might be at least 20 years away. In the interim, governments are looking for new ways to insulate themselves from criminal hackers, known in the cybersecurity community as “black hats.”

“The extent to which all defenses are vulnerable to human error and anything that relies on single end users doing the right thing is flawed from the start,” John Nicholson, first secretary of cyber policy at the British Embassy in Washington, said at Wednesday’s event. “There’s a range of lines of effort where we think there’s a legitimate role for government to work with industry.”


To that end, the British government released a “National Cyber Security Strategy” in November that sets out a roadmap to kickstart the country’s digital security efforts by 2021. London plans to invest more than $2 billion to boost cybersecurity in the next five years, and has established a National Cyber Security Centre (NCSC) to coordinate digital defenses.

Around the world, governments are also championing the development of computer emergency response teams – known as CERTs – technical experts that analyze and respond to major cybersecurity incidents, and mutual legal assistance treaties such as the Budapest Convention that make it easier to prosecute cybercrime cases internationally.

But although experts at Passcode's event praised global efforts to facilitate the flow of intelligence on cybersecurity, some cautioned against putting too much stock into information sharing.

“It’s possible to put too much emphasis on [information sharing] in the policy environment,” said Robert Sheldon, director of policy at Business Executives for National Security, a Washington-based nonprofit. “If the government isn’t going to be fairly aggressive about it, then they might not add value over what’s happening in the private sector.”

And as Donald Trump and his team prepare to take up residence in the White House next month, Carnegie Mellon's Brumley hopes the new administration continues to invest in automating cybersecurity efforts to catch up to the quickening pace of the threat.

“If we’re relying solely on manpower we’ll lose. We need to automate security to assist these people,” he said.

“We just showed you the equivalent of rockets,” Brumley said of this summer's DARPA challenge. “Let’s go to the moon.”