Greater understanding of cyberspace and government support for improving cybersecurity are urgently needed, according to a panel of cyber experts who spoke Oct. 17 as a part of the Washington, D.C. CyberWeek.
The panel in the Healey Family Student Center Social Room featured David Fahrenkrug, a former U.S. Air Force analyst and current director of strategic planning at Northrop Grumman; Meredith Burkart, an assistant professor in the Center for Security Studies in the School of Foreign Service; and John Wood, the CEO of Telos Corporation, a private technology consulting company. Suzanne Hall, a managing director at PricewaterhouseCoopers, moderated the discussion.
D.C. CyberWeek is a weeklong festival that gathers leaders, experts and decision-makers from public and private sector technology communities.
The panelists emphasized the need for more experts in the cyber field. Wood, whom Gov. Terry McAuliffe (D-Va.) appointed in 2014 to serve in the Virginia Cyber Security Commission, said that he was particularly struck by the discrepancy between the requirements and the reality of cybersecurity experts’ capabilities for the United States’ current needs.
Wood said that the Chinese government has trained “cyber warriors” to fight for the country’s covert national interests. This gap is only exacerbated by the lack of interest that students in the United States have for science, technology, engineering and mathematics.
“In 1999, the Chinese government made the decision that they couldn’t beat us militarily, and they couldn’t beat us financially — and that remains to be seen — but they decided to build a cyber-warrior program, and this past year, the Chinese government graduated just under 2 million cyber warriors,” Wood said.
That program, coupled with the discrepancy between government spending on cyber funding and funding for other defense areas, has put the United States at a distinct disadvantage, according to Wood.
“We mentioned that the military made the decision — rightfully — that it’s not just air, land, sea and space that we defend, but there was a fifth domain called cyber,” Wood said. “If you look and see what goes into cyber, it’s less than what JPMorgan Chase [& Co.] spends on defending its own bank from a cybersecurity perspective.”
President Donald Trump’s 2018 fiscal year budget proposed $1.5 billion for the Department of Homeland Security to defend federal networks and infrastructure from cyberattacks, constituting 3.4 percent of the department’s total $44.1 billion budget.
Wood said he considers three necessities to catch up with other leaders in this field: leadership at the state and federal levels, investment and passion from the public.
“We need to have courage to make investments,” Wood said. “We need a race to the moon because we are falling behind.”
Burkart stressed the importance of communication between the government and the private sector and among private sector corporations susceptible to cyberattacks.
“In the last decade, we’ve learned the value of people talking to each other, of information sharing, and then following up on information that’s shared,” Burkart said.
In the seven years that she has worked for the government in the cybersecurity domain, Burkart said that she has seen a slow shift in the extent of the federal government’s engagement with the private sector. She said the lack of a single method to store data after a cyberattack is a major obstacle.
“It might take days; it might take weeks; it might even take certain teams offline to employ the methods to normalize that data and compare the two data sets to see what’s going on between them and get back to each other,” Burkart said.
Wood said the federal government still largely programs in Cobol, an outdated programming language, while the private sector has updated its programming systems.
The importance of data sharing lies in the discovery and prevention of attacks, according to Burkart. Burkart said the financial service roundtable, an agreement between major banks to share information after an attack, provided that the other parties do not use the information publicly to their advantage, was created in 2000 to foster collaboration in preventing new threats against cybersecurity.
Fahrenkrug said that the military must address foreign cyber threats, even if that includes monitoring personal data.
“The military’s role — and the national government’s role — is to address that: What are the actual threats to the country?” Fahrenkrug said.
Burkart said that cybersecurity defense should be built into a company’s business model, because costs associated with security are losses companies would prefer to spend now rather than later.
“As costs accrue, and more bad actors enter this space — and, by the way, more bad actors are capable of entering this space because the bar is much lower these days — there will be more threats to the private sector,” Burkart said. “And the potential cost will increase, and with that cost, I believe that more resources will be put forth to defending against it.”