O. Sami Saydjari | Weak spots on cyberdefense

 


After a 20-year career at government defense agencies, O. Sami Saydjari likes to think strategically about cyberdefense.

Despite growing attention to the security of the nation's critical infrastructure, the United States' increasing dependence on interconnected resources has left us more vulnerable than ever before, he says, and neither government nor the private sector has the means to solve the problem alone.

Saydjari spent 13 years with the National Security Agency, where he was an NSA fellow in 1993 and 1994. And for three years, he was the information assurance program manager for the Defense Advanced Research Projects Agency. Today Saydjari is CEO of the Cyber Defense Agency, a private research and consulting organization headquartered in Wisconsin Rapids, Wis., focused on defending high-value systems such as the power grid from cyber-attack. He talked to GCN about the state of cybersecurity.

O. Sami Saydjari, CEO, Cyber Defense Agency

GCN: What trends are you seeing in cyberattacks?

SAYDJARI: The attacks over the last 15 or 20 years have been increasingly sophisticated, and the quantity of attacks has grown exponentially. By sophisticated, I mean they are more stealthy, they are more complex and they are targeting more complex layers, such as operating systems and networking protocols. That makes them potentially more dangerous.

The payloads of the attacks often are fairly minor, compared to what they could be. We haven't seen a lot of attacks that have been optimally malicious. A lot of them seem to be experiments or games that are being played by hackers.

GCN: Have you seen that attacks are becoming more targeted on financial gain?

SAYDJARI: Yes. I would call that the criminalization of hacking, where the criminal element is beginning to employ these techniques.

GCN: How vulnerable is the U.S. critical infrastructure?

SAYDJARI: Twenty years ago, the infrastructure operated separately from the Internet and other open networks. So in some sense, the level of vulnerability has gone up simply because the level of interconnectedness has gone up significantly. This is excellent for productivity but creates a propagation of vulnerabilities.

At the same time, security in the end systems also has gotten better in the last five to seven years. There are some good trends here. More security products are coming out, firewalls have gotten a lot better and virus detection is quite good. So there are improvements in defenses, but if you compare it to the trend of increasing interconnectedness and dependence, overall the vulnerability has gone up substantially.

GCN: How does this compare with the security of U.S. government systems?

SAYDJARI: I would say it's identical. The government in many ways mirrors what is going on in industry. There are a small number of agencies that are doing quite well, and there are others who do quite poorly. On average, I would say that defenses are less than they could be, and our risks are higher than they need to be.

GCN: What are the two things industry and government could do to improve security?

SAYDJARI: The two things I would suggest are risk management and risk management. I think industry is immature with respect to the state of system engineering, figuring out how to manage your security investment for optimum risk reduction. Parts of industry have begun to manage their risk in a way that is an engineering discipline. They measure their risk, they measure what they are doing to limit it and they insure their residual risk.

What is missing from the IT security community now is an understanding of which security mechanisms, which policies and procedures, what kinds of management decisions will have a major impact on security, and which ones simply are a sink of resources that don't have a major benefit. Decision-makers don't have the kinds of tools and techniques they need to make those kinds of decisions.

GCN: What are the differences between nation state and non-nation state adversaries?

SAYDJARI: Hackers have very limited resources at their disposal. They can develop very sophisticated attacks, they can reuse their toolkits and do interesting things. But in terms of massive damage, that is highly unlikely. To accomplish that kind of damage, you have to do military-style campaign planning. It will require insiders to cooperate and install some malicious software. It will require, in some cases, years to accomplish this and quite a bit of money to buy the equipment, test beds and experiments that will be needed to orchestrate the complex of attack steps that would be necessary to have a strategic, damaging effect.

GCN: So how do we go about defending ourselves from nation states?

SAYDJARI: The current national policy talks about the critical infrastructure providers doing a better job of defending their systems, and it makes a good set of recommendations for them to follow. But it falls short in that the commercial infrastructure providers can only be asked to do what is commercially viable, and no more. We can't ask them to defend against nation state adversaries just because they happen to be on the front line of a cyber-war. We are going to have to find a way as a country to invest in hardening our infrastructure that goes beyond what companies are commercially incentivized to do. We have to look at ways of subsidizing these companies through tax breaks or other kinds of relief systems to help them make the investments they need because it is so critical to our economy.

The second thing that is needed is the government has to step in to provide situational awareness that crosses industry domains. We have no way of correlating attack information and watching the situation across domains. We need a capability to do that, and we need to develop strategies and mechanisms for sending out commands when situations develop, and the critical infrastructure providers need to be able to execute those commands quickly to stop those attacks. We need eyes and hands to defend ourselves, and that would require an investment in government programs.

GCN: How prepared are we to recover from a cyberdisaster?

SAYDJARI: Our preparedness is approximately zero in terms of recovery. I don't think that has gotten the attention it requires from the government or the critical infrastructure providers. We have to figure out how not to have a situation like Katrina happen in the cyberworld. I think adversaries are going to take advantage of that and look at how to damage our infrastructure to maximize how long it takes us to recover from a disaster.

GCN: Are federal officials focusing on the right things?

SAYDJARI: A good trend in the last 20 years is that the government has become aware of the problem. The fact that I have had conversations with Congress members is a good indication that education has been successful. People are beginning to understand the issues.

GCN: Whom have you been speaking with in government, and what were their concerns?

SAYDJARI: Senators and congressmen who have some relationship to the cyberarena. This is just the start of a process for others. The idea is to help them understand the role they play in cyberdefense and to discuss our national policies and where they can be improved.

GCN: Are they receptive?

SAYDJARI: I found them very receptive. In addition to those I talked with, there are a number of other senators and congressmen who are concerned that the resources and level of priority we are giving to cyberattacks in this country are inadequate. They are very interested in finding ways to improve that situation.

For example, we don't have any program to develop the eyes and hands of cyber-defense that I mentioned earlier. Such a system would take a minimum of three years to develop, and in the middle of an attack is not the right time to begin that development. The lack of cyber-recovery is another example. There are many places where we can make improvements over existing policies.



