In less than a decade, cyber has evolved from an issue that didn’t warrant inclusion in threat assessment briefings to the leading threat to U.S. national security. Addressing that threat will require heightened defenses, new federal policy, a cadre of experts and robust innovation from the private sector.
That was the message from Matt Olsen – Co-founder of IronNet Cybersecurity and Former Director of the National Counterterrorism Center – to more than 200 participants at the Fort Meade Alliance’s 5th Annual Industry Day.
As recently as a few years ago, the Director of National Intelligence did not mention cyber in his open threat briefing to Congress, Olsen said.
“The past three years, cyber attacks have been the number one threat – above terrorism, above Russia, above China,” he said. “We now know this has become an urgent national security crisis for our country.”
Both the number and nature of attacks has changed dramatically in recent years, making cyber a complex and dynamic threat.
Attacks have ranged from Russian hacking that interfered with the 2016 elections to the data breach (reportedly by China) at the Office of Personnel Management to the data-destroying attack on Sony by North Korea.
Attacks on corporations have become “increasingly easy to pull off and cheap,” Olsen said. “Reports are that the malware used in the Target attack cost about $2,000 to buy on the Internet.”
Sophisticated organized crime operations are launching more frequent ransomware attacks on companies while state actors are demonstrating the ability to inflict heavier damage through their cyber campaigns.
In late 2016, a cyber attack reportedly executed by Russia crippled part of the Ukrainian electrical grid, leaving tens of thousands of people without power in the dead of winter.
“In 2012, more than 30,000 computers inside Saudi Aramco were destroyed by an attack… Turned the hard drives into bricks,” Olsen said. “Reports are [the attack] likely came from Iranian actors.”
Another harsh reality that cyber experts have recognized in recent years is “the offense almost always wins,” Olsen said. “Attacks happen fast. About 90 percent of breaches took attackers a minute or less. Then the average time from the breach to get administrative rights, to move up that chain, was three days… In 83 percent of cases, companies took weeks or longer to identify that they had been breached. The average time from breach to detection, according to one study, is 150 days.”
Furthermore, the cost of those attacks is staggering. The cost of recovering from a single data breach averages $5.5 million.
Combatting cyber threats is fraught with multiple challenges.
First, “the Internet was not made to be defended,” Olsen said.
By some estimates, there will be 30 billion devices connected to the Internet by 2020 – a major security issue considering that most denial of service attacks involve printers and cameras.
Second, the U.S. does not yet have adequate policies to address cyber even though it has become a “weapon of statecraft.” Federal legislators need to determine how to best organize civilian, military, homeland security and private sector efforts to defend against cyber threats.
Finally, government needs to foster extraordinary collaboration on cyber efforts with the private sector which runs most of America’s critical infrastructure.
“The reality is the solutions are going to come from the ingenuity of our private sector and the market forces that will help drive us toward better solutions,” he said.
FMA Industry Day featured a panel discussion with three individuals who are deeply involved with contracting that expertise: Tony Davis, USCYBERCOM Acting Command Acquisition Executive; Diane Dunshee, NSA Deputy Director of Business Management & Acquisition and Deputy Senior Acquisition Executive; and Douglas Packard, DISA Director of Procurement Directorate & Chief of Defense Information Technology Contracting Organization.
Panelists discussed a range of federal initiatives that are impacting federal contracting for cyber services. Those include the NSA 21 Initiative – an extensive review and tailoring of NSA programs and spending to align all efforts with NSA’s culture and strategic goals. NSA 21 is expected to start impacting the agency’s budget and contracting in FY ’18.
Panelists also discussed the challenges and trends affecting cyber contracting.
Traditional government contracting models are challenged to keep pace with rapid changes in the technology landscape, Davis said. Consequently, some agencies are accessing funds to conduct rapid prototyping of technologies and tailoring some contracts to enable the inclusion of emerging technologies.
“With a businessman as president of the United States,” government is expected to continue contracting private companies for many services, Packard said. And that contracting may follow a particular theme in the next few years. The administration of President Barack Obama stressed transparency in contracting arrangements.
“For eight years transparency was the first word you used on a slide to brief any department official,” Packard said. “For the next four years, the word will be innovation.”