The 8th Annual Billington CyberSecurity Summit. The Summit is an annual conference held in Washington DC. Attendees include cybersecurity professionals from both the private and public sectors. The agenda consists primarily of panel discussions where industry leaders provide insight and observations on current trends in the field. Military officers, intelligence veterans, CISOs, and political leaders serve as keynote speakers. This year’s speakers included Director of National Intelligence Daniel Coats and Special Assistant to the President Robert Joyce. The event also provides a great opportunity to network with professionals from major tech companies such as Lockheed Martin, Cisco, and Northrop Grumman.

The panel discussions and keynote addresses cover CyberSecurity topics where both government and corporate interests align or overlap. For example, threats to America’s infrastructure were a major point of discussion. David Hogue, Technical Director of the NSA’s CyberSecurity Threat Operations Center, describes attacks on America’s power grid as “relentless.” Cyber-based attacks on “the grid”—the series of power plants, substations, and municipal utilities that keep our lights on and our toilets running—could be devastating. Imagine what a power outage could mean for Boston in the dead of winter, or Phoenix during peak summer heat. Christopher Krebs, a senior DHS official, expressed some optimism on the subject, saying the power companies’ response to physical disasters is “truly a thing of beauty.” The trick is duplicating that efficiency in response to digital disasters.

Billington CyberSecurity Summit annually meets in Washington DC

CyberSecurity Threats

In the case of the power grid, CyberSecurity threats were once found only in the pages of Tom Clancy novels, but they became nonfiction in 2015, when hackers attacking power substations in Ukraine caused a major blackout. Elements of the Ukrainian power grid are comparable to ones in the United States. It is suspected that Russian actors were responsible for the attack in Ukraine, but it is unclear whether the operation was state sponsored.

As expected, Russia frequently came up during discussion. On whether Russia was responsible for the hack of the Democratic National Committee’s servers, Rick Ledgett, the former Deputy Director of the NSA, asserted, “I am as certain of this as I am of gravity.” He also expressed certainty that this was done “with intent to influence the election.” The recent recommendation from the Department of Homeland Security to remove any and all Kaspersky Lab software from US government-owned systems also drew some questions. Special Assistant Joyce claimed that Russian law mandates that any company headquartered in Russia must comply with demands from the FSB, the Russian equivalent of the CIA. This was deemed an “unacceptable risk.” Posting on LinkedIn, Eugene Kaspersky, the company’s CEO, has since labeled his firm “the first victim of U.S. latest witch hunt.” It is unclear at this time whether other companies with ties to Russia will face similar action.

Bring Your Own Application

Panelists explored the increasing trend of BYOA (bring your own application) and the associated risks. Most IT security professionals are already cognizant of the risk of BYOD (bring your own device). A policy that permits employees to use personal devices at work can reduce costs and increase flexibility. But personal devices may include legacy technology or insecure operating systems. This challenge is further compounded by users installing a diversity of personal software products, each of which may violate compliance or become exploitable. As both hardware and software diversity widens, the complexity of the network grows, and this increases the number of vulnerabilities the security team will have to mitigate.

“Complexity is the enemy of security,” observed Philip Quade, the CISO of Fortinet. Internet of Things (IoT) devices can exponentially increase network complexity. Virtually any appliance imaginable can be made internet capable. But you being able to reach anything at any time means everything can reach you from everywhere, and therein lies the danger. Director Coats joined with several other voices urging manufacturers to build devices that are secure by design. An internet-capable coffeemaker, for example, should be made in such a way that it cannot also behave as a mail relay. Mr. Quade suggested administrators implement “earned trust” policies for IoT devices on the network, where permissions are gradually rewarded to machines for good behavior.

Enhanced cooperation between corporate and government interests is becoming imperative; greater inter-connectivity means we all increasingly face the same threats, regardless of organization type or size. “We must improve information sharing between the government and the private sector,” Director Coats asserted. Rep. William Hurd (R-TX) shared this sentiment. Federal agencies share threat intelligence with one another rather effectively. However, Rep. Hurd called for better “vertical sharing” between federal departments and local actors. “Name me one great piece of information that you got from the federal government,” he asked the crowd. After a moment of awkward silence he continued, “That’s the usual response.”

It’s not too late to hear from some of the speakers yourself. Several of the keynote addresses from this year’s summit are currently posted on YouTube. Search for the “Margaret Mcdonald” channel to find talks given by General Joseph Votel, Conrad Prince, Rep. William Hurd, and Dr. Tobias Feakin. The next Billington CyberSecurity Summit will be September 6, 2018.

Author: Louis Papa
Silent Storm Security Contributor | Security Engineer