The 2013 Washington Post Cybersecurity Summit will convene leading national security officials, industry experts and journalists to discuss cyber theft and cyber espionage. Watch this page from 8:30 a.m. – 12 p.m., Oct. 3, for updates from our live stream.
We’re wrapping up our 2013 Cybersecurity Summit. Video clips from the program will be posted throughout the day, and a full special report will be online Oct. 10.
Some takeaways from our speakers:
“Something like this will happen,” says former deputy secretary of defense William J. Lynn of Washington Post Live’s simulated cyber attack. “We’re seeing an escalation of the impact of cyber intrusions.”
Lynn recounts that the threat used to be theft of information and theft of money. “We’ve now moved up to disruption,” he says. “The third level is actual destruction. I think it’s reasonable to believe that we’re moving in that direction.”
Whether the actors are a dozen guys in flip-flops with Red Bull getting stuff on eBay or terrorist groups, there’s a greater maliciousness, according to Lynn. “How long it’s going to take, when it’s going to happen, how it’s going to happen. Unclear.”
Lynn says the focus should veer toward how government improves its sharing, within both the private and public sectors. “The threshold to gaining sophisticated destructive abilities is lower than it is in conventional military — similar in the sense of IT as a domain of warfare.”
Former deputy secretary of Homeland Security Jane Lute says the status quo is unacceptable. “If you think of the 93 member states of the United Nations, no two are handling this the same way … We need to take action. 80 to 90 percent of the critical infrastructure in this country is in private sector hands. When you think about power in cyberspace, it’s the power to connect, not the power to protect, that matters.”
Former National Intelligence General Counsel Ben Powell tells the audience we need to think about government’s role in cyberspace. “One question is how are we getting ahead of this in terms of indication and warning,” he says.
TASC Intelligence vice president Terry Roberts says, “industry is the leading actor in this stage, where government’s role is in helping set the framework” — defining the skills needed and promoting private-public partnerships in those third party entities.
Wrapping up our 2013 Cybersecurity Summit, Ronin Analytics president Mark Young adds, “In the United States, we invented the information age … We need to update our processes and infrastructure in the information age.”
Cyber attacks are relatively new territory. Today, in the form of a fictional war game, we demonstrate the plausibility of a real life cyber attack and its potential impact on the United States.
Scenario Role: Secretary of Defense
Scenario Role: Secretary of Homeland Security
Scenario Role: Director of the FBI
Scenario Role: Private Sector Interests
Scenario Role: Director of National Intelligence
Scenario Role: Various Cyber Attackers
Scenario Role: Facilitator
Only 3% of Cyber Intrusions caught by static (signature-based) devices and antivirus - Ronin #cybersec2013
Bob Stasio of Ronin Analytics says that on average "a threat lives on a network is 350 days before it’s caught." #cybersec2013
Visa’s Ellen Richey says the payment industry is not waiting for, but, rather, working with law enforcement.
“We’re pretty vulnerable,” says former deputy secretary of homeland security Jane Lute. “For a long time, we’re chasing the shiny new widget. We need to stay on top of the critical controls. We also need to focus on manpower. You can ask, [at your business], ‘are you talking to your CTO?’” The response, according to Lute, is generally “‘I don’t speak dolphin.’” Lute reiterates that managers and executives need to talk to their technology personnel.
Washington Post Live editor Mary Jordan asks Richey who she should contact in the case of a breach. “We call the Secret Service,” says Richey. “We know they’re effective in coordinating, in a multinational perspective.”
Former White House cyber czar Howard Schmidt notes that none of these things are localized. “The time to engage Secret Service and the FBI is not in the middle of an incident.” Schmidt says that companies should build relationships with government agencies before becoming a victim of a cyber incident.
Lute notes the need for best practices in reducing risk. “We’re suffering from the fog of more. It’s hard to know what works … no one knows what to do first.”
Our second panel, “Reducing the Risk of Cyber Attacks,” is on our live stream now.
“In our industry, that’s payments, we’re more worried about the economic side,” says Visa’s Ellen Richey. Richey says that though we’re aware of these hackers and nation-state actors, law enforcement isn’t responding, shutting down crime, properly or diplomatically.
Visa has 30,000 transactions a second, 56 billion transactions a year, according to Richey. “In the neighborhood, the payment industry is losing $10 billion a year from theft.”
Former deputy secretary of Homeland Security Jane Lute nods at a summit theme — we’re not talking about prevention anymore. “There are a number of things we can do way off stream, and they’re easy to do, relatively easy to do — basic hygiene we can do, but we’re not doing.” She adds that the awareness of the financial sector is incredible. “In the sector of critical infrastructure, not all are up to speed as the financial sector … there’s still a lack of knowledge, and a lack of practice.”
Microsoft's Craig Mundie on access to backdoors/vulnerabilities: "We don't engineer any backdoors into our products." #cybersec2013
Rogers "still hopeful" cyber legislation will pass despite the "white water rapids" that must be overcome #Cybersec2013
“This is a very dangerous time for us, an incredibly dangerous time for us,” says Congressman Rogers, on the live stream.
Gen. Michael Hayden says of cyber defense, “You can’t do this with just a shield, you have to have a sword.”
Microsoft’s Craig Mundie says that the last 12 months have been about qualitative change. “Unlike conventional weapons, anytime anyone shoots something in the world, all the bad guys in the world watch, and then figure out how to clone it.” The era of a purely defensive mode is over, says Mundie.
“While I think hygiene is important, people now have to be much more disciplined to figure out how they’re going to protect their personal information, as well as their core assets as a business,” Mundie says.
Mundie cites a health space analogy for what companies and government bodies need in a vulnerable cyber world. He says we need a World Health Organization equivalent for networks. “This is where I think government has a role to play,” Mundie says. “If all governments are late to the party, you do have the tendency for the private sector to come forward. In the U.S., it’s vigilantism, it’s illegal to chase bad guys up the wire and certainly illegal to shoot back. In this country, we expect the government … It’s kind of crazy, as a society we’re going to have to figure out some of these things.”
Rogers responds that the U.S. network is different. “I am very concerned in getting into the notion of unleashing companies to go into an offensive posture … we don’t have the capabilities to handle what’ll come.”