Russ Nelson
As part of the Distinguished Lecture Series at The University of Alabama in Huntsville (UAH), Dr. Ron Ross, a Fellow at the National Institute of Standards and Technology (NIST), delivered a sobering perspective on the state of cybersecurity threats. The talk was presented on the UAH campus, a part of the University of Alabama System, centering on the proactive steps needed to meet the ever-evolving cyber challenges faced in the United States on a daily basis, and how the U.S. must continually rethink methods and strategies in a rapidly shifting security landscape.
Ross heads the NIST Systems Security Engineering Project to develop standards and guidelines for the federal government, contractors and United States critical infrastructure. He also supports the U.S. State Department in its international outreach program for cybersecurity and critical infrastructure protection, focusing on computer security, systems security engineering, trustworthy systems and security risk management. The speaker has been inducted into both the National Cyber Security and Information Systems Security Association Halls of Fame.
“At West Point we were studying tank warfare in Europe while Vietnam was going on,” Ross, a 21-year veteran of the U.S. Army, explained. “We’re always fighting the last war. But the world has changed dramatically, especially in the last 10 years. How do we change our current cybersecurity strategy? We have 50 years of experience on this problem. The biggest threat today is system complexity. Complexity theory dominates everything. How much trust can you put into a system? How are those functions built? When you have trillions of lines of code, it’s amazing how well it does work.”
The speaker repeatedly drove home the point that 21st-century warfare has changed radically. “Kinetic warfare, like 911, was so different from what we have today. Cyber threats have always flown under the radar. The impact is not obvious until they pull the trigger. It’s kind of like cancer – the invisible enemy that spreads from one cell that multiplies. Bad things are happening, but you really don’t know what is going on below the waterline. The original thought was, keep the bad guys out. But we’ve found that your systems routinely get breached. They’re crawling all up and down your networks. Our view of cybersecurity has been one-dimensional. We’re trying to make it multidimensional. Once we are sure the adversary is in your system, that’s where you start. Damage limitation.”
Ross declared that the primary challenge in fighting a cyber war is recognizing that threats must be repulsed at many levels. “Once they’re in your house, they escalate privileges. They go for the low-hanging fruit first, then go for what is next. Now they have to work harder to get into your resources. Segmentation is important, where you break things down into smaller and smaller pieces to protect critical resources with a lot more granularity. Now we’re able to refresh software very quickly to re-virtualize those components. If I can’t stop them in the front door, I’m going to make their lives miserable once they’re inside and reduce their time on target.”
The essential challenge as Ross sees it is to integrate cybersecurity from the onset of a new project rather than waiting to safeguard resources once that project is complete.
“We don’t really have a cyber problem, we have an engineering problem. For example, we have a NASA project, and we’re going to work with the systems engineers from the beginning – what is the mission of the satellite? How do we protect the technology? What kind of things can the adversary do? You can’t go back and protect stuff after the fact. We want to get on the left side of the life cycle. We will get the systems engineers to work with the security engineers. It’s not about us, it’s about supporting the mission.”
Ross closed his remarks by lauding UAH and the role of academics in safeguarding the future.
“You have a great academic institution. You have great companies here who need you. Mentoring the next generation is like building a football team – you’re getting grounded in the fundamentals. Our country rolls on innovation. It’s in our DNA. Every problem the DOD has in the supply chain is now all our problems. Somebody paid it forward for me, I need to do the same. UAH is the model to aspire to. Unlike World War II where the fight was over there, the war is here.”
No comments:
Post a Comment