From computer camp at eight years old to graduating from the U.S. Merchant Marine Academy, Alexander J. Fry got a head start in an industry that finds itself in a new type of arms race. The scale of damage Americans feared as the result of nuclear weapons can now be inflicted via cyberspace.
Ever since personal computers were relatively new, Fry has been approached to resolve technical problems. From designing firewalls to securing critical applications, his hands-on approach and experience eventually led him to building information-security programs.
As president and principal security consultant of Strong Crypto Innovations since 2006, Fry and his team have provided IT security to the Department of Homeland Security, Internal Revenue Service, Social Security Administration, NASA, Department of Labor, Department of Commerce, Department of the Army and the Department of Housing and Urban Development.
With hacks occurring almost daily in both the private and public sectors, the Washington Examiner asked Fry about current and future challenges the United States faces as it develops a comprehensive cybersecurity strategy. The interview has been edited slightly.
Washington Examiner: Even though President Obama has said the cyberarena "poses the most serious economic and national security challenges of the 21st century," it is one that we have proved to be ill-equipped to handle.
As former CIA Director Michael Hayden put it, "Rarely has something been so important and so talked about with less and less clarity and less apparent understanding ..." What do you want lawmakers and government agency officials to understand about cybersecurity?
Fry: First, in order to compete, you must have hiring practices that attract and retain the best talent. You want the experts to want to contribute. If you don't give them any incentives, they will remain in the private sector. Second, there are only so many security experts who understand hacking from a hacker's point of view. So you have to hire hackers. You need the best hackers to find and fight the next generation of hackers.
You're not going to build a 'catch them all.' I see a lot of security that is compliance-based but doesn't meet strategic objectives. Some government initiatives would be quickly vetoed in the private sector because they don't meet strategic goals. The government has to think long term, define outcomes and measure progress along the way.
The strategy needs to be transparent so that everyone understands how a budgeting conflict could delay progress or cause failure. When an institution or government agency or even a small business reviews their security protocols, they have to assume the hacker already has the keys to the castle.
They are already inside your network, your server and your data. Now what? How do you defend yourself now? For that, you need the best talent and experience.
Examiner: A 2014 study by the Ponemon Institute, which measures data collection and information security in the public and private sectors, revealed that computer hackers have infiltrated and exposed the personal information of 110 million Americans — nearly half of the U.S. adult population. I've also read that more than 90 percent of Fortune 500 companies have been hacked. Why are so many cyberattacks successful?
Fry: First, I'd like to provide some clarity on the vocabulary we typically use to describe successful attacks in the information-security industry. An incident is a security event that compromises the confidentiality, integrity or availability of an information asset. A breach is an incident that results in the confirmed disclosure of data to an unauthorized entity.
Where attacks were successful, the organization often didn't have the right defenses in place for the threats that they face. For example, email is a common attack vector that both attackers and defenders understand well. There has been a continuous arms race to defend the endpoint from malware that is downloaded through email, via so-called phishing attacks, for more than 20 years.
It's an arms race because attackers test their malware against these same defenses, and so they know in advance if the attack is going to be successful. And defenders update their products after malware is seen in the wild, i.e., often after an attack has been successful.
Many organizations are still using the same static signature-based antivirus product they bought years ago to defend against attacks that continually defeat these products. Some of these antivirus products also contain vulnerabilities that can be exploited by attackers, so the security software itself is weakening the security posture of the organization.
That is not acceptable — there needs to be a focus on future-proofing security. This will require advanced technology that adapts by learning so that it can protect against unknown threats ...
I think that historically, at least since the advent of computing, technology changes rapidly in bursts followed by a time when security has a chance to catch up. Likewise, threats seem to adapt to the changing technology landscape and come in bursts as well. I think the only way to keep up is to design security technology that can be trained to deal with the unexpected.
Examiner: Beyond thieves looking for customer data, what other types of attacks should we be aware of?
Fry: Attacks that focus on the typical end user are a major problem because the user is the weakest link. For example, ransomware attacks have been growing at double-digit percentages every quarter. Ransomware is malware that infects a system and encrypts the data on the system, and keeps the data hostage until a ransom payment has been made.
The user is targeted via email or web browsing and the ransomware typically exploits known vulnerabilities. From the perspective of a criminal enterprise, the ransomware business model is attractive. The attacks lure users onto compromised or fake websites that can steal information or serve ransomware.
The criminal organization doesn't have to penetrate an organization's security defenses — the customers come to them instead, and ransomware doesn't have to be stealthy. By definition, it is the opposite of stealthy so that the victim knows they have to pay the ransom to get their data back. Typically, files are encrypted for 72 hours, and victims are threatened that if the ransom is not paid in that time, files will be deleted.
The most effective way to combat ransomware is employing next-generation endpoint-protection technology that understands the behavior that ransomware takes when it executes on a device and can stop it in its tracks. That and improving security awareness among users, but since the criminals will come up with different approaches to trick users, the best solutions take users out of the equation as much as possible.
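As an added illustration of what "understanding the behavior ransomware takes when it executes" can look like in code, here is a small behavioural heuristic in Python. It is not from the interview or from any product mentioned in it; the event format, the process names and paths, the thresholds and the sample events are all constructed for this example. It flags a process that, within a short window, rewrites many files with ciphertext-like (high-entropy) content and changes their extensions, while leaving an ordinary document editor that writes plain text alone.

```python
import math
from collections import defaultdict

# Constructed file-write events for the example, not captured from a real host:
# (time_seconds, process_name, path_before, path_after, bytes_written).
# path_before == path_after is a plain overwrite; a different extension marks a rename.
HIGH_ENTROPY = bytes(range(256)) * 4  # uniform byte distribution, a stand-in for ciphertext
PLAIN_TEXT = b"Quarterly revenue summary, draft three. Numbers still need review. " * 8

SAMPLE_EVENTS = [
    (10, "winword.exe", "C:/Users/a/Documents/q3.docx",
     "C:/Users/a/Documents/q3.docx", PLAIN_TEXT),
    (12, "winword.exe", "C:/Users/a/Documents/notes.txt",
     "C:/Users/a/Documents/notes.txt", PLAIN_TEXT),
] + [
    # Hypothetical dropper name; rewrites eight documents in nine seconds as .locked files.
    (20 + i, "invoice_viewer.exe",
     f"C:/Users/a/Documents/file{i}.xlsx",
     f"C:/Users/a/Documents/file{i}.xlsx.locked", HIGH_ENTROPY)
    for i in range(8)
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written content; encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def extension(path: str) -> str:
    """Lower-cased final extension of the file name, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def score_processes(events, window_s=60, min_files=5,
                    entropy_threshold=7.0, rename_ratio=0.5):
    """Return {process: verdict} where a verdict records the worst window seen.

    A process is flagged when, inside one time window, it writes at least
    min_files distinct files whose average entropy is ciphertext-like and
    at least rename_ratio of those writes change the file extension.
    """
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev[1]].append(ev)

    verdicts = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e[0])
        verdict = {"flagged": False, "files": 0, "mean_entropy": 0.0, "rename_ratio": 0.0}
        for start in evs:
            t0 = start[0]
            win = [e for e in evs if t0 <= e[0] < t0 + window_s]
            files = {e[2] for e in win}
            mean_ent = sum(shannon_entropy(e[4]) for e in win) / len(win)
            renamed = sum(1 for e in win if extension(e[2]) != extension(e[3]))
            ratio = renamed / len(win)
            # Keep the window with the most distinct files touched.
            if len(files) > verdict["files"]:
                verdict.update(files=len(files), mean_entropy=round(mean_ent, 3),
                               rename_ratio=round(ratio, 3))
            if (len(files) >= min_files and mean_ent >= entropy_threshold
                    and ratio >= rename_ratio):
                verdict["flagged"] = True
        verdicts[proc] = verdict
    return verdicts


if __name__ == "__main__":
    for proc, v in score_processes(SAMPLE_EVENTS).items():
        print(proc, v)
```

The three signals are deliberately combined: a backup tool rewrites many files, an archiver produces high-entropy output, and a rename alone is harmless, but all three together inside one minute from a single process is the pattern that endpoint products key on. Thresholds are assumptions; a real deployment would tune them against the host's own baseline.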
Examiner: How do you perceive the state of cybersecurity in the next 10 years? What should we prepare for? Software failures? Market failures? Do you think the market will not deliver adequate security and that some blend of incentives and regulation is needed to change this?
Fry: There has been a tremendous amount of private-sector investment in security technologies in recent years. This is good but comes with its challenges. The positive is that we have an influx of ideas from different fields like data science and analytics.
We have seen breakthroughs in software security with technology that integrates well in existing development processes, provides better and more accurate vulnerability identification and protects applications in production ...
Security processes are being automated, and that frees skilled human analysts to automate more and focus on problems that require lateral thinking, which is best suited to humans. The Defense Advanced Research Projects Agency (DARPA) is even sponsoring a tournament for autonomous hacking systems.
The autonomous hacking software must be able to attack the other team's vulnerabilities as well as find and fix weaknesses in their own software — all while protecting its performance and functionality, without human intervention.
The challenge with all the new technologies on the market is the large number of vendors offering similar products with equal promises. This saturation makes it difficult for information security officers to weed through the offerings from competing vendors. Fortunately, the industry has developed novel approaches to this problem. For example, Security Current (securitycurrent.com) offers the Security Shark Tank.
CISO sharks are all potential buyers and early adopters of technology, and the vendors are referred by [chief information security officers] who believe that their peers should and would be interested in the vendor's technology. Everyone benefits from the information sharing, and this helps accelerate the adoption of promising technologies.
In general, there is a sense of urgency and an existential threat brought on by successful cyberattacks, and this has fueled the demand for new approaches to combat the root causes of vulnerabilities. And I think the industry tends to recognize the best technologies and weed out the bad. So I don't see the need for new regulations or incentives in the private sector.
However, since federal agency security programs are mostly compliance-driven, I think revised regulations could help the government do a better job at addressing the threats it faces. For example, the No. 1 cause of data breaches is weak software security practices. Software runs the world and is the first line of defense.
It automates our business processes and workflows and will only continue to grow as we convert paper processes to digital and automate our lives. The government outsources most of its software development. The companies that create software for the government need to build secure software.
Agencies should have a software security program that verifies that software is being securely coded and they should implement continuous application security testing and protection of their applications.
Examiner: How big is the disparity between the current state of investment in security and what would actually be effective?
Fry: I think organizations that understand that a strong security posture is a key enabler and competitive differentiator will invest in security.
For the government in particular, I think the focus should be on contracting reform, to specify security requirements in contracts and provide greater entry to vendors who are proven performers in the private sector, and also provide incentives to the agencies to allow them to more easily adopt or pilot promising security technologies.
One of the biggest problems organizations face in all industries is the large amount of time it takes to adopt a technology and fully realize its potential. And if it turns out that something better comes along, the organization has made a huge investment, and now has to go through the same lengthy procurement process again.
The incumbent vendors have an advantage because the organization has already invested and been trained on their solution and the establishment doesn't want to change and the incumbent provides incentives so that they don't change. This doesn't help improve security. Fortunately, there are vendors coming on the market who emphasize how quick and easy it is to install, scale and uninstall their products.
The security products that are easiest to install and manage and are made as transparent as possible to the business processes and workflows will have a future competitive advantage.
Examiner: There's code in a lot of software right now that prevents people from modifying currency. Should 3D printers have code to prevent the manufacturing of weapons parts?
Fry: No. First of all, trying to regulate all the uses of an emerging technology like 3D printers would stifle innovation before it even gets started. Second, that type of regulation would have to extend to other industrial equipment that could equally build weapons parts, e.g., CAD/CAM machines. And there are entire industries, [such as] defense contractors, which could be using automation to build weapons parts.
Also, going back to the currency example, the bad guys know that counterfeiting is illegal and that color laser printers have yellow dots that trace where counterfeit money was printed. They have managed to crack this code and also find different approaches to counterfeiting. If this solved the problem, the government would not have to keep introducing new security features in currency.
Examiner: Could we have stopped the slide into mass surveillance? Shouldn't we have seen it coming?
Fry: I think many people contribute to the surveillance state by not being conscious of the harm we could be doing to ourselves and a lack of concern for its consequences. For example, we enjoy taking selfies and know full well that photographs are sometimes automatically encoded with map coordinates, and then we post them on social media.
Maybe if more people knew this, some people would have more discretion and take steps to preserve their privacy. If you stop to think about all the different ways your behavior and actions are tracked in the modern world — e.g., credit card spending habits, GPS tracking on mobile phones, web site browsing history — you may find yourself on the side of greater privacy.
It seems like urban areas in particular are becoming highly monitored environments. I think the rationale for the monitoring needs to be proven, i.e., does it aid in preventing crime and catching criminals? And we should balance this with maintaining the privacy of ordinary law-abiding residents.
There are several technologies in general that should be given more scrutiny and laws modernized as to where and how they are used, such as cell-site simulators, automatic license plate readers and automatic facial recognition.
Where I don't think we have enough surveillance and physical security in general is in electrical substations, which are part of the U.S. critical infrastructure. Although there has been news recently concerning the Ukrainian blackout, about the vulnerability of the electrical grid to cyberattacks, the physical security of the energy grid is of equal concern.
Physical substations could be an entry point for attackers intent on taking down the grid and have a history of unauthorized entry. The Federal Energy Regulatory Commission published a report in 2013 that concluded that the U.S. could suffer a nationwide blackout if nine of the nation's 55,000 electric transmission substations were shut down by attackers.
What is important to realize is that some parts of the grid are more vulnerable, and attackers could target a city or metropolitan area, not just the nation as a whole, and perhaps these substations are not as well protected. Electricity is the foundation of our modern society, and protecting our electrical infrastructure should have outsized importance on where we focus our security spending.
Examiner: Is privacy dead? Should we just get over it?
Fry: No, I don't think so. Privacy is cherished and considered a constitutional right in many countries. However, in the U.S., I think we need to fight to maintain the division of private and public spaces, and the freedoms that we have over our expression in those spaces. I think the problem is that individuals may have an expectation of privacy in some contexts where it is not possible.
For example, most email is sent in plain text, and can be forwarded by anybody. You should not write anything in an unencrypted email that you wouldn't want somebody else to read.
Examiner: FBI Director James Comey said during a Senate hearing that strict rules put in place against cannabis use have drastically reduced the applicant pool for the thousands of positions the bureau has to fill to meet the mounting cybersecurity challenges posed by hackers. The most talented hackers are regularly taking more lucrative and more weed-tolerant positions at private cybersecurity firms. What are your thoughts on this?
Fry: I am certain that the U.S. government is competing with the private sector for the same talent. Many cybersecurity professionals are civil libertarians — they do not want their lifestyle choices legislated by government. In addition, 25 states and D.C. have enacted laws to legalize medical marijuana.
Unfortunately, if the government insists on screening candidates based on cannabis use, they will be losing out on some of the best candidates, many of them based on principle alone. The government should hire the best candidates and help them reach their potential, and focus less on choices that don't have any bearing on their individual performance.
I think it's important to speak about the shortage of cybertalent in the government, and what could be done about it. The duty to serve one's country will draw a small set of talented candidates. Beyond those individuals, the government needs a multi-pronged approach and a paradigm shift in thinking to level the playing field.
For starters, the government should focus on transitioning highly motivated technicians and analysts from the military to federal government while they are still in the military as part of a transition plan to civilian life. There are educational organizations that can facilitate this transition such as Security University.
The government should also institute a graduate hire program to attract students who are completing degrees in computer science, information assurance and similar fields for a performance-based trial employment period, modeling temp to perm arrangements in the private sector. Finally, in reference to the paradigm shift, the government should adapt a strategy from the high-tech industry for hiring and retaining top talent.
There are four key ways to do this: embrace remote, pay well and offer a great opportunity, culture is king, and be innovative. The government has to tackle each of these problems:
1) Embrace remote: Cybersecurity professionals are being offered 100 percent remote positions in the private sector. Cybersecurity positions that don't require everyday face-to-face interaction would be good candidates for remote. Also, responsible proven performers would be good candidates to go remote.
2) Pay well and offer a great opportunity: Overall compensation parity is essential for government to even begin the conversation with most candidates, who may otherwise be happy with what government employment has to offer. The government has begun to tackle this problem, but it's a setback every time funding is cut or not renewed for programs that help retain talented people.
This is an issue that has to be elevated above the budget and election cycle, to a matter of strategic importance. There also needs to be a clear path to career advancement. To achieve this goal, the government workplace needs to transform into a meritocracy where the best performers naturally rise to the top.
The government should adopt tactics from industry such as performance or milestone-based bonuses and raises tied to key performance objectives.
3) Culture is king: There should be a focus on intrapreneurship and rewards for innovators.
4) Be innovative: If performance is valued over compliance, the government will become more invigorated with entrepreneurial individuals who will come forth with ideas for how to improve the government's security posture.
Alexander J. Fry holds the following certifications: SANS GIAC: GSE, GCPM, GPEN, GMOB, GCIA, GCIH, GSEC, GSSP-JAVA, GWAPT; EC-Council: LPT, ECSA, CEH; (ISC)²: CSSLP, ISSAP, ISSEP, CISSP; IAPP: CIPP/E, CIPP/US, CIPT; Red Hat: RHCE; Microsoft: MCP; Cisco: CCNA; CompTIA: CompTIA Network+, CompTIA A+; Sun: SCJP1.1 and SCJP2.