The Atlantic dubbed July 8, 2015 “the day the computers betrayed us” as systems supporting the NYSE, United Airlines, and the Wall Street Journal all suffered crashes. Those events served as a fitting backdrop to Department of Homeland Security Secretary Jeh Johnson's remarks on cybersecurity at CSIS.
While administrators worked to get the systems back online, Johnson rushed to assure his audience that the outages were unrelated and stressed the DHS’s efforts to protect civilian and government data from security threats.
At the same time, Johnson acknowledged that in the war against hackers, the need to protect privacy and connectivity makes the web security a difficult operating environment.
“I can build you a perfectly safe city, but it will look like a prison,” he warned.
As DHS Secretary, his goal, he said, was to harmonize the need for security and the preservation of “the freedoms we expect as Americans.”
“Cybersecurity involves striking a balance,” he said. “I can build you a perfectly secure email system but your contact will be limited to about ten people and you would be disconnected entirely from the Internet and the outside world.”
As more and more devices connect to the Internet, this balance becomes more difficult to maintain. Today there are more devices connected to the Internet than people alive on Earth. And with increased connectivity comes increased threat of attack, both from nation-states and hackers motivated by ideology or money.
The reality of the threat is something Johnson was forced to directly acknowledge, in light of the recent data-breach at the Office of Personnel Management, in which sensitive personal information about more than 4.2 million people was compromised.
“Our federal cybersecurity is not where it needs to be,” Johnson admitted, before stressing that the agency was taking action to get there.
Unfortunately, this process begins with a 30-day review of current policies, followed by to-down recommendations.
“We must drive change from the top,” he said, speaking of the binding operational directive he issued to various government agencies, which stressed the need to identify lax security policies and quickly act to mend these gaps.
This approach of identifying and sharing weaknesses was the focus of NCCIC, a federal database which shares information on cyber threats and attacks on both government and civilian networks. The hope is that as companies see and block more hacking attempts, they will be better able to identify malicious threats and drive out a hacker in the event of a breach.
“The key, even if you have the best technology, is information sharing,” said Johnson. “You can’t act in a vacuum. You don’t want to be out there all alone.”
While useful from a network administrator perspective, the database cannot account for one of the biggest weak points in cybersecurity—users themselves.
“What amazes me when I look into a lot of intrusions, including some really big ones by different types of actors, it that it very often starts with the most basic act of spearfishing [an attack where an employee clicks on something that they shouldn’t have],” Johnson said.
But that’s a problem even “Einstein,” new multi-layered system to protect government networks, can’t solve.