How government can be a cyber target that is hard to hit - Ep. 22
This week Dickie George, who worked at the National Security Agency (NSA) as a Cryptologic Mathematician for over 40 years in the Information Assurance Directorate, talks about his experience of being a government "cybersecurity target," and how government is a cyber target that is hard to hit.
Meet Our Guest Dickie George
Arika: Hi everyone. Welcome to Episode 22 of To The Point Cybersecurity. I am one of your hosts, Arika Pierce, along with my co-host Eric Trexler. How are you doing Eric?
Eric: I am doing well. I'm doing well Arika.
Arika: So good. So today we have a guest that Eric, I'm actually gonna let you introduce. It's a very impressive guest. I'm gonna turn it over to you.
Eric: Yes. So I've known Dickie, Dickie George for the last almost 10 year, coming up in 10 years now. Last seven years at Johns Hopkins Applied Physics Labs as the senior adviser on cybersecurity matters. Prior to that, 41 years in technical and management roles at NSA, protecting this country and working with cybersecurity, crypto, you name it.
Dickie: Hi, thanks for the nice intro. Great to be talking to you today.
The good guys and the bad guys
Eric: So Dickie, welcome to the show. You've got quite a bit of experience dealing with what we were just talking about, the good guys and the bad guys. Most recently, I guess in the last couple decades in cyber security, and you've got a lot of experience around being a cyber target. Can you elaborate a little bit about that?
Dickie: Sure. Yeah, for the audience, when I talk about good guys, those are the people that are playing defense, the bad guys are the people that are playing offense. So lot of my good friends are bad guys, and some of my friends are good guys. So what it means, well, when you're in the cyber game you have to understand that you are a cyber target, and that means that you live your life in a slightly different way.
You have to be careful because you know that you have things that people want, and they're gonna take every step they can to get those things.
And so living your life as a cyber target and understand that there are people out there that view you that way. You're gonna be a target, you can't make yourself not a target, but you can make yourself a cyber target that's very hard to hit.
Who are the cyber targets?
Eric: And are we targets as individuals, as employees, as government employees, and how would you define cyber target?
Dickie: Yes, yes we are. Every entity in the country, government, industry, and industry covers cyber security producers, it covers financial, it covers critical infrastructure and individuals, because every one of those has information that somebody else wants. Whether it's intellectual property, financial information, personal information, or for the government, strategic and tactical plans. All of that if valuable information for some adversary to obtain.
Eric: So we're all targets?
Dickie: We are.
How not to become a cyber target
Arika: Yeah, I thought, you know, we did a little prep before we started the podcast, and so one of the questions we had for you Dickie was how not to be a target, and you said,
"That's impossible, everyone is a cyber target."
So I think that's something, I guess I never really looked at it like that. I always think of how you can stop something, but you're saying you can't exactly stop being a cyber target, because as long as you have something that some adversary or someone else wants, they're going to find a way to try to get at you.
Dickie: Right. And the way we used to think about it back in the '70s was that there were rules of the game, and as long as you followed the rules and knew that you were doing the right things, you were safe. So at that point in time, it was really the strategic government that was a cyber target, and you were a target, a personal target, if you would allow someone to gain access to that information. So you lived your life in a way knowing that if you made a mistake, someone would be there to take advantage of that mistake, whether it's a lousy password, or whether it's drinking too much, getting in debt, anything that someone could take advantage of against you, they would do. And so you lived your life understanding that.
How you have to play the game
Dickie: It's like in today's world, if you see a crossing sign on a street, you assume the cars are gonna stop and so you walk across the street. However, if you're a cyber target, those cars that are coming at you are going to speed up, not stop, and that's the way you have to play that game. You have to play the game that every time you sign on, somebody is looking to take advantage of that. Somebody's going after you and you have to be careful.
What would someone do to become a cyber target?
Eric: Take us back to the Cold War days then. What would someone do to become a target? Define some of the rules, if you would, or an example.
Dickie: The rules were as long as you didn't make any errors, anything that someone else could use against you, you were safe. You lived your life well, you didn't get in debt, you didn't have a drinking problem, you didn't have a drug problem, you didn't have something that they could, anything else in your life that they could blackmail you for.
If you look back over time, it was people that had character flaws that were taken advantage of.
Walker needed money, [inaudible 00:05:29] felt that he wasn't appreciated. Anything that anyone else could play up to. "Clearly they don't appreciate you, you're a brilliant person. You should come over to our side. We understand how brilliant you are." If you are susceptible to that, then you are going to do things that are not good for your own country. And by the way, it's not necessarily this country or that country, it's any country. Everybody is a cyber target. We just happen to be the best target.
How the rules of the game changed
Eric: So it's 2019 now.
Eric: How have the rules of the game changed?
Arika: That was my exact question Eric. I can see we're in sync.
Dickie: So it's interesting.
Eric: Once again, we're in sync Arika.
Arika: Yeah, took the words out my mouth. How have the rules changed?
Dickie: In about 2004 I was on a panel at Georgia Tech and the topic was new attacks, and as the panel progressed, I was that they weren't really talking about new attacks. [inaudible 00:06:29] attacks that I had seen for 15 to 20 years. So what they really were was not new attacks, but new targets, and the methods have changed quite a bit. The rules have really loosened. Every new actor that enters the game loosens the rules. People aren't anywhere near as careful. I mean, careful in an offensive way. The offense takes much more risk today than they did back then. Back then, if you were caught doing something, it's a bad thing.
We're now on a completely different game
Dickie: Today we catch people everyday doing things, and it's really hard. An example is, if you were trying to target an individual in the '70s, you would meet them in a bar and try to establish some kind of a personal relationship. That's risky because you're in a foreign country trying to meet a person, or if you get caught, you may have trouble doing it again. In today's world, you send 10000 emails and see who responds. There's absolutely no risk. It's a completely different game.
Eric: Is it easier?
Dickie: It's much easier for the offense for a lot of reasons. If you look at the cyber world, these laptops allow people into our homes. That didn't occur in the 70s. People didn't have laptops. Somebody who was coming after you had to meet you some place in person, or talk to you on the phone, or meet you at a conference, something like that. They didn't have this option of doing it impersonally through a laptop and trying to take advantage of you that way. Not to mention the fact that all that information that they would have great difficulty in getting from you personally, is sitting on your laptop, and the laptop isn't smart enough to really know how to protect it. You have to tell the laptop how to protect it.
And so when you get a button that says, "You probably need to push this so you can reset your passwords." You have to think about that and say, "Really?"
'Cause that might not be a true button to help me. That might be somebody trying to take advantage of me.
"Don't click something that you don't trust."
Dickie: If you look at all the training we get, they tell you, "Don't click something that you don't trust." Well, that's like telling people not to eat meat that they know is spoiled. Who eats meat they know is spoiled? The whole point is to get you to trust that button so that you will push it and you will be hacked.
Eric: And you don't know the difference?
How to change our mindset so we can protect ourselves
Arika: Well and how do we even get back to that previous mindset where we did have that hesitation. I actually, I received an email last week that probably had everything that I'm taught to not click on, to not open. It had all of that and I still clicked it just to see.
Dickie: Because of a Nigerian prince.
Arika: Yes, right, right, that had millions of dollars. And then afterwards I'm like, I know I should not open this. This was probably not a good idea, but I don't know if it's just that curiosity or just that trust, and we've talked about trust a lot on this podcast, but that it's probably okay. How do we change that mindset so we can better protect ourselves again?
Dickie: So it's gonna be really, really hard to do that, because don't forget it's not just the three of us that are targets, it's the five year old that is watching videos of animals, because that's the same laptop that his mom and dad use to do their banking on. And so if I think of my kids, my grandkids, my parents, it's very different for me and for my kids than it is for my grandkids, and my grandparents, and my parents. They are much more susceptible to that, you know, the five year old, he wants to watch his animal video. If there's a button that says, "You get to see a neat animal here." He's gonna push that button. And my parents, very trusting. It's hard to explain to them that the people are really out to get them.
You are sharing the risk
Eric: But there are bad guys out there.
Dickie: There are bad guys out there, and they are willing to take on any cyber target, and that's all of us. And not necessarily because they want you, but they might want all of your contacts. When you make a risk management decision to take a risk, you are sharing that risk with everybody you're connected to, and those poor people you're connected to don't even know that they're getting that risk.
How can we protect ourselves
Eric: You spent 41 years in NSA, a good number of them as the senior technology director in IAD, the information assurance director.
Eric: What's your guidance? What's your advice? How do we protect Arika from herself?
Dickie: The big thing we have to do is be more aggressive on defense. Right now, if you see somebody attacking people in this country, there is no danger of retribution of attack back. We have to make it clear that attacking this country is a serious mistake. One thing I would love to see is, you have a lot of things in your car, like seat belts, lane detectors, automatic braking, things that help the car protect you.
In the cyber world, it's all about you protecting the computer.
I would love to have seat belts, warning signs in this computer to tell me when I'm going to the wrong place. Very simple, if you go to wrong domain, if you're going to .con instead of .com, a warning light should flash. You've got a typo there that could get you in trouble. The computers need to be built to protect the users, not rely on the users to protect the computer, because there are plenty of users out there who will not be able to protect the computer against the kind of adversaries we face every day.
What's our Volvo?
Eric: It's interesting, I was reading an article about the seat belts, which were created by Volvo, and there was a debate back in the day whether they release that or not because it could save so many lives, and Volvo as a corporation decided to forgo monetary gain to release seat belts to the world to save lives.
Eric: What's our Volvo, or who does that?
Arika: Good question.
Dickie: Yeah. You'd love to think that there are people out there that understand how dangerous this world is for the average user and will take that step. And I think that there are already tools that can do some of these things for big companies, for companies that know how to take advantage of those tools, but the average home user doesn't know how to do that. It's gotta be somebody who can make that into a service that's worthwhile for the average consumer, and there are a lot of really smart people out there. I see them at every conference. This young generation that lives in this world will automatically know more about it than anybody in my generation, and one of them is gonna make this change.
The role of the government in protecting us
Arika: And Dickie, given your government experience, what is the role of government in that, I mean, in terms of protecting us? We've done a couple of podcasts that have talked about how government has different roles in protecting us from things such as diseases and such, and natural disasters, but what is the role of government in protecting your average consumers as well as itself from essentially cyberwarfare that we're seeing, specially from our adversaries right now?
Dickie: So government can take on a lot of roles. You've seen the newest framework, that's certainly a big step. They did a really nice job on laying out guidelines for people. "You should do these things to make yourself safer." That's one thing they can do.
They can encourage research, they can give grants, they can even have tax breaks for companies that do a good job at cybersecurity.
They can ensure that people that are contracting the government ... In contract with the government, are doing the right things from a security point of view to encourage that behavior. There are already programs where they're trying to raise awareness, certainly in the younger people, the K through 12 because it's important to do it early. But the big thing they can do is let other countries know that we are tired of being a cyber target and there's gonna be some retribution.
The big guys are the biggest cyber target
Eric: Aren't we all tired? I mean, other countries are being attacked just as much as we are.
Dickie: Not just as much as we are, but they are being attacked, and everybody's having problems. We're the best cyber target. When you're the big guys, you're the biggest target, more people are gonna aim at you.
Eric: So is this a United States problem? Is it a global problem? Do we solve it ourselves in the United States or does the world have to come together and decide on some standards or capabilities or some defensive ability?
Dickie: I don't believe that the world will ever come together on this issue to decide that we're not gonna hack each other. That's just not gonna happen. I think that it is a global problem.
There are people in every country who are targets.
This country has a great history of leading the world in innovation. I think that we have to be leaders in this area. We need to come up with the defensive strategy that will work for the world, but we are the people that can do it. We have the universities, we have the companies, we have all of the ingredients needed to really build that defense. We just gotta do it. That comes back to funds. For companies, is it profitable to do it? For academia, is that a good thing to do for my career? And for the average person is, do I want to accept the risk or do I want to make my life online harder, more cumbersome and less fun because I'm not gonna click on these links that look really neat.
The course the government will take over the next few years
Arika: Well and I think the approach that we see the government take over the course of the next few years will be interesting, because we have seen in the past, couple of months actually, strategies come out from department of defense, as well as DHS that have said the US now has the tools to actively react and have more of a defense when it comes to any cyber attacks, but I don't know yet what that looks like, but we at least have seen, at least the framework for policies to really take more action than we have previously seen.
Dickie: Yeah, that's exactly right, and I was really excited to see that happening. I can't wait to see what really happens.
Dickie: I hope it's going to work, but that is a really fun thing to see.
Reality Check: John F. Kennedy vs. the raise to the moon
Eric: Dickie, give me a reality check here. I wrote an op-ed piece a couple weeks ago comparing the John F. Kennedy and the raise to the moon, the moon shot, to the effort that we, The United States government in this case, probably needs to make in cybersecurity to secure our people, to secure our companies, to secure the government, to secure the world quite frankly. Am I crazy?
Dickie: Yeah, pretty much.
Eric: I'm telling my wife I'm good, guys.
Arika: Affirmative, yeah.
Dickie: The problem with that analogy, and I hear it a lot, is that-
Eric: That's why I wrote about it, you hear it all the time.
Dickie: [inaudible 00:18:33], the bomb, those are in some sense, offensive things, and it's easy to put a lot of money into an offensive thing that you can say, "Bang, we did it. Yay, let's go celebrate." This is not a bang, we did it thing, this is something where we've gotta do it every day for the rest of our lives, and that's much harder than a one shot deal when we can go off and celebrate that night that we had a success.
We're losing six trillion dollars a year from cyber attacks
Eric: Some reporters though would say we're losing six trillion dollars a year from the economic losses to cyber attacks.
Eric: We're all targets. Is that not enough? Six trillion dollars.
Dickie: That ought to be enough. It's money, and people don't feel that money. It's like taxes, you're used to living on part of your pay, not all of your pay because there are taxes. This is another tax on our way of life because the alternative is, we give up the internet and then we're safe. You can't do it. You can't do it. No one's gonna do it, and so we've either gotta pay the tax or find out a way to stop paying the tax, but it's not gonna be free to stop paying that tax, both in functionality, ease, enjoyment of life and in cost. We need some of the bright young people, and I see a ton of those people when I go around college campuses. Somebody's gonna make a difference.
How do we bring all these bright people together
Eric: How do we marshal them? How do we bring all these bright people together to make a difference? Who leads?
Dickie: I think that there are people out there that care enough about this topic, that they will try to do the ... You see all those start-ups that I see. There are a lot of people out there with great ideas. They've gotta have a great idea that works in this, and that's gonna be really hard. It's gonna be hard to make us not a cyber target. We're always the target. We're always gonna be the big target. We've gotta make ourselves a harder, harder, harder cyber target, and the fact that it's everybody in every instance, at home and at work. It's not just the big company that can afford it, it's the five person company that is a sub to that big company and can be viewed as an entrance to that big company's vault of information. And you've gotta get all those people.
What our cyber strategy looks like five years from now
Arika: So Dickie, if you had to forecast into the future, what does, specially from the government perspective, what does our cyber strategy look like just five years from now?
Dickie: Have you heard of Mad Max exercises where you look at different variables?
Dickie: Okay. So it depends on how those variables go.
Dickie: If something really bad happens, we know our critical infrastructure is vulnerable, let's say the terrorists change their mind a little bit and go after critical infrastructure and really do something terrible to the country, that's perhaps even really hard for us to recover from, then I can see us having to respond in a way that no one in the world wants us to respond. And that's the worst of all Mad Max worlds.
If things just continue as they are, we're getting a lot of paper cuts and I think it continues that way because I don't see the will to do anything. So that's a scary situation for me.
The scarier thing that may happen
Dickie: The scarier one is something bad happens and it leads to a nuclear response, and that's chilling just to say that, but I can see that happening if it gets bad enough. If we lose the power grid and we think we know who did it, I can see us responding in a way that will change the world, and that kind of thing might change the whole cyber target idea if someone sees that we've taken that kind of response. It also sets a precedent. Would we do it again and how bad a problem does it have to be? We don't have any rules of engagement right now to know how bad a problem it has to be to get us to respond in a significant way. Let's hope we never find out.
Arika: That's probably the biggest concern for me. One, I don't know that we have the right incentive yet to directly address this problem, and two, we don't have the rules of engagement in place, like you said, so nobody knows what's going to be allowed and what's going to cross a line or not be allowed and invoke some response greater than the expected.
Cyber espionage is important to every country
Dickie: In prior years, those rules of engagement, those laws, what you can do, what you should do, were more or less internationally agreed upon. I don't see this problem as ever being agreed upon. The cultural differences around the world, the importance of this activity to other countries. Cyber espionage is important to every country on earth, and I think everybody uses it in a slightly different way. No one is gonna agree that hacking is totally illegal, it's just not gonna happen.
Dickie: And that leaves us in this sorry mess where we are all targets.
Eric: Arika, what did we learn? We're all targets.
Arika: We're all targets.
Eric: I'm crazy.
Time will tell what will happen
Arika: I don't click on the Nigerian email. And yes, and time will tell in terms of what will happen. Either we'll be ... Status quo will continue or if something unfortunately very bad happens, then that's when the strategy seems like it actually might then pivot and change.
Eric: Dickie as always, you have a fascinating view into the reality of the world we live in. You're constantly opening up my eyes, so I appreciate it.
Dickie: No, thanks. This was a lot of fun. I appreciate the opportunity.
Arika: Yes. Thank you Dickie so much for being on the podcast. We appreciate it and we appreciate all of our listeners that continue to tune in every week, and please do subscribe to the podcast if you have not already, and also give us a rating on iTunes and feel free to drop us a line and let us know what you'd like to hear us talk about. And so with that, we like to keep it to the point. Thank you Dickie.