What will happen in the future? 2019 Government Cybersecurity Predictions - E019


2019 is already off to an interesting start in terms of government cybersecurity—we’ve had a 35-day government shutdown and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recently issued its first emergency directive about Domain Name System tampering activities. On this week’s episode, Forcepoint’s George Kamis (CTO Global Governments & Critical Infrastructure) along with Raytheon's Brett Scarborough (Senior Manager, Cyber Business & Strategy Development) join Eric and Arika for a discussion about the most pressing cybersecurity issues for government in 2019—and what agencies can do to protect against them.


Welcoming back George Kamis

Arika: Hi and welcome back to episode 19 of To the Point Cybersecurity. I am one of your hosts, Arika Pierce, and also we have with us, as always, Eric Trexler.

Eric: Good evening Arika!

Arika: Hi Eric! And we have a guest that has been on before so George, you are actually our first guest that's been a repeat guest. George Kamis!

George: Alright! My pleasure this is exciting! Thank you for having me back!

Arika: Well you had so much fun that you came back for more, so we appreciate it. So George, a couple of weeks ago you were on a Forcepoint webcast that talked about Forcepoint's 2019 cyber security predictions.

If you haven't listened to it, we'll include the link in our show notes, but I thought it was a great, great webcast because, you know, sometimes when you hear about these prediction reports it's the same old, same old, right? They'll say oh there's going to be moves to Cloud in 2019, or things like that. Things that you know are pretty obvious.

But I thought that the Forcepoint report did a really good job of going a little bit deeper and almost, will I say, being a little bit provocative in some of the predictions that the report made. So excited to dive into those cybersecurity predictions on this podcast and get the take from both you and Eric about some of these, some of the things that may or may not happen in 2019.

George: Alright!

Arika: Okay are we ready guys!? Ready Eric as well?

Eric: Let's do it!

No real AI in government or cyber security

Arika: So the first one is interesting because just last week, we had on our podcast Dr. Cular and we talked about machine learning, and so this prediction that's on the report is that there is no real AI in government, or cyber security I should say. Nor is there a likelihood for it to develop in 2019. So this one could be a little bit debated. We'll start with you George, what's your take on this prediction and especially as it relates to government?

George: Ah, alright, so I think government and commercial market are very similar. I think the challenge here is people are confusing AI with machine learning; there is not a real good definition between the two. You know, when you look at AI, at least the way I look at it, it just mimics human behavior. Everything that we do from planning, problem solving etcetera, but the reality is I think we're doing machine learning and that's a machine that's looking at a specific data set that learns from that data set and adapts its algorithms to do a better job in finding out information.

Where AI is on the hype cycle

George: I think that's where we are. I think personally AI is a big overblown marketing term that is maybe suffering from the Gartner hype cycle, or it's hitting the point of disillusionment. So that's just my personal opinion, but I think the good news out of all of this is that generally everyone agrees that computers need to do a better job at looking at data, making better decisions on the data, and that being a machine learning instead of artificial intelligence.

Eric: Which is really pattern recognition and looking for noise or signal within the noise. I mean that's machine learning.

George: Machine learning and then adjusting based upon that.

Interchangeable terminology

Eric: It's interesting. Every single customer I go to talks about AI and machine learning interchangeably. It's always on the top of their priority list. And I agree with you George, they really, they really intermingle with the terminology and I see it very differently.

George: Right. And I think that's part of this prediction. Rafi did an excellent job outlining it. It's just making it or at least showing the market that Forcepoint believes that AI is somewhat hyped at this point and it's truly machine learning, and we are actually doing a great job at machine learning in our behavior analytics lab that Rafi is running.

Eric: So when I look at the topic here, the prediction, there is no real AI in cyber security, nor any likelihood for it to develop in 2019. That's a safe prediction in my mind, but we are going to go to RSA in a couple of months and AI will be...

Arika: Everywhere!

George: It will be everywhere.

Eric: So my prediction is we will continue to talk about AI and as an industry try to profit on it.

George: Absolutely.

Eric: But it's really not there and I agree with you Rafi.

George: Mm-hmm (affirmative).

Arika: Not there yet.

Eric: Okay, let's hit another one.

Attackers will disrupt industrial internet of things

Arika: Okay, so the second prediction in the report was attackers will disrupt industrial internet of things devices using vulnerabilities in Cloud infrastructure and hardware.

Eric: So George you really went out on an edge here with this one.

George: So this is a little bit different. We've been doing these Forcepoint cybersecurity predictions for the past 4 years and we did something similar to this last year, but we want to come at it from a different angle. And I like this one 'cause I'm the author of it, but what we are doing is, we looked at the attack surface a bit differently. Everyone is concerned about IoT devices on the edge point being attacked, and certainly that is the case.

Eric: And some may argue nobody is concerned about it and therefore we have very limited security, but go on.

George: But yeah, it's certainly an attack vector, but you know if you start attacking IoT devices I have to go to company A, company B, company C, company D etc. to do a coordinated attack, or go to your house, go to my house, go to Arika's house to attack those devices. What's easier is to attack the whole subsystem or the whole system at that Cloud.

Vulnerabilities at the cloud level

Eric: There has to be storage or the computational side.

George: Right, so all these IoT devices are reporting back to the Cloud and the Cloud controls them. There are some very good benefits from being connected to the Cloud, like getting live real time updates to systems to address vulnerabilities, but what if a sophisticated attacker attacked that Cloud instance and automatically has control of all those devices at once?

Eric: So we saw something similar to this with the Ring doorbell product line a couple of weeks ago, right, where they were sharing video data with some Ukrainian developers but they really live data so anybody using a Ring doorbell or their security cameras could have had it. But what you're saying is hey, if you wanna get somebody's security video, you can literally hack in to Ring, which is using I believe Amazon, and control all of it. You have access to all the videos. You wanna watch a bot, you have all that computer power from central location.

George: And then pull this a little further from what we said is okay how do we attack that Cloud instance, maybe we attack it from a neighborhood or a neighboring process within the Cloud.

Eric: So why haven't we seen this? It seems so easy.

Cloud providers are currently doing a great job

George: You know, to be honest a Cloud provider is doing an excellent job

Eric: They do.

George: Of separating virtual instances and customers' data; however, you know, I am sure that nations are looking at ways to exploit that and take advantage of it. We've seen some attacks that are relevant to the Cloud, which is Spectre and Meltdown; you know, it's done at the hardware processing level, so there is certainly a possibility there, we just haven't seen it. It's going to be interesting when there is a big Cloud attack, what happens.

Eric: I am very scared.

George: Yeah.

Arika: Well I was going to say is, I think it's also just such a great example of when we think about internet of things and so many different innovations happening. I know there's been lots of talk for example about security around the driverless cars and the fitness devices and things like that, and so you don't always think about the cyber security issues that can come with all of these new innovations that happen, and especially as they are being used by organizations and agencies and such, so.

2019 court cases about data breaches

Arika: Good to get a take on that one. Okay, so this is an interesting one. The prediction in the report is 2019 we will see a court case in which after a data breach an employee claims innocence and an employer claims deliberate action. And I would be particularly interested to think about if this could happen in a government scenario. I can definitely see how it can happen in the private sector, especially with an employer saying you were responsible for a data breach and, you know, punishing their employee or letting them go, and the employee then responding by a lawsuit.

But I am wondering if there is a scenario where this can happen on the government side. George I know you had a few comments about this when you spoke on the webcast.

George: Yeah, there are many different angles on this. What about stolen credentials?

Arika: Right.

George: What if someone in the government stole another person's credentials and started to exfil data out, or stealing data out of the government, and basically pinning it on someone else? So from an audit point of view it would look like...

Eric: I did it.

George: You did it.

Eric: But you took my credentials.

George: Exactly.

Eric: You impersonated me.

Tracking behavioral data

George: Exactly, and this all gets back to the purpose of the prediction, and the underlying theme is that we need to do a better job as an industry to collect information on human behaviors, because if I stole your credentials Eric and acted as you, I would act completely different than you.

Eric: Right.

George: I would not act like you at all and it would be clear that it was someone else that stole your credentials that took the information because the behaviors are completely different than you are.

Eric: Only if we are looking at behaviors though.

George: Correct.

Eric: If we are not, you appear to be me.

George: And that is the key. So we need to look at the behaviors to make sure that, you know, that it was stolen credentials, and I think we also need to look at human behaviors, and this is certainly something that we are really focused on at Forcepoint, to make sure that a person hasn't also gone rogue or gone bad too.

Using behavioral information

So make sure that we can monitor them, make sure we collect the right data that we can track their behaviors, make sure that they're doing the right thing. If their credentials are compromised we can detect that. Or if that person goes rogue or gets misaligned with the organization we can also detect that and also have a record of that as well. So we could take it to court and do the correct prosecution.

Eric: Very aligned then. Commercial, government, really doesn't matter; same problem, same outcome.

George: Exactly, and you can say whistleblower in the government, but we also see whistleblower cases in the commercial market too.

Eric: Absolutely we see data theft in both.

George: Exactly. And one person's hacktivism or whistleblower could be another, someone else views it as...

Eric: Patriot.

George: Yeah, the corporate espionage patriot. So what we need to do is really look at what that human has done, what the data, how they have, what was their intent.

Eric: Intent. Yeah. The what and the why from what we talked about last week from machine learning!

George: Yup.

Isolationist trade policies will cause cyberattacks

Arika: It all connects the dots. Yup, okay. So let's jump around a little bit in the report and go to prediction number 5. Isolationist trade policies will incentivize nation states and corporate entities to steal trade secrets and use cyber tactics to disrupt government, critical infrastructure and vital industries.

Arika: That's quite the prediction.

George: It's quite the prediction, but if you look at history it was really, really bad a number of years ago, so much that governments signed the cyber accord where the U.S. and China pledged not to steal each other's trade secrets, and after that happened we actually saw the number of attacks from China decreasing quite a bit. However, with the new administration we've put some new trade constraints in place which has caused further disruptions and we are seeing them kick up again, so. It's going to happen; as long as there is data there for one country to take from another country it will occur. All we can do is of course put defenses in place to prevent it from happening and put other trade pacts in place.

Cyber Espionage

Eric: Yeah, I think this week we just saw the heads of the U.S. intelligence agencies and DNI report back to Congress. Cyber espionage is one of the most potentially damaging consequences from cyber security perspective they were going to deal with us as a society.

George: And the government can get ahead of us.

Eric: We have a ton to lose.

George: Yeah, and the government can get ahead of this with establishment of CYBERCOM. So CYBERCOM was set up to protect the DODIN, DOD information networks; it was also set up to defend the United States in case of cyber attack.

Eric: But even commercial companies, there are reasons for countries to take our intellectual property. It's a lot cheaper to steal it.

George: Absolutely.

Eric: Than to innovate and create it. I saw the other week, I think the DOD's R&D budget was something like 95 billion dollars.

George: Wow.

Arika: Oh wow.

Eric: Imagine what your R&D budget needs to be to steal everything from the most capable country out there that has IP.

George: And it happens regularly and talking to folks on the commercial side, health care.

Eric: Same problem.

George: Same problem. There's a ton of research done in the health industry that gets stolen on a yearly basis.

Eric: Well some of these countries have some of the largest health problems in the world, so protecting their national interest there's an incentive there.

George: Absolutely.

Eric: Yeah.

George: So I don't see this going away, it's a pretty easy prediction, so I will stop.

Eric: Yeah I agree with that one. I would say that's a little bit softer.

Arika: Okay.

Eric: Go ahead Arika. Want to do one more?

Edge computing to enhance privacy

Arika: Alright, we'll do one more! Okay, concern about breaches will cause government to further embrace edge computing in order to enhance privacy. Designers will face significant headwinds with adoption due to low user trust. I'll say this, there is a quote that I've seen quite a bit, I believe it's from Max Everett, the Department of Energy CIO, and he says the mission starts with the edge. He said that about a number of times when he was talking about cyber security. So curious to get your take on this one.

George: So from a government point of view, I think the DOD and IC are doing a pretty good job at trust at the edge. They have the CAC card, common access card, PIV card that contains a digital certificate that they physically insert into a machine, they authenticate using a secret that they have or PIN code to get access. So that's putting some edge at the trust. So you have some confidence that it is Eric Trexler or Eric logging onto a machine, so we do have some trust at the end or at the edge, which is a big advantage over many on the corporate side. I think the government is a little better positioned in that, but I would be curious to get your thoughts Eric.

Understanding where the edge is

Eric: Yeah, I don't know if I agree. I think most organizations, government or private sector, really struggle to understand where the edge is.

George: Yep.

Eric: You know, consumers have gained a lot of power over the last decade as things have moved to mobile, IoT, you name it, and those aren't typically solutions provided by IT. You go to the AT&T, Verizon store, Apple store where you buy your mobile device, you've got a lot of data there.

George: Yep.

Eric: I think that organizations in general are struggling to provide capability and trust users, and a lot of it isn't even about trust in some ways. To me it's more about, you know, do you have an educated user, do they understand the risks or are they just trying to do their jobs. We have a lot of good people out there, government or private sector, just trying to do their job and they may download a piece of software which has malware in it or has a back door of some sort that's exfiltrating the data off, and that is a, I think that's a clear concern, so when you hear Dr. Ford talk about that, he talks about organizations making little headway due to broken trust. I don't know that we are communicating effectively yet.

The addition of mobile

George: You bring up a very, very good point, that it's a really hard problem today 'cause, you know, 5, well 10 years ago we just had to protect the PCs at the end point; now everything has gone mobile. You got...

Eric: Data's everywhere.

Arika: They're everywhere.

Eric: The perimeter is literally nonexistent.

Arika: Right.

George: Mm-hmm (affirmative), and the days of protecting your physical computers and the physical location with the firewall between you and the internet are not. Right? Everything is Cloud compute, mobile devices so you are right, it is a difficult problem to solve.

Eric: I think one of the, one of the things of the components we need to really look at is the actual data itself.

George: Mm-hmm (affirmative)

Eric: And kind of where it is in the flow. If you go to the device level, that data could be on any device at any time or any number of devices. So really understanding the data and understanding how users are interacting like with it. How, you know, users who should not have access are interacting with it, that's probably the best answer I can think of. But this is a really difficult problem. You don't want to inject friction into the business process. To lock all of that down, business wouldn't even function anymore.

Arika: Right frustrate the end users.

George: Do you work today without your mobile device? No. You would be far less efficient.

Eric: I'd be a hell of a lot less productive.

Cybersecurity predictions from Eric and George

Eric: So it's a big problem, we are not solving that in 2019. That is my prediction for the day.

George: Ha ha.

Arika: Good, good. Any last cybersecurity predictions that we did not have on the list from either of you.

George: Wow curve ball huh?

Eric: I'll throw one out there.

Arika: Okay.

Eric: I think all of this cyber activity we are seeing is going to especially with at the nation state level, I think it's going to get out of control. I think it's almost like a chemical, biological weapon somebody releases with some level of intent, but you really can't control certain weapons like that. I think we are going to see a lead into more of kinetic, at least limited conflict at some point.

Arika: Oh interesting.

Eric: Something is going to get out of control from a cyber perspective, somebody is feeling somebody's population is going to get hurt and the, they're going to resort to some level kinetic activity and that may actually draw a line in the sand that helps us curtail the amount of cyber activity. Right, you can't step into foreign nation's state territory that encourages is breaking international law and causes problems. With cyber security today, countries are doing it all the time.

George: Yup, and it's easy.

Eric: It's super easy. It's really difficult to detect.

George: And you'll have to face your enemy in the, you'll not have to look at your enemy, you can just do it.

Eric: Yeah and they can't even look back.

George: Yup.

Eric: Anyway that was mine!

Stay tuned for our scorecard next year

Arika: Alright, very good! Well thank you George for being on. Will you come back next year so we can see which predictions that you guys got right?

George: I would love to come back next year and talk about our predictions for 2020.

Arika: Right we will do a little score card to see what we got right and what we got wrong.

George: And actually that's a good point you bring up. Forcepoint's unique: we do predictions, many companies do predictions, but we also score them.

Eric: Score them.

Arika: Mm-hmm (affirmative)

George: And we have a report card online about our previous predictions, we've done quite well. I think we've squirm, we will give ourselves an A plus but we will also give ourselves a C or B minus as well.

Eric: Now we need to fix some of the problems.

George: Let's do it.

Eric: Alright so we will let you guys go so you can get busy being the solution a driver so. Thanks everyone for being on the, to both of you for being here this week, and to all our listeners for tuning in, and please do continue to subscribe to the podcast, give us a rating and let us know what you want to hear us talk about. Thanks so much and we'll see you next time on To the Point.

Speaker 1: Thanks for joining us on the To the Point Cybersecurity podcast. Brought to you by Forcepoint. For more information and show notes for today's episode, please visit www.forcepoint.com/govpodcast and don't forget to subscribe and leave a review on iTunes or the Google Play store.