Report Panel I
Lessons from the OPM hack
The first panel of the afternoon discussed the ‘lessons learned’ from the Office of Personnel Management (OPM) data breach. In June 2015 the OPM announced that they had been the target of a large data breach, stealing the classified and personal records of several millions of people. James Comey, director of the FBI, put the number at a dazzling 18 million.
Michael Riley – a Bloomberg journalist with extensive experience on cyber operations – chaired the panel in which included Logan Brown (President, Exodus Intelligence), Aamir Lakhani (Fortinet) and LTC Scott Applegate (Current Operations Chief for Defensive Cyberspace Operations for Army Cyber Command). The panel discussed how instruments of the Department of Homeland Security, such as Einstein and CDM can protect civilian agency networks. Main questions in the panel focused on the lessons learned from the OPM hack, and potential integration and upgrades of new technologies, such as moving ‘to the cloud’.
The experts on the panel started off with a question that was introduced by Michael Riley: “Just as a thought experiment, how could this breach have happened?” The three experts on the panel agreed that the hackers probably infiltrated one of the (sub-) systems and then stayed in the system – without tripping sensors that would set off alarms – exploring their credentials. It was their belief that once you are in one system, it is pretty easy to infiltrate into deeper, connected systems.
A key in finding a solution to these infiltrations (or at least to do everything possible to protect your vital interests) is to identify an organization’s ‘crown jewels’. According to Logan Brown, this step is largely overlooked and not at all easy. Once the crown jewels are identified, proper security layers can be designed to protect them. At the moment, the panel believes that we should become more proactive rather than simply reactive. This is important because you can never stop an attacker; you can only make it hard for him to damage your vital interests. This was illustrated by the following quote: “A hacker can try and open a thousand doors, and only needs one to get into the building”. Aamir Lakhani compared our current, reactive policy as permitting a thief to ‘be in our house for over 200 days, before we detect them and call law enforcement’. The takeaway of this part of this panel was to never challenge the actor, but rather become fully prepared.
A couple of solutions were introduced to tackle these problems and to protect the crown jewels. It is important to work on monitoring systems, segmentation of networks, installing sensors and introduce automatic anomaly detection systems. In order for these safety procedures to work, it is important to map who is actually our potential adversary. This is where cyber intelligence comes in.
Special information was given regarding a specific threat to our system: the problem of social insecurity. Hackers constantly try and send malicious e-mails with for example dangerous links they want people to click on. Once someone clicks on one of the links (the e-mails most of the times looks completely legitimate), credential harvesting can start. It is an operation of ‘land and expand’.
What was interesting to see in this panel, is that most panelists disagreed with an argument made by Admiral Barrett in her keynote on the costs of entry to the cyber battlefield. Where Admiral Barrett stated that costs of entry are generally really low (‘as much as $150’), Logan Brown countered by stating that ‘hacking is becoming more and more the business of nation-states’.
All panelists noticed the American government and the DoD openly acknowledged the threats in the cyber domain. They agreed it is time to continue the work we have done so far and start acting proactively now.
Further Reading Section:
- Conference – Cyber Security: Risk, Recovery, and Resilience
- Cyber Escalation: A Military Planer’s Blank Slate
- It is Time for a Cyber FDIC
- Event Recap: The Keynote Speech | Cyber Security: Risk, Recovery, and Resilience
- Event Review – Panel 2: Cyber Security & Consequences for the Military
- Event Review: Panel 3 | Defense, Diplomacy and Deterrence