“If we were in a cyber shooting war, if our adversaries decided that they were going to fire zeros and ones at the United States to cause disruptive activity, we would lose. Think about that for a minute. We. Would. Lose.”
As a CNN National Security Commentator, advisor to IronNet Cybersecurity, and former Congressman and Chairman of the House Permanent Select Committee on Intelligence, Mike Rogers certainly knows of what he speaks.
Data is in the Crosshairs of a Cyber War
Though it may sound like the stuff of science fiction, some of the most influential conflicts to come, ones that will reshape the face of world superpowers, will be fought online.
And it really shouldn’t come as much of a surprise, should it? Over the past several months, we’ve witnessed some landmark cyberattacks on U.S. soil that sent ripple effects throughout our society. Rogers urges us to understand the dire threat these cyberattacks pose, whether waged against corporations (criminal activity) or government (nation-state activity).
What Incentivizes Data-Driven Cyber Criminals?
To understand the recent uptick in cyberattacks, one must understand what drives these criminal behaviors. Otherwise, it’s challenging to enact strategies to prevent or contain these attacks.
Whether targeting corporations or governments, cyber criminals aim to collect and use sensitive data in nefarious ways. Bad actors steal data to sell, leak, or disrupt, and the line between the activity of criminals and nation-states is quickly blurring. To date, we have seen disruption of service in education, healthcare, transportation, fuel provision, and even financial services. Whether politically or economically motivated, the result is the same; these acts have far-reaching consequences for private citizens, as well as the national economy, infrastructure, and even democracy.
Understanding How Attackers Operate
When cyber criminals successfully access systems, it’s often through a well-developed social engineering campaign. Attackers have become experts at phishing by crafting what appear to be authentic emails. They collect enough private information to understand an individual profile—personal information, employment details, location data, communication style—so they can generate accurate phishing emails to scam other parties.
Phishing attacks trick victims into giving up sensitive information by falsely posing as a trusted individual or platform. When individuals fall prey to a phishing attack, they can inadvertently provide access to their organization’s secured IT infrastructure, leading to a major breach or ransomware attack.
According to Rogers, “Most of these criminal organizations are getting better and better at crafting that social-engineered phishing email to get into the heads of your employees to let them in.”
In July 2020, when attackers hacked Barack Obama’s Twitter account to get people to invest in cryptocurrency, it was resolved fairly quickly. Attackers used the same message to target Bill Gates, Joe Biden, Elon Musk, and others. Today, tactics have evolved, cybercriminals are getting more sophisticated, and the attacks are more personalized, more subtle. Access to data contributes to an unprecedented scale of possible threats, and Rogers posits that when we think about how data drives criminal behavior in the world and nation-state activities on the Internet, “I don’t think, candidly, [we] fully understand [the threat] just yet.”
Balancing Privacy and Security
Data security is critical to prevent personally identifiable information from being stolen, which can then allow illegal access to even more than personal systems. “Protection of data in total is outrageously important. I don’t care if it’s in the cloud or data in motion, it’s going to be very, very important for us to pull together in order to make this defensive capability work,” says Rogers.
Today, government agencies protect themselves, and the private sector is on its own in developing data security practices. Rogers believes that a unified approach to data security could be the key to protecting the U.S. from these looming cyber threats.
Rogers firmly states, “You can’t have security without privacy, and you cannot have privacy without security. Somehow, people have decided that you have to pick one or the other. And this has been slowing the debate about how we protect that data and how the government can help us protect that data.”
The solution is for the government and the private sector to collaborate across multiple fronts to help protect data. To those who worry that a unified approach would entail giving up personal information to the government, Roger rebuts, “That is just not true. There are ways we can protect [the] private information of individuals and still provide exceptional security. And we can share threat information in real-time, machine to machine, so nobody’s actually reading anything.”
Bringing the private and public sectors together to share information surrounding data breaches or malicious attacks and implementing unified policies and procedures to limit the risk associated with sensitive data may be how we gain the upper hand over those trying to cause political and economic turmoil in the United States.
Driving Positive Change to Fight Cyberattacks
As we strive for a safer tomorrow, Roger pointed to President Biden’s executive order as “a good start. It’s going to drive some change.” He illustrates four areas of focus that will drive positive change in the fight to mitigate the consequences of these exploitative cyberattacks.
Policy – The federal government must enact a comprehensive approach to enhance its internal cybersecurity strategies and fortify its security parameters against these modern exploits.
Remove Barriers to Sharing Threat Information – Remove the internal repercussions an agency may sustain from a breach. Discussing these exploits will be encouraged, radically shifting the perspective around internal government data breaches.
Modernize Federal Government Cybersecurity – Build more resilient and secure internal data security structures using strategies like zero trust architecture to limit the likelihood that cyberattacks cause significant damage.
Enhance Software Supply Chain Security – Enact new stipulations on how software is sold to the government to increase transparency and security.
In addition, though it took Rogers about 18 months of study (back in the 2012-2013 timeframe), he eventually became and remains a huge proponent of the cloud as the ultimate secure environment. Rogers emphasized, “It’s really, really important to make that migration. And the private sector is going to be dragged along through that, as well… I think this is a good thing and it’s going to help our security and it’s going to help you manage your data and protect privacy and security all at the same time.”
Despite his dire warning about our current lack of readiness, Rogers encourages optimism, because the federal government is taking great strides to enhance the security of the United States. This unified approach and swift action will ensure the United States is protected in tomorrow’s cyberwars.
He also has a call to action for those viewing his presentation: “This is a war we can win. We can protect data. We can come up with standard management of data and with a standard privacy standard across the country. But you’re going to have to get involved in that. This isn’t just going to happen.”
In closing, Rogers notes, “Remember, laws, rules and authorities need to align to a threat, and public opinion needs to align with the threat. And I think today is probably the best day for that.” He goes on to acknowledge Okera: “Thanks for the work you guys are doing. It really is state of the art on governance and privacy and security, specifically the cloud. And so, as companies are emerging there, I think your role is going to be even more important.”
Watch Roger’s keynote presentation here: