Views on Hackers and the Need to Rethink Cybersecurity From David Brumley, Director of CyLab, Carnegie Mellon University

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Despite growing cybersecurity threats, there is an inadequate pipeline of talent to fill the necessary jobs and hackers are still considered to be criminals rather than potential resources.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor Jimmy H. Koo posed a series of questions to David Brumley, director of CyLab, associate professor at Carnegie Mellon University and a member of Institute of Electrical and Electronics Engineers, on President Obama's Cybersecurity National Action Plan and the need to close the knowledge gap between lawyers and cybersecurity professionals.

Bloomberg BNA:

What are your thoughts on President Obama’s announcement of the Cybersecurity National Action Plan, which requests more than $19 billion in cybersecurity funding?

David Brumley:

I commend the president for this. Our nation deeply needs to dedicate more resources to securing our growing cyberspace in which nations, organizations and individuals communicate, shop, and store private information. But if we want to become the cybersecurity-aware nation that we need to be, we need to start with removing the stigma from the cybersecurity profession.

First off, we need to stop equating hackers with criminals. The hackers I know aren't criminals; they are ultra-curious, highly imaginative professionals who can find the unexpected holes in the protective wall. While some hackers go rogue, those aren't representative of the field as a whole.

Second, we need to start differentiating cybersecurity from information technology (IT); IT can’t just be rebranded as security. In this profession, we’re always in competition with highly intelligent, potentially powerful adversaries. We need to be thinking one step ahead of the attacker, thinking like an adversary.

Third, we need to start recognizing that cybersecurity is important to everyone, not just software developers or the banking industry or any institution dealing with sensitive information. Everyone needs basic cybersecurity and privacy hygiene, and until we create an entire cyber-aware generation, we’re all vulnerable.

We need to stop equating hackers with criminals.

Bloomberg BNA:

You mention that there’s an inadequate pipeline of talent to fill the necessary public and private sector jobs. Do you think Obama’s action plan, which includes a $62 million investment to create scholarship programs for cybersecurity education and develop a cybersecurity core curriculum, will help fill that void?

Brumley:

President Obama’s proposal focuses on only filling government jobs in cybersecurity. We also need to address the larger gap for non-government jobs. Every unfilled position represents a risk, and in a connected world, that risk isn’t quarantined to just government or just industry; they’re interconnected.

Pushing cybersecurity education at the undergraduate level is critical. It’s a huge field, a huge talent shore. One great thing about scholarship programs is that they can also start filling the race and gender gap in the field. But we need to go beyond this because the talent pool isn’t an “our government doesn’t have enough people” problem, it’s an “everyone doesn’t have enough people” problem.

We need to see, as a national priority, cybersecurity put at the same level as STEM (Science, Technology, Engineering and Mathematics), at the same level as learning math or arithmetic. Often there are week-long programs in cybersecurity, but we need more. What’s more important to someone: understanding security and privacy, or a typical chemistry class where you learn a reaction? Both are critical but one is going to be more applicable every day.

Bloomberg BNA:

One of the areas of your research is developing better software security. How do you address and terminate cybersecurity threats without getting into a cybersecurity arms race with the bad guys? Or is that the name of the game?

Brumley:

The goal that we’re going after with software security is to be able to automatically check the world’s software for exploitable bugs. To me, there are two critical words: automatic and exploitable.

If you don’t have people thinking like an attacker, you can’t have defenses defending against those people.

We need a computer system that tirelessly checks other computers for vulnerabilities hackers can use. Some of the vulnerabilities are truly hard to spot, and more research is needed to automatically find them, but the sad fact is there are tons of problems we already know how to automatically find, and tons of programs that have the same bugs because the code is copy-and-pasted. We need to start systematically addressing the situation, and it’s not just high-end problems, it’s the everyday, we already-know-how-to-handle-it problems that are killing us.

Second, we need to address the incentive structure. Right now if you download and install a vulnerable program, you pay the price when the hacker breaks in, but it’s the software company that made the mistake! We need to change the incentive structure so that both companies and users work together to help. There are some really big leaders in this—companies like Microsoft Corp. and Google Inc.—who are trying to get out of this arms race by bringing the best people who would typically find those vulnerabilities and rewarding them so it’s more economical to them to go to Google and win a contest like pwn2own than to sell it to a bad guy. If you can change the economics of it—if you can change the incentive structure—then you can beat the bad guy. There’s always going to be criminals, but we want to make the intelligent choice working with the good guys.

(Click image to enlarge.)

Brumley

Bloomberg BNA:

What are some of the ways that connected devices have changed the cybersecurity landscape?

Brumley:

The Internet of things is going to be a huge challenge because they are seen as devices, not computers. For example, when Apple Inc. or Microsoft find a security problem, they can roll out an update quickly because phones and computers are connected and usually attacked only over those connections. IoT devices are different: they may not always be connected, and people interact in much more subtle ways. One challenge is updating these devices. Your home computer can probably automatically apply updates when security problems are found, but IoT devices are different. Connectivity is a huge problem.

For lawyers to better interact with cybersecurity professionals, we need to close the knowledge gap. In some cases, it’s not that the lawyers aren’t there, it’s that the laws aren’t there.

We also need to start thinking about the privacy implications. The mobile phone was a game-changer for privacy because people carry their phones wherever they go and see them as personal devices. How are things going to change when computers penetrate every public place and you don’t own the data?

Bloomberg BNA:

What can lawyers do to better interact with cybersecurity professionals and does your view change if the interaction is in an in-house context, such as in-house counsel interacting with the CISO or CTO or CIO?

Brumley:

I think law is a critical aspect of cybersecurity in the policy landscape as far as—especially at the contract level—understanding questions such as what are the principles that people are going to use when forming relationships? What is trust? And what sort of cybersecurity measures can companies expect between each other? That’s huge. This is due diligence. I think for lawyers to better interact with cybersecurity professionals, we need to close the knowledge gap. In some cases, it’s not that the lawyers aren’t there, it’s that the laws aren’t there. The laws need to catch up.

It’s also important to emphasize that this is a two-way communication. Both sides need to understand what the law says, what the law means. Lawyers are fantastic, but they’re interpreting the laws that are there. Cybersecurity professionals need to understand how the law works and often we don’t. We’re technology people, not legal people. And vice versa, lawyers need to understand that when the law says X, what are the different ways that that can be interpreted from a security and privacy technology perspective.

For example, the Wassenaar Arrangement restricts a number of different goods and technologies from being exported, including software exploits. The problem here is that exploitation is an essential part of computer security: one must think like an attacker. But this law would make exploits expert-controlled, meaning we wouldn’t be able to talk about fundamental security concepts to undergraduates because we don’t know if they’ll export the exploit. If you don’t have people thinking like an attacker, you can’t have defenses defending against those people. There is a clear misunderstanding here between law and cybersecurity, and better two-way communication between policy makers and cybersecurity professionals would help.