What keeps the Department of Homeland Security on its toes when it comes to cybersecurity?
For Douglas Maughan, director of the Cyber Security Division in DHS' Science and Technology Directorate, software engineering, mobility and cyberphysical systems are high on his list.
Speaking at a recent event co-hosted by the U.S. Cyber Challenge and the Association for Federal Information Resources Management (AFFIRM), Maughan highlighted where his directorate is focusing its cybersecurity efforts.
Software and software engineering
“We’re doing a terrible job in our schools, up and down, in teaching kids how to write software and secure software,” Maughan said. “We have a lot of activity going on in software engineering, and we need to do more.”
Maughan said software developers must constantly analyze their programs to ensure that security is built in correctly.
“You can’t write software once and assume it’s done,” he said. “Heartbleed is a great example. They’ve been working on it; it’s been around for a long time. One change in one upgrade caused the whole problem. If they’d continually done the analysis, maybe they’d have caught it.”
Heartbleed is a vulnerability in OpenSSL software that exposes servers to hackers. Its effect has been felt throughout government.
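Maughan's point about continuous analysis, as an added example that is not code from the article and not OpenSSL's code: a heartbeat responder modeled on the TLS heartbeat record layout from RFC 6520 (type byte, 16-bit payload length, payload, at least 16 bytes of padding), with the bounds check whose absence was Heartbleed written out explicitly so that a test over a constructed oversized request fails loudly instead of silently leaking memory. The function name `heartbeat_respond`, the `run_demo` harness and the two sample records are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from the article or from OpenSSL.
 * A heartbeat request (RFC 6520) is laid out as:
 *   1 byte  type
 *   2 bytes payload_length (big-endian)
 *   payload_length bytes of payload
 *   >= 16 bytes of random padding
 * Heartbleed was the absence of any check that payload_length fits
 * inside the record actually received; the responder then copied
 * payload_length bytes from beyond the end of the record. */

#define HB_REQUEST     1
#define HB_MIN_PADDING 16

/* Echo the heartbeat payload into out (capacity out_cap).
 * Returns the number of bytes written, or -1 when the record is malformed. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    /* Header and minimum padding must be present before we read any field. */
    if (rec_len < 1 + 2 + HB_MIN_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The check whose absence was Heartbleed: the declared payload length,
     * plus header and padding, must fit inside the bytes we were given.
     * Without this line the memcpy below reads past the record. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    if (payload_len > out_cap)
        return -1;

    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* Constructed records for a stand-alone run: a well-formed 5-byte "hello"
 * heartbeat, and a malicious one that declares 65535 bytes of payload but
 * carries only 5 bytes plus padding. Unlisted bytes are zero (the padding).
 * Returns 1 when the responder behaves correctly on both, 0 otherwise. */
int run_demo(void)
{
    uint8_t out[65535];
    uint8_t good[3 + 5 + 16] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t bad[3 + 5 + 16]  = { HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };

    int n_good = heartbeat_respond(good, sizeof good, out, sizeof out);
    int n_bad  = heartbeat_respond(bad,  sizeof bad,  out, sizeof out);

    return n_good == 5 && memcmp(out, "hello", 5) == 0 && n_bad == -1;
}
```

The value of the example is the second record: a test like `run_demo` that feeds an oversized declared length is exactly the kind of analysis that, run on every change, would have flagged the missing comparison the moment it was dropped.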
Distributed denial-of-service (DDoS) attacks
“We are getting killed [by DDoS attacks],” Maughan said. He estimated that today’s DDoS attacks, which seek to cripple Internet sites and services by flooding them with network traffic, are capable of generating 400 gigabits per second of data. Five years ago, he said, that figure was 40 gigabits per second.
“So an order of magnitude [increase] in five years,” he said. “If that happens again, what are we going to do with 4 terabits a second?”
Mobility
“The volume of devices is just going to go up,” Maughan said. “It’s all going to be mobile, and most of it’s not secure.”
Last year, DHS headed up a team spanning the federal government to develop the first Mobile Security Reference Architecture. The department also launched the Mobile Carwash, a cloud-based system for vetting the design, security and engineering of mobile applications. The Carwash is available to other agencies.
Cyberphysical systems
In other words, the Internet of Things. “We are betting our lives on what we call cyberphysical systems,” Maughan said. “Your car is nothing more than a computer on wheels. There’s no security in the design of that system. Your medical device? Computer. Smart grid? Computer. UAV [unmanned aerial vehicle]? Computer. All of those systems are vulnerable.”
According to the Cyber Security Division chief, a significant security risk is the lack of control over how the disparate products and technologies connecting to the Internet are manufactured. How can we know whether a device that connects to the network is 100 percent secure?
“A lot of it is the supply chain,” Maughan explained. “Ford doesn’t build the car; they just integrate everything they get from other people.” It’s important to be able to trust the production of Internet-connected devices.
“We are the weakest link in this chain,” Maughan said. “It’s not just education; it’s awareness, training, usability.”
Maughan believes that modern technology solutions — including security solutions — are still too difficult for many people to use correctly. And if they can’t use the technology, they won’t.
“Many of you don’t use your device because it’s really hard to use,” he said. “You don’t add security or use security because the guy who did it was a Ph.D., and he thought everybody would be able to figure it out. Most of the security that does not get deployed does not get deployed because it is not easily usable.”