While the federal government needs to balance the convenience and security aspects of cybersecurity, agencies also need to understand that as the complexity of systems increases, so will vulnerability, a U.S. Secret Service official said during a keynote presentation on cybersecurity at the 2016 GITEC Summit in Baltimore.
Ron Layton, special agent in charge of the White House Technology Liaison Section at the Secret Service, said that as convenience of using networks and systems goes up, security tends to decrease; and as security is enhanced, networks and systems become more difficult to use.
“And, for every instance that you might give me to the contrary, I can give you 10 that validate this model,” he said.
Issues in Cybersecurity Today
Layton said that technology is “incredibly vulnerable,” but if an organization employs moderate security protocols — and has IT workers who engage in sound cyberhygiene — then the agency should be in good shape. However, he said, human behavior can “really screw up technology” if people are lax in their security and do things like have passwords that are easy to guess.
Layton mentioned spear phishing, in which hackers use email messages that appear to be from trusted sources to gain access to users’ information once they are opened. “It’s gotten more sophisticated,” he said. “The fact that we’re still all falling for the same thing, it’s just kind of silly.”
Another problem presented by cybersecurity is that no one can agree on a definition of what it is, Layton said, and the definition has changed radically in the past decade.
“When you try to study these problems, it’s not like everybody is looking at the same thing,” he said.
Agencies need to manage risks because not all of cyberspace is safe, Layton said. Human behavior is a strong driver of risk. “How do I balance that with this robust experience I want to give my users?” he asked. “It’s hard.”
Moving to a More Complex World
Layton discussed the Secret Service’s Critical Systems Protection Initiative (CSPI), which he said the agency does not talk about much. Over time, he said, the agency developed the capability to track traffic between networks as part of an effort to stop counterfeiting. The service uses that kind of capacity to protect not only people, but also buildings, according to Layton.
The CSPI, which Layton said was first developed at the turn of the century, lets the Secret Service protect the IT and network infrastructure of buildings (including connected infrastructure and building systems) that people whom the agency is guarding enter into. The service works with the building owners and operators to shore up the cybersecurity of their systems.
That kind of operation points to increased complexity that will result from the Internet of Things, Layton said. He noted that 10 programming languages — such as C, Java and Ruby — account for 80 percent of the software running on all devices worldwide. “Some languages are incredibly vulnerable to certain types of attacks,” he said. “Each language has its own little quirk.”
Layton said the weakest link in a chain of 100 connected devices could compromise the whole system.
Layton said that as “complexity goes up, vulnerability goes up. That’s an issue for the future.”
The reason why it is not the same as the security/convenience dynamic, Layton said, is that “we can do all kinds of things to monkey around with convenience” and make systems easier to use. However, as more devices become connected inside and outside of buildings, he said, “we can’t do much about the complexity issue.”