How will wars be fought in the future? Are we keeping up with the times in cyber warfare as a nation? As these questions linger, one thing we do know: the U.S. has woefully under-resourced the country’s cyber defense as we have not decided which critical assets need protection. Former advisor to Homeland Security Michael Balboni shares insights with CRITICALSTART’s SVP of Managed Security, Jordan Mauriello, on cyberwarfare and what the U.S. needs to do to prepare.
JM: Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.
JM: Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is and has had a major impact even on some of the legislature that we’ve seen around our industry too as well. We want to take the time to get some thoughts from him on some of the direction the industry’s going impact that some of the changes we see in cyber in general are having on national defense, the role of Senate and Congress, and where that’s going from a legislature perspective.
JM: We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.
MB: Thanks for having me Jordan, and thanks for your service to the country in the military.
JM: Thank you very much, sir. I appreciate your support.
JM: How do you think specifically when we talk about how wars are going to be fought in the future and we look at it what national defense mechanisms we have and how those have to change. How do you see that evolving and do you think that we’re staying up to speed and with the times from a cyber warfare perspective as a nation?
MB: I think that we have woefully under-resourced our cyber defense. The reason why I said that is because we have not decided what are the critical assets we need to protect. You can decide that there’s a triaging of national assets and national vulnerabilities that we need to fix collaboratively, that the private-public partnership should and is the model, particularly if you adopt some of the standards like that NIST standard we referred to before. At the same time we haven’t really decided, “Well, is it power plants we need to really focus on? Is it healthcare?”
MB: We’ve seen the “WannaCry” ransomware attack and the Ryuk attack that have convinced the world, “Boy, it’s pretty easy to get a worm into a network, be able to search across the entire network, find vulnerabilities in that.”
MB: In the case of WannaCry, of course it was the Windows program that had been unsupported, unpatched and then spread throughout the world, throughout the globe, and have potentially dramatic impacts on how things happen. Of course, whether it was the British hospital network, whether it was the Maersk shipping where ports actually were close to being shut down, these things that have a global impact, we have not figured out first of all how to classify them. Is that an act of war? If you knew, if you could really prove that a particular nation-state perpetrated this act, is that an act of war? Do you go from the digital to the kinetic? In addition, our intelligence community, we want to know who is attempting to get at us.
MB: We want to know their level of sophistication. We want to know what assets they have available to them. We want to know where they’ve been beforehand because everybody in the cyber world understands that it’s not like you weaponize a payload, distribute it into a network, and then immediately begin executing commands to either steal data or to interrupt the operating network. They may lay dormant, dwell time is what we call it, where they’re going to wait and they’re going to basically surveil the operating environment and see what other vulnerabilities exist to see what other assets they could go after. Map that and then get that information out to their controllers to say “So, here’s what you could go after. You tell me where and when you want to go after.” There’s no immediacy of the attack and response.
MB: The last piece is we walk around with our cell phones and we have more computing power on our cell phones than they had on the first lunar lander.
MB: It’s ubiquitous computing. Matter of fact, there’s a statistic that by 2023, I believe it is, there will be 7 billion phones on the planet. Much more than obviously the population of the earth. Each one of them has the ability to communicate, to calculate, to transmit data, and therefore, become a single point of entry into a network.
MB: How do you secure all those endpoints and how do you make sure that people are aware of the fact that they have a vulnerability that they’re walking around their pocket with? A lot of information needs to get out there. A lot of understanding, awareness, and then strategies and solutions.