The United States is facing many cybersecurity challenges: Ransomware attacks; critical infrastructure vulnerability; exploitation of flaws in widely used software packages such as SolarWinds; potential Russian cyberattacks resulting from invasion of Ukraine; shortage of cybersecurity talent which leaves many government and private sector positions vacant; and many more. Homeland Security Review and Homeland Security News Wire interviewed Georgetown University’s Frederic Lemieux, a recognized expert in the fields of global threats and homeland security.
Frederic Lemieux currently serves as Professor of the Practice and Faculty Director of the MPS in Applied Intelligence at Georgetown University. He is a recognized expert in the fields of global threats and homeland security. Lemieux has helped create and manage several leading academic programs in intelligence, policing, homeland security, and cybersecurity. His research interests focus on intelligence, national security, homeland security, and cybersecurity.
Lemieux answered questions from Ben Frankel, editor of the Homeland Security News Wire.
Ben Frankel: Most of the U.S. critical infrastructure is owned by private companies. Cybersecurity is a public good: should governments, in addition to setting cybersecurity standards, also use taxpayers’ money to help subsidize the implementation of these standards by private companies?
Frederic Lemieux: Because the U.S critical infrastructure is so decentralized and composed of a myriad of private actors, the federal and state governments should play a key role in incentivizing private companies, who are a part of the critical infrastructure, to invest in implementing standards. These incentives could be tax break or deductions for eligible cybersecurity expenditures. Also, in certain key sectors like energy, telecommunication, and transportation the government should increase the cost of not adopting cybersecurity standards like fines and suspensions of accreditation, licenses/permits, and contracts. Both the carrot and the stick should be used.
Frankel: Where do you stand on the question of banning Chinese technology companies (e.g., Huawei) from Western countries’ critical infrastructure?
Lemieux: I think this is a very short-term approach and the U.S government has to develop a more comprehensive strategy regarding critical technologies and its components. It’s not just about computer, phones or networks. Don’t forget that in 2021, China produced a record breaking 140 billion semiconductors for the world to consume. Additionally, in an economy largely impacted by a disrupted supply chain, especially for semiconductors, the U.S will have to seriously reconsider where it intends to find the supply of these sensitive technological components and better control the production. Because just banning Chinese companies will not improve the situation.
Frankel: There are hundreds of thousands of vacant cyber security jobs in the United States, in both the government and the private sector. Can the U.S. educational system be capable of producing enough cyber security talent to fill this ever-growing need?
Lemieux: Overall, there is approximately 400 Cyber Security programsbased on the Center of Academic Excellence (CAE)database designated cybersecurity programs by the NSA and DHS.But this is clearly not enough. In fact, we observe that giant tech companies are starting to develop and offer professional certificates and stackable short trainings in the field of cybersecurity. Students can earn skill badges that demonstrates some key competencies in cybersecurity for a very low cost. For instance, Google offers a cloud security engineer learning path and Microsoft offers all sort of certifications in cybersecurity (security administrator, security operation analyst, azure security engineer, etc.). The private sector is clearly stepping up to address their own needs in terms of skilled cybersecurity workforce.
Frankel: Where do you stand on the issue of allowing more cyber talent from other countries to come and work in the United States?
Lemieux: I believe that the United States has a long tradition of attracting and importing talents. However, the demand for skilled cybersecurity workforce is very high around the world and the supply is low. This has two major consequences. First, the U.S has to compete with many other western countries to attract cybersecurity talents and these countries offer very competitive socio-economic benefits. Second, this international demand for a skilled workforce put several developing countries and emerging economies at risk because they cannot compete to retain their cybersecurity talents. An obvious consequence of this is that tech companies in Latin America, India, and Asia developing technologies for the U.S market do not have access to the same pool of qualified cybersecurity workers, which impact the security of the devices manufactured abroad and sold in the U.S.
Frankel: We are on the verge of the IOT era: Many devices and device components, which will be part of IOT, are not produced in the United States. How do we ensure that these devices are cyber secure?
Lemieux: According to Statista, the number of IoT devices deployed in the United States will almost double between 2019 and 2025, increasing from 2.8 billions to a projected 5.4 billons devices. In order to ensure some level of security and protection of IoTs and their supporting networks, the National Institute of Standards and Technology (NIST) has issued a series of guiding principles for manufacturers, federal agencies, and consumers. For the manufacturing industry these guides address the security of IoT in conception phase, design, development, testing, selling, and service support for IoT devices. The IoT Cybersecurity Improvement Act of 2020 mandates NIST to provide guidance to the federal government on several aspects including but not limited to the selection, acquisition, deployment, and use of IoT technologies. This law also extends to federal government’s supply chain management practices and private contractors. Also, the Executive Order on Improving the Nation’s Cybersecurity(14028) address the multifaceted security risks including the IoT. The executive order specifically stipulates that “NIST shall initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices, and shall consider ways to incentivize manufacturers and developers to participate in these programs”. These legal and executive dispositions as well as standards provide a cybersecurity baseline for IoT devices and devices components.
Frankel: We have witnessed SolarWinds, Log4J, and other massive failures of software used by thousands of companies and government agencies. Is there a better way than what is currently in use to ensure the safety of such vital software packages?
Lemieux: The approach to security must change for companies, developing not just for these particular software packages, but I would argue most of them. You don’t want a weak link in your systems. An integral part of injecting security into processes is for organizations to integrate security solutions at the onset of the deployment and development cycle of new software and technology. DevSecOps was created in response to security concerns generated by the DevOps timeline in which security considerations were left until the very end of the software development cycle. The idea was to resolve security problems by addressing security at every stage of the software development cycle. However, this approach was flawed because the security solutions were left in the hands of software developers who were poorly equipped to address these issues (lack of tools and knowledge). Then a fairly new approach was recently incepted: SecDevOps. This approach requires security to be at the forefront of every stage of the software development cycle by promoting secure coding and embedding security measures into the planning, analysis, design, and deployment stages in addition to traditional implementation and testing stages. In addition, changes in software application code are tied to security requirements related to deployment procedures.
Frankel: About 10 years ago, Israel and the United States were able to damage Iran’s uranium enrichment program by unleashing the Stuxnet virus, which did damage to Iran’s enrichment centrifuges. The gates of two small dams in the United States were opened by malware planted in their control system – in all likelihood by Russian intelligence. Experts saw in it a dress rehearsal for attacks on U.S. infrastructure. Can such attacks be thwarted?
Lemieux: In my opinion, these attacks will be very difficult to stop, and the U.S is particularly vulnerable to these attacks for several reasons. First, let’s remember that about 85% of the U.S. critical infrastructure is own by thousands of private companies – to put it in cybersecurity language: the attack surface of the U.S. critical infrastructure is practically infinite. So, the exposure is far greater than the sum of counter-measures currently deployed. Second, according to IBM (2020), it still takes an average of 228 days for companies to detect a breach in their information systems and an additional 80 days to contain the breach. Of course, these statistics varies from one critical infrastructure sector to another, but you understand my point. Third, many companies do not report breaches and attacks to authorities and therefore there is a large number of attacks that authorities don’t know about. That means two things: (a) our statistics on attacks and breaches are significantly skewed and (b) cyber threat intelligence effort is seriously hampered by this low reporting rate. In other word, we are flying blind in certain sectors and industries. Finally, most companies that are part of the U.S critical infrastructure did not yet adopt a culture of active cybersecurity risk management and they see compliance requirements (if any exist in their industry) as a simple “check the box” exercise. For these reasons, I believe the U.S. could be critically impacted if a foreign country with cyber capabilities like China, Iran, North Korea or Russia decided to engage the U.S. in an aggressive cyber warfare. I don’t even want to envision what could happen if two or more of these countries would coordinate an attack against the U.S. I don’t want to downplay the U.S. cyber offensive capabilities and the powerful deterrence of a cyber retaliation against a cyber aggression, but our cyber defense would be most likely outgunned.
Frankel: The recent revelations about the Pegasus spyware from the Israeli company NSO raise this question: Is privacy dead in the digital age?
Lemieux: The use of Pegasus spyware is believed to go back to 2014. A report from Amnesty International (2021) alleged that the spyware can be deployed from a click on a link (embedded in text, email, encrypted message applications) or with “zero-click” interaction. Once deployed in a mobile phone, Pegasus provide access to all the digital content and physical components of a phone like camera and microphone. While NSO did not share the names of its clients and their targets, a recent news reportalleged that hundreds of cases of infected phones with the spyware have been confirmed. Among the targets, U.S. government officials and journalist. Despite this extreme case of unchecked violations, I would argue that privacy is not dead yet. In Europe, we have witnessed the inception of the General Data Protection Regulation (GDPR) in 2016 and addresses integrity as well as confidentiality of personal data. In the U.S., California, Colorado and Virginia have adopted legal frameworks to address data privacy of their constituents and several other states are currently taking similar legal approaches (mostly consumer data privacy regulations). However, it is accurate to say that there is a national and international inequality in terms of protection of data privacy. The lack of specific legal frameworks and enforcement mechanisms in many U.S. states and foreign countries leave people with little to no protection of their data in the cyber space.
Frankel: More and more experts talk about a need to formulate an international cybersecurity convention — similar to conventions governing nuclear, biological, and chemical weapons. What should be the main do’s and don’ts of such a convention?
Lemieux: Actually, the concept of an international cybersecurity convention is not a new one. In the early years of the European Union, the Council of Europe adopted the “Budapest Convention” in 2004. Most countries member of the EU did signed and/or ratified the convention. In a nutshell, the convention’s main goal was to harmonized legal frameworks related to cybercrimes across EU countries and abroad. More recently, in 2019, the United Nations has adopted a motion introducing the creation of a global treaty on cybercrimes led by Russia and supported by 69 other countries including China. Most western countries were opposed to the motion for a few key reasons: (1) Divergence of views on how to define cybercrime, views from democratic countries seems to be at odd with those of more authoritarian nations. (2) Could lead to the legitimization of the use of information technology by governments to spy and persecute political opponents. (3) Investigative procedures of cybercrimes differ significantly between countries, especially where the rule of law is not established as guiding principle, leading to significant tension in intelligence sharing and evidence collection. In other words, the current negotiations to establish a are highly tainted by political ideologies and continue to raise tension between democratic and non-democratic values.
Frankel: One of the problems in responding to cyberattacks is the issue of attribution. But if attribution is a problem, how can an international treaty be enforced?
Lemieux: This is thorny issue. First, if a cyber-attack is perpetrated by a non-state actor like a criminal group that is not in cahoots with a government, I believe there will be less challenge to the attribution process and less resistance to enforce the convention. However, if an attack is perpetrated by a state actor or a private proxy, then attribution can become more opaque and more difficult to obtain consensus on the perpetrator. The possible way to handle a situation where the attribution is challenged by a nation state is to establish a sort of international tribunal like we have for international trade. Then, based on the accusation under the articles of the cybersecurity convention, the tribunal could decide if a state has or not violated the treaty and could face reparation fines or international sanctions. This could only work if the legitimacy of the treaty and the tribunal is recognized by the country accused of conducting cyberattacks or harboring those who committed such aggression. Otherwise, nothing would be different than the current situation.
Frankel: Where do you stand on the proper balance between defensive and offensive cyber measures a country should take vis-a-vis its adversaries?
Lemieux: I tend to support a more punitive approach or strategy that will rise the risk for the perpetrator and diminish the gains from the cyber operations. Here I mean to stay away from preemptive cyberattacks on adversaries. Too many mistakes have been committed in the past regarding “preemptive strikes” to start committing the same mistakes in the cyberspace. However, the application of robust punitive actions comes with a few caveats: (1) punitive measures should be proportional or lesser to the aggression to avoid escalation or backlash from allies; (2) the punitive measures should never be a country’s most advanced cyber capabilities to avoid being overcome in the next attack or just reveal to other potential adversaries the extent or limit of your cyber capability; (3) always consider non-cyber offensives measures as a part of the punitive strategy.
Frankel: There is a school of thoughts among cyber experts which argues that corporations should hide damaging malware among their most sensitive files. That way, if a hacker – say, the intelligence service of another country, or hackers working on behalf of a rival corporation – manage to breach the company’s security and steal sensitive files, the hacker would infect its systems with the malware hidden among the files stolen from the hacked company. Would you advise American companies to adopt this strategy?
Lemieux: No. I don’t think that the cyber equivalent of the “Castle Doctrine” is a viable option for American companies. I can see how it makes a great conversation in the business lounge but I am thinking about all the legal liabilities of being in possession of malware, insurability of a company if this goes out of hand and the malware deploy within the company own systems, the messiness of the attribution if a government investigation takes place, and last but not least, I would not recommend to a company to get involve in a cyber conflict with an intelligence service from a foreign country … the ripple effects of such situation goes far beyond the company’s own interest.
Frankel: We are told that one of the more serious problems in the cyber security field is the low rate of retention – cyber security employees tend to leave their jobs sooner relative to other specialists. Is this the case? What can be done to correct it?
Lemieux: While there is a massive gap in the cybersecurity workforce, it is good to know that this gap is reducing slowly but steadily. Nonetheless, a 2021 study conducted by ISC2 on the cybersecurity workforce shows that the current need for cyber professionals is estimated at 4.19 million worldwide but 2.72 million job positions are not yet filled. This workforce gap also affect significantly the United States. In other words, the job market is highly competitive for employers. To address this shortage of talent, companies and government agencies are increasing budget for professional training, increase the quality of working conditions, and invest in workforce diversity. They also turn toward technology solutions like using cloud services to secure data, deploying AI solutions to automate some critical cybersecurity tasks, and involve cybersecurity professionals earlier in third-party relationship. Despite these measures, it will take sometimes before we reach an equilibrium between demand and supply of cybersecurity talents.