Hacking power grids; hacking elections; hacking ATMs and the financial system; hacking the key cards for hotel rooms: The cybersecurity problem is vast and daunting.
"The scope of the critical infrastructure cybersecurity problem is so big that we're mostly paralyzed as a nation on how to solve that problem," said Phil Quade, former director of the NSA's Cyber Task Force and newly named CISO at Fortinet, during a talk at the 2017 RSA Conference in San Francisco. "What we need is a new way to approach that."
Rather than allow the breadth of the problem to overwhelm, Quade suggested a coordinated approach that breaks the challenge into less-daunting pieces.
"It's about deconstructing a very, very large problem into manageable parts," he said.
He outlined such an approach using four broad categories modeled after the moonshot in the 1960s – a comparable challenge that ended with the U.S. landing men on the moon.
The first step is to establish the ultimate goal of such an endeavor, Quade said. He framed suggested goals in five categories:
"Our goal is to … sustain economic competitiveness – our companies that we all earn money from or are otherwise dependent on, their viability depends on available, secure and reasonably-priced infrastructure. Our national security depends on secure and available infrastructure … Privacy and civil liberties – a fundamental value of the U.S. – depends on secure and trustworthy infrastructure. Public safety, often a euphemism for law enforcement and Homeland Security, guess what it depends on: Secure and available infrastructure; as does our pursuit of happiness," he explained.
The next step, according to Quade, is to set the horizon: View the full scope of the problem and set a window – say, 10 years, as in the case of the moonshot – in which to achieve it.
"There're lots of challenges ahead of us," he said. "Some of them are mountains, some of them are valleys, some of them are forests. There's a lot to traverse."
Looking out into such a horizon is often when the immensity of the task sets in. But, just as a journey of a thousand miles begins with a single step, Quade believes he knows where to start.
The First Steps
In Quade's assessment, there are three steps that can be taken now, and it all starts with sharing information.
"It's big enough to be meaningful but not so big we're trying to boil the ocean," he said.
There are many initatives currently underway with regard to information sharing, including DHS's automated information sharing program, sector-specific Information Sharing and Analysis Centers (ISACs) and among cybersecurity companies and researchers.
The second step is consequence-based engineering. Rather than working to predict every vulnerability and patch every hole, those developing critical systems should work to "engineer out bad consequences," as Quade put it. If adverse effects are impossible, there's nothing for a bad actor to target.
Quade's final first step is boosting the cyber workforce.
The federal government – in which Quade worked for some 33 years – has gotten very good at encouraging the early stages of workforce development, incentivizing colleges and universities to start and expand cybersecurity programs and promoting STEM early in young students' education. But the focus on later stages – the journeyman and master levels – has been lax, with fewer resources put into career-long training.
"What are we doing as a nation to, at scale, move people from the apprentice to the journeyman and what are we going to do move the journeymen to the masters?" Quade said. "And do this in a sustainable way so we have a constant influx of people from bottom to top?"
All the Steps
After the first steps comes the long journey.
"I don't know what those 1,000 steps are that it's going to take to get to a secure and resilient critical infrastructure state," Quade said. That will be a group effort among stakeholders, he added, like the ones present at RSA and working in the trenches in the public and private sectors.
"What I'm proposing here is that people self-organize to commit to taking the thousand-mile journey … but in the meantime let's break this down."
Quade expressed optimism in the nation's ability to meet this challenge, referencing the moonshot once more.
"We rocked it, as a country," he said, an example that we "can do heroic things. I think that same analogy applies to securing critical infrastructure."