LAWRENCE – FBI Supervisory Special Agent George Schultzel pulled hundreds of people to the edge of their seats Friday during a meeting at the University of Kansas to explore how government, industry and researchers could work together to improve cybersecurity in the United States.
He took part in a panel discussion with executives from Garmin, T-Mobile and the Federal Reserve Bank of Kansas City addressing the technology challenges to raise the bar for cybersecurity.
“Now we’re going to get to the part of the panel where I scare the living, uh, fill you,” Schultzel said.
He raised the implications of the distribution of the malicious Stuxnet computer worm, which targeted supervisory control and data acquisition systems to harm Iran’s nuclear program. Reports have indicated that the cyberweapon was built by the United States and Israel during the administrations of President George W. Bush and President Barack Obama. Stuxnet has infected some 200,000 computers and destroyed 20% of Iran’s centrifuges used to refine nuclear fuel. Iran responded by engaging in a cyber attack program.
“Iran took it as, ‘Okay, we’ll start recruiting and start causing havoc.’ Fast forward and Saudi Aramco goes down. It has a huge impact on oil production worldwide,” Schultzel said. “In a sense we move into the future and countries realize that they can influence world events, they can influence their opponents, they can negatively acquire technology “.
“All of these things, I think, change how we look at the world and how we need to be able to move forward. This, I would argue, is the biggest national security challenge of cybersecurity. I have a hard time falling asleep thinking about it,” she said.
KU hosts a National Center of Academic Excellence in Defense and Cyber Research designated by the United States National Security Agency and the United States Department of Homeland Security.
“We need more experts”
Less than 1 percent of global gross domestic product has been dedicated to stopping cyber breaches, said Jason Rogers, chief executive officer of Invary. The startup emerged from the university’s Innovation Park and is dedicated to identifying hidden malware in operating systems. Invary has advanced by relying on the expertise of the KU School of Engineering and technology developed by the NSA.
“We need more experts,” said Rogers, who recommended expanding collaboration between government, education and business. “Are we collaborating more than our opponents?”
Currently, he said, the average time between the identification of a breach and its containment is 304 days. The average cost of a data breach was $4.3 million. But the average cost of a mega-breach of more than 50 million records has exceeded $400 million.
Lyle Paczkowski, senior technology strategist at T-Mobile’s advanced and emerging technology division, said improving cybersecurity in the US requires a much larger workforce.
He said 4.7 million people worked in cybersecurity in the United States, but another 3.4 million would be needed to cover the basics. Staffing supply cannot keep pace with existing demand for skills, much less create a talent pool for the future, she said.
“Honestly, there are a lot of scary things to contemplate,” Paczkowski said. “Particularly around digital twins and things that can replicate you as a person or a machine over the network.”
Dan Hein, security architect at Garman International, said obstacles to cybersecurity require the involvement of interdisciplinary researchers. The job should include understanding people outside the traditional cybersecurity realm of computer science and computer engineering, he said.
“Appreciate what you don’t know,” said Hein, who has a doctorate. “We know the basic block and contrast, to some extent, of cybersecurity. Where should we go next?
New technology, new threat
Mark Schmidtberger, head of information security at the Kansas City Federal Reserve, said the rapid pace of technological evolution means future cyberattacks will come in forms that are hard to imagine right now. People involved in cybersecurity need to focus on narrowing the window between where a cyberattack was identified and where someone exploited that threat, he said.
“We should be aware, just accept it as concrete, that there will be new technologies out there. And whenever there’s a new technology, there’s probably going to be threats,” she said.
Cybersecurity threats wouldn’t be solved solely by law enforcement, said Schultzel, the FBI special agent.
He said the FBI demonstrated nearly a century ago a keen ability to track down notoriously violent bank robbers. However, he said, killing or throwing those men and women in jail did not end bank robbery as a lucrative occupation. This was achieved as banks collectively raised investments in security with armed guards, time-operated blast doors and bulletproof glass.
The same could be said of the problem with the ransomware crime, Schultzel said. The FBI and European law enforcement agencies shut down Hive, but not before the ransomware operation extorted more than $100 million. Hive allegedly collaborated with independent hackers to encrypt the target’s computer system and request payments to provide a key to unlock them.
Certainly the hive shutdown did not eliminate ransomware as a criminal activity.
“We are good at going after these guys and bringing them to justice, but that won’t satisfy the cybersecurity problem as a whole,” Schultzel said. “It is we as individuals, as companies, as educational institutions that go that extra step to educate and provide that extra security.”