UNIVERSITIESTEACHING HACKING

Courses that instruct on how tobreak into computer networks are

raising ethical questions. Page AA2

WHO IS GETTING HIT?A list of recent attacks and what is

being stolen. Page AA2

EXPERTS SPEAKHighlights of what top

government and businessofficials are saying, includingthe basic steps to prevent 80

to 90 percent of attacks.Page AA4 and AA5

YOU LOCK YOUR CAR.WHAT ABOUT YOUR IPAD?

Human error, not malicious intent,can expose valuable data and

personal information. Page AA3

THE WILD WESTThere are a lot of outlaws and nosheriff in cyberspace. Page AA3

KENNY PARK FOR THE WASHINGTON POST

WEDNESDAY, OCTOBER 8, 2014 . WASHINGTONPOST.COM/REGIONAL EZ EE AA1

AA2 EZ EE THE WASHINGTON POST . WEDNESDAY, OCTOBER 8 , 2014

U.S. companies and thegovernment are spendingbillions of dollars to tryto lock down valuableinformation they store incomputer networks, butthieves and spiescontinue to stealeverything from credit

card numbers to plans for next-generation military firepower.

Every week we hear of a new breach.The recent cyberattacks againstJPMorgan Chase not only gave hackersaccess to tens of millions of e-mails andhome addresses of its customers, butmay have been aimed at trying todisrupt Wall Street. Home Depot, Targetand other merchants recently have beenhit and chief executives have moved

cybersecurity to the top of their agenda,according to speakers at TheWashington Post’s CybersecuritySummit on Oct. 1. Excerpts from thatforum are on pages 4 and 5 of thisspecial report.

Arati Prabhakar, the director of theDefense Advanced Research ProjectAgency (DARPA), the governmentagency that brought the world computernetworking, said a $2 million prizeawaits the winner of the Cyber GrandChallenge, a competition aimed atbuilding an automated system that cansecure software and detect harmfulflaws.

Today’s attackers have the upper handbecause they have the “inexpensive taskof finding a single flaw to break asystem,” DARPA says. “Defenders, on the

other hand, are required to anticipateand deny any possible flaw — a goalboth difficult to measure and expensiveto achieve. Only automation can upendthese economics.”

As we await a better system to secureour networks, the current “patch andpray” approach is a gift to the bad guys.Hackers in Russia and China are behindmany of the attacks on the U.S.government and companies, say cyberexperts, including James Lewis, whosearticle in this report says the Wild Westof cyberspace needs law and order —and needs it now.

House Intelligence CommitteeChairman Mike Rogers (R-Mich.) saidthere is a lot of debate about howaggressive the U.S. government shouldbe in using its offensive cyber power.

“You don’t want to reach overseas andflick somebody in the forehead if we’renot exactly 100 percent sure that thatwas the perpetrator of that particularevent,” he said. “If you start this digitalvigilantism about, ‘Well, I got hacked.I’m going to go do something about it,’you could create a storm here, of whichthe rest of the network — that85 percent [controlled by the privatesector] — is not prepared to handle.”

By the end of this year, the UnitedNations estimates that 3 billion peoplewill be online and as each of us putsmore and more of our lives incyberspace — including bankinformation and health records —everyone has a stake in the race to makethe Internet more secure.

mary.jordan@washpost.com

EDITOR’S NOTE

Cyber attackers have the upper hand

BY ELLEN NAKASHIMAAND ASHKAN SOLTANI

At the University of Tulsa, professorSujeet Shenoi is teaching students how tohack into oil pipelines and electric powerplants.

At Carnegie Mellon University in Pitts-burgh, professor David Brumley is in-structing students on how to write soft-ware to break into computer networks.

And George Hotz, a largely self-taughthacker who became a millionaire in partby finding flaws in Apple and othercomputer systems, is now back in school,where he’s one of the stars on CarnegieMellon’s competitive hacking team.

Shenoi, Brumley and Hotz are playersin a controversial area of technology: theteaching and practice of what is looselycalled “cyberoffense.” In a world in whichbusinesses, the military and govern-ments rely on computer systems that arepotentially vulnerable, having the abilityto break into those systems provides astrategic advantage.

Unsurprisingly, ethics is a big issue inthis field. Both professors say they buildan ethics component into their curricu-lum; Shenoi won’t even accept studentswho don’t promise to work, if hired, forthe National Security Agency, the EnergyDepartment or another U.S. governmentagency.

But some experts say the academiccommunity is not taking ethics seriouslyenough, and professors are not acceptingresponsibility for the potentially danger-ous skills they are teaching.

The very nature of hacking means thata lot of its skills and standards evolveoutside academia. (Hotz, known in techcircles by the handle “geohot,” says helearned most of what he knows on theInternet “and from playing with things.”)This leads advocates of teaching cyberof-fense to say that the “good guys” have tokeep up — which in turn raises morequestions about whether such educationis morally right.

“There’s a very large stigma aroundsaying we do anything offense-related,”said Tyler Nighswander, 23, a computerscience graduate student at CarnegieMellon. “It’s certainly understandablethat you don’t want to say your schoolteaches offense — ‘Oh, you mean youteach kids how to break into computersand steal stuff?’ ”

Some academics note that it may betoo late to stop the worldwide expansionof offensive cyber tools and techniques.

“There is an escalating arms race incyberspace as governments, companiesand malicious actors are all going on theoffensive, most of it under a shroud ofsecrecy and absent any meaningful po-litical oversight,” said Ron Deibert, di-rector of the University of Toronto’sCitizen Lab.

Seeking ‘vulnerabilities’No more than a handful of professors

have the knowledge and resources toteach cyberattack skills at the level ofBrumley or Shenoi, whose students areheavily recruited for government andindustry positions.

At Tulsa, Shenoi, 54, obtains permis-sion from energy companies for his stu-dents to attempt to hack into them,infiltrating the systems that run gaspipelines or power grids and gainingaccess to critical U.S. infrastructure.They also do penetration testing forother companies, finding “vulnerabili-ties,” or flaws, that enemy hackers couldexploit.

“We have a class where we teachpeople how to write things like Stuxnet,”Shenoi said, referring to a computerworm, reportedly developed by U.S. andIsraeli scientists, that was found in 2010and damaged about 1,000 centrifuges inan Iranian uranium-enrichment plant,delaying the country’s nuclear program.Stuxnet, whose deployment is often con-sidered the first true use of a cyberweap-on, was built around an unprecedentedfour “zero-day exploits” — that is, attacktools based on previously unknown soft-ware flaws.

Shenoi began teaching courses on of-fensive computer techniques in 1999, hesaid, and by 2008, Tulsa was offering anentire program. Now, he said, there are“four courses in reverse engineering, two

in cyber operations, two in offensiveSCADA [supervisory control and dataacquisition], and one on malware analy-sis and creation.”

Shenoi said that the potential power ofoffensive cyber techniques is so greatthat he accepts only students who intendto work for the government and whohave records that would qualify them forgovernment security clearances. He in-terviews all the applicants as well as theirparents. He sends 15 to 20 students ayear, he said, to work at the NSA or theCIA.

“In order for me to teach these real-world attack skills, these students have tobe trusted,” he said. “They cannot go towork for the private sector.

“There’s no reason to teach private-sector people how to use Stinger mis-siles,” he continued. Similarly, he said,you don’t teach them to use cyber weap-ons.

Brumley, 39, has taught offensive cy-ber skills since 2009. A self-described“patriot,” he says he discusses ethics inhis classes at Carnegie Mellon — anintroductory computer security courseas well as more advanced vulnerabilityanalysis. Some of Brumley’s studentswork for the government, but most go tostart-ups, big companies such as Googleor defense contractors.

To develop their skills, Brumley en-courages his students to compete inhacking contests. In August, a recre-ational team he advises called PPP, madeup of about 20 current and formerCarnegie Mellon students, won the ulti-mate U.S. showcase of hacking skills atthe DefCon hacking conference in LasVegas — a “capture-the-flag” competitionin which 20 teams tried to break into oneanother’s computers.

PPP’s top gun is Hotz, who gainedfame in 2007 for “jailbreaking” thepreviously impenetrable iPhone. He leftCarnegie Mellon as a 23-year-old sopho-more to work on his own, and is nowback as a junior at 25. Hotz is so skilledthat he has won some contests solo — asin July, when he beat nine teams to win$30,000 at the SecuInside competitionin Seoul. He earned $200,000 in Aprilfor finding bugs in Google’s Chrome-book computer and the Firefox browser.Brumley calls him “a machine.” Hotzboasts that he is “maybe the best hackerin the world.”

A question of profitObviously, these students are develop-

ing valuable skills. Shenoi says his stu-dents never make money off the vulnera-bilities they discover or exploits theydevelop. They give the information forfree to the companies whose systemsthey are testing, or to the government.Intelligence agency officials fly every sooften to Tulsa to be briefed on the flawsthe students have found.

Brumley agrees that it is dangerous toshare vulnerabilities or exploits withanyone but the software vendor or the

U.S. government.“If you’re selling exploits in a free

market,” he said, “then you’re potentiallyselling them to the adversary.”

Nighswander, a former student ofBrumley’s, said that he has never sold avulnerability to a software vendor, butthat he thinks it’s ethical to do so, saying,“When you think that finding a vulnera-bility can take weeks and months, youcan understand that the person wants toget compensated.”

Hotz declined to say whether he hassold an exploit (although he was caughtlast year on a surreptitiously recordedconversation appearing to broker a$350,000 deal to sell exploits to jailbreakthe iPhone to a Chinese company).

“I have never worked with any countryaside from the U.S.,” he said. He says hedoesn’t dwell on issues of morality, say-ing, “I’m not big on ethics.”

Brian Pak, 25, who created the PPPhacking team while studying underBrumley and now works for a start-up hecofounded, said that sometimes,noodling around on his own, he findsbugs in software and discloses them tothe software vendor. He said he has neversold information about flaws, althoughsome vendors offer “bounties” of up toseveral thousand dollars. He holds ontosome vulnerabilities for use in research— a practice common among securityresearchers, he said.

“I also don’t think it’s unethical toprovide vulnerabilities or exploits to theU.S. government,” Pak said. “I trust theU.S. government. The government pro-tects me. As long as it’s not used againstour own people, I see less of an issue.”

But some experts disapprove of pro-viding previously unknown or “zero day”vulnerabilities to the government —whether for free or for profit. They worrythat, rather than disclosing these zerodays to vendors, the government is stock-piling them for use against adversaries.Doing so would leave the software ven-dors ignorant of dangerous flaws in theirproducts, making the Internet less se-cure, they say. They also charge that thegovernment is using these tools with fartoo little public debate, for example, inthe controversial area of domestic lawenforcement.

Christopher Soghoian, chief technolo-gist for the American Civil LibertiesUnion, said the government should havea policy of promptly disclosing any bugsit discovers so that software companiessuch as Microsoft can fix them beforethey cause damage. Not doing so canundermine network security, he said.

But Brumley said such a blanket policywould be unwise.

“The obvious example is Stuxnet,”which destroyed Iranian centrifuges, hesaid. That, he said, was “an opportunityto use an exploit for good.”

“Twenty years earlier, that would bethe thing that we flew in bombers andbombed factories for, and people woulddie,” he said.

Dual-use tools

Selling exploits and vulnerabilities isnot illegal, per se, but selling them withthe intent that they’ll be used to hacksomeone else’s computer is a crime.Software is a classic “dual use” product. Itcan be used to do something as innocu-ous as unlock an iPhone to allow consum-ers to switch providers or as destructiveas causing an adversary’s nuclear centri-fuges to spin out of control.

Some academics say the teaching ofhacking techniquesshouldremain limited.

“I’m personally against the wide-spread or wholesale teaching of offensivecyber,” said Arthur Conklin, associateprofessor of information and logisticstechnology at the University of Houston.For one thing, he said, vetting studentsfor trustworthiness, as Shenoi does,would be impractical on a mass scale.

Giovanni Vigna, a computer scienceprofessor at the University of Californiaat Santa Barbara, warned that not teach-ing offensive skills is “not a very smartoption because the bad guys are going todevelop them anyway.” He added, “Thekey is to make the students understandwhat are the lines that cannot becrossed.” So he integrates into his courseson offensive cyber “a very substantialchapter on ethical issues.”

Some experts argue that the govern-ment should regulate the sale and use ofoffensive cyber technology — but others,including Shenoi, say regulation will onlydrive the market for such products deep-er underground. At this point, the U.S.government is in the process of placingexport controls on some hacking andsurveillance tools. It already has forbid-den the sale of such technologies tocountries with particularly egregious hu-man rights records, such as Sudan andIran.

Meanwhile, interest in offensive cyberskills is growing. Experts estimate thatseveral thousand personnel in privateindustry work at finding bugs and build-ing exploits. More companies are train-ing employees in offensive skills, andmore people are competing in hackingcompetitions.

In this context, Soghoian of the ACLUfears that universities are teaching stu-dents high-end skills without a solidethical foundation.

“The academic computer securitycommunity has not yet realized the rolethey are playing in cyberwar,” he said.

Shenoi said that, above all, he wants toimpress upon his students the responsi-bilities that come with their technologi-cal prowess.

“They have great power to do harm.They have power to intimidate. Theyhave power to accrue money illegally,” hesaid. “What I tell them is, ‘You may belearning some potentially deadly skills.But use them gently and wisely, and usethem for the good of society.’ ”

ellen.nakashima@washpost.comashkan.soltani@washpost.com

The ethics of Hacking 101

ASHKAN SOLTANI/FOR THE WASHINGTON POST

Brian Pak, left, founder of a recreational hacker team called PPP, made up of current and former Carnegie Mellonstudents, participates in the DefCon 22 “Capture the Flag” competition in Las Vegas. His team won.

cybersecurity: A Special Report

Recentcyberattacks

Oct. 2JPMorgan Chase sayse-mails and personalinformation from83 millionhouseholds andbusinesses werecompromised whenhackers infiltratednetworks.

Sept. 18Home Depot sayshackers may have put56 millioncardholders injeopardy.

Aug. 18Hospital groupCommunity HealthSystems says ahacking group believedto be from China usedadvanced malware tosteal the personaldata, including SocialSecurity numbers, of4.5 million patients.

Aug. 4Restaurant chain P.F.Chang’s confirms athreat detected by theSecret Serviceinvolving stolen creditand debit cardinformation at 33 of itslocations.

July 23Six people are indictedin connection with thehacking of more than1,600 user accountsand fraudulentpurchases worth morethan $1 million on theticket-reselling siteStubHub.

June 24The Montana HealthDepartment notifies1.3 million peoplethat their personal datawas stored in a statecomputer hacked ayear ago.Compromised recordsinclude Social Securitynumbers, bankaccount numbers,health diagnoses anddrug prescriptions.

May 21EBay advises its145 million users tochange theirpasswords afterattackers stoleencrypted passwordsand gained access toits corporate network.

Jan. 10Retailer NeimanMarcus confirms that itis working with theSecret Serviceregarding a breach ofcustomers’ credit cardinformation. Theretailer lateracknowledges that thehacking occurred forseveral months andinvolved 1.1 millioncredit and debitcards.

Dec. 19Target confirms a databreach of credit anddebit card informationof up to 40 millioncustomers. Thecompany later says thethieves may have liftedinformation from up to70 million morecustomers.

— Compiled byMeena Ganesan

MaryJordan

WEDNESDAY, OCTOBER 8 , 2014 . THE WASHINGTON POST EZ EE AA3

BY JAMES ANDREW LEWIS

When Americans think about cyberse-curity, they tend to focus on symptomsrather than causes — it’s a symptomwhen almost every month a major com-pany is hacked and millions of personalrecords are stolen. We pit weak defensesagainst skilled opponents. Changing thiswon’t be easy, because there is no auto-matic fix, no new technology and noprivate action that can stop cybercrimeand tame the Internet’s Wild West.

First, we must recognize that mostmalicious actions in cyberspace directedagainst the United States come fromhackers in two countries: China andRussia. These nations encourage theirhackers to go after networks, data andmoney in the United States, and theyprotect them from prosecution. Russiaallows criminal groups to steal fromWestern banks (Russian-speaking cyber-criminal gangs can perform hacks as wellas most intelligence agencies). The Chi-nese prefer to use military units to stealintellectual property for everything fromthe plans for the F-35 fighter jet to theformula for house paint.

That the United States’ most activeopponents in cyberspace are China andRussia (along with up-and-comers Iranand North Korea) is not a coincidence.These countries are our military rivals.Cyberspace creates opportunities to ex-ercise national power, and these nationshave seized those opportunities. Viewingthe United States as their opponent, theyskillfully exploit the Internet to gainadvantage. This is not a cold war. In fact,it is not war at all. Our opponents havebeen careful not to use hacking for realattacks on the United States, as doing sowould trigger a damaging response andget in the way of business.

In turn, these and other countrieswould say the National Security Agencyis equally at fault. The problem is thesame for everyone. All countries nowdepend on cyberspace, as it is built intoevery important part of the global econo-my. Better cybersecurity requires thatnations agree on the norms and rules forresponsible behavior in cyberspace, bothfor states and for powerful companies.Agreement is possible even among ad-versaries, as there is shared interest inmaking our digital economic backbonestable and more secure.

The idea of formal cooperation amonggovernments is anathema to the old-school Internet community. The fear isthat rules will harm the “free and openInternet” to which all kinds of miracu-lous economic powers are ascribed. It’strue that the global network has broughtus immense economic benefits and offersstill more. However, the free and openInternet is long gone. Consumers are

locked into vendors’ “walled gardens”where choice is restricted, and privacyvanished well before former governmentcontractor Edward Snowden leaked clas-sified NSA information. Hacking re-mains far too easy and its costs are risingfar too rapidly to stick with the laissez-faire approach.

To make cyberspace safe, we needsomething like Bretton Woods. Afterrepeated financial crashes (the last ofwhich, in 1929, led to global depressionand war), the United States and its alliescreated the Bretton Woods system toestablish transnational rules, norms andinstitutions to manage and reduce riskfor global finance and trade. We can dothe same for cyberspace. This does notmean creating a one-ring-to-rule-them-all Internet body, nor does it mean anall-government approach. It meansagreement on a collective approach toreduce risk and follow principles forstability. The Bretton Woods system wasnot perfect, but it was better than thechaotic national approaches that preced-ed it. Some countries will balk at follow-ing the rules — as they balked at rulesagainst nuclear proliferation or money-laundering — but the right blend ofincentives and penalties (such as indict-ments in U.S. courts) will help changetheir minds.

Agreement on rules would ultimatelyreduce risk, and in a perfect world,international accord on cybersecuritywould be enough to protect us. But

reaching such an accord won’t be easy orquick. The same way that banks rely onthe police but still need vaults andguards, companies will need to do moreto protect themselves and their custom-ers. Most network breaches still requireonly simple hacking techniques.

The Obama administration favors avoluntary, standards-based approach (atime-honored American solution) to cy-bersecurity using the National Instituteof Standards and Technology’s new Cy-bersecurity Framework, but it has hintedat regulation if companies do not act. Theframework sets minimum levels of cyber-security, and companies can expect au-diting firms to evaluate how secure theirnetworks are and use that information inannual audits and shareholder reports.

Company liability also will create pow-erful incentives. A hacked companycould face lawsuits from shareholdersand customers if plaintiffs can show thatit did not implement the framework. Theframework has inspired other countriesto set cybersecurity standards, and asingle global approach to cybersecuritywould be better than having each coun-try design its own.

Like it or not, the pioneering days ofthe Internet are over. In the iconic Ameri-can film “The Man Who Shot LibertyValance,” a mild-mannered lawyer sup-plants a larger-than-life cowboy whopioneered the West. There’s an under-standable reluctance in the movie to seeheroic, self-reliant cowboys replaced by

lawyers, but there also is a recognitionthat society has outgrown the pioneerphase and that it’s time to move to aworld ordered by the rule of law. Andthere is a similar reluctance to acknowl-edge that cyberspace has matured andthat taming the cyber Wild West meansextending the rule of law — internation-ally and domestically, existing laws andmaybe some new ones — and creatinginstitutions to enforce them. This meansframeworks, international agreements,standards and formal oversight.

Getting the rule of law in cybersecurityrequires collective action, nationally andinternationally, and for now, that stillrequires U.S. leadership. Unfortunately,this may be impossible in Washingtontoday. The political consensus that letthis society build superhighways and theInternet is fractured. Until a new politi-cal consensus is forged, progress in cy-bersecurity will be slow. Cybersecurity isa good test of whether the United Stateshas the resolve and the skills to maintainthe world order it created decades ago.We may fail, in which case cybersecuritywill be just another part of a largerunraveling of international peace. WhileWashington struggles to redefine its so-cial contract, we should expect uncertainresponses, half-measures and morehacking.

JALewis@ csis.org

Lewis is senior fellow at the Center forStrategic and International Studies.

Lassoing the Internet’s Wild WestTaming lawlessness is toughamid worry that rules willharm ‘free, open’ Internet

BY AMRITA JAYAKUMAR

As head of a Michigan-based cyberse-curity firm, Larry Ponemon has studieddata breaches including the hacking ofTarget credit cards, and Chinese andother international cyber espionage. Buthis favorite incident, he says, was small,avoidable and probably victimless.

It involved a doctor and a tablet (tabletas in iPad, not medication). The physi-cian’s health-care network had just up-graded its data storage system, and hewas given an iPad that he could carryfrom the hospital to his home in whichhe collected patient information thatwould go directly to a cloud-based bankof medical records.

Then, a few months ago, he lost thetablet.

Even more unfortunately, the devicewasn’t protected by a password. Thatgave anyone who found (or had stolen) itaccess to what Ponemon calls “a treasuretrove” of personal data on as many as1 million patients.

Why no password? “Doctors and clini-cians have a history of not using pass-words because they’re busy people,”Ponemon said. The health-care net-work’s IT people had “jailbroken” thetablet’s software to eliminate its pass-word requirement, making it easier forthe doctor to use. And easier for crimi-nals to abuse.

That illustrates a conflict of interestnot only in the health-care sector, butthroughout the worlds of business andgovernment. Management loves that itcan get flexibility, mobility and efficiencyout of new technology, and that tabletsand smartphones mean employees canwork from home — or anywhere.

But every mobile device is a potentialchink in the armor of an entire organiza-

tion; any security lapse places at risk notjust the device owner’s private data, butpotentially sensitive information abouthis or her company and other patients,customers or clients the company serves.

Employees often take shortcuts for thesake of convenience. And often compa-nies, which benefit from increased pro-ductivity that mobile devices give theiremployees, don’t effectively install orenforce security measures.

In 2013, Verizon analyzed more than63,000 “security incidents” in 95 coun-tries and found that the loss or theft oflaptops, USB drives, phones and otherdevices, coupled with human errors —including sending sensitive e-mail to thewrong address or uploading private datato a public server — were responsible for39 percent of the incidents. In its annualData Breach Investigations Report, Veri-zon said that many of the rest of theincidents were malicious, but only 2 per-cent resulted in someone accessing thestolen data for criminal purposes.

The doctor who lost his tablet did havea “kill switch” that was activated when hereported it missing. That meant thehospital network would be alerted if thedevice was turned on.

Health-care records contain valuableinformation: the patient’s name, SocialSecurity number and date of birth. Soanyone who got access to the recordscould, for instance, use that informationto try to open a line of credit, submit fakeclaims for benefits, or sell the data toothers for those purposes.

“So many of the breaches we study areso complicated,” Ponemon said. “In thecase of the doctor and the iPad, it wassuch a low-tech issue, but had potentiallyvery significant ramifications.”

The quality of the data may be onereason the health-care sector suffered

the largest share of cyberattacks in 2013,more than any other sector such as retail,education or finance, according to areport by the Identity Theft ResourceCenter, a nonprofit organization thattracks data theft.

Two laptops stolen from a New Jerseyoffice of medical insurer Horizon BlueCross Blue Shield last year containedunencrypted data on more than 800,000patients. No incidents have been report-ed as fraud, but patients were offeredfree credit monitoring and identity theftprotection services.

Last month, the Cedars-Sinai MedicalCenter in Los Angeles disclosed that theunencrypted records of 33,000 patientshad been stored on an employee’s laptop,which was stolen in a burglary over thesummer. The unprotected informationincluded names, driver’s license num-bers and Social Security numbers.

Despite the increasing use of mobiledevices outside the workplace, few or-ganizations have clear policies for datasecurity, a recent Ponemon Institutesurvey found. Of the 618 IT managerssurveyed for the report, 29 percent saidtheir organizations had no strategy toensure mobile device security. Others

said their strategies covered only certaintypes of devices or operating systems.

One method that organizations use tosecure mobile devices is known as “sand-boxing.” That means employees are al-lowed to work only within secure,walled-off sectors — or sandboxes —when using mobile devices.

Another approach is “virtualization,”in which the mobile device doesn’t storeany information while performing a task.Virtualization software uses the mobiledevice the way a projector uses a screen:While an employee is logged on, informa-tion from the company’s servers is “pro-jected” onto the screen, but none of it isstored there. When the task is completed,it’s as though the projector has beenswitched off — so if the device is hacked,there won’t be any information to steal.

David Wennergren, senior vice presi-dent of technology policy at the Profes-sional Services Council, a trade group,said the big question now is, “How do weallow people to share the informationthey need versus protecting privacy andsecurity? The smart money is on findingthe sweet spot between security provi-sions and convenience.”

amrita.jayakumar@washpost.com

With mobile devices,firms playing Russianroulette on security

cybersecurity: A Special Report

JUSTIN SULLIVAN/GETTY IMAGES

3billionThe number ofpeople who will beonline by the end ofthis year, accordingto the UnitedNations

Verizon analyzedmore than63,000 “securityincidents” in95 countries andfound that theloss or theft oflaptops, USBdrives, phones —such as the AppleiPhone, picturedabove, and otherdevices, coupledwith humanerrors, wereresponsible for39 percent of theincidents.

MICHAEL S. WILLIAMSON/THE WASHINGTON POST

The FBI buildingin Clarksburg,W.Va., houses theNational InstantCriminalBackgroundCheck System.These back-uptapes are part ofthe system, whichcan perform8 million checksper day.

AA4 EZ EE THE WASHINGTON POST . WEDNESDAY, OCTOBER 8 , 2014

Arati PrabhakarDirector, Defense Advanced Research Projects Agency

The moon shot for cybersecurity in my view is tofind techniques that scale faster than this explo­sion in information. . . . A combination of funda­mental advances has the potential to get us to a

place not where we never have a cybersecurity problem,but where it’s manageable and we can get on with ourlives.

Our mission today is still about breakthrough technol­ogies for national security. What we’re asking about

cybersecurity is, “What are the technology concepts thatcould fundamentally change the ground rules and give usa way to get out ahead?”

We’re working on ways to build unhackable embeddedsystems. I hope you will see that rolling out into automo­biles in the commercial sector and UAVs [unmannedaerial vehicles] in the national security context. I hopeafter our Cyber Grand Challenge that you start to seeautomated cyberdefense systems that become commer­cial products that people who are worried about their owncybersecurity can purchase and start using.

Building the unhackable system

cybersecurity: A Special Report

Sharing information faster

Michael McKeownSupervisory special agent, Cyber Division,FBI headquarters

A couple of years ago [when a Russiancrime ring was targeting banks], we hada threat against the financial sector. Webrought in a lot of the largest financialentities and gave them essentially whatwe would call clearance for a day . . . toshare information that would help themin real time. So we’re getting better atgetting that information out in acontrolled structure to sectors, topartners. The key being real-timeinformation .

Sparking global interest

Christopher PainterCoordinator, cyber issues, StateDepartment

The consequence of cyber being thenew black [in the United States] —where everyone cares about cyber andeveryone wants to talk about cyber — isincreasingly happening around theworld. As you get countries doingnational strategies around cyberspace,as you get them paying more attentionto this, as you get them reaching out andsaying, “How can we build these morecooperative frameworks against thesethreats?” I think that’s helpful to us all.

Now people understand it’s a majornational security issue . . . an economicsecurity issue, human rights issue andforeign policy issue. Getting othercountries to get to that same level is oneof the challenges. But more and morecountries are.

PHOTOS BY KATE PATTERSON FOR THE WASHINGTON POST

Dana Priest, a national security reporter for The Washington Post, interviews, from left, government cyber experts ChristopherPainter, John Carlin and Eric Rosenbach as part of The Post’s Cybersecurity Summit.

Protecting the electrical grid

Andy BochmanSenior cyber and energy securitystrategist, Idaho National Laboratory

The [electrical] grid is not all onething. It’s many different pieces, and it’sdesigned to be resilient in the face ofnatural disasters and storm activity thathappens all the time to it. It’s not nearlyas simple as saying]one very intelligenthacker can come in and start to takecontrol of things. There are a lot oflayers of protection, some of themvestigial from the way the grid wasdesigned, even before computers cameto the fore.

Thinking like hackers

Tiffany RadSecurity researcher and lawyer

There’s always a trade-off betweensecurity and convenience. When wehave “bring your own device to work,”there are vulnerabilities that can beexploited in someone’s home and thenbe brought into the corporate network.When it comes to that type of trade-off,what I teach my students is to think likehackers. While that may sound scary tosome, we’re graduating students wherethey’re writing code and they’reconsidering the security implications ofevery line of code they write. It’s not just“How fast does the algorithm run?” but“How secure is the stuff that you’reproducing?”

So when the students graduate andthey go out into the workforce and workfor all of you in private industry, they aredesigning things that are more secure.We like to think that this is going to bechanging through the graduates that wehave in the United States, taking jobshere in the U.S. Maybe they’ll raise theirhand in company meetings and say,“Hey, I think there’s a different way thatwe could do this that would make itbetter and more secure.”

Going after the money

John CarlinAssistant attorney general for nationalsecurity, Justice Department

I’d say the top threat are those whowould not be deterred. If they had thecapability, they would use it. To mymind, that’s the terrorist organizations.

As a nation, and like many countriesin the world, we have put almosteverything we value into cyberspace. Weput our personal information. We putour financial information. We put theway we operate our criticalinfrastructure. It’s digitally stored, andmost of it is connected to the Internet.The flip side of that means all the samebad guys and all the same activity thatwe’ve seen for years in the brick-and-mortar world is going after where themoney is, where the secrets are andwhere they can cause damage. As we putmore of what we value, we’re seeing thenumber of criminal groups that aretrying to target it increase. We’re seeingnation states develop it as part of theirstrategies.

Taking diplomatic approach

Eric RosenbachAssistant secretary of defense forhomeland defense and global security,Defense Department

We’ll work with other nations’militaries. There’s a lot of demand in theworld right now for people trying tofigure out how to build their equivalentof a cyber command. And the reason wedo that is we want them to do that in aresponsible way. There’s some thingswe’ve learned that we didn’t do as wellas we could have. How you balance thatwith respect for civil liberties within thelaw . . . executive oversight of militaryorganizations.

Offensive operations are somethingthat are always an option. But it’s onlyone of many tools that you haveavailable on the policy spectrum. Beforeyou would ever take offensive action,you would want to work diplomaticchannels first.

WEDNESDAY, OCTOBER 8 , 2014 . THE WASHINGTON POST EZ EE AA5

cybersecurity: A Special Report

washingtonpost.com

6The excerpts on these pages are from Washington Post Live’s Cybersecurity Summit, which was sponsored by Lockheed Martin in partnershipwith the Cyber Security Policy and Research Institute at George Washington University. The Washington Post maintains full editorial control

over the content of the conference and this special report. Video of the Oct. 1 event can be found on WashingtonPostLive.com.

Alejandro MayorkasDeputy secretary, Department of Homeland Security

in fact, becoming more and more sophisticated, our

prevention capabilities are growing in sophistication, our

detection capabilities are growing in sophistication, our

response and remediation capabilities are escalating as

well.

The cyber threat is real and I think it will be a growth

industry. We in the government, specifically in the

Department of Homeland Security, have a number of

tools and resources to deploy to protect a dot-gov

environment.

Issuing a call to action

Businesses working together

Brian DodgeRetail Industry Leaders Association

There’s enormous brand risk to thebusinesses that are hacked and the cost,ultimately, is something that’s sharedbetween all the players. It’s sharedbetween merchants, banks and theinstitutions across the paymentsecosystem, which is why we have arguedthat the solution to these problems isone where all those players worktogether.

Basic cyber hygiene

Jane Holl LutePresident and chief executive, Council onCyberSecurity

We know what to do for basic cyberhygiene. We’re just not doing it. Basichygiene will prevent 80 to 90 percent ofall known attacks today. Do you knowwhat’s connected to your network? Doyou know what’s running or trying torun on your network? Do you know whohas administrative permissions tochange, bypass or override yourconfigurations? And do you have anautomated system in place like DHS’s[Department of Homeland Security]continuous diagnostic and mitigationthat allows you to be alert tovulnerabilities when they happen andpatch them and take appropriateremediative action? Those top five of the20 critical security controls constitutebasic hygiene. We’re broadly not doing itand there’s no excuse now for why we’renot. Let’s use some common-sensethings. Do you know who’s getting onyour networks at home? Pay attention.Secure it.

We need to be smarter consumers,smarter citizens, smarter members ofsociety when it comes to being online.But we also have a right to expect thatcompanies and enterprises with whomwe share our data are taking the basicmeasures. What expectation should wegive to manufacturers? Why don’t weget systems shipped with the securityconfiguration switched on? Why do weall have to figure this out for ourselves?What will the role of government be aswe distribute responsibility?

Let’s prevent what we can at costs wecan afford. That will reduce the noiselevel in the threat space and allowimportant, complex companies to focusprecious resources on those advancepersistent threats. But we’re not evenmaking it hard right now.

Disrupting terror recruiting

Rep. Mike Rogers (R-Mich.)Chairman, House Intelligence Committee

What we have seen in the past is thatal-Qaeda, ISIS and other organizationshave reached out and tried to findindividuals who have the rightcapabilities to put together acyberattack capability. We’ve never seenthem actually put it together to wherethey could penetrate or do some cyber-disruption activities. But we know theyhave the aspiration to do it. I don’t thinkthat we’re using all U.S. cybercapabilities to disrupt their ability tohave these recruiting tools that we seeare, candidly, very effective.

Part of the challenge is, the [U.S.]government has about 15 percent of thenetworks and the private sector holdsabout 85 percent of the networks.Contrary to popular belief, the NSA isnot monitoring those networks. It’s noton those networks. So, the only way thatthey see anything coming in is from theoutside. You don’t want to reachoverseas and flick somebody in theforehead if we’re not exactly 100 percentsure that that was the perpetrator ofthat [cyberattack]. If you start thisdigital vigilantism about, “Well, I gothacked. I’m going to go do somethingabout it,” you could create a storm here,of which the rest of the network — that85 percent — is not prepared to handle.

Attackers are getting betterPhil ReitingerVisionSpear

Over a period of time, somebodydevoting enough resources to get intoyour networks will.

The defenders are getting better. Butattackers are getting better, too. Thereare more of them, and there’s moreinformation available and valuableonline.

A lot of our technologies don’t scalewell. That means that if you can’t solve aproblem completely with technology,you’ve got to have the right people.

Warning about social sharingErin JacobsUrbane Security

Be careful what you share on socialnetworks. I have a lot of friends in thesecurity industry who are not on anysocial networks. But guess what? Theirwives, their friends, their family, theirkids — they are. And they’re tellingeverything about them. And also oursystem in the U.S. doesn’t help becausewe have so much public domaininformation. I think we need to dopersonal risk assessments of our owninformation and understand what’simportant to us and what we’re willingto share and what we’re not.

Informing responders

Eric FriedbergStroz Friedberg

The main challenge for us as critical-incident responders is whatcorporations need from lawenforcement not on day 20, not on day40 or not on day 60, but what we needon day one or day two. There’s a realstrain going on right now in the speed atwhich private incident responders areable to get that information from thegovernment.

It’s a cat-and-mouse game wherecompanies are often playing catch-up.

Protecting consumers

Ellen RicheyExecutive vice president and chief legalofficer, Visa, Inc.

In terms of who pays and whathappens when this breach might occur,wherever it might be, the first thing thateverybody needs to be clear on: Here inthe U.S., it is never the consumer — oronly very rarely the consumer — whosuffers any financial loss. That’s becausehere in the U.S., we have a zero-liabilitypolicy that I’m sure you’ve heard allabout, and your bank will take thecharges off if they are unauthorizedcharges.

Once [a breach] is identified, thishuge machinery goes into place wherethe payment brands such as ourselvesand our competitors get the informationabout the accounts that might have gonethrough that environment, and we getthat information out to your banks. Asconsumers, you know that your bankhas that information and can eithermonitor your account with specialscoring because they know it’s beenexposed and protect you from the fraud,or reissue your account.

Consumers are protected financiallyto avoid the hassle. I would suggest oneother thing you can do is sign up forreal-time alerts from your bank. You canbe in control of the use of your card theminute anybody is using it improperly.You’ll see it yourself and you can be theone who notifies the bank, not the otherway around.

I do not ascribe to a school of pessimism, and by that, I

don’t mean to belittle the magnitude of the threat, both in

terms of its gravity and its frequency of occurrence. I think

everyone understands that cybersecurity is a field of

growth. With respect to the security of the government,

and with respect to the security of the private sector, I

would take the alarm not as necessarily a cause for

concern, but rather as a call to action. While attackers are,

AA6 EZ EE KLMNO WEDNESDAY, OCTOBER 8, 2014

AT LOCKHEED MARTIN,WE’RE ENGINEERING A BETTER TOMORROW.

TODAY THERE’S NOTHING MORE VALUABLE THAN INFORMATION.

AND THE ABILITY TO SECURE IT.

© 2014 LOCKHEED MARTIN CORPORATION