Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Out at Sea, With No Way to Navigate: Admiral James Stavridis Talks Cybersecurity

The former Supreme Allied Commander of NATO gives Dark Reading his take on the greatest cyberthreats our nation and its businesses face today.

(image by evannovostro, via Adobe Stock)

Figure 1: (image by evannovostro, via Adobe Stock) (image by evannovostro, via Adobe Stock)

By any standard James Stavridis has had a remarkable career, beginning with graduating from the US Naval Academy (with a degree in electrical engineering), rising through the ranks of officers to commander of the US Southern Command and US European command, to taking on his final position as Supreme Allied Commander Europe.

During his career, Stavridis earned a Ph.D. in law and diplomacy. After retiring from the Navy, he became dean of The Fletcher School at Tufts University and began a publishing career.

Stavridis serves on the boards of a number of organizations and is a frequent speaker on international politics and technology, most recently at last month's RSA Conference. Following the conference, Dark Reading's Curtis Franklin had a chance to talk with the Admiral by phone for a conversation that touched on the cybersecurity issues that are at the top of his mind for both governments and the enterprise. It's no surprise that Stavridis has thought quite a bit about cyberthreats to the US. What may be more surprising is his take on what the government's role should be when it comes to helping companies defend themselves against some of the same threat actors that bedevil national security agencies.

What follows is an edited transcript of their conversation.

Dark Reading: As you survey the cybersecurity landscape, what concerns you the most?
James Stavridis: In cyber, we see the greatest mismatch between level of threat and level of preparations. In the physical world, we had a lot of threats. You know, Russia, Afghanistan, Libya, the Balkans, piracy — lots of threats, but we were pretty well-prepared to deal with most of them. Unfortunately, in cyber, there was a real gap and I think there continues to be a real gap. I see a lot of concern in the geopolitical space. And I see a lot of concern in the national electoral space. Those are my two areas of real concern and focus right now.

Dark Reading: When it comes to nation-state adversaries, are they something that only our defense department should be concerned with, or should all commercial organizations be concerned?
Stavridis: It is the latter. I often say this about cybersecurity: that we're still on the beach at Kittyhawk. We're still figuring out how this is going to work. To shift metaphors to the oceans, it's as though we're out at sea, we're in a bunch of boats, but we haven't really put in place buoys and navigational aids, and we haven't really defined who's going to protect us.

So if if I'm a commercial ship at sea, I know the US Navy is going to come and defend me if I'm an American ship and I'm under attack. And in fact, we actively discourage merchant ships from mounting their own defenses. The defense requirements, I think, ought to be vested in the state.

But in the world of cyber, realistically, if you're a commercial entity, particularly a target-rich kind of environment like financials or critical infrastructure, say electric grid, the government so far has not really stepped up to that task of broadly protecting you.

Yeah, you can get some help from the NSA and some help from the FBI and some help from the CIA. But broadly speaking, you are going to have to have some mechanisms, at least on the detection and on the defensive side.

I'll give you a practical example. The eight largest banks in the United States got together and created something called the Financial Systemic Analysis & Resilience Center (FSARC). They hired an absolutely terrific cybersecurity expert [to be president and CEO], a guy named Scott DePasquale [formerly partner at New York based venture capital fund Braemar Energy Ventures]. And they're hiring people from the FBI, CIA, DOJ, DHS. And they are building, effectively, a community of defensive measures and information sharing, just like the title says, analysis and resiliency. We as citizens ought to be encouraging the government to do more of this. In the meantime, I think that many of these commercial entities are going to have to find ways to defend themselves better.

Dark Reading: There are industries where there is some concern about how the government will view sharing information between potential competitors in an industry, whether this creates some sort of anti-competitive environment. Is this the kind of area where we need to continue to evolve the way that regulators look at the activity, or are we on top of this?Stavridis: We are not on top of it. It needs encouragement, and I think this has to be driven within the industries themselves. They need to understand that they are stronger together in that if they try and stand as lonely citadels protecting themselves, they will lose. This is a team sport.

And I think the government also has a significant role to play. I'll give you an example. The Congress two years ago finally passed the Cybersecurity Information Sharing Act, which takes a baby step in exactly the direction you just outlined. It formalizes the idea that companies should share information to best protect themselves. Let me give you an example. You probably fly around frequently. You probably flew to [the RSA Conference], so you willingly put yourself in a metal tube, went up 35,000 feet flying three [to five] hundred miles an hour. Holy cow.

That doesn't sound very safe, does it? And yet that's one of the safest things you can do. That's safer than walking across the street, and it's a lot safer than driving in your car on the freeway. We all know that. And that's why we don't have a shred of discomfort getting in that metal tube and flying around at high speed.

Why is that? It's because the airline industry is an example of what the cybersecurity industry should be doing, what what financial should be doing, what the electric grid company should be doing, what the water utilities should be doing. They should share information.

What happens when a plane crashes? Everybody descends on it. It's totally transparent. If the left aileron on a 777 was out of place, inexplicably, what would happen? The whole fleet would be grounded globally until we figured out what happened. All that information is transparent and it's shared. What happens in the cyber side of things, too often, is when companies are attacked, their instinct is to hide the ball.

Why is that? Because their share price will fall. And there are no incentives built into the system to be open; the incentives go in the other direction, whereas in the airline industry, the massive incentive is that if people lose confidence in flying in those planes, the whole industry is toast. So I think that the cyber side of industry needs to look more like the airline industry.

(continued on next page) 

(page 2 of 3)

Dark Reading: Your example was an industry with a very active role for government. Are there ways in which the government should be more active in cybersecurity?
Stavridis: I think the government could provide, for example, indemnification against damage. We have national flood insurance, which makes a lot of sense: It spreads the risk and cost of a particular event. 

Why don't we have national cyber insurance such that, for a company that's attacked, it's like the point in a hurricane: It's indemnified at least from losses that are incurred when they reveal it and when they reveal exactly what happened and where the attack came from. We need to change the incentives. And I think if we do that, we'll have a much better, broad-area zone defense than we have now trying to play man-to-man.

Dark Reading: Do you also see a more significant role in government sharing technology from the labs at agencies like NIST?
Stavridis: I do, 100%. And it's got to be collaborative because some of the best work, as you know, being done on cybersecurity is not being done by the government -- it's being done by relatively small private-sector companies. Those private-sector companies understandably and correctly want to get to market first with the best set of tools. And they want to be vendors and sell those tools. And I understand that.

But as long as the government develops something and shares it equally in the commercial sector, that's all to the good, in my view. And there's a very rough analogy here from biology and the development of drugs. I think companies ought to have the ability to reap respectable profits when they develop an initial drug, but they shouldn't have monopoly rights so that the price of it is driven up over time. Generic solutions have to be developed, and I think the government can help in this analogy.

Dark Reading: You have talked about election security being a huge concern. Where do you think that danger is coming from, and how should we respond? 
Stavridis: As all of the intelligence communities have said, Russia intends to interfere and is beginning that interference. And I think they're doing it in three ways.

First, Russia is strategically coming after us on social networks, fake sites, deepfakes, and misinformation. They're doing that, not specifically to support President Trump or to support Bernie Sanders or to denigrate Joe Biden, they're doing it to divide the country, to sow real division between us. This is, of course, what they did superbly, I hate to say it, but superbly in 2016.

Second, operationally, when the two candidates are named and these campaigns are in full flower, watch for the Russians to go after those campaigns, to go after e-mails, to go after transmission of information, to try and find embarrassing nuggets that can be displayed. Here, the object would be to discredit the candidates. Both sides, I think, will be subject to this.

And then third, I think the Russians will attempt some tactical attacks. In other words, they will go after precincts, voting machines, ballot counting. I mean, there are 3,000 counties in the United States that are battlegrounds.

I want to be clear: I don't think they would go after these with extreme precision, for example, nine counties in central Ohio and four counties in Florida, and falsify returns and thus flip an election. I don't think they're that sophisticated. But I do think what they'll seek to do is create doubt about the outcome.

It's also applications, which are a myriad, that are being used at every level. Some states are using terminals like Clear [the traveler identification program], and they're very sophisticated and serious. Others are just, you know, paper and pencil checkmarks. It's when you aggregate votes, how do you sort them? There are applications that do that. These are not like the applications for the US nuclear codes. These are pretty unsophisticated, eminently attackable, and, yes, highly vulnerable.

That's what the Russians are about here. It's not a particular candidate. It's denigrating our trust in the electoral system, and thus our trust in our government, and thus our trust in ourselves. And I think that is really what's top of mind for me, that in a national security sense going into the election, that is squarely the responsibility of government. By the way, not just federal government, but state and local governments as well.

(continued on next page)

(page 3 of 3)

Dark Reading: Are there specific threat actors or specific types of threats outside the election that you think are most critical right now?
Stavridis: There are both, and this is probably a good one to close on. Russia is highly capable of two other things that ought to concern us. One is very specialized offensive tools that can be used against our electric grid. And they have demonstrated the efficacy of those tools against Ukraine, dropping about half of the Ukrainian electric grids.

Second, Russia has a very active, I would say, innovative system of cybercriminal activity wherein they effectively license cybercriminals, give them what Queen Elizabeth would have recognized as a letter of marque, which she would give to, for example, Sir Francis Drake, saying, "Go forth and pirate in the name of your nation."

This is happening in the Russian government, which taxes those actors and also uses them as a secondary deep bench to implement offensive cyber operations. So Russia, I think by far, is the top of my worry list.

China's very different. They certainly have capable offensive cybertools, but here I'm more concerned about espionage, notably commercial intelligence theft. I'm sure you're very aware of the recent acts of Chinese industrial espionage or intellectual property theft directed against both defense, US military kinds of systems, and against commercial actors like Airbus.

On the next tier down. North Korea is all about the money and the ego of Kim Jong Un. The good example is when a rather stupid movie comes out, The Interview, he's offended by how he's portrayed in the movie and he attacked Sony Pictures. He does hundreds of millions of dollars of commercial and business damage to that entity because he's offended by portrayal.

More seriously, he goes after cybercriminal activity that puts hard cash back into the North Korean economy. North Korea is more a commercial entity — think of it like a mafia gang. It's all about the money and the ego of the boss.

And then you've got to throw in Iran, which is not certainly at the level of any of the first three I mentioned, but getting better, deploying cybertools against our allies in the region, against Saudi Arabia, the Gulf states, and against Israel. Israel can certainly take care of itself there, at least as good as Iran and North Korea probably combined.

But you will see Iran also looked to see how they can hurt the United States: We've seen probing attacks. They would like to have the ability to at least damage our critical infrastructure. And they certainly have made some forays against our financial sector from time to time.

By the way, cyber is the ultimate equalizer. It is the ultimate asymmetric weapon. You don't have to build a B-1 bomber to attack the United States. If you can attack us through the cyberworld, even smaller nations than those I've mentioned will gradually find these tools.

So first we've got to be sharp on our defenses. We have to establish a regime of deterrence. We have to show other nations we're willing to counterattack if they come after us in this space.

Next, we need to work with our allies, partners, and friends because, just like I said earlier, companies are stronger together, and nations are stronger together in this regard as well. And I'll close, by the way, saying our partnership with Israel in this regard is peerless. We work together very closely with the Israelis. It's no coincidence that many of the top cybersecurity companies in the world come out of Israel. There's a very porous membrane between the United States and Israel in this regard. That's a good thing.

Related Content:

 

About the Author

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights