The annual DC Cyberweek, presented by CyberScoop, brought together more than 10,000 attendees at over a hundred community events last week. As one of the main events of the week, CyberScoop hosted CyberTalks, a daylong TED Talk-style conference focusing on cybersecurity and featuring a wide range of influential cyber leaders from both government and the private sector. Throughout each of the thirteen talks and interviews, the speakers highlighted current issues, priorities, and advancements in cyber today.
Three themes emerged throughout the day: an urgent need for a greater cyber workforce, more efficient collaboration between agencies and the private sector, and the need to build cybersecurity into critical infrastructure.
For many of the speakers, the most pressing threat to long-term cybersecurity was not a particular foreign adversary but rather the difficulty of staffing the gargantuan cyber workforce necessary to stay ahead of an ever-expanding ocean of threats. Representative Mike Rogers stressed the shortage of workers in the government, where he said there are currently over 3000 cyber jobs vacant. Rogers explained that in the context of the federal workforce, government salaries cannot currently compete with the salaries offered by tech companies. Also addressing the growing cyber job market, Matt Olsen, Chief Trust & Security Advisor for Uber, made a case for greater commitment to cybersecurity expertise, stating that there will be 3.1 million unfilled cyber jobs by 2021. Bill Rowan, VP of Federal Sales at VMware, said, “Let’s build our [cyber] workforce, not just at the federal level, but also in industry, at a national level.” Meanwhile, over half the speakers addressed the urgent need for a larger and more expert cyber workforce, with an emphasis on the need to attract young people to the field.
In addition to a larger workforce, several speakers discussed ongoing and sustained tactics for cybersecurity efforts, both from a large-scale perspective and from the role of the individual. Suzette Kent, the Federal CIO at the Office of Management and Budget, proposed a shift in the way we think about cybersecurity, from discrete one-off attacks to a constantly shifting “digital battlefront,” in which skirmishes are fought on a daily basis. Kent claimed, “We will win on this digital battlefront. We’ve proven that we can win.” Matthew Dunlop, VP and CISO at Under Armour, and Toke Vandervoort, SVP Deputy General Counsel at Under Armour, talked about making users into better “cyber citizens.” They stated a need for more effective cybersecurity training programs because 99% of errors are user mistakes. When it comes to practical application of defense strategies against cyberattacks, such as a ransomware attack, Gary Brantley, the CIO of the city of Atlanta, emphasized the theme of “preparing for the inevitable”: it is not a matter of if, but when, the next cyberattack will occur, making it important to train a “muscle memory for disaster.”
As one way to address the battle against cyberattacks, many speakers underscored the need for better and more efficient collaboration, both within the government, between agencies, and between industry and government. To this end, Chris Krebs, the Director at CISA, discussed the need to pull together broader threat feeds to provide real-time advice. “Context is king,” said Krebs, explaining that information sharing is much more than compromise; rather, information sharing in appropriate contexts can make all the difference when dealing with a cybersecurity threat. This sentiment was echoed by other speakers who called for better methods of information sharing and for establishing structures that increase the speed and quality of information sharing. Anne Neuberger, Director of Cybersecurity at the NSA, reiterated that it is essential for information to be shared quickly and in an unclassified way, adding that it is critical to work with the private sector, as “we all have pieces of the puzzle.”
A main concern regarding cyberattacks is not just the speed of the threat, but also the scale. Tonya Ugoretz, Deputy Assistant Director for the Cyber Division at the FBI, showed how the scope of cyberattacks is sometimes hard to comprehend. Ugoretz shared some numbers to try to capture the scale of cybercrime: in terms of business email compromise—which is only one type of common cybercrime—all 50 states and 157 countries have been affected, totaling losses of more than $26 billion globally. Additionally, ransomware attacks to date have cost $7.3 million with attackers targeting hospitals, schools, and first responders—those who can least afford to be offline.
In discussing the role of critical infrastructure in cybersecurity, many speakers stressed the need to directly build in cybersecurity at the infrastructural level, rather than adding it on later as an afterthought. Chris Johnson, Google Cloud’s Global Compliance Product Lead, argued that we are at a pivotal moment, as many companies and organizations are in the process of moving infrastructure. He explained that to achieve better outcomes in cybersecurity, there is a need for better “buildings”—that is to say, cybersecurity needs to be “built in, not bolted on.” Speaking to the importance of data resiliency, Teresa Shea, VP of cyberwarfare and mission innovations at Raytheon, explained that “it’s all about the data,” estimating that by 2025, the collective sum of the world’s data will be 175 zettabytes.
Similarly, Shea lamented the degree to which security struggles to keep pace with innovation. “We’re in a race to get our tech into place before the bad guys,” she explained, indicating that the ability to get the technology in place involves two key components: (1) taking tech into the backend process and (2) fixing current laws and policies, which have not kept pace with the telecommunications world. Here Shea emphasized the importance of “modernizing law and implementing it in dynamic ways.”
Overall, a key takeaway from CyberTalks was a call for greater collaboration between various government agencies as well as coordination with the private sector. Cybersecurity is an ongoing, daily issue, and so there is a need for a larger, expert cyber workforce and for attention to engineering cybersecurity into critical infrastructure. As Grant Schneider, Federal CISO and Sr. Director for Cybersecurity Policy on the National Security Council, stated, when it comes to cybersecurity, “everyone has a role to play.”