LAWRENCE — FBI supervisory special agent George Schultzel pulled hundreds of people to the edge of their seat Friday during a gathering at the University of Kansas exploring how government, industry and researchers could work together to improve cybersecurity in the United States.
He was part of a panel discussion with executives from Garmin, T-Mobile and the Federal Reserve Bank of Kansas City who grapple with technological challenges of raising the bar on cybersecurity.
“Now we’ll get at the part of the panel where I scare the living, uh, stuffing out of you,” Schultzel said.
He brought up ramifications of deploying the malicious computer worm Stuxnet, which targeted supervisory control and data acquisition systems to damage Iran’s nuclear program. News reports indicated the cyberweapon was built by the United States and Israel during the administrations of President George W. Bush and President Barack Obama. Stuxnet infected an estimated 200,000 computers and ruined 20% of Iran’s centrifuges relied on to refine nuclear fuel. Iran responded by dedicating itself to a cyberattack program.
“Iran took that as, ‘All right, we’re going to start recruiting and we’re going to start causing havoc.’ Fast forward and Saudi Aramco goes down. It has a huge impact on the oil production across the globe,” Schultzel said. “We kind of move into the future and countries realize that they can affect world events, they can affect their adversaries, they can adversely acquire technology.”
“All those things, I think, change how we look at the world and how we have to be in a position to get ourselves going forward. That, I would say, is cybersecurity’s biggest national security challenge. I have a hard time going to sleep thinking about it,” he said.
KU hosts a National Center of Academic Excellence in Cyber Defense and Research designated by the U.S. National Security Agency and U.S. Department of Homeland Security.
‘We need more experts’
Less than 1% of the global gross domestic product was dedicated to stopping computer breaches, said Jason Rogers, chief executive officer of Invary. The startup emerged from the university’s Innovation Park and is dedicated to identifying hidden malware in operating systems. Invary made advances by relying on expertise at the KU School of Engineering and technology developed by the NSA.
“We need more experts,” said Rogers, who recommended broadening collaboration among government, education and business. “Are we cooperating more than our adversaries?”
Currently, he said, the average length of time between identifying a breach and containing a breach stood at 304 days. The average cost of a data breach was $4.3 million. But the average cost of a mega-breach of more than 50 million records topped $400 million.
Lyle Paczkowski, senior technology strategist at T-Mobile’s advanced and emerging technology division, said improving cybersecurity in the United States required a much larger workforce.
He said 4.7 million people worked in the field of cybersecurity in the United States, but 3.4 million more would be needed to cover the bases. The supply of personnel cannot keep pace with existing demand for expertise much less create a reservoir of talent for the future, he said.
“Honestly, theres a lot of scary things to contemplate,” Paczkowski said. “Particularly around digital twins and things that can replicate you as a person or a machine on the network.”
Dan Hein, security architect at Garman International, said cybersecurity obstacles required involvement of interdisciplinary researchers. The work should include insight of people outside the traditional cybersecurity realm of computer science and computer engineering, he said.
“Appreciate what you don’t know,” said Hein, who has a doctorate. “We know the basic blocking and tackling, to some degree, of cybersecurity. Where do we need to go next?”
New tech, new threat
Mark Schmidtberger, information security manager at the Federal Reserve in Kansas City, said the rapid pace of technological evolution meant future cyberattacks would come in forms difficult to image at the moment. People involved in cybersecurity must focus on shrinking the window between the point a cyberattack was identified and the point at which someone exploited that threat, he said.
“We should be aware, just accept it as concrete, that there’s going to be new technologies out there. And every time there’s a new technology there’s probably going to be some threats,” he said.
The threats of cybersecurity wouldn’t be resolved exclusively by law enforcement agencies, said Schultzel, the FBI special agent.
He said the FBI demonstrated nearly a century ago a keen ability to track down notoriously violent bank robbers. However, he said, killing or throwing in prison those men and women didn’t end bank robbery as a profitable occupation. That was accomplished when banks collectively raised investments in security with armed guards, timed vault doors and bullet-resistant glass.
The same could be said of the problem with ransomware crime, Schultzel said. The FBI and European law enforcement agencies shut down Hive, but not before the ransomware operation allegedly extorted more than $100 million. Hive purportedly collaborted with independent hackers to encrypt the target’s computer system and demand payments to provide a key to unlock them.
Mothballing Hive certainly didn’t eliminate ransomware as a criminal activity.
“We’re good at going after these guys and bringing them to justice, but that’s not going to satisify the cybersecurity problem as a whole,” Schultzel said. “It is us as individuals, as companies, as educational institutions taking that extra step to educate and provide that extra security.”
