Why Is Consistent Cybersecurity So Difficult?: A Podcast with Former NSA Director Mike McConnell

In a recent edition of the Early Adopter Research (EAR) podcast, EAR’s Dan Woods spoke with Mike McConnell about a crucial topic in cybersecurity: authentication. McConnell is the former head of the NSA and an expert in cybersecurity, especially in getting governments and nations to do a better job. He is also one of more than 30 contributors to the upcoming book from Fortinet CISO Phil Quade called The Digital Big Bang: The Hard Stuff, the Soft Stuff, and the Future of Cybersecurity. The book puts forth a big-history-style explanation of cybersecurity, in which Quade proposes a framework for creating a truly scientific approach to the field. His ambition is to find a way to systematically address many of the problems that have arisen because cybersecurity was not properly incorporated into the design of the internet.

Woods is a technology analyst and founder of earlyadopter.com, a research publication that focuses on high-value use cases and how to create multi-product platforms to implement them. He played the role of editor for Phil Quade’s book, which came out in preview at Fortinet’s Accelerate conference in April 2019 and should be published by John Wiley by August. Their conversation covered:

* 4:30 – Why authentication is the most important cybersecurity building block
* 11:00 – The four dimensions of cybersecurity communications
* 22:00 – The need to be proactive in cybersecurity

Listen or read an edited Q&A of the conversation below:

Woods: When you were director of the NSA, the internet changed the landscape. You explained in your contribution how you were focused at that point on what the NSA was all about, which was intercepting radio signals to get foreign intelligence or to get intelligence on foreign entities. How did your attention move from intercepting radio transmissions to capturing data at rest and creating code to protect critical infrastructure?

McConnell: The National Security Agency has two basic missions: break code, read the other guy’s mail, make code, keep the other guy from reading our mail. So that’s its history. You can go back to World War II, in collaboration with the British, we were breaking Nazi Germany codes, US breaking Japanese codes. Historians say it shortened the war by as much as two years, saved 10 to 12 million lives. When World War II was over, we had a Cold War. Now we had to sustain the intelligence apparatus. Historically, we build it, tear it down, build it, tear it down. But in the Cold War we had to sustain it. There was an experiment with a joint command, it didn’t work. And the commission recommended the president establish the National Security Agency. It was established with code breaking as its primary focus. And some might say, wait a minute, we’re vulnerable too. Who should be doing the code making to make sure that the Soviet Union can’t exploit our communications? And the NSA was given a second mission of code making. Now, if you think about this period, early ’50s, nuclear weapons, mutually assured destruction. Who has control of nuclear weapons? The president. What is the single most important thing that would happen, given we reached the brink of nuclear warfare, is to authenticate that it’s really the president giving the order. 

Woods: You said that the more you focused on creating code and when we think of code, we can think of not only cryptography, but we can also think of software code as well.

McConnell: It is done in software as well as in hardware. But basically it’s math.

Woods: Whether it’s software or whether it’s with the math. But you said once you started thinking about this, you inquired as to people who knew about cybersecurity at the time and they said that the backbone of cybersecurity is five things: authentication, data integrity, nonrepudiation, availability, and confidentiality.

McConnell: Those are the five basic building blocks.

Woods: You realized that authentication was the most critical. Why is that?

McConnell: What I realized as the new director of the National Security Agency—relatively young, been an intelligence officer all my life focusing on foreign intelligence, and all of a sudden, I’m the new director of the National Security Agency. Cold War is over. Internet’s about to explode. This was 1992. And one of the more senior advisors came in and said, “Mr. Director, do you realize that you’re responsible for the integrity of the nuclear command and control system of the United States?” I said, “I beg your pardon?” He said, “You’re responsible for the integrity of the nuclear command and control system.” And I said, “Well, oh my goodness. I didn’t understand that. Maybe I should understand it better.” And then the senior member walked me through the basic building blocks. What he was describing was, during the height of the Cold War, mutually assured destruction as our policy, the one person that could order a strike was the president. The most important thing for the executors of the order to know is it’s really the president, authentication. And you achieve that with mathematics, with cryptography and so on. The second most important thing was data integrity. If you moved a digit, you hit the wrong city or the wrong country, so pretty important mathematics. Again, we’re seeking mathematical certainty. The third part was nonrepudiation. Given it was a false alarm and the president said, “Well, that wasn’t me that sent that.” Well, you get mathematical certainty it tracks it back to him. Availability means it works the same way for infinity. And then confidentiality, meaning do you want it protected from some outside exploitation. But confidentiality—I went into the discussion thinking that confidentiality was the most important thing. It turned out, in that scenario, it’s the least important thing.

Woods: That was the most surprising thing about your chapter, how you said that they might even purposely send such an order in clear text as a warning.

McConnell: Exactly right. If you think about banking, all the rules apply. A hundred million dollars going from A to B, authentication, you want to make sure both parties are who they represent themselves to be. Data integrity, you don’t want it to be a billion instead of a hundred million, because neither side can say, “It wasn’t me.” And then availability, it works. And then confidentiality may or may not be a desired feature. You might want to apply it, you might not. Most people start with security thinking the confidentiality part. I’m just arguing the front end of the assurance of the communication is even more important. As the new director in the early ’90s and we’re sort of searching for our future, the internet explodes. And then our whole thinking, our paradigm for how we do foreign intelligence had to shift. And so when I was grappling with those issues is when I realized all of a sudden, we, the United States, at that point in time, 90% of all email traffic in the globe passed through the United States. And that gives you an opportunity from an exploit potential—NSA, foreign targets—but it also makes you realize the United States is the most digitally dependent nation on Earth. Therefore, we have more vulnerability than anyone else.

Woods: Some of the books I’ve read about cybersecurity explain how the least vulnerable country in the world is North Korea. Because they have zero infrastructure.

McConnell: There’s no connection. Right.

Woods: But then your contribution also explains that after you started thinking about this, you realized that a huge amount, 90% to 95% of all of the infrastructure that mattered, all of the things that needed to be protected were in private hands. And then you started trying to think of how you could convince both the government and the private sector to do a better job. And this has appeared to be an uphill battle.

McConnell: An absolutely uphill battle. First of all, let me say something about 90% to 95%. I don’t know. I made it up. But it’s amazing to me how an idea that was suggested by someone in a public speech must be true. Over and over. Now I’ve gone back to verify it and it is around 85%, 90%—but the point is it’s a high number—owned and operated by the private sector, independent of the government and the government’s influence, except in some potential regulatory areas. So if you go back to my time, military Cold War, the US government owned and operated a global communications system. And the decision was made in the ’80s, for cost reasons, to get rid of it and use the commercial system.

Woods: That was a big boost to the IP-based technologies.

McConnell: Absolutely. And I remember the Defense Advanced Research Projects Agency—or Advanced Projects Research Agency in its day—created the internet. The idea was collaboration among scientists that could coordinate ideas and so on and also exhilarate our ancillary idea was assured communications, that you would go the path of least resistance for potential natural disaster or nuclear war. All of that was bubbling and I’m the new director and I’m trying to sort out the future. How do you do signals intelligence? How do you make code? My mentor who came in with the five basic principles was adamant about one thing, no code in software. I said, “Excuse me?” He said, “You cannot have trust and confidence if code is put in software.” And I said, “Well, why is that?” He said, “Well, because it’d be reverse engineered or changed. It has to be in hardware.” Today almost all code is in software. And it has to evolve.

Woods: The battlefield now of cybersecurity is defined by four dimensions of communication. You mentioned to communicate, to exploit access to the communication, to defend the communications, and then to create or destroy the communications. You also point out that there are really strong disagreements among the world’s leading powers about how to use all this technology.

McConnell: Indeed.

Woods: Could you describe a little bit of the battlefield in terms of those four dimensions?

McConnell: Although some animals communicate at some level, the significance of human beings is we communicate at an extensive level and we can think abstractly about those ideas, capture them, and so communication is almost inherently the human quality that makes us different. And so we could communicate by having a discussion. We can write something down. We can take a walk in the garden for privacy. And there’s all sorts of ways to think about communication. And along the way, we learn to communicate over great distances with wireless, we learn to communicate on wire. As soon as humans can communicate and some other party had a reason to be interested in those communications—whether it was the ear at the door or tapping out a line or intercepting the information—was to exploit that communication. It doesn’t change it. You just exploit it, meaning you capture it and you understand what it says, to understand what it means to you based on the communications of some two other parties. And the thing about that in terms of intelligence, if one district of the Russian military is talking to another district about mobilization, that may be a very high interest topic for the National Security Agency, so that would exploit that. Didn’t change it, didn’t interfere with it, just exploit it. The third piece was defense. We didn’t want them to have the ability to exploit our communications; therefore, we built code and process and so on. The new concept that’s been introduced, particularly with networks is that you can interfere with communication, destroy communications, change communications, even go into a computer system and degrade it or the things it controls, like critical infrastructure. So that’s why I put it in these four dimensions. Most people say, “a computer attack” when they mean exploitation. Most of these malware activities will be a criminal taking something, not changing it, just taking something of value. I just like to discriminate between to communicate, to exploit, to defend, or to degrade and destroy.

Woods: And then if you look at what’s going on with the nation states, they are trying to do one of those four things.

McConnell: There are five permanent members of the United Nations Security Council. France, UK, and the US promote the internet for exchange of ideas, free flow of information, commercial services, accelerating business and so on. The other two permanent members, China and Russia, have a different point of view. They want to control the information that their citizens get. They don’t want them to have access to the internet, the free flow of information. Great Wall of China is probably the best example of that. They also have passed laws that basically say that any time a company has information or information passes through China or Russia, then the Russian or Chinese government has access to that information. So it’s just very different philosophies that have to be addressed if we’re going to have a global system of the full power of capability of the internet for exchange of information.

Woods: You mentioned earlier that financial services was one of the areas that’s most mature because they’ve been forced to be. What do you think the rest of the world, other industries, other sectors can learn from what financial services has done well?

McConnell: They won’t, by and large. Usually it’s pain because to invest in cybersecurity, people think of it as not an advantage or more efficiency, it’s adding burden or weight or so on. I particularly like the way Ken Xie is thinking about this in the future, it’s making it a part of the fabric of the infrastructure so it’s empowering or enabling. So build it in at the beginning. When communications first started or internet was thought about or created, there was no consideration of security. It has to be built in. So banks were forced to go there because criminals were attacking the ones and zeroes to extract value. Other critical infrastructures are gradually going there. And usually it’s a result of some gigantic exposure. I’d use Target 2015 as my example. One-third of the people in the United States had accounts compromised, email address, credit card number, so on. And that was a huge impact, a hundred million people. Now you think about what happened to Target. The CEO was fired, some of the board members were replaced. So it was a big thing. Well, that caught the attention of a lot of large businesses. “Wait a minute, could that happen to us?” The answer is yes. And then the question is, “What do we do about it?” And so gradually, we’re getting there. I would be more pleased if there was some leadership or forcing function to cause us to go there more briskly.

Woods: You said that one of the great things about the financial services industry is how they have such tremendous information sharing about security practices.

McConnell: Yes. They were forced to. The White House, in the Clinton administration, set up the idea called ISACs. ISACs stands for Information Sharing and Analysis Center. Basically, we have to collaborate to graduate here. Let’s share the information and make us more resilient. And so of the various ISACs—I think there are 17, 18, 19 of them, whatever the number is—the one that started that became the most mature, the most robust, and the best is financial sector. Again, they were forced to do that. And so they exchange information. The corporate information security officers know each other, they talk and collaborate. Slowly over time, bank CEOs have come to understand they have to do this. I personally visited with CEOs of the major banks and they—this is as late as 2008. I told the president about this, he said, “Well, you’ve got to go talk to these guys.” I did. Their response was, “Thank you for your interest in national security. Have a nice day.” Their attitude is a little different today because what I told them was coming, in fact, happened. Russian criminals, East German criminals took major sums of money and they said, “Whoa.” And they started to spend significant amounts on cybersecurity. Bank of America was attacked by Iran for political reasons. JP Morgan was attacked by criminal elements. And virtually all banks have been attacked at some level.

Woods: One of the things that you also touched on in your contribution is the role of open and agreed upon standards. And so why is it so important that we have standards of operating in the cybersecurity realm?

McConnell: It’s like standards in anything else. If you’re a mechanic in any level, an agreed standard means your tools work. You think about electrical appliances, way back when, they were made, manufactured, people got hurt, created the Underwriters Laboratories to certify they met certain standards. So standards across any segment of industry or capability need to be established so that you have some commonality that people can depend on. Now standards evolve, but some process to establish standards—there are internet protocol standards and there’s some fairly robust capability in getting there so that the protocols work, they can move information from one side of the globe to the other at the speed of light. Building in cybersecurity, agreeing upon cybersecurity standards is essential to make the network more robust. Now when the Obama administration proposed that the National Institute of Standards and Technology create a set of standards, the most adamant group against that process was the US Chamber of Commerce. And so I couldn’t understand that. I went down, I said, “Why are you opposed to this?” They said, “Slippery slope.” I said, “What do you mean?” “You create a standard, that means it will lead to regulation.” I said, “I can’t quite get there.” She said, “Well, if you create a standard, then there’s going to be a breach. And then there’s going to be a civil suit. And then the question will be did this large corporation follow the NIST recommended standard. And de facto, it becomes the standard. It piles more regulation on the businesses of the United States.” So there’s always push and pull against agreed standards or not. And everybody represents their own point of view. I’m suggesting that this security fabric for the global internet is so important, we need a way to get to agreed upon standards. And most people agree that standards in things like the metric system or even our own metrics based on inches for tools or the safety of electrical equipment or whatever, those are good things. But it was painful to get there.

Woods: In Phil Quade’s book, he argues that the world that we live in now, many of the problems we have happen because security wasn’t incorporated in the original design of the internet. The original design of the internet was about speed and connectivity. And then that enabled collaboration. And then as time went on, it became more and more open and more and more cybersecurity problems rose up. And we’ve had some things that have developed that have really helped us, with cryptography and authentication and other things. And then we have fundamental problems that will never go away, like human frailty and things like that. But what he’s fundamentally arguing is that we can take a more scientific approach towards solving these problems. And I’m assuming you agree. How can we get to that more scientific approach so that we don’t leave our keys in the car and the doors unlocked and we’re much more protected and we’re making really good decisions about technology and policy?

McConnell: I think it takes leadership. When I first went to the Congress, in the Senate, to present this as an issue they needed to think about, the average age of the US Senate was over 70. And I said, “We need to talk about cybersecurity.” And the answer was, “Cybersecurity, does that have something to do with computers? I don’t do computers. You have to talk to my grandchildren. I do yellow tablets.” The point I’m trying to make is digital native understanding, getting someone at the most senior level—the president of the United States, the vice president, secretary of defense—whoever it might be that takes a stand that we have to go down this path for better standards and more security and so on to make the case in a compelling way. Otherwise, we get there through trial and error and catastrophe. We don’t pro-act in the United States, we react. Once in a while, with the right kind of leadership, we can pro-act. And so I agree with Phil’s principles in his book comparing it to the Big Bang. And basically we had physics and chemistry and people studied that, but think of how long it took. We studied the fundamentals of physics, determining what gravity, you know, all those things. It took hundreds and hundreds and hundreds of years. Now, Phil’s trying to make the case that we need the fundamentals of security built in this global fabric, which operates at the speed of light on a global basis. And it’s essential that we get this right. It is not easy. And there is no one taking leadership at a senior enough level with the right kind of influence to lead us in a more gentle path. My worry about this is that it’ll be a lot of trial and error and mistakes. The capabilities are being developed. It is possible to solve this problem. We can solve it in the United States. We can solve it among allies. Solving it globally with potential enemies or frenemies is going to be the challenge.