Time and again I have heard a declaration that is typical of the sweeping statements of the digital age.
“We need a cybersecurity moonshot!”
Vision without a strategy, however, is no more than ear candy. A smart person once said that leap-ahead progress is one percent inspiration and 99 percent perspiration. To achieve a moonshot, you need a lot more than just the moon. And, more often than not, those who throw this phrase around with regard to cybersecurity have little else.
In 1961, President Kennedy threw down a gauntlet: “This nation should commit itself to achieving the goal, before this decade is out, of landing a man on the moon and returning him safely to the Earth.” At the time, what Kennedy proposed seemed impossible. And then we did it, in a public-private collaboration that drew from the best strengths of government and industry.
This is the kind of vision and determination to which we should aspire. Calls for a comprehensive cybersecurity moonshot are too often vague cries to “make the internet safe.” I’d like to reclaim the moonshot term for a specific national problem that affects lives and the future of the digital economy.
It will demand a shared vision that is achievable yet bold enough to push us collectively, with a timeline aggressive enough to force focused, sustained action. The challenge must be real, and we must be as pragmatic as we are ambitious. And we must commit to achieving the goal swiftly, within a year. A short horizon allows for maximum input and commitment across a wide range of organizations, keeps the cost model manageable, and primes us to expand such moonshots into future, more ambitious achievements.
The counter-DDoS moonshot
I propose eliminating Distributed Denial of Service (DDoS) impacts, leveraging the combined strengths of industry and government to create a national counter-DDoS capability that serves all.
DDoS attacks take websites and entire organizations down by flooding them with more traffic or requests than their bandwidth, connection tables or application servers can absorb, and they have become more destructive and more common over the past several years. And yet every consumer-facing brand, no matter how large or small, is expected to stand up on its own to the cyber might of activist groups and nation-states.
In 2016, the U.S. Department of Justice indicted a team of Iranian hackers for sustained DDoS attacks against dozens of U.S. banks, attacks that cost the banks millions in lost business and remediation. The indictment also charged one of them with remotely accessing the control system of a small dam in Rye Brook, NY, just 25 miles north of New York City. For the FBI and the U.S. government, the dam intrusion was a game-changer that made real the talk of widespread risk to the nation’s infrastructures.
Later that year, the Mirai botnet—a fairly simple piece of malware that hijacked Linux-based IoT devices by logging in over telnet with factory-default credentials—turned hundreds of thousands of cameras and routers into bots for DDoS attacks. Its October 2016 flood against the DNS provider Dyn left Twitter, Netflix and dozens of other major sites unreachable for millions of Americans for much of a day. In the following weeks, Mirai variants disrupted internet service for some 900,000 Deutsche Telekom customers in Germany and infected 2,400 routers in the UK.
This year, the percentage of surveyed organizations hit by a DDoS attack jumped from 17 percent to 33 percent. In 2016, 82 percent of the organizations that were hit reported being attacked multiple times. More troubling, 53 percent discovered that the DDoS attacks had been used as cover for more serious cybercrime, such as malware deployment and data theft.
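The practical lesson of that last statistic is that a flood is not only an availability problem: the security team must keep watching everything else while the network team fights the traffic. The script below, an added example that is not from the original column, shows the shape of that correlation. It bucket-counts distinct source addresses in constructed flow records to find flood windows, then reports which other alerts (also constructed, and purely illustrative) landed inside those windows. The thresholds and record layouts are assumptions for the example, not a reference to any product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real traffic or logs): a minute of normal traffic
# followed by 30 seconds in which hundreds of distinct sources hit port 443.
T0 = datetime(2017, 11, 1, 12, 0, 0)


def build_sample_flows():
    """Return (timestamp, src_ip, dst_port, bytes) tuples: a baseline, then a flood."""
    flows = []
    for sec in range(60):                       # baseline: five repeating sources
        flows.append((T0 + timedelta(seconds=sec), f"10.0.0.{sec % 5 + 1}", 443, 1500))
    for sec in range(60, 90):                   # flood: 200 distinct sources per second
        for n in range(200):
            flows.append((T0 + timedelta(seconds=sec), f"198.51.100.{n}", 443, 60))
    return flows


def flood_windows(flows, bucket_seconds=10, max_sources_per_bucket=50):
    """Bucket flows by time, count distinct sources per bucket, and merge
    consecutive over-threshold buckets into (start, end) windows.
    The threshold is an assumed value; in practice it comes from a baseline."""
    sources = defaultdict(set)
    t0 = min(f[0] for f in flows)
    for ts, src, _port, _nbytes in flows:
        bucket = int((ts - t0).total_seconds()) // bucket_seconds
        sources[bucket].add(src)
    flagged = sorted(b for b, s in sources.items() if len(s) > max_sources_per_bucket)
    windows = []
    for b in flagged:
        start = t0 + timedelta(seconds=b * bucket_seconds)
        end = start + timedelta(seconds=bucket_seconds)
        if windows and windows[-1][1] == start:  # contiguous with the previous window
            windows[-1] = (windows[-1][0], end)
        else:
            windows.append((start, end))
    return windows


# Constructed alerts from other sensors (identity, DLP), with timestamps.
SAMPLE_EVENTS = [
    {"ts": T0 + timedelta(seconds=20), "kind": "auth_failure",
     "detail": "svc_backup, 3 attempts"},
    {"ts": T0 + timedelta(seconds=72), "kind": "admin_login_new_location",
     "detail": "admin from previously unseen ASN"},
    {"ts": T0 + timedelta(seconds=85), "kind": "large_outbound_transfer",
     "detail": "2.1 GB to unknown host"},
    {"ts": T0 + timedelta(seconds=150), "kind": "auth_success",
     "detail": "jsmith, office VPN"},
]


def events_under_cover(windows, events, slack=timedelta(0)):
    """Return the non-DDoS events that fall inside a flood window (plus trailing slack),
    i.e. the alerts most likely to be drowned out while the flood is being fought."""
    hits = []
    for e in events:
        if any(start <= e["ts"] <= end + slack for start, end in windows):
            hits.append(e)
    return hits


if __name__ == "__main__":
    windows = flood_windows(build_sample_flows())
    for start, end in windows:
        print(f"flood window {start:%H:%M:%S}-{end:%H:%M:%S}")
    for e in events_under_cover(windows, SAMPLE_EVENTS):
        print(f"  under cover: {e['ts']:%H:%M:%S} {e['kind']}: {e['detail']}")
```

On the constructed data the flood window is 12:01:00 to 12:01:30, and the two alerts inside it (an administrator login from a new location and a large outbound transfer) are exactly the ones a team focused on the flood would be tempted to triage later. The `slack` parameter exists because exfiltration often continues after the flood stops.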
Currently, the Reaper IoT botnet—built on parts of Mirai’s code and reportedly already present in a million networks—has shown how rapidly and destructively these attacks can iterate. And Reaper has yet to show its true colors, mostly sitting silent across vast networks like a highly connected digital sleeper cell. As the Rye Brook dam intrusion shows, the adversaries who run DDoS campaigns also probe infrastructures such as energy systems, transportation systems and critical manufacturing, along with the democratic institutions whose availability we cannot afford to take for granted.
To eliminate the power and damage of DDoS attacks, private-sector and government capabilities would each be brought to bear. A national capability would combine the best of breed from the private sector, augment it with government capabilities, and be available nearly instantly in times of need.
Service providers would stop the hemorrhaging by quickly amassing bandwidth and scrubbing capacity at the point of attack, so that flood traffic is absorbed and dropped upstream of the victim rather than at its front door.
Agile segmentation providers would narrow the effect on the targeted victim, keeping unaffected services reachable, and perhaps also segment off misbehaving systems, such as infected devices that are generating attack traffic.
Government agencies that are capable and authorized to defend the country would take the fight into foreign cyberspace; U.S. Cyber Command, for example, could swiftly defend upstream, deploying operations with the full strength of its mandate and resources to stop the attack at its source.
All of this is eminently doable, if we have the courage and humility to work together. The collective brilliance that the digital and cybersecurity communities have amassed is staggering—with each new generation poised to push us further. At one time, we were challenged to ask not what our country could do for us but what we could do for our country. It is time that the leading organizations in digital technology come together once again to ask the same.
This blog originally appeared in CSO.