
Former Rear Admiral Mike Brown had a good word for Australia’s approach to cyber security.

John Hilvert | Canberra

While it has been fashionable to criticise the Australian Government’s glacial approach to cyber security, RADM Brown (retd) was quick to acknowledge Australia’s influence when he was rebuilding the US Government’s cyber security capacity within the Department of Homeland Security (DHS).

He believes this was vital to advance public-private policy developments in cyber security.

Now employed as RSA’s vice president and general manager of its global public sector operations, Brown spoke with ADM in late September. He revealed that when he was building the national cyber security and communications integration centre in DHS, he drew on Australia’s approach and fought hard to ensure private sector representatives were there.

“They (private sector partners) were in a classified operational command centre sitting side by side with government and defence folks,” Brown said. “You were, early on, before the US, more closely linked to the public-private sector than we were.”


Cyber is about offence, defence and the ability to integrate exploitation to provide that level of intelligence and access.

“The Aussies were leading the Royal Australian Navy with respect to team work capabilities that we were trying to build in the US. Having that type of relationship was really important.”

Since then, Brown concedes, cyber security has suffered setbacks in the US. He said that investing all cyber security resources in protecting the perimeter was not the best strategy.

“We focused so much on trying to keep the malicious actor from getting into the network,” he said.

He said the US Government, particularly in the Defense Department, realised that to keep building that wall higher and higher was not going to be the answer.

Brown believes cyber security decision-makers need much better visibility of what is happening on their networks and the intelligence to respond when required.

The massive penetration of the Office of Personnel Management’s (OPM) database earlier this year was an example of forgetting old lessons, he said.

“We learnt the same old lessons again,” he said.

“First off, OPM’s a legitimate target. If you are a nation state, interested in understanding your potential adversary, then a database, a location that is rich with intelligence and information, is a natural target.

“However the powers that be did not treat it like that. That was a big risk,” he said.

The other lesson was an over-reliance on an intrusion detection system known as EINSTEIN. The system monitors the network gateways of government departments and agencies in the US for unauthorised traffic. The software was developed by the US Computer Emergency Readiness Team (US-CERT), the operational arm of the National Cyber Security Division of the Department of Homeland Security (DHS).

As with all intrusion detection systems, EINSTEIN’s weakness is that it cannot detect threats that do not have an associated signature in its database.

“You have to have that information from the past,” Brown explained. “You have to have those indicators that get turned into a signature. If you have seen it before, you can catch it.”

But it had not been seen before, so EINSTEIN could not help. This led to a new strategy of “continuous diagnostic mitigation”, he explained. But integrating those pieces together was proving challenging.

He emphasised that having the right products was not enough. They had to be integrated to provide visibility and the ability to detect and respond.

“You have got to have smart people that are properly trained and have contextual information about both the threat as well as they need to be working with the major parts in the US government.”

At the same time, the US Government and its security advisers were being blind-sided over their ineffectual advocacy for more intrusive methods for combating cyber attacks.

A recent example of this setback was evident in its moves to propose weaker encryption for cyber security purposes.

“This will play out with difficulty,” he said.

There was a long history going back to the Clipper chip in the early 90s, when Brown was with the NSA. The range of issues raised was understood then and was never resolved.

He believes the public needs a better appreciation of why measures such as weaker encryption in the US and mandatory data collection in Australia are essential.

“It’s not as simple as saying we are going ‘dark’,” Brown said. “There needs to be a significant amount of information provided before dialogue can start.

“In addition there had not been a real proposal to favour a weaker encryption option,” he said.

He noted that in some places the US Government was looking to the private sector to come forward with a solution.

“If we are not completely aware of the details around the problem, that makes it difficult.”

Finally, weaker encryption is tough to implement technologically.

“How do you create a situation where the US government wants to have an ability to be able to decrypt? Why can’t other Governments require the same thing? Where governments don’t, then the bad guys are going to buy their products from there,” Brown adds.

The US Government and other governments need to figure out how they can achieve their objectives with decryption. If it’s more effective national security, can they achieve that in other ways?

Metadata retention was a major issue in the US, according to Brown, and the subject of a major level of conversation and action in the US Congress as well.

“In courts and most importantly in the court of public opinion, there needs to be more transparency between the Government and the private sector and the individual citizens,” Brown said. “It’s more about the ‘why’ and ‘who’ is responsible.”

It is well known that the US Government and its allies used metadata to bolster their intelligence for anti-terrorist operations. However, Government advocates need to be sensitive to the “court of public opinion” before assuming such techniques can always be used in their future strategies.

 
