Lt. Gen. (ret) Ronald Lee Burgess, Jr., who served as the 17th Director of the Defense Intelligence Agency, was one of the keynote speakers at Cyber Security Summit 2016 in Minneapolis. As head of the Agency and a former Acting Principal Deputy Director of National Intelligence, Burgess served as a key player in the national security arena, called upon by the President, the Secretary of Defense, the Director of National Intelligence, the Chairman of the Joint Chiefs of Staff, and Congressional leaders for his opinions, advice and expertise. He is currently Senior Counsel for National Security Programs, Cyber Programs and Military Affairs at Auburn University.
Addressing the Summit audience on cyber threats and solutions, Gen. Burgess noted that he has worked in security roles for more than 40 years. His presentation, titled “The Cyber Threat and Way Ahead,” touched on America’s security status in the world today, leaks and threats from others and the urgency to act to head off attacks. His far-ranging accounts of numerous events lent unusually revealing insights into security, including national security.
“Weaponized ones and zeroes are now referred to as cyber bombs, and they can be,” he said. “The good news is it’s a changing world out there. That’s also the bad news.”
He recounted how, years ago, one of the earliest social media sites, MySpace.com, was compromised and millions of subscribers lost personal information. That history is a case study in what happens when data stewardship fails. The site now is tiny in comparison to what it once was. Apparently, it also represents a lesson not learned by most Internet users.
Risky Shortcuts
“Fifty to 75 percent of Internet users use one password or derivatives of that password,” he noted. “We are lazy.”
The security veteran keeps his “eight pages of passwords” locked in a safe on a secure thumb drive.
“It’s hard, but welcome to the 21st Century,” he said.
Attacks happen and reward bad actors. One incident that originated from Bangladesh launched 35 requests for payment to the Federal Reserve Bank, Burgess recounted. Thirty weren’t paid – five were.
Crime is a service industry, he said. Just as the drug cartels have done by franchising and outsourcing, so too are operations in cyber space highly organized.
Likewise, ransomware is becoming more prevalent as a device in cybercrime. He cited war games that considered a scenario in which people with pacemakers are held hostage by treacherous assailant-hackers demanding payment in exchange for removing blocking software interrupting the device’s functionality. The doctor can’t send the signal to reset the pacemaker’s normal performance unless the patient pays $2,000 in ransom.
General Burgess mentioned a startling statistic about the unseen world of the Internet. A mere seven percent of the Internet is used daily by regular users. The other 93 percent, called the Dark Internet, is a realm not easily accessible to mainstream users.
The Internet of Things is ratcheting up security concerns as users engage with multiple digital communication devices. Adopting more devices introduces added risks for hacking. “Drones and robots will be used in defense by 2020,” he noted. “The world has changed – are we ready for it?”
“This revolution has just started and will affect our lives in every way,” Burgess told the audience.
Evaluating Our Losses to Theft
Burgess said the military is ready because “we train incessantly – and the Chinese do, too.”
In a war game scenario pitting China against Taiwan, it was discovered that “critical nodes defending Taiwan” included two American military bases, which would become targets in the event of a real attack. The threat extended to a third U.S. base because of its role as a military transport center.
Could China really take out these targets? Burgess asked. “I don’t know if they can actually do it, but they talked about it.”
The four most hacked targets last year were information systems, electrical grids, lasers and aeronautics, he said.
“The Air Force F-35 tactical fighter is the best fifth-generation fighter,” he said. “The Chinese and Russians have similar fifth-generation fighters – they stole it from us.”
Piracy of valuable assets is a major issue. In 2010, the estimated amount of intellectual property leaving the U.S. could have been as high as $250 trillion, Burgess said, a loss greatly eclipsing the value of the annual U.S. Gross Domestic Product.
The Most Likely Source of Risk
At the end of the day, it’s about doing a risk assessment, he said. The insider threat is real. Trust, but verify. People are people.
“Murphy’s Law is alive and well out there. There’s no real gold standard in cyber security – we don’t know what we don’t know.”
While serving at the Defense Intelligence Agency, Burgess said he instructed his people not to download anything on their personal devices. Although he knew and trusted his people, knowing human nature led him to find out how well his instructions had been followed. He ended up confiscating 63 iPods that were discovered to contain downloaded data.
“The weakest link is generally the individual,” he said.
In summary, he said, “The threat is clear … it will continue to evolve over time. It will move in real time.”
Protecting our critical infrastructure is critical, especially the power grid: “A scenario like power grid failure is not out of bounds.”
He said our tech advantage is narrowing. He also noted that his career security training equals some 5½ years. Most civilians have only one year of specialized training.
Cyber security “is a team sport” that requires serious commitment to ongoing training.
“You can’t keep up by doing it on the fly,” Gen. Burgess said.