In the lead piece in this package, Idaho National Lab’s Andy Bochman puts forth a provocative idea: that no amount of spending on technology defenses can secure your critical systems or help you keep pace with hackers. To protect your most valuable information, he argues, you need to move beyond so-called cyber hygiene, the necessary but insufficient deployment of security software and network-monitoring processes.

ABOVE: Forts like HM Fort Roughs were marvels of defensive engineering at the time: capable of being brought to sea, sunk in place, and fully operational within 30 minutes.

Bochman lays out a framework that requires switching your focus from the benefits of efficiency to the costs. Ideas that were once anathema — unplug some systems from the internet, de-automate in some places, insert trusted humans back into the process — are now the smart play.

But they’re not the only play. Another that’s gaining attention is “active defense.” That might sound like Orwellian doublespeak, but it’s a real strategy. It involves going beyond passive monitoring and taking proactive measures to deal with the constant attacks on your network.

There’s just one problem: As active defense tactics gain popularity, the term’s definition and tenets have become a muddy mess. Most notably, active defense has been conflated with “hacking back” — attacking your attackers. The approaches are not synonymous; there are important differences with respect to ethics, legality, and effectiveness.

Active defense has a place in every company’s critical infrastructure-protection scheme. But to effectively deploy it, you need a proper understanding of what it is — and that’s tougher to come by than you might expect.

We enlisted two of the foremost experts on the topic to help us proffer an authoritative definition of active defense and give you a fundamental understanding of how to deploy it.

Dorothy Denning was an inaugural inductee into the National Cyber Security Hall of Fame. A fellow of the Association for Computing Machinery and a professor at the Naval Postgraduate School, she has written several books on cybersecurity, including Information Warfare and Security. She also coauthored a landmark paper on active defense, which states, “When properly understood, [active defense] is neither offensive nor necessarily dangerous.”

Robert M. Lee is a cofounder of Dragos, an industrial security firm. He conducted cyber operations for the NSA and U.S. Cyber Command from 2011 to 2015. In October 2017 his firm identified the first known malware written specifically to target industrial safety systems — in other words, its sole purpose was to damage or destroy systems meant to protect people. (The malware had been deployed that August against a petrochemical plant in Saudi Arabia, but the attack failed.) When asked about active defense, Lee sighs and asks flatly, “How are you defining it?” You can tell he’s had this conversation before. The number of people co-opting the term seems to have wearied him, and he’s happy to help bring clarity to the idea.

The following FAQ primer draws on interviews with Denning and Lee.

What exactly is active defense, also known as active cyber defense?

It depends on whom you ask. The term has almost as many definitions as it does citations. NATO defines active defense this way: “A proactive measure for detecting or obtaining information as to a cyber intrusion, cyber attack, or impending cyber operation or for determining the origin of an operation that involves launching a preemptive, preventive, or cyber counter-operation against the source.”

A solid working definition can be found in Denning’s paper with Bradley J. Strawser, “Active Cyber Defense: Applying Air Defense to the Cyber Domain”: “Active cyber defense is a direct defensive action taken to destroy, nullify, or reduce the effectiveness of cyber threats against friendly forces and assets.”

That sounds like offense, but Lee and Denning note that it describes a strictly defensive action — one taken in reaction to a detected infiltration. Lee argues that there’s a border distinction: Active defense happens when someone crosses into your space, be it over a political boundary or a network boundary. But Denning says that’s probably too simple, and below we’ll see a case in which the line is blurred. Lee says, “Most experts understand this, but it’s important to point out, especially for a general audience. You are prepared to actively deal with malicious actors who have crossed into your space. Sending missiles into someone else’s space is offense. Monitoring for missiles coming at you is passive defense. Shooting them down when they cross into your airspace is active defense.”

Can you give some other examples?

Denning says, “One example of active cyber defense is a system that monitors for intrusions, detects one, and responds by blocking further network connections from the source and alerting the system administrator. Another example is taking steps to identify and shut down a botnet used to conduct distributed denial-of-service (DDoS) attacks.” It’s the verbs “responds” and “shut down” that make these instances of active defense. An example of passive defense, in contrast, is an encryption system that renders communications or stored data useless to spies and thieves.

Is active defense only an information security concept?

Not at all. Some argue that it dates back to The Art of War, in which Sun Tzu wrote, “Security against defeat implies defensive tactics; ability to defeat the enemy means taking the offensive.” Centuries later Mao Zedong said, “The only real defense is active defense,” equating it to the destruction of an enemy’s ability to attack — much as aggressive tactics in active cyber defense aim to do. The term was applied in the Cold War and, as Denning and Strawser’s paper makes clear, is a core concept in air missile defense. Tactics are tactics; all that changes is where they’re employed.

That seems pretty straightforward. So why the uncertainty around the definition?

As noted earlier, hacking back — also not a new term — has confused matters. Properly used, it refers to efforts to attack your attackers on their turf. But because people often fuse it with active defense, difficult and sometimes frustrating disputes over the merits of active defense have ensued. One research paper went so far as to equate the two terms, starting its definition, “Hack back — sometimes termed ‘active defense’…”

The confusion multiplied in October 2017, when Representatives Tom Graves (R-GA) and Kyrsten Sinema (D-AZ) introduced the Active Cyber Defense Certainty (ACDC) bill, which would allow companies to gain unauthorized access to computers in some situations in order to disrupt attacks. The lawmakers called this active defense. The media called it the “hack back bill.” What it would and would not allow became the subject of hot debate. The idea that companies could go into other people’s infected computers wasn’t welcomed. Some savaged the bill. The technology blog network Engadget called it “smarmy and conceited” and observed, “When you try to make laws about hacking based on a child’s concept of ‘getting someone back,’ you’re getting very far and away from making yourself secure. It’s like trying to make gang warfare productive.” The bill went through two iterations and is currently stalled.

But is hacking back part of active defense?

Probably not. Lee says unequivocally, “Hacking back is absolutely not active defense. It’s probably illegal, and it’s probably not effective. We don’t have evidence that attacking attackers works.” Denning has a somewhat different take. “Hacking back is just one form of active defense,” she says. “It might be used to gather intelligence about the source of an intrusion to determine attribution or what data might have been stolen. If the attacker is identified, law enforcement might bring charges. If stolen data is found on the intruder’s system, it might be deleted. Hacking back might also involve neutralizing or shutting down an attacking system so that it cannot cause further damage.”

But Lee and Denning are defining the term differently. And Denning’s version refers to actions undertaken with proper authority by government entities. When it comes to hacking back on the part of businesses, the two experts are in total agreement: Don’t do it. Denning says, “Companies should not hack back. The Department of Justice has advised victims of cyberattacks to refrain from any ‘attempt to access, damage, or impair another system that may appear to be involved in the intrusion or attack.’ The advice contends that ‘doing so is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal liability.’”

What’s an example of an aggressive form of active defense that some might consider hacking back?

Denning says, “One of my favorite examples of active defense led to the exposure of a Russian hacker who had gotten malicious code onto government computers in the country of Georgia. The malware searched for documents using keywords such as ‘USA’ and ‘NATO,’ which it then uploaded to a drop server used by the hacker. The Georgian government responded by planting spyware in a file named ‘Georgian-NATO Agreement’ on one of its compromised machines. The hacker’s malware dutifully found and uploaded the file to the drop server, which the hacker then downloaded to his own machine. The spyware turned on the hacker’s webcam and sent incriminating files along with a snapshot of his face back to the Georgian government.

Is that hacking back? I don’t think so. It was really through the hacker’s own code and actions that he ended up with spyware on his computer.”

Note that the actions were taken by a government and occurred within its “borders”; Georgia put the spyware on its own computer. It did not traverse a network to hit another system. It was the hacker’s action of illegally taking the file that triggered the surveillance.

If it’s probably illegal and ineffective, why is hacking back getting so much press?

Companies are weary. “They are under constant attack and working so hard and spending so much just to keep up, and they can’t keep up,” Lee says. “This is a moment when we’re looking for new ideas. That’s why Bochman’s concept of unplugging systems and not always going right to the most efficient solution is starting to be heard. Hacking back feels like another way to turn the tide. Cybersecurity loves a silver bullet, and this feels like one. CEOs are probably thinking, ‘Nothing else has worked; let’s fight.’” Lee has heard many business leaders express these sentiments, especially if their companies have suffered damaging attacks. “This is an emotional issue,” he says. “You feel violated, and you want to do something about it.”

In a paper titled “Ethics of Hacking Back,” Cal Poly’s Patrick Lin captures the sense of utter vulnerability that could lead some to desire vigilante justice:

In cybersecurity, there’s a certain sense of helplessness — you are mostly on your own. You are often the first and last line of defense for your information and communications technologies; there is no equivalent of state-protected borders, neighborhood police patrols, and other public protections in cyberspace.

For instance, if your computer were hit by “ransomware” — malware that locks up your system until you pay a fee to extortionists — law enforcement would likely be unable to help you. The U.S. Federal Bureau of Investigation (FBI) offers this guidance: “To be honest, we often advise people to just pay the ransom,” according to Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program.

Do not expect a digital cavalry to come to your rescue in time. As online life moves at digital speeds, law enforcement and state responses are often too slow to protect, prosecute, or deter cyberattackers. To be sure, some prosecutions are happening but inconsistently and slowly. The major cases that make headlines are conspicuously unresolved, even if authorities confidently say they know who did them.

What are the ethics of hacking back?

For the most part, experts say that hacking back without legal authorization or government cooperation is unethical. And whenever activities leave your boundaries, it’s hard to condone them. The targets are too evasive, and the networks are too complex, traversing innocent systems and affecting the people working with them. In addition, Lee points out that government entities might be tracking and dealing with malicious actors, and hacking back could compromise their operations. “Leave it to the pros,” he says.

Denning stresses that unintended consequences are not just possible but likely. She says, “The biggest risks come when you start messing with someone else’s computers. Many cyberattacks are launched through intermediary machines that were previously compromised by the attacker. Those computers could be anywhere, even in a hospital or power plant. So you don’t want to shut them down or cause them to malfunction.”

What kind of work is under way with regard to ethics?

According to Denning, researchers began wrestling with these issues as early as 2006. Speaking about a workshop she participated in, she says, “I recall discussions about measures that involved tracing back through a series of compromised machines to find the origin of an attack. Such tracebacks would involve hacking into the compromised machines to get their logs if the owners were not willing or could not be trusted to help out.”

A decade later Denning collaborated with Strawser to examine the morality of active defense writ large, using the ethics of air defense and general war doctrine as a guide. They wrote that harm to “non-combatants” — especially and most obviously physical harm — disqualifies an active defense strategy. But they say that “temporary harm to the property of non-combatants” is sometimes morally permissible. (It should be noted that Denning is primarily focused on the government use of active cyber defense strategies.) Denning cites the takedown of Coreflood — malware that infected millions of computers and was used as a botnet. The Justice Department won approval to seize the botnet by taking over its command-and-control servers. Then, when the bots contacted the servers for instructions, the response was essentially, “Stop operating.” In the instance of Coreflood, as in some similar cases, a judge decided that the actions could proceed because they could shut down major malicious code without damaging the infected systems or accessing any information on them.

“The effect was simply to stop the bot code from running. No other functions were affected, and the infected computers continued to operate normally,” Denning says. “There was virtually no risk of causing any harm whatsoever, let alone serious harm.”

Still, the case may have set a precedent for at least the suggestion of more-aggressive measures, such as the ACDC bill. If the government can take control of command-and-control servers, it can, in theory, do more than just tell the bots to shut down. Why not grab some log files at the same time? Or turn on the webcam, as in the Georgian-NATO case? Oversight is needed in all active defense strategies.

How can I deploy an ethical and effective active defense strategy?

If you have or subscribe to services that can thwart DDoS attacks and create logs, you’ve already started. Denning says that many companies are doing more active defense than they realize. “They might not call it active defense, but what they call it matters less than what they do.”

Cooperating with law enforcement and the international network of companies and organizations combating hacking is also part of an active defense strategy. The more companies and agencies that work together, the more likely it is that active defense strategies like the one that took out Coreflood can be executed without harm. Several such operations have taken place without reports of problems.

Denning recommends A Data-Driven Computer Security Defense: THE Computer Security Defense You Should Be Using, by Roger A. Grimes. (Full disclosure: Denning wrote the foreword. “But the book really is good!” she says.)

As for more-aggressive tactics, like the ones proposed in the ACDC bill, proceed with caution. Work with law enforcement and other government agencies, and understand the risks. Denning says, “It’s all about risk. Companies need to understand the threats and vulnerabilities and how security incidents will impact their company, customers, and partners. Then they need to select cost-effective security defenses, both passive and active.” There are limits, she cautions. “Security is a bottomless pit; you can only do so much. But it’s important to do the right things — the things that will make a difference.”

About the author: Scott Berinato is a senior editor at Harvard Business Review and the author of Good Charts: The HBR Guide to Making Smarter, More Persuasive Data Visualizations.

Protect Credit Union Assets from Sophisticated Hackers

Today’s criminals have moved beyond ransomware and malware.

From left: Tim Evans, chief of strategy; Don McLamb, Director of Engineering; and Rob Johnston, CEO.

Financial institutions are prime targets for cybercriminals looking to gain access to volumes of consumers’ personal data and money.

In 2017, the U.S. experienced 1,579 data breaches, 8.5% of which involved financial services companies such as credit unions, banks, investment firms, and credit card companies.

Credit unions face considerable challenges protecting sensitive personal and financial data from breaches. As nonprofit entities, they tend to have lean information technology (IT) teams and reduced technology budgets.

While credit unions may have smaller IT staff and budgets than larger banks, collectively they serve more than 100 million members and have assets of roughly $1.4 trillion.

To support their business, credit unions rely upon complex IT infrastructures with hundreds of connected devices transmitting large volumes of sensitive data. In addition to defending against intruders, credit unions must implement security controls to meet security compliance requirements.

It’s no surprise hackers find credit unions attractive.

Hackers realize that legacy security tools can’t properly protect today’s dynamic infrastructures. Firewalls and penetration testing alone can no longer keep sensitive data and assets safe.

Today’s hackers have moved beyond ransomware and malware and have identified new methods for infiltrating networks to steal employees’ identities, and then use those identities to roam the network—without the network owners even knowing of their presence.

Fileless attacks are becoming their weapon of choice. They don’t require any payload, and they are harder to detect than traditional malware-based threats.

Credit unions looking to outsmart hackers and ease the burden of compliance need to reassess their security strategies and identify the right blend of people, technologies, and programs necessary to protect themselves and their members.

To outsmart the bad guys, some credit unions are looking at advanced detection technologies that leverage machine learning and artificial intelligence.

Machines capable of cognitive functions, such as anomaly detection and classification, have superior processing power and continuously scan huge volumes of data to identify risks.

Today’s cybersecurity technology

Technology is revolutionizing the way credit unions secure enterprise assets and ensure PCI DSS (Payment Card Industry Data Security Standard) compliance. Today’s solution must be a cloud-delivered SaaS (software as a service) solution that protects against internal and external malicious actors.

A perfect Security Information & Event Management (SIEM) replacement or augmentation platform uses artificial intelligence, machine learning, and pattern recognition to monitor an organization’s network 24/7 to detect changes in user behaviors. It provides real-time visibility and analysis of the activities of every identity within the enterprise.

Creating a heuristic baseline of user activity by analyzing behavior, it identifies potentially malicious activity and sends a warning to the administrator, providing details about the questionable event before the threat becomes critical.

PCI compliance

Credit unions also need a platform that helps manage the security and confidentiality of member information by monitoring systems and activities to detect attempted and actual attacks on, or intrusions into, member information systems.

Appropriate technology solutions help manage the complexity of a constantly changing IT environment and provide insight into what sensitive data is being accessed by every account on the network.

Visualize privilege across your network

Managing user privilege across multiple groups is a challenge. User rights that are assigned to a group are applied to all members of the group while they remain members.

If a user is a member of multiple groups, the user’s rights are cumulative, meaning that user has more than one set of rights and privileges. Failure to routinely audit privilege and groups can result in misuse of privilege and unauthorized access to sensitive files.

SIEM-like technology automates the process for managing user privilege, ensuring account privilege status is up to date and accurate.

Cyber hunting

The Adlumin Platform is revolutionizing how credit unions secure sensitive data and intellectual property while achieving their compliance objectives. Adlumin provides a virtual machine-learning team of four to five personnel that hunts networks 24/7 for anomalous behavior.

This eliminates the need for credit unions to hire a single person.

TIMOTHY EVANS, J.D., L.L.M., is co-founder/senior vice president and chief of strategy for Adlumin Inc.

Password Safety and Complexity to Protect Your Accounts

By James Warnken

“The most used password in the world is 123456”

A simple password like this is cracked in a matter of just a few seconds, whereas if your password contains one capital letter, lower-case letters, and numbers it may take a few hours to crack. The most complex passwords take weeks to crack; they include everything above plus randomly placed special characters within the password. Keep this in mind when renewing or creating passwords to ensure accounts and information are secured by complex and strong passwords.

Before delving into how to construct a complex and secure password, we must first understand how hackers are stealing and breaking passwords in just minutes and clicks.

There are 5 ways hackers steal and break passwords to be mindful of:

  1. Mass Password Theft - This form of theft is done solely using a program and exploiting files within websites that contain username and password credentials. A hacker uses software that scans websites that store and create lists of user credentials, and once found, the hacker has full access to do with the information as they please. One interesting fact is that a computer does not have to be connected to Wi-Fi or even turned on for this to happen. This theft is done on a server basis, which means websites with autofill passwords enabled and weak security are a prime target for this form of password theft.

  2. Wi-Fi Traffic Monitoring - This form of password and credential theft often goes undetected and is not often given a second thought. Public places that offer free Wi-Fi requiring a sign-in with an email address are often where this takes place. A hacker sits within that network, and once an email address is entered they can monitor and record information from any site or program visited while on the free public network. For example, say you are on a public network checking your social media accounts: if a hacker is monitoring the network, once you enter your password to log in the hacker has the credentials needed to access the account.

  3. Trial and Error Theft - Although less practical for hackers, this method is still relevant and used with today’s technology. This method is exactly as it sounds. Hackers know that most people use significant words, phrases, or dates when setting passwords, so just by guessing and performing trial and error a password can be cracked. For example, it is common for people to use their date of birth in some form within their password; this information is easy for someone to get hold of and use when trying to guess a password.

There are two forms of phishing attacks:

  4. Fake Websites - Everyone gets obvious spam emails, but what about the ones that seem legitimate and very important? Some hackers have been known to set up websites that mimic official sites and then send spam emails that seem real. This is one effective way hackers steal credentials without much work beyond the setup phase. The email usually seems very important and provides a link that will supposedly resolve whatever issue is claimed to be occurring. Once the username and password have been entered, the hacker has the information, which can then be used to log into the actual account and do whatever they wish. These are very hard to spot and many times are never given a second thought. If this occurs and the issue described may be a real problem, do not log in through the link provided in the email. Go to the official website and log in there.

  5. Key Logging - This form of phishing is very common and usually very easy to spot. Hackers send emails that attempt to catch the receiver’s attention in various ways, aiming to drive them to click on a link attached to the email. If the link is opened it may seem that nothing bad has happened, which is true from a general view. However, on the back end, the email injects code into the device and begins tracking and recording information. Such code tracks keys and information within files that are then used to breach, crack, and steal passwords, credentials, and sensitive information. One rule of thumb is that if it seems too good to be true, it more than likely is.


Now that we know how hackers get our passwords, what can we do to stop them?

Here are 6 tips for making your password complex and impossible to crack.

  1. Password Length - The longer a password is, the more complex it is and the harder it is to crack and steal. Most websites require a minimum of 6 characters, but in reality 8 should be the minimum. Never use only the minimum characters required; instead make passwords lengthy and use variations of uppercase, lowercase, numbers, and symbols to ensure passwords are complex.

  2. Password Variety - This may seem very simple, but it is key to making a password complex. Instead of using the usual variation of first name, last name, and date of birth, try switching things up and using quotes and phrases. These are much harder for hackers to guess or replicate. Use a set of words or phrases that have no direct attachment to you personally. To make the password more complex than that, use variations by substituting words in or out, or rearranging words so that it may not make much sense to anyone but you.

  3. Using the Full Keyboard - When it comes to creating a solid password we all typically use letters and numbers, but utilizing the entire keyboard will make passwords more complex and harder for hackers to crack. Using special characters such as “!” or “#” is always a good idea, along with other special characters. It is also key not to have characters, numbers, and symbols in a generic pattern. Mixing things up, replacing a character with a number, and arranging them in a unique pattern will ensure your password is complex and uncrackable.

  4. Variations across accounts - When it comes to logging in to accounts, many people fall into the thinking “I want my password to be easy to remember,” so consequently the same password is used across multiple or all accounts. This is very risky and makes all accounts vulnerable to attacks. Instead of using the same exact password, create variations of the password such as replacing letters with numbers or making characters capital or lowercase. Simple variations can protect accounts and add to their complexity, making it harder for attackers to steal them.

  5. Avoid Common Passwords - When it comes to password complexity and making the job of a hacker harder, this tip is the easiest and can be impactful. Avoid using the famous “123456” or “qwerty” and any others that just seem too easy to guess. Also, keep in mind that if it is something that stands out on the keyboard, it is more than likely too easy and simple a password. A simple password would be your initials and birthday, whereas a more complex password might be the month you were born, followed by your middle name (capitalize one random letter), followed by a special symbol, concluded with the day you were born.

  6. Renewing passwords - Passwords that have been the same for long periods of time are more vulnerable than ones changed from time to time. Best practices suggest a password should be reset and changed at least once every 3 months. Changing passwords helps both in securing against future attacks and against attacks that may have happened undetected. For example, a hacker could have login credentials and be hiding and monitoring data and information, but with a regular password reset the hacker would be locked out and all access they had would no longer be available. In most cases stale passwords, or passwords that have not been reset for long periods of time, are the prime target for hackers, as they can grant access often without anyone ever knowing they are in.


With all this in mind, let us look at some examples of PCI compliance regulations regarding passwords.


  • Passwords must be reset every 90 days
  • Require a minimum password length of 7 characters
  • Passwords must contain numerical and alphabetical characters
  • New passwords cannot be the same as the old password
  • Temporary locking of account after 6 failed attempts
  • Idle timeout after 15 minutes

Be sure to check the full list of regulations as well as others within your industry to ensure both compliance and protection.
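The PCI password rules listed above, together with the earlier tips on length, character mix, common passwords and reuse, enforced in one small account model. This is an added example, not code from the article: the function names, the PBKDF2-SHA256 storage, the constructed common-password list and the 30-minute lock duration are my assumptions (the page names no lock duration).

```python
# Added example: enforcing the PCI DSS password rules quoted on this page.
# Assumptions not from the page: PBKDF2 storage, 30-minute lock, function names.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy constants from the PCI DSS list on this page.
MIN_LENGTH = 7                          # minimum password length of 7 characters
MAX_PASSWORD_AGE = timedelta(days=90)   # passwords must be reset every 90 days
MAX_FAILED_ATTEMPTS = 6                 # temporary lock after 6 failed attempts
IDLE_TIMEOUT = timedelta(minutes=15)    # idle timeout after 15 minutes
LOCK_DURATION = timedelta(minutes=30)   # assumption: the page gives no duration
# Constructed stand-in for a real common-password list (tip 5 above).
COMMON_PASSWORDS = {"123456", "qwerty", "password", "123456789", "111111"}

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Salted PBKDF2-SHA256; the plaintext is never stored.
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest

def check_password_policy(candidate: str) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems

@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None

def create_account(username: str, password: str, now: datetime) -> Account:
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    salt, digest = hash_password(password)
    return Account(username, salt, digest, now)

def set_password(account: Account, new_password: str, now: datetime) -> List[str]:
    # Complexity rules plus "new password cannot be the same as the old password".
    problems = check_password_policy(new_password)
    _, digest = hash_password(new_password, account.salt)
    if hmac.compare_digest(digest, account.digest):
        problems.append("same as the previous password")
    if problems:
        return problems
    account.salt, account.digest = hash_password(new_password)  # fresh salt
    account.password_set_at = now
    return []

def login(account: Account, password: str, now: datetime) -> Tuple[bool, str]:
    """Verify a password while enforcing lockout and the 90-day age limit."""
    if account.locked_until is not None and now < account.locked_until:
        return False, "account temporarily locked"
    _, digest = hash_password(password, account.salt)
    if not hmac.compare_digest(digest, account.digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCK_DURATION
            account.failed_attempts = 0
            return False, "too many failed attempts; account locked"
        return False, "invalid credentials"
    account.failed_attempts = 0
    if now - account.password_set_at > MAX_PASSWORD_AGE:
        return False, "password expired; reset required"
    account.last_activity = now
    return True, "ok"

def session_active(account: Account, now: datetime) -> bool:
    # A session survives only while the last activity is within the idle timeout.
    return account.last_activity is not None and now - account.last_activity <= IDLE_TIMEOUT

def run_scenario() -> list:
    """Walk one constructed account through every rule; returns the outcomes."""
    t0 = datetime(2018, 6, 1, 9, 0)
    acct = create_account("member01", "Spring2Summer!", t0)
    out = []
    for i in range(MAX_FAILED_ATTEMPTS):                      # six bad guesses
        out.append(login(acct, "wrong-guess", t0 + timedelta(seconds=i))[1])
    out.append(login(acct, "Spring2Summer!", t0 + timedelta(minutes=1))[1])   # still locked
    out.append(login(acct, "Spring2Summer!", t0 + timedelta(minutes=31))[1])  # lock expired
    out.append(session_active(acct, t0 + timedelta(minutes=41)))              # 10 min idle
    out.append(session_active(acct, t0 + timedelta(minutes=47)))              # 16 min idle
    out.append(set_password(acct, "Spring2Summer!", t0 + timedelta(days=1)))  # reuse
    out.append(login(acct, "Spring2Summer!", t0 + timedelta(days=91))[1])     # 91 days old
    return out
```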

U.S. More Vulnerable To Weaponized Cyberattacks Than You Think

Experts on a panel at SXSW warn major hacking onslaughts of our infrastructure, personal data, and businesses are coming—and we’re not ready.

Until Americans get more serious about cybersecurity, the United States remains extraordinarily vulnerable to attacks from enemy nations, and even individual hackers, on our electric grid, hospitals, infrastructure, and companies large and small.

That was the sobering takeaway from the War Games: From Battlefield to Ballot Box panel of experts at South by Southwest Friday.

Representatives from the federal government, security firms, and private investors painted a bleak picture of the current state of our digital safety considering hackers’ increased ferocity in recent years.

“When I first got into cyber, it was a game for nation-states,” says Robert Johnston, the CEO of Adlumin, and the cyber sleuth who detected the Russian hacking of the Democratic National Committee. “Only nation-states would play at this level… The barriers to entry were so high, the knowledge you needed was so high. In today’s day and age, that’s not the case.”

Today, says the former Marine, who also led efforts to counter Russian cyberattacks against the U.S. Joint Chiefs of Staff, software has made it easy for even the smallest countries, or even private hackers, to carry out dangerous attacks.

Software has made it so easy, says Ann Cox, a program manager in the Department of Homeland Security’s Cyber Security Division, that bad actors can easily and cheaply buy tools with relatively simple graphical interfaces on the Dark Web. “Anyone who has an interest in doing malicious things, there’s a very low barrier to entry,” Cox says. It’ll cost “only a few hundred dollars.”

And while we might worry about the impacts of things like Russian hacks on national institutions, Cox says even these small hackers are now regularly carrying out coordinated shutdowns of things like 911 call centers by overwhelming them with phone calls.

A major bottleneck in efforts to thwart cyberattacks is complacency. While many companies and people may know the precautions they should implement to protect their systems, few do. Things as basic as regularly updating operating systems, using antivirus software, and two-factor authentication are not being done.

Even if everyone used best practices, it would still leave us vulnerable to between 10% and 20% of attacks, says Cox, and that residual exposure is a big reason few foresaw the scale of the intrusions that have taken place, or the rate at which they are expanding.

To illustrate just how much worse things are, she detailed how in 2015 her agency launched a program to fight distributed denial of service attacks and set a goal of being able to handle anything up to a 1 terabit per second (1 Tbps) attack against a mid-size company. The program manager in charge of the effort got grief, she said, because few imagined such an attack was possible.

But a year later, the Mirai botnet brought networks down across the U.S. by exceeding that level, and just within the last three weeks, she says, there have been two attacks that set records for scale. "Because of the way malware is evolving," Cox says, "if they hit 2 Tbps, or 3 Tbps, we really don't have a way to protect against that."

And, we should be prepared for that to happen in the next two to three years, she adds.

While it seems like there are potentially insurmountable technical issues now, a bigger problem may be that a country like the United States has few viable deterrents to keep belligerents from hacking into our systems. Johnston pointed out that when it comes to the nuclear race, we've always relied on the concept of mutually assured destruction to avoid catastrophe. And in conventional warfare, few countries can withstand American military might, which is capable of parking multiple carrier groups off an enemy shore in 18 hours.

But in cyberwarfare, the playing field levels out quickly. "At any given time," Johnston says, "any country can launch" a cyberattack. And while the U.S. certainly can mount its own, there is little we can do to prevent retaliation that's as bad, or even worse.

He says that economic sanctions and diplomacy have proven to be the most effective deterrents, but that they’re only successful some of the time–when there’s relative economic parity between nations, such as Obama’s efforts to rein in Chinese hacking.

Such efforts won’t work with every country, Johnston says. For example, we’ve already had sanctions in place against North Korea for decades and that country continues its sub rosa cyberwarfare.

Americans probably need to accept that we're in for a rough future, warns Johnston. He points to Russia, which has not been deterred from cyberattacking the U.S. despite past sanctions and the threat of new ones that President Donald Trump never implemented.

Russia has too many ways to retaliate against U.S. counterpunches—such as shutting off natural gas supplies. “You can’t pick on a big boy on the block,” Johnston says. “You have to find another way.”


Daniel Terdiman is a San Francisco-based technology journalist with nearly 20 years of experience. A veteran of CNET and VentureBeat, Daniel has also written for Wired, The New York Times, Time, and many other publications.





Adlumin Selected as DCA Live 2018 Red Hot Cyber Company


(Left to right) Tim Evans, Senior Vice President; Don McLamb, Director of Engineering; Rob Johnston, CEO

Next week DCA Live will recognize the most exciting cyber companies in the DC region. These companies are all growing and creating value and jobs in our local tech community. They are also solving important problems and need to be recognized. Join us at Eastern Foundry in Rosslyn, VA next Tuesday – February 27 – for food, drink, and great networking with leaders of the hottest cyber companies in town.


Founders: Robert Johnston and Timothy Evans

Year founded: 2016

Number of employees: 10

Cyber problem you are solving: Why do corporate breaches continue to succeed? Because attackers can steal legitimate credentials and use those credentials to attack your hybrid network undetected. Adlumin helps customers identify and remediate identity-based vulnerabilities before attackers can take advantage, and uses data science to monitor identity access to corporate resources to detect attacks in progress, all from a cost-efficient, cloud-delivered solution that deploys in minutes.

DC is the global HQ for the cyber industry because: DC is the HQ because of guys like Tim and me. We come from intelligence backgrounds at the National Security Agency and are now dedicating our professional lives to solving some of the complicated issues in the security space. The knowledge, expertise, and passion for national security is a fundamental reason why people move to DC, why people join an intelligence agency, and why our products will be the best in the world.