Anything networked can be hacked.
Everything is being networked.
Therefore everything is vulnerable.
That was one of the key takeaways for the 30 Capitol Hill staffers who flew from Washington, D.C. to Stanford University last week to attend three days of intensive cybersecurity training at the second Congressional Cyber Boot Camp.
“Whatever level you’re worried about cybersecurity, you should be more worried,” LinkedIn cofounder and Stanford alum Reid Hoffman warned the bipartisan group of staffers from key congressional oversight committees, during a keynote address with former Secretary of State and Stanford professor Condoleezza Rice.
Silicon Valley executives and entrepreneurs, academics and former high-level government officials painted a picture of a complex threat landscape, where foreign nation-states routinely hack into U.S. companies and government agencies with near impunity, and everything from utilities and critical infrastructure to cell phones and cars could be vulnerable to cyber attack.
“The next conflict, if it happens tomorrow, it’s not going to be pretty in cyber space,” said Kevin Mandia, president of FireEye and one of the world’s leading experts on computer forensics and incident response, in an onstage conversation with Michael McFaul, the former U.S. ambassador to Russia and director of the Freeman Spogli Institute for International Studies.
Mandia said that 29 out of the 30 significant cyber attacks his company was currently investigating were the handiwork of state-sponsored hackers, with the Chinese and Russian governments among the chief offenders.
“The Russian government has been accessing the majority of our government systems in my estimation for most of the last two decades,” he said.
“They can hack any company they choose. They can hack any government agency they choose.
“We’ve spent billions of dollars on defense, but I don’t think we’ve raised the cost of offense a dollar.”
The asymmetrical nature of conflict in cyber space was a common refrain.
“The people that want to attack have distinct and profound advantages over the defender,” said Herb Lin, senior research scholar at the Center for International Security and Cooperation (CISAC) and research fellow at the Hoover Institution.
That’s because the defender has to find and fix every flaw in commonly used software, which can run to more than 40 million lines of code, while the attacker needs to find only one. For the defender, it is like looking for the proverbial needle in the haystack.
“Each one of those lines of logic might have a flaw that can be exploited by an attacker to break in,” said Carey Nachenberg, chief architect of Symantec’s Security Technology and Response division.
“There’s no silver bullet solution…because the attacks are constantly shifting.”
Dan Boneh, a Stanford computer science professor and CISAC affiliate, demonstrated how a seemingly benign sensor, like the one that measures battery life in your iPhone, could be hijacked to pinpoint your exact location.
He also showed how the gyroscope that enables interactive games on your iPhone could be used to measure minute vibrations on a tabletop surface and eavesdrop on conversations.
Even everyday objects like cars can be compromised.
“Our mental models are focused on servers and laptops…but the vast majority of processors that ship every year look nothing like computers,” said Stefan Savage, a professor of computer science and engineering at the University of California at San Diego.
Savage’s research team published pioneering work on car hacking in 2010 and 2011 that proved it was possible for an attacker to take control of a car’s engine and brakes, including remotely, without physical access to the vehicle.
And cars are just the tip of the iceberg.
“There’s probably not a single mode of transportation that’s not controlled by a computer,” Savage said.
His next research target is the aviation industry.
Amy Zegart, CISAC co-director and senior fellow at the Hoover Institution, led a hands-on simulation exercise for visiting congressional staffers, where they assumed the roles of tech company employees responding to a major cyber breach.
Experienced executives from Intel, Uber, and Palo Alto Networks acted as board members and quizzed the staffers on how their assigned departments (including legal, marketing, business strategy and engineering) would manage the crisis.
The three-day boot camp concluded with a behind-the-scenes tour of Facebook’s new headquarters in nearby Menlo Park, led by the social network’s Chief Information Security Officer (CISO), Alex Stamos.
Zegart said she wanted to expose congressional staff to a diverse range of experts drawn from industry, law, technology and policy.
“We’ve got to figure out how to accelerate the learning process and work across disciplines,” Zegart said.
Other speakers agreed.
“The time to tackle these difficult policy challenges is now, not after one of these attacks happens,” said U.S. Air Force Col. Matteo Martemucci, division chief for the Joint Staff at the Pentagon.
The Cyber Boot Camp was hosted jointly by CISAC, the Freeman Spogli Institute for International Studies and the Hoover Institution, and co-sponsored by the Stanford Cyber Initiative.