Time for the US to develop a Manhattan Project in cybersecurity

If cybersecurity is one the greatest challenges facing our nation today (and few would question that it is), why are we helping our adversary defeat billions of dollars in cyber defenses?

Specifically, why do we:

(1) give our adversaries the legal right to ask what security tools our government uses, and

(2) allow them to purchase those tools and perfect their attack methods on us before they unleash them?

{mosads}This makes no sense, yet it is what we are doing today.

Through Freedom of Information Act requests and other means, anyone can ask the government what the government is purchasing – including for its cyber defense – and for the most part the government has to respond. Moreover, most of these tools are so-called commercial-off-the-shelf purchases, or COTS. Armed with the knowledge of what the government is buying, an adversary can buy those very same tools, giving them a virtually unlimited ability to examine, probe, and test it.

Compare this with other aspects of our national defense. When the Air Force needs a new radar system, the secretary of Defense does not grab one off the shelves at the local big-box retailer. Nor can hostile countries buy their own copy of that radar and check to see if their planes will be detected. So why are we doing this with cyber defense? Why are we allowing an attacker with sufficient resources to virtually assure that an exploit will bypass known defenses before ever launching them?

Obviously security vendors like Symantec know that the bad guys can do this, and we design our products to provide the best possible protection in the face of this reality. And when modern security tools are properly deployed, they are remarkably successful.

But the game changes when nation states with unlimited resources are specifically targeting our national security systems. For those systems, to quote Steve Jobs, we need to “think different.” What does “think different” mean in the context of national cybersecurity defense?

The first step is to stop buying the same security products that our adversary can buy at the aforementioned stores. To be sure, not all COTS purchases are bad, and they make perfect sense for much of the software the government uses – it does not need a proprietary payroll system or a custom-build word processor. But the same is not true of security tools, and COTS purchases of these products are in and of themselves a threat to national security.

Instead, the government needs to work with trusted partners to develop custom, purpose-built security tools, ones that are unique to the government and the national security agencies they are protecting. Recall that I said earlier that a resourced attacker can often bypass “known” defenses. Thus, the key is to ensure the defenses are unknown to our adversaries. If they do not know what they are attacking or how to defeat it they will be stumbling around in the dark, like a burglar without a flashlight bumping into furniture, making noise, setting off alarms. We will be able to see them coming and to stop them, and we will learn more about their attacks than they can learn about our defenses. Tailoring tools to particular agencies and applications would also allow for more mission-specific defenses that can be customized for a specific environment.

These next-generation security tools will have benefits far beyond just securing government systems. A major security-focused research and development effort will lead to new approaches and tools that will have broad private-sector applications, as well as IT innovations that go beyond just security. Take the Space Program – the underlying goal was to go to the moon, but this effort gave us everything from CAT scanners to cordless tools to memory foam mattresses. A generation earlier, the Manhattan project led to numerous medical and scientific breakthroughs.

Cyber defense is an enormous challenge to the nation, but it is also an enormous opportunity. The United States has not shied away from challenges in the past. From the Manhattan project to the moon shot, we have demonstrated time and again that we have the ingenuity, the tenacity, and the resources to excel at any test put in front us. We need to stop chasing the last attack, and instead we need to get ahead of our adversaries.

Doing so will not be easy, and will require a significant commitment of resources, as well as a willingness to ask some hard questions about how we are currently securing our most important government systems. But it is doable, and if the government commits the nation to this endeavor we can be well on way in five years. Cyber defense is this generation’s test, and the world is looking to us to lead the way.

Greg Clark is the CEO of cybersecurity firm Symantec.