I’m an engineer. From Arkansas.
I’ll wait until you’re done laughing.
That means there isn’t much I can’t do with some duct tape, a can of WD-40, and a tub of Bondo. It also means I know a thing or two about adding a few “extras” to a system to make it do things it wasn’t designed to do. The problem with this approach is that it generally works … until it doesn’t. And when it doesn’t, it usually fails spectacularly.
Unfortunately, this technique is how many people approach cybersecurity – they think it is something you can just bolt on to a system after the fact. Just like duct tape, the solution will hold – for a while. Just like duct tape, the solution will not be flexible enough to stand up to an evolving threat.
And make no mistake -- the threat continues to evolve. Despite the fact that ransomware is in the headlines because of recent attacks against the cities of Atlanta and Baltimore and a series of executives at Boeing, the number of ransomware attacks actually decreased from the prior year.[1]
The hot new trend in cybersecurity this year is mixology. Put down the craft rye and gourmet bitters. I’m still talking about computers. OK, fine -- bottoms up! Now let’s keep going.
If you track how malware is evolving, you’ll find that hackers are increasingly using each other’s code to create new attacks. From June to October 2017, WannaCry evolved into FakeCry, Petya evolved into NotPetya, and NotPetya ultimately grew to become Bad Rabbit.
Just as we begin to bolt on defenses against ransomware, a new threat emerges. It’s like a Pokemon nightmare.[2]
That’s the point.
As you can imagine, there is no single solution that can be bolted on to protect against this rapidly evolving threat. We’ve been talking about cyber hygiene for decades; clearly keeping your software patched and antivirus up to date aren’t enough.
So What Is the Answer?
At Engility, we’re taking a different approach toward cybersecurity. Our Cyber 2.0 Strategy focuses on Secure Systems Engineering and Cyber Test and Evaluation. These are pretty much two sides of the same coin.
With Secure Systems Engineering (SSE), we identify and define the architectural requirements a system’s got to have in order to be designed with cybersecurity in mind. We make sure that systems include considerations for security, including resilience to attack, isolation, and diversity. This is so the delivered system is resistant to a variety of attacks and can withstand the pressures of evolving threats as they come … kind of like how you both water- and fire-proof your barn before winter.
We also include data analytics engines (e.g., Synthetic Analyst) to review the state of the system and identify when the system is operating kind of funny. For example, we’ve found a way to incorporate cybersecurity requirements into the specifications for the Navy’s newest shipbuilding program. By including SSE as part of the overall requirements process, we are ensuring that the Navy’s Frigate will not only deliver the newest physical capabilities, but also set the baseline for the latest cybersecurity capabilities.
With Cyber Test and Evaluation (Cyber T&E), we fold cybersecurity into the overall test and evaluation strategy. When we test a system, we make sure that all requirements, including cybersecurity, are set in terms of mission readiness. With our support of NASA, we incorporated cybersecurity and software assurance testing into the overall T&E plan. This helps ensure that the systems built not only meet the mission requirements, but also provide the cybersecurity resilience necessary to support the NASA mission now and in the future.
Our Cyber 2.0 Strategy allows us to design and field solutions that help our clients respond to current and emerging cyber threats as soon as possible. Sometimes, that response is to isolate and clean the system. Sometimes, it means taking the system offline and operating via alternate paths. Sometimes, other approaches are necessary. Cybersecurity is a lot like triage in the emergency room – treat what you can now, turn off the systems you don’t need, stop the bleeding, and get the most important issues to the OR stat. Our clients’ missions are most important. Our Cyber 2.0 Strategy is all about mission readiness.
So go ahead and put down the duct tape. Take it from this Arkansas engineer: the threat means we have to change with the times. We’ll use that duct tape to fix other things.
[1] SonicWall, Inc. (2018). 2018 SonicWall Cyber Threat Report. Available: https://www.sonicwall.com/en-us/lp/2018-cyber-threat-report
[2] CrowdStrike. (2018). 2018 Global Threat Report: Blurring the Lines between Statecraft and Tradecraft. Available: https://www.crowdstrike.com/resources/reports/2018-crowdstrike-global-threat-report-blurring-the-lines-between-statecraft-and-tradecraft/
Posted by John P. Sahlin