Opinion: Cybersecurity needs an offensive playbook

In order to beat malicious hackers, the cybersecurity community must develop innovative approaches for deploying – and automating – offensive strategies to find and fix software vulnerabilities.  

The DARPA Cyber Grand Challenge at DEF CON 24 was the first all-machine hacking Capture The Flag tournament with automated systems.

Photo by Ann Hermes/The Christian Science Monitor

December 13, 2016

What do recent political hacks, the massive cyberattacks that took down a wide swath of the internet, and digital assaults on a portion of the Ukrainian power grid have in common?

All of them reveal that attackers are far ahead of defenders when it comes to digital security. But with global investment in cybersecurity expected to top $1 trillion over the next five years, why are the government agencies and companies charged with defending public networks and corporate systems so far behind?

It's simple: Cybersecurity defenders aren't playing enough offense.

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

The traditional way of thinking about cybersecurity has been that you can only have good a digital defense if you "build secure from the ground up." But this approach assumes a perfect world where everyone constructs bulletproof computer programs. That's a fantasyland.

Instead, cybersecurity is more like sports. You have to excel at both offensive and defensive strategies to win.

This doesn't mean that information security firms and independent researchers should start launching attacks on adversaries. But the good guys need to be more aggressive about finding and fixing vulnerabilities in systems and networks before malicious hackers uncover and exploit them.

Think about it this way: Defensive teams in sports improve their skills by practicing against offensive teams, studying their plays, and understanding their approaches. We need this kind of tactic for improving cybersecurity across the board. 

In the digital security business, the skill set between offensive and defensive groups are strikingly similar. Both sides want to discover flaws first. But to build more robust offensive teams – for seeking out vulnerabilities in government or business networks – and defensive ones – for building the barriers and fighting off the malicious hackers – we need to invest more heavily in automation.

Why Florida and almost half of US states are enshrining a right to hunt and fish

We need automatic tools that play offense – tools that can check every program, system, and piece of critical infrastructure for flaws. These will become more essential as the number of hackable devices – cars, medical equipment, industrial machinery, and home electronics – is exploding.

Many wireless routers, for instance, are laden with security bugs. There are hundreds of different routers, and examining each one for security flaws by hand is not possible. But we could program computers to hunt down those bugs.

Earlier this year, the cybersecurity community witnessed its equivalent of the moon landing: The Defense Advanced Research Projects Agency (DARPA) showed that computers are capable of autonomously deploying offense and defense in battles between supercomputers. The event dubbed the "Cyber Grand Challenge" paved the way for a new era of machines defending against computer attacks.

During the challenge that took place over nearly 10 hours in a Las Vegas conference hall, seven competing computer systems autonomously detected, evaluated, and patched software vulnerabilities before other competing systems had a chance to exploit them in a classic cybersecurity exercise known as Capture the Flag. It was the first all-computer hacking contest, and its success illustrated the potential of automation in cybersecurity. 

Right now, most companies rely on a small number of security analysts to test their products, so countless vulnerabilities go unnoticed. The Cyber Grand Challenge showed that in the not-too-distant future, it will be possible for companies to use automated tools to find and fix software vulnerabilities much faster, and at scale.

Even though cybersecurity automation will eventually make everyone safer, we still need skilled engineers to build these kinds of systems. The computer security field is projected to grow 50 percent faster than computer science in general, and more than 200 percent faster than average jobs. And demand is quickly outpacing supply.

Burgeoning efforts within government, from foundations, and private sector to focus on innovation and training are helping. We need more smart people building automatic systems that can work harder and faster – on both defense and offense – than even the most skilled hackers. 

David Brumley is the director of CyLab Security and Privacy Institute and the Bosch Distinguished Professor in Security and Privacy Technologies at Carnegie Mellon University. He's also chief executive officer of ForAllSecure. Follow him on Twitter @thedavidbrumley.