The potential threat posed by cyberterrorism has crippled both government and security experts. Whether it is cable news, newspapers, websites or social media, “cyberthreat” is hitting the headlines every day. One might think cyberwarfare is a relatively new issue that popped up just a few years ago. However, the armed forces and the U.S. Navy have been concerned about cyberwarfare for decades. In fact, the phrase “Cyber Pearl Harbor” was coined by American security pundits to raise awareness about the dangers in the realm of digital space. The analogy refers to a potential cyberattack that has the devastating intensity of the 1941 Pearl Harbor attack by the Japanese Navy against the U.S. Even though more resources have been deployed to counter the sophistication of cyberthreats, we still have a long way to go for things to get better. In the present day and age, cybercrime is a grave threat to every individual and business in the world. And our best defense is to be cyber aware.
To discuss this in detail, Pooja Tikekar, Sub-Editor, CISO MAG, interviewed retired U.S. Navy Vice Admiral Jan Tighe. Tighe served as Deputy Chief of Naval Operations for Information Warfare and as the 66th Director of Naval Intelligence. Previously, she served as the Commander of U.S. Fleet Cyber Command and U.S. 10th Fleet where she was the first woman to command a numbered fleet. A career cryptologist, she served around the globe in leadership positions for both the Navy and the National Security Agency, specializing in Signals Intelligence and Cyber Operations. She earned Naval Aviation Observer Wings and supported Operation DESERT STORM in the EP-3E aircraft (electronic signals reconnaissance/intelligence).
Tighe currently serves on the Board of Directors for Goldman Sachs, the Huntsman Corp., Progressive Insurance, IronNet Cybersecurity, the U.S. Naval Academy Foundation and serves as a Trustee for the MITRE Corp. She is a 1984 graduate of the U.S. Naval Academy and earned a doctorate in Electrical Engineering and Master of Science in Applied Mathematics from the Naval Postgraduate School, in Monterey, CA. She is also a National Association of Corporate Directors (NACD) Governance Fellow.
Tighe sheds light on the mission-critical role of the Navy’s Information Warfare Community, 5G infrastructures in connecting people and machines, and the CyberQ Aptitude test for upskilling talent and leadership.
Edited excerpts of the interview follow:
You have extensive Navy experience. How do you apply your experiences and learnings from the Navy to solve cybersecurity challenges, particularly risk mitigation? And what are the best practices to keep in mind to minimize cybercrimes?
Just as military commanders develop Deliberate Campaign Plans to flesh out the details of a military response to a potential future conflict, deliberate planning for resilience and continuity of operations is an important exercise for the private sector to prepare for potential cyberattacks and minimize the risks to their companies. A military crisis is never exactly what the Deliberate Campaign Plan envisioned but serves as an excellent resource and provides response options that can be tailored to the actual crisis that you face. Private sector companies are well served by thinking through and practicing their responses to a cyberattack.
The best defenses against cybercrime, and specifically ransomware, include: having the ability to restore your system from your backups stored off-network in an acceptable amount of time, based on your risk appetite; multi-factor authentication, or continuous authentication through behavioral-based analytics; and an effective patching program to minimize vulnerabilities.
Over a decade ago, the Navy’s Information Warfare Community (IWC) was formed to effectively combat adversaries targeting U.S. national security. How is it meeting the needs of warfighting in the current Information Age, while simultaneously providing accurate information to the forces? Do you see some parallels here?
It’s important to understand that the Navy’s Information Warfare Community is all about warfighting. We may play both a lead and supporting role depending on the mission. I see parallels in the private sector as Technology and Cybersecurity teams typically see themselves supporting corporate operations, but in crises, their work may become the main line of effort to defend or restore corporate systems for business continuity.
The IWC also integrates the Navy’s information-based capabilities, including cryptology. And you started your career as a cryptologist. Since many aspects of IT security rely on encryption and cryptography, do newer methods such as the Advanced Encryption Standard (AES) promise complete concealment of data?
Complete concealment is a lofty goal. Assuming it is implemented correctly, and until quantum computing is a reality, commercially available, authenticated end-to-end encryption such as Wickr is a valuable capability in building zero trust architectures – in both the public and private sectors.
As technology evolves, so does connectivity. 5G isn’t just a buzzword anymore. 5G networks are slowly being inducted everywhere. How would it help mission-critical services in better decision-making? And would it endanger data privacy? What are the security threats you foresee from 5G?
5G is the next leap ahead in mobility architecture connecting people, machines, and sensors with much higher throughput, capacity, reliability, and lower latency than 4G offers. Specifically, 5G Enhanced Mobile Broadband is expected to be up to 100 times faster than 4G LTE. 5G will also support greater densities of Massive Machine-Type Communications, which are required for the growing number of Internet of Things (IoT) and the Industrial IoT sector.
5G Ultra-Reliable Low Latency Communications underpin mission-critical services for autonomous vehicles, factory automation, and safety/security systems where communications delays are not an option. Reducing data latency is a critical element in control systems where multiple sensors feed into automated “decision-making” for systems like the self-driving car, the highly automated factory floor, military unmanned vehicles, and cyber defense. The more reliable and less latent the sensor data, the more autonomously the machines can operate, collaborate, and complete human-intended missions or outcomes with less hands-on human intervention.
Self-driving cars will be much safer than a car with a human at the wheel. Increasing the automation in factories will be more efficient and effective. 5G could also enable more computing power and collaboration at the edge in military unmanned vehicles, which could make them more autonomous, effective, and/or lethal depending upon the mission.
I expect security options to evolve with the rollout of 5G. Clearly, there is a risk that if global 5G infrastructure is overwhelmingly underpinned by Chinese-provided technologies (namely Huawei and ZTE), it can then be used to support Chinese state-sponsored malicious cyber operations, including espionage, IP theft, disruption of critical services and infrastructure, and (increasingly) influence operations. We need to assure global 5G connectivity to (at least) our closest allies with trusted 5G infrastructure and account for the fact that some of the global 5G infrastructures will be untrustworthy.
Since the pandemic took over the world, cyberattacks grew more sophisticated and increased in volume. And the SolarWinds Hack is an indisputable example. State actors breached both tech bigwigs like Microsoft as well as the U.S. Treasury and the Dept. of Homeland Security. SolarWinds garnered attention because it shed light on the need for best security practices within the government and for the integration between the government and the private sector. What is your take on it?
We need to stop trying to defend ourselves in our individual silos and find a way to create a collective defense, which can start in individual sectors (e.g., energy, finance, manufacturing), then expand across sectors, and optimally to the public sector. If you can detect anomalous behavior (e.g., IronNet’s IronDefense) in your network traffic, share and correlate those alerts across different organizations (e.g., IronDome), you can accelerate the identification of malicious activity by the SOC and enable defensive actions.
In this scenario, everybody benefits from the investigation, analysis, and result sharing by a single company’s security team. If we were all working together to eliminate false positives and to identify the most dangerous threats, we could see a dramatic impact on our ability to protect against attacks. SolarWinds is a prime example. If we had a collective defense in place, it may have helped analysts who did not see the comprehensive threat. Correlating the same analogous activity across multiple networks could have alerted analysts earlier to the threat. We really need to get after a collective defense and stop fighting alone in our individual silos.
The shortage of cybersecurity talent is a key issue today. Recently, EC-Council, along with the University of Maryland’s Applied Research Lab for Intelligence and Security, and Haystack Solutions collaborated to launch CyberQ Aptitude to help uncover aptitude for cybersecurity regardless of background. This testing is also in use by the U.S. Intelligence Community and the DoD. Do you think testing of this kind would help organizations mitigate talent shortages, or even form better teams based on their cognitive abilities?
Cognitive and aptitude testing has helped revolutionize talent pipelines for some fields that have the most demanding mental requirements. CyberQ Aptitude is the cyber equivalent successor to the military’s Defense Language Aptitude Battery (DLAB), which has significantly improved the language training success rates from less than 25% to greater than 75%. Some of the scientists behind the updated DLAB created CyberQ Aptitude to allow us to build our cyber warriors, while shaving hundreds of billions from the required investment.
CyberQ Aptitude will give managers the tools to build teams that align with organizational needs. This kind of alignment will dramatically improve retention because people will be supporting problems that most appeal to their natural cognitive wiring. This will also give managers an ability to do succession planning, aligning junior team members with the same cognitive fingerprint as their senior cyber rockstars.
CyberQ Aptitude will change upskilling programs from a form of corporate gambling to focused talent development. The upskilling leadership will be able to lay out a training program with high confidence that learners can pick up the material and generate the required cyber effects.
Do you also think the CyberQ Aptitude test will help organizations broaden the recruitment and retention horizon?
Neither the private sector nor most government agencies have sufficient talent pipelines to support sustainable talent acquisition plans. CyberQ Aptitude offers the way to find significant numbers of future cyber geniuses in places we haven’t looked. We can find the marginalized, underrepresented raw talent that never would have considered cyber and attract them to global, complex problems that have urgent societal impact. This can help solve the talent shortage facing the public and private sectors while mitigating some of the hiring risks. CyberQ Aptitude will give the training leaders confidence that the candidates will be able to execute the cyber mission, after having mastered the course material. CyberQ Aptitude has repeatedly shown its ability to identify nontechnical, high-potential talent that excels in cyber training.
Coming back to cryptology, its role and discipline have evolved over the years. Do you think it is one of the critical cyber skills to learn in these pressing times, when confidential data is vulnerable at all times, whether stored or in transit?
Cryptology includes information security, which is clearly a critical skill, whether you are putting protections on the front end or you’re actively mitigating threats that are hitting your front door. Honing your analytical skills and your intellectual curiosity is probably the most foundational thing that you can do in this area.
Lastly, is there anything you would like to add?
In general, I think it’s important to recognize the risk to our operational technologies that can be found in industrial control systems and manufacturing factories. A key lesson from the Colonial Pipeline attack is that if you operate machinery and industrial control systems, you need to be certain that those systems are not connected to your IT systems or directly accessible from the open internet. Typically, operational technologies are not easily restored like an information technology system, and the effects of having ransomware infect and not just encrypt, but probably destroy, the operational technologies would be a much longer recovery process than what we saw in Colonial Pipeline, where they shut down the pipeline as a preventative measure, even though they believed there was no connectivity between their IT and their OT systems.
If we step back and examine the big picture, talent is at the heart of our ability to protect and defend our systems. We have to engage our primary and secondary educational systems to prepare our future cyber workforce. That workforce needs to be as diverse as our population and we are a long, long way from that goal. It is imperative that we identify programs and resources that can support, encourage, and empower the young people of this country to understand what cybersecurity truly means and how they can be a part of it.
This interview first appeared in the July 2021 issue of CISO MAG.
About the Author
Pooja Tikekar is the Sub Editor at CISO MAG, primarily responsible for quality control. She also presents C-suite interviews and writes news features on cybersecurity trends.