San Diego’s Cyber Center of Excellence officially launched in March but has been doing a lot of what Center co-chairman Andrew Lee calls “frantic paddling underneath the surface” ever since.
One of the first tangible yields of that paddling was the National Cyber Security Month keystone forum held Wednesday in San Diego, which convened the field’s top players across the industry, government and nonprofit swaths to tackle questions needing answers and solidify San Diego’s lead in all things cyber.
“We set up the Cyber Center of Excellence for this one purpose -- to create a lens through which the rest of the nation, and our world, can see what San Diego has to offer in cybersecurity and cyberbusiness,” said Lee, also CEO of ESET North America. “We have an absolutely unique situation here in San Diego -- we have some of the world’s top talent, we have some of the world’s best companies, we certainly have the world’s greatest concentration of military expertise, and we have a number of incredible schools, we have great government involvement — we have so many things going for us, we have an analytics community second to none.”
San Diego’s prowess and the growing importance of the space are about the only things certain in this emerging and rapidly evolving industry, which is about to get even more shaken up as the Internet of Things exponentially increases the attack possibilities.
Among the top questions with no definitive answers are: Will businesses adopt cybersecurity -- and devices be built with it in mind -- of their own volition, or will legislation be required?
At what level should protocols and plans be rolled out -- national, state and local, or on a sector-by-sector basis?
How can the average consumer be better reached on the educational and safety front?
Where will all the data generated by these new devices be stored, and how can reasonable privacy measures be ensured?
“The thing I’m taking away from this is we know that we’re in the early days of this thing called the Internet of Things, and it’ll morph and change,” said Jeff Nichols, IT director at Sempra Energy Utilities. “And one of the ways we know we’re in the early days is there are actually many more questions than answers.”
Here’s what is known: As household appliances, cars, medical devices, etc. become “smart” and able to produce data that can be analyzed and used for good, the criminal world is finding ways to use the devices and data for bad.
But the speakers at the forum said that things aren’t all doom and gloom -- the few cases where things go wrong are the ones most heard, not the thousands of cases where firewalls, encryption and identity checks work.
One of the presenters from the federal level was Ryan Gillis, on the National Security Council staff at the White House, who said that cybersecurity isn’t an issue the federal government can solve on its own; collaboration is key, as evidenced in Executive Order 13,636: Improving Critical Infrastructure Cybersecurity.
“The federal government fully recognizes that cybersecurity is not an issue that we can solve for the nation,” Gillis said. “This isn’t missile defense. Private sector, state, local, tribal territorial governments own and operate the overwhelming majority of critical infrastructure in the United States, and also in many cases know the best way to defend that infrastructure. We need to leverage the capability that is inherent from those owners and operators.
“The government doesn’t want to tell everyone how they should do cybersecurity,” he said. “The government wants to, in some cases, lend some unique capabilities to that, but in other cases, use our convening capabilities to bring in those leaders, harness best practices among private industry and promote adoption across the board.”
Michelle Robinson, chief information officer for the state of California, also advocated for a broader approach to building and monitoring cyberinfrastructure.
“With respect to looking at the network and segmentation and a layered approach, I think we need to start looking at our network … as the United States enterprise network for critical infrastructure, not just our individual networks and trying to secure those,” Robinson said. “I think maybe we need to look at this concept of segmenting our larger critical infrastructure into really important things and working toward that perhaps, and looking at it more broadly.”
While the details of which sectors are most critical get hashed out and issues of regulatory necessity get answered, those in the trenches continue using their constantly evolving best practices -- as they will agree, there is no end state to cybersecurity.
“If you look at brute force attacks to our critical infrastructure, they have doubled over the last year alone,” said Chris Baker, senior vice president and chief information officer at Sempra Energy (NYSE: SRE). “Half of those are targeted at the energy industry.”