In my interactions with Dick, I have been impressed with his thought leadership and overall career. I asked if he’d answer some questions on current trends in cyber attacks against space programs and other areas. That interview follows.
Dick Wilkinson (DW): My current role as a co-founder and CTO of a cybersecurity company was inspired by some unique experiences in the Army. As a soldier you often hear the price tag for a piece of military equipment and think, “I could have made this, and maybe even made a better one.” The joke that follows is, “We are in the wrong line of work.” Well, I decided to make the products and services that some current soldier will see and think to themselves, “I could make this, and probably make it better.” I put myself in the right line of work.
DL: You are a co-founder at Proof Labs with a goal of protecting space systems from cyber attacks. Is the space cyber threat growing?
DW: The space cyber threat is proliferating by leaps and bounds. Space was a nation-state-only arena for any offensive activity over the past 50 years. That is no longer the case. Space is now a full commercial industry that stands in parallel to government satellite use. The motivation to attack a satellite had been purely intelligence or national security-driven until the commercial industry was established. Now the classic hacking threats that face regular enterprise assets also face satellites. Fraud, ransom, denial of service and even hacktivism have all made their way into the space tech sector. Couple the commercialization with advancement in technology like interconnected satellites that operate as mesh networks and you have not just a bigger attack surface, but an entirely new attack landscape.
DL: What are some potential solutions to these challenges?
DW: The federal government has identified the importance of space technology but has not fully classified the industry as critical infrastructure. A policy move toward identifying space assets as critical infrastructure would raise the bar for security throughout the industry very quickly. Establishing a baseline of security for technical features, like the previously mentioned cross-satellite communications in mesh networks, would ensure our critical infrastructure is not being built without protection. This would motivate the manufacturers and operators to build in security by default, and not only when demanded by the client.
Continued emphasis on sharing threat intelligence within the industry is also important for us to overcome about a decade of security technology lag that is present in the space industry. Knowing if our current defenses match the current threats and how to quickly get to the right level of defense can be achieved through intelligence sharing and analysis at the industry level.
DL: How is the landscape changing as far as protecting the Internet of Things (IoT)?
DW: Within the last year it seems that the average consumer is starting to care about the risk of connected devices in their homes and communities. The development of the federal cyber trust mark program is a reflection of this new interest and will hopefully continue to close the security knowledge gap between the inventor of a new widget and the end user.
There is also a new understanding within the security industry that the components of IoT devices may seem benign, but the supply chain associated with building the device may pose a significant threat. Recent reports of police radios in the United States having corrupted components that support nation-state eavesdropping seemed to have a great eye-opening effect for IoT network managers and end users.
DL: Where are IoT or operational technology (OT) cyber threats heading from your perspective?
DW: I believe the full scope of this attack vector is just being realized by many threat actors, to include nation-states. Criminals may use these devices to build lucrative botnet services, but nation-states can use them for intelligence collection in places that had previously been denied. Couple new access with an exponentially growing number of devices, and we are inviting risk directly into our homes and offices with almost no scrutiny.
I have written previously that OT physical systems would become the target of ransomware opportunities. I believe this is still a realistic and looming threat, with a few recent examples that have essentially been a proof of concept for organized crime to move from data ransom to device ransom on high-value assets.
DL: What are the public and private sectors missing currently regarding cybersecurity? How can these issues be addressed?
DW: I believe culturally we are impacted by an imbalance between wanting new technology cranked out as fast as humanly possible and the need or social desire to secure this new technology. When you buy a new computer or phone, there are already new versions of software available to upgrade this brand-new never-used device, usually to patch security issues. We have accepted that security can wait and can even be applied after the product is already sold to the user. We would not buy a door for our house and install it knowing the deadbolt lock will arrive in a month. Why do we buy a phone, put our banking info into it, and then hope it is secure?
Consumers need to demand better security from device makers and service providers. The new cyber trust mark may help consumers “vote with their dollars” to influence the security industry. The industry needs to respond to this demand with the belief that a more secure product delivers a competitive advantage.
DL: You are an adviser for the U.S. Global Leadership Coalition. Tell us about that program and the importance of its mission.
DW: The U.S. Global Leadership Coalition (USGLC) as well as Global Ties are both avenues for international diplomacy for business and community leaders. The organizations connect industry leaders with their international peers to foster economic partnerships and transfer of best practices regarding government policy. Through these programs, I was able to meet with Ukrainian cyber leaders several months prior to the Russian invasion to exchange ideas around internal interagency data sharing to improve cyber intelligence programs at varying levels of government administration.
DL: How does cybersecurity play into the USGLC? What can be done to improve global collaboration in stopping cyber crime?
DW: The USGLC has a national security advisory board, and threats from the cyber domain would be considered there. Cybersecurity is not a focused effort for most diplomacy efforts. That needs to change. Average citizens across the world are all impacted by cyber crime. Crime is eroding GDP and passing money into organized crime rings. Billions of dollars of lost cash and productivity should be enough to promote cyber issues to the international stage; the financial aspect of cyber crime has not been enough to gain adequate awareness. The new understanding that cyber threats are also national security threats has taken the front seat in getting diplomatic organizations and peer networks to take interest in addressing cyber threats both economic and strategic.
International legal frameworks regarding extradition of cyber criminals will have to be improved to gain any traction in the global aspect of these crimes. Standards to define attribution of an attack should also be established and internationally recognized to allow for more prosecution of crimes when they occur.
DL: Anything else you want to add?
DW: Cybersecurity is often seen as purely technical and disconnected from business imperatives or goals. Conflicts often arise between technical thinkers and business leaders because the perceived goals don’t align. “Turn off the CAPTCHA on our website, customers are complaining” — enough said.
I would like to encourage more midcareer professionals to consider a move into cybersecurity. The skills they have gained in the business or management aspects of their careers can be applied in the technical environment of IT and cybersecurity. The security industry needs professionals that were not born in a computer lab to take on some organization responsibilities and bridge some knowledge gaps that many of us super-technical cyber folks may have. Aptitude for technology and some depth of knowledge in cybersecurity is required to be successful, but the fresh thought coming from other business sectors could help the cybersecurity industry greatly.