
Joining Forces

Public and private sectors must work together to combat emerging cyber threats

By Tom Walsh

Mike Rogers is a national security commentator for CNN and former chairman of the U.S. House’s Permanent Select Committee on Intelligence. He was congressman from Michigan’s 8th district from 2001-2015. The former U.S. Army officer and FBI agent talked recently with the Detroiter about evolving cybersecurity issues and his new CNN television series, “Declassified: Untold Stories of American Spies.”

You were a keynote speaker at the Detroit Regional Chamber’s Cybersecurity Conference this past March. What are the latest emerging threats to business and national security?

2016 will be known as the year of ransomware, in which a user’s computer is taken over and held hostage until a ransom fee is paid. We have seen hospitals, individual phones, entire companies held hostage. Between 2015 and 2016 we’ve seen well over a 1,000 percent increase in the number of ransomware/malware incidents across the country. A significant one was Hollywood Presbyterian Medical Center in Los Angeles, which suffered a shutdown of its computers and paid $17,000 to hackers who took over its systems.

Also, we have the evolution of the Internet of Things (IoT), with 60 billion different devices that are going to be connected to the internet. That has some huge economic benefits, but it’s going to present a host of new vulnerabilities, ways to get into company networks, to steal personal information or intellectual property.

Law enforcement and the private-sector technology industry are at odds over privacy and access to data — as with the FBI and Apple’s tiff over encryption. How big of a problem is this? Are you optimistic about a solution?

I’m not optimistic just yet. These companies have a significant portion of their business overseas. And rather than get caught up in global investigations, they’d like to get out of the business of accessing that information through encryption. I think there will likely be a way forward on this, but we’re not quite at the stage where we can have a good dialogue between the intelligence and law enforcement communities in the United States and these high-tech companies. I think encryption is a good thing overall, but it’s posing some very real problems for tracking, finding and understanding what bad guys are up to.

I’m a big fan of the FBI, but I was very disappointed in the public fight they took with Apple on encryption. I think it led to a broader public misunderstanding of the encryption issue and what law enforcement’s interests and intents were. That probably set back a constructive dialogue for some period of time.

We’re going to have to find a technical solution. I think we can get there, but we have to get past this very public fight. You want to protect the ability to have state-of-the-art encryption; that is a good thing. And I want Apple to be able to sell iPhones in China and Europe and across the Middle East. It’s a great American company, but at the same time, we have to find some solution to this. We’re not there yet.

What’s the impact of cybersecurity on Michigan’s automotive industry?

Huge. Cars are already connected to the internet for maintenance schedules and other diagnostics. We know hackers have been able to penetrate vehicles and do some pretty bad things. Imagine that your driverless vehicle is cruising down the expressway at 70 mph, and somebody decides that it’s fun and games to slam on the brakes of that car. That is dangerous to life and limb, so we’re going to have to figure out a way to have a higher level of security.

Every application adds a vulnerability. Hackers have been able to show that they can get into GPS systems, so the concern there is that they just turn it off. That would be a huge problem, both economically for the United States and militarily. You could also have a huge problem with people losing trust in e-commerce — which is about 20 percent of our economy — very quickly.

Hackers are generally perceived as the “enemy” in cybersecurity, but they’re also employed by security firms and paid “bug bounties” to find bugs and guard against attacks. Right?

The trick is how do you engage the ethical cyber defense community. I hesitate to say ethical hackers because I don’t know if there is such a thing, but how you find those bugs is going to be incredibly important. In the case of automotive, just having laws that make hacking into a car a felony is not likely to stop this when an individual can be 5,000 miles away. This is not like somebody is in there fooling around with your brakes with a screwdriver.

I would use the latest, greatest, best talent you could find. And bring them into “red team,” to stress test your system in a way that it finds those bugs, finds malicious source code, finds gaps in your security and defense systems, and it may have to be constant. This is not something that you go through once, and you’re done. You must do it. If you’re not, you need to start.

Can the automotive industry and defense groups, such as TACOM and TARDEC, work together on cybersecurity solutions?

Absolutely. It has to be a joint effort. The government sector in cybersecurity has some of the best hunters — folks who are trained and have the capabilities to go overseas and find malicious source code, to break into systems to find what the bad guys or our nation-state adversaries are doing. That brings a very unique talent that most private sector companies just don’t have.

How can we train more qualified people to meet our cybersecurity needs?

The education community has a critical role to play in today’s mad gold rush of trying to pump out cybersecurity professionals. What we really need are coders who can sit at the computer and code their way out of a problem, and that’s very different than some of the new cybersecurity degrees being offered by colleges. Those degrees are important because we do need people who understand the policy around cybersecurity, but the biggest shortfall now are those real coders, electrical engineers that have computer science and coding experience.