Security means knowing your network better than your attackers – or your users: ex-NSA head

Australian debate on encryption based on a “very thoughtful question” about visibility of government’s own insider threat

Governments must be held to higher standards than commercial entities when it comes to protecting citizens’ privacy, a former deputy head of the US National Security Agency has said while noting that increasingly complicated threats have nonetheless necessitated a fresh look at security and privacy.

Few know this better than Chris Inglis, a career US military officer who served as deputy director of the NSA for eight years and presided over the ignominious mass information leak by Edward Snowden. Snowden’s actions – which Inglis has previously said showed a lack of courage – drew attention to the NSA and its mass surveillance programs, which eventually led to changes in the NSA’s remit and even bigger problems when NSA-developed exploits were this year leveraged to enable the mass WannaCry and Petya malware attacks.

Snowden’s compromise, and the significant shift in government transparency that Snowden’s revelations about mass surveillance occasioned, have been a defining force in reshaping the information-security dialogue between public and private sectors. Recent years have seen governments in Australia and elsewhere moving to formalise their cybersecurity defences, as well as the rapid maturation of a security community that has tapped novel technologies to respond to the growth in ‘low and slow’ infiltrations used by malicious insiders like Snowden.

Because they are familiar with installed defences, such insiders have proven uniquely able to avoid tripping conventional alarms. And this, says Inglis, has laid out the extent of the problem facing companies and government agencies alike.

“We’ve got to move from episodic defence at choke points, to a continuous understanding of what’s happening on these networks such that we can detect anomalies or bad activities the first time it happens,” he explains. “It’s no longer good enough to react well; you have to anticipate well.”

Inglis’ comments mirror those of Australian government cybersecurity advisor Alistair MacGibbon, who has frequently and publicly called for change in our collective approach to security. Security vendors have been on the same page, with analysts warning years ago that Australian companies are thinking reactively rather than in an agile way. This requires engagement from the business – yet even as hackers get more professional about their approach to breaching security, some CSOs have struggled to make the same progress in getting the executive support they need.

This has led many companies into a situation similar to the one that Inglis and his peers faced at the NSA – where companies find themselves compromised and trying after the fact to figure out where they had gone wrong. With Australian businesses recently ranked as the most likely in the world to deploy data loss prevention tools after a breach – rather than before one – it’s a lesson that many companies will continue to learn the hard way.

Inglis, for one, has put his money on user and entity behavioural analytics (UEBA) technology that watches users’ online behaviour on an ongoing basis, quietly searching for anomalies that might indicate suspicious activity by otherwise-trusted users.

Shortly after leaving the NSA, Inglis joined the advisory board of UEBA vendor Securonix, which this month opened shop in Australia to tap into a land rush for ANZ businesses that are shoring up their defences in anticipation of a perfect storm of new legislation and governance requirements they will face in 2018 and beyond.

UEBA is just as important in catching outsiders as it is in catching Snowden-like insiders. “Outsiders’ Holy Grail is to become someone or something that has privileges inside the system,” Inglis said. “You’re looking for a baseline that says that there is actually a different entity behind this privilege, and you want to catch that to defend the integrity and reputation of the person whose privileges have been stolen.”
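The baseline-and-anomaly idea Inglis describes – continuous observation rather than choke-point alarms, and a per-user baseline against which a "different entity behind this privilege" stands out – can be shown in miniature. The following is an added example written for this page; it is not code from the article, from Inglis or from Securonix. The log format, the sample lines, the feature weights and the alert threshold are all constructed assumptions for illustration.

```python
"""Minimal UEBA-style behavioural baselining over constructed access-log lines."""
from collections import defaultdict
from dataclasses import dataclass, field
import statistics

# Constructed sample lines (not from the article). Format assumed here:
# "<ISO timestamp> user=<name> host=<workstation> action=<verb> bytes=<n>"
BASELINE_LOG = [
    "2017-11-01T09:12 user=alice host=ws-alice action=read bytes=3120",
    "2017-11-01T10:40 user=alice host=ws-alice action=read bytes=2800",
    "2017-11-01T11:05 user=alice host=ws-alice action=read bytes=4100",
    "2017-11-01T13:30 user=alice host=ws-alice action=read bytes=3500",
    "2017-11-02T14:15 user=alice host=ws-alice action=read bytes=2950",
    "2017-11-02T15:50 user=alice host=ws-alice action=read bytes=3300",
    "2017-11-02T16:20 user=alice host=ws-alice action=read bytes=4400",
    "2017-11-02T17:10 user=alice host=ws-alice action=read bytes=2600",
    "2017-11-01T08:05 user=bob host=ws-bob action=read bytes=2100",
    "2017-11-01T09:45 user=bob host=ws-bob action=read bytes=2500",
    "2017-11-01T11:30 user=bob host=ws-bob action=read bytes=1900",
    "2017-11-02T12:10 user=bob host=ws-bob action=read bytes=3200",
    "2017-11-02T14:00 user=bob host=ws-bob action=read bytes=2700",
    "2017-11-02T16:35 user=bob host=ws-bob action=read bytes=2300",
]
RECENT_LOG = [
    "2017-11-05T10:02 user=alice host=ws-alice action=read bytes=3100",   # normal
    "2017-11-05T20:14 user=alice host=ws-alice action=read bytes=2900",   # working late only
    "2017-11-06T02:31 user=alice host=jump-7 action=read bytes=850000",  # odd hour, new host, bulk pull
    "2017-11-06T12:20 user=bob host=ws-bob action=read bytes=400000",    # volume spike only
    "2017-11-06T12:25 user=svc-backup host=ws-bob action=read bytes=100", # account never seen before
]

Z_THRESHOLD = 3.0   # bytes more than 3 standard deviations above the user's mean
WEIGHTS = {"unusual_hour": 1, "new_host": 2, "volume_spike": 2, "no_baseline": 3}
ALERT_THRESHOLD = 3  # one lone oddity (working late) does not alert; a combination does


@dataclass
class UserBaseline:
    hours: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    volumes: list = field(default_factory=list)


def parse_line(line):
    """Split one log line into (hour of day, dict of key=value fields)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["bytes"] = int(fields["bytes"])
    return int(ts[11:13]), fields


def build_baselines(lines):
    """Learn what 'normal' looks like per user from a trusted window of activity."""
    baselines = defaultdict(UserBaseline)
    for line in lines:
        hour, f = parse_line(line)
        b = baselines[f["user"]]
        b.hours.add(hour)
        b.hosts.add(f["host"])
        b.volumes.append(f["bytes"])
    return dict(baselines)


def score_event(line, baselines):
    """Return (score, reasons) for one event measured against its user's baseline."""
    hour, f = parse_line(line)
    b = baselines.get(f["user"])
    if b is None:
        # A privileged identity with no history is itself the anomaly.
        return WEIGHTS["no_baseline"], ["no_baseline"]
    reasons = []
    if hour not in b.hours:
        reasons.append("unusual_hour")
    if f["host"] not in b.hosts:
        reasons.append("new_host")
    mean = statistics.mean(b.volumes)
    stdev = statistics.pstdev(b.volumes)
    if stdev:
        z = (f["bytes"] - mean) / stdev
    else:
        z = float("inf") if f["bytes"] > mean else 0.0
    if z > Z_THRESHOLD:
        reasons.append("volume_spike")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(recent, baselines):
    """Score every recent event; return those at or above the alert threshold."""
    alerts = []
    for line in recent:
        score, reasons = score_event(line, baselines)
        if score >= ALERT_THRESHOLD:
            alerts.append((line, score, reasons))
    return alerts


if __name__ == "__main__":
    base = build_baselines(BASELINE_LOG)
    for line, score, reasons in detect(RECENT_LOG, base):
        print(f"ALERT score={score} {reasons}: {line}")
```

Scoring by combination rather than by any single signal is what keeps the late-night event from paging anyone while the odd-hour, new-host, bulk-read event does. Per-event scoring of this kind still misses the "low and slow" pattern the article mentions, where each action is individually unremarkable; catching that requires the same baselines applied to rolling aggregates (distinct resources touched per day, cumulative bytes per week) rather than to single events.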

Once that theft happens, the damage can be considerable – and fast. “We have put more and more power into the hands of fewer individuals,” Inglis said. “Computers allow you to have much higher leverage based on a single person; the scope and scale attendant to what somebody can do is now much bigger. And your ability to catch it in time to restore things to good order easily, is much harder.”

Varying narratives about Snowden’s legacy – years later, he remains a traitor to some and a hero to others – shouldn’t distract from the importance of embracing new technologies to stop what he did, Inglis said, arguing that everything should be on the table at this point.

Despite his call for stronger government oversight, Inglis called for a level-headed approach to the current controversy around the government’s plans to force software giants to figure out a way to provide access to otherwise inaccessible communications.

While mass brute-force decryption remains mathematically challenging and the details of how such access might be provided remain sketchy, Inglis said it’s important to remember that the government is effectively fighting its own insider threat. And while discussion about the mechanisms of such a policy is still in its early days, he sees them in large part as an extension of long-standing policy around police access to potential evidence of criminal activity.

The Australian government’s push to gain access to secure private messaging was an example of the type of considerations that had to be weighed given the current security climate, Inglis said. “The question is whether we can take advantage of the capabilities that are there under the rule of law as it has existed for time immemorial,” he explained.

“The question now is how do we not force ourselves into a place to choose between one and the other,” he said, “but to ask the right policy questions and come up with the right framework.”

“The further question,” he continued, “is whether you want to begin to alter technology trends so you can continue to have a collective defence – with secure domestic and national security – and individual rights? The government is held accountable by its citizens to deliver those. It’s a very thoughtful question.”