Center for Public Policy Innovation’s Two Part Cybersecurity Discussion with Oracle and Congressmen Michael McCaul and Mac Thornberry

On May 13 and June 7, 2016, the Center for Public Policy Innovation (CPPI), in conjunction with the
Congressional High-Tech Caucus and Cybersecurity Caucus, hosted two cybersecurity roundtables
for senior Hill staff. The events gave staff an opportunity not only to hear from nontraditional
stakeholders on the Hill, but to engage, asking questions to better shape future policy.

May 13th Roundtable with Chairman Michael McCaul and Oracle’s Hayri Tarhan

Hayri Tarhan, Vice President of Public Sector Security at Oracle, one of the world’s leading
technology companies, delivered a briefing before fielding questions and sitting down for an engaging
discussion with staff. Congressman Michael McCaul, Chairman of the Homeland Security Committee,
kicked off the event, which was meant to create greater understanding in Congress about the constantly
evolving nature of cyber threats and what government can do to minimize risks.

“Congress is finally starting to pay attention to Cyber. It wasn’t a big issue previously, which is why I
started the Cybersecurity Caucus,” began Chairman McCaul, adding that he is doing a lot of work related
to the Commission on Digital Security as well as recent cyber legislation.

In an ever-changing landscape, it is important to continue educating Members and staff by hearing
from some of the brightest minds in the field of cybersecurity. Oracle’s Hayri Tarhan, echoing the
sentiments of Chairman McCaul, rightly pointed out that years ago no one was paying attention to
cyber, and that neglect has led to many of the challenges we face today.

According to Tarhan, there is a new currency in IT, and that currency is data. Furthermore, its value
is measured not in money but in trust. Mega breaches have skyrocketed within the last two years
because hackers are becoming more skilled, and the threat is asymmetric: the cost of protecting data
is exponentially greater than the cost of mounting an attack.

Anatomy of an Attack

Hackers identify an organization’s database administrator through a site such as LinkedIn, learn what
the administrator does for fun from other social media sites, and social-engineer an email that leads
the administrator to click on a link that downloads malware. If this malware is a keylogger, the hacker
gains vast information, including username and password. After establishing a foothold, the hacker
creates multiple back doors and works toward the relational database, which is where data can be
stolen very quickly.

In cases where the intruder wants to pull something like 10 terabytes of data from a network without
anyone knowing, they do so a little at a time, using the administrator’s credentials so as not to
arouse suspicion.

“Don’t assume mediocre, assume exceptional when thinking about your cyber adversary,” noted
Tarhan. Chinese hackers are exceptionally good, with schools dedicated to hacking U.S. networks.

Post-OPM Breach

Following the cyber breach of the Office of Personnel Management, a cybersecurity sprint was
implemented with four key components:

  1. Provide log-in information to the Department of Homeland Security.
  2. Patch critical vulnerabilities without delay (including encryption).
  3. Tighten policies and procedures for privileged users.
  4. Implement multi-factor authentication.

To protect data and prevent unauthorized access, a username and password alone will not suffice;
pervasive monitoring and auditing are also needed to improve cyber posture.

One of the major takeaways from Tarhan’s briefing is the fact that 96 percent of all breaches could
have been prevented had the proper protocols been implemented.

Q&A:

Q: Where do we go from here in terms of securing government networks?

A: From a network standpoint, it is pretty straightforward; there are a few things to put in place,
including multi-factor identification. Risk is a spectrum, which means there is a spectrum for
authentication. Unfunded mandates are still out there. With a hosting facility and a tenant, both must
be in compliance, but neither is in a good security position and they end up pointing fingers.

Q: Where is the pushback coming from for two-factor identification?

A: SecurID is a pretty good system, especially for administrators. The challenge is for very large
organizations that need a help desk and a dedicated team. The PIV card is the second factor, which is
very secure, but some agencies haven’t implemented this yet.

Q: Generational differences in approach to cybersecurity?

A: Security has traditionally been the responsibility of the network team, not the administrator. CISOs
traditionally come from a network background. The database team needs to place someone on the
security team within an organization.
A more prevailing generational challenge: the expectation of the youngest generation is getting things
when they want them. They are device-oriented, their digital life is in a phone, and they don’t use
email. Their expectation of what they want from IT is very different from the generation before, but
security needs to be built in.

Q: Thoughts on Internet of Things and cyber security applications?

A: Tailored marketing from IoT devices, such as the wristbands at Disney World that track all your
movements and activities. The next change in cybersecurity is not the theft of data, but the
modification of data without anyone knowing it. Theft of data is scary; a change in data is frightening.

Q: Cyber Skills gap?

A: There aren’t enough people who are properly trained, and the old curricula are not up to date.
Staffing levels, skills, expectations: these are realities on the ground for IT organizations.

Q: Hardware/software challenges?

A: Are the security measures you put in place really going to improve security? There are some
realities: if you buy hardware without software in mind, that’s a problem. Hardware and software
need to match up; otherwise the system will be slow and people will want to back away. Government
needs to come in to explain the steps to properly secure data, and it needs to be prescriptive.
Government needs to figure out how to properly encrypt data.

Q: A lot of money being spent on cyber, why still so many unfunded mandates?

A: Money is going into network security, which is something you need. The supporting systems also
need to be strengthened.

June 7th Roundtable with Chairman Mac Thornberry and Oracle’s Jackson Thomas

Chairman of the Armed Services Committee Mac Thornberry kicked off the event by telling the group
that cyber is one of the most important and difficult issues confronting our nation. One of the most
challenging aspects is that the growing threat is evolving much faster than the response. “We need
smart people to guide policy making to close this gap,” urged the Chairman.

He noted the scope of breaches, from the Target and OPM breaches to North Korea’s hacking of
Sony. Now we see ISIS hacking and releasing the personal data of military personnel as a method of
intimidation. Furthermore, threats to physical infrastructure remain a major concern, and while
we have the best technology and minds on the cyber front, we still lack the policies and approaches.

In 2011, Congressman John Boehner appointed a task force on cyber. The first recommendations
were issued in October 2011, and the first reform wasn’t signed into law until December 2015 – this
lag must change to keep pace with cyber.

The Value of Data

Jackson Thomas, Vice President of Marketing for Oracle, echoed a sentiment heard more and more as
an increasing number of devices are connected to networks: “The value of today is data. How do we
protect data? If you lose a record from your database with PII information, that’s a big deal. If it has
some elements of health information, the value goes up three times.”

“Uber is the largest car company in the world, Airbnb is now the largest ‘hotel’ company, and they
both own the data connecting people. That is what makes them so valuable,” continued Thomas.
“Some organizations accept risk without recognizing the real problem, but if you lose the trust of your
users, that’s something you can never buy back.”

Most breaches take place because we don’t have enough solutions to guard data. Many occur in this
way:

  • Victims fall for phishing attacks. Sometimes it is obvious that an email is dangerous, but
    sometimes these emails can look legitimate.
  • Step 1: malware in your system. Once the attacker gets into the system, it is only a matter of
    time before the hacker can own the data.
  • Step 2: identify weak targets. Many organizations use default passwords; the attacker gains
    access to the database, gets the information out through SQL injection (or smart code), and
    tries to lift the data from the network.

The attacks to date are just the beginning, and the private and public sectors are in a constant game
of catch-up. More disturbingly, three major breaches in one year came from the same Chinese
organization.

The United States’ cyber sprint is very straightforward:

  1. Identify indicators that tell us about threat vectors, scan systems, and see what is happening.
  2. Apply security patches. Access by privileged users should also be examined. Multi-factor
    authentication is needed. Government is taking small steps, but more can be done.
  3. Steps to secure the database:
    – Encrypt the data, making it useless to a hacker on your network.
    – Prevent unauthorized database access: think carefully about who has access, such as
    contractors.
    – Look for anomalies where a lot of data is being moved or accessed.
  4. Manage the identity lifecycle:
    – Background: employees from hire to retirement/departure.
    – A comprehensive strategy for identity governance (how to onboard a user, how to remove a user).
    – Control authentication, authorization, and multi-factor authentication in certain cases.
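The third step above asks defenders to look for anomalies where a lot of data is being moved, and the first roundtable noted that a patient intruder pulls data a little at a time under an administrator's credentials. The following script is an added example, not code from Oracle or from either roundtable, of how that check can be run over database audit records. The log format (date, account, rows returned), the account names, the volumes and the thresholds are all constructed for this illustration; a real deployment would read the database's own audit trail and tune the thresholds to its traffic.

```python
"""Flag database accounts whose data volume departs from their own baseline.

Constructed example (not from any real system). Each audit line is
    <date> <db_account> <rows_returned>
with one line per account per day. The first BASELINE_DAYS days per account
define "normal"; later days are checked for two patterns:
  * spike        - a single day at SPIKE_FACTOR x baseline or more
  * low-and-slow - DRIFT_RUN consecutive days at DRIFT_FACTOR x baseline or
                   more, each day modest on its own (the "a little at a time"
                   exfiltration pattern)
Accounts with no history at all are reported separately so that new or
contractor accounts get a human look rather than a free pass.
"""
from collections import defaultdict
from statistics import median

# Constructed audit-log lines: a DBA, a reporting service account, a batch
# account with legitimately large but steady volume, and a brand-new account.
AUDIT_LOG = """\
2016-05-02 dba_alice 1200
2016-05-02 svc_report 5000
2016-05-02 app_batch 500000
2016-05-03 dba_alice 1100
2016-05-03 svc_report 4800
2016-05-03 app_batch 510000
2016-05-04 dba_alice 1300
2016-05-04 svc_report 5200
2016-05-04 app_batch 495000
2016-05-05 dba_alice 1250
2016-05-05 svc_report 5100
2016-05-05 app_batch 505000
2016-05-06 dba_alice 1150
2016-05-06 svc_report 4900
2016-05-06 app_batch 498000
2016-05-09 dba_alice 1200
2016-05-09 svc_report 12000
2016-05-09 app_batch 502000
2016-05-10 dba_alice 1300
2016-05-10 svc_report 11500
2016-05-10 app_batch 499000
2016-05-11 dba_alice 60000
2016-05-11 svc_report 12500
2016-05-11 app_batch 503000
2016-05-11 tmp_contract 300000
2016-05-12 dba_alice 1250
2016-05-12 svc_report 11800
2016-05-12 app_batch 501000
"""

BASELINE_DAYS = 5   # first N observed days per account establish "normal"
SPIKE_FACTOR = 10   # one day at >= 10x baseline is a spike
DRIFT_FACTOR = 2    # >= 2x baseline ...
DRIFT_RUN = 3       # ... on 3 consecutive observed days is "low and slow"


def parse_audit_log(text):
    """Return {account: [(date, rows), ...]} with each list sorted by date."""
    per_account = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        day, account, rows = line.split()
        per_account[account].append((day, int(rows)))
    for entries in per_account.values():
        entries.sort()
    return dict(per_account)


def baseline_and_rest(entries, baseline_days=BASELINE_DAYS):
    """Split an account's history into (baseline median, days to examine)."""
    if len(entries) < baseline_days:
        return None, entries            # too little history to judge
    base = entries[:baseline_days]
    return median(rows for _, rows in base), entries[baseline_days:]


def find_anomalies(per_account):
    """Return [(account, kind, date)] for every pattern detected."""
    findings = []
    for account, entries in sorted(per_account.items()):
        baseline, observed = baseline_and_rest(entries)
        if baseline is None:
            findings.append((account, "no-baseline", observed[0][0]))
            continue
        run = 0                          # consecutive elevated days so far
        for day, rows in observed:
            if rows >= SPIKE_FACTOR * baseline:
                findings.append((account, "spike", day))
            if rows >= DRIFT_FACTOR * baseline:
                run += 1
                if run == DRIFT_RUN:     # report once, when the run is long enough
                    findings.append((account, "low-and-slow", day))
            else:
                run = 0
    return findings


if __name__ == "__main__":
    for account, kind, day in find_anomalies(parse_audit_log(AUDIT_LOG)):
        print(f"{day} {account:<14} {kind}")
```

Comparing each account against its own history is what keeps the steady 500,000-row batch job quiet while a DBA who normally returns about 1,200 rows a day is flagged the moment that changes; the consecutive-day rule is what catches the reporting account that never spikes but quietly runs at more than twice its usual volume for days in a row.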

Advanced persistent threats (APT) are real; the good news is that we have solutions for them.

Q&A:

Q: Some organizations aren’t using all the security features available to them, why does this happen?

A: Sometimes it is just a matter of education and awareness. For example, just turning encryption on.

Q: Ransomware and will encryption solve this problem?

A: Ransomware is a new way for bad guys to get what they want. You need to have a
defense-in-depth strategy. Once encryption is in place, an organization needs to make it difficult for
someone to access the data and implement layers of security. Multi-factor authentication is important
in this situation.

Q: Thoughts on the U.S. government partnering with private entities to retaliate for cyber attacks?

A: It is a necessary evil, a combination of defense and offense.

Q: White-hat hackers, do you think we will see more of them? Can government take better advantage
of them?

A: Yes, the people who can do the hack are the best to provide solutions. Oracle employs its own
“ethical hackers” to go after its systems and look for vulnerabilities.

Q: Biggest form of cyber attack today?

A: Phishing seems to be the majority choice for hackers to get into systems. After you get into the
system, SQL is a top choice.

Q: Oracle works with various levels of government, what type of variations do you see in terms of
types of attacks?

A: It varies a lot between lines of business (i.e., financial versus healthcare). With state and local
governments, discussions about cybersecurity are at an early stage, and they need to wrap their heads
around the cyber problem. The basic principles and the anatomy of a breach are very much the same
across different levels and branches of government.

Thomas described talking to an ethical hacker from Oracle and asking how he goes about penetrating
infrastructure. Pick a banking organization, for example, go to LinkedIn, and find the bank’s database
administrators. Even former DBAs likely still have an active account within their old organization.
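The answer above ends on the former DBA whose account was never removed, which is exactly the failure the identity lifecycle step in the sprint list (hire to departure, onboarding and removal) is meant to prevent. The reconciliation below is an added example, written for this summary and not code from Oracle or either speaker, of the check an identity governance process runs: compare the HR roster against the database's account list and report enabled accounts whose owner has departed, accounts nobody owns, and accounts that are enabled but unused. The two CSV exports, the employee IDs, the account names, the dates and the 90-day dormancy threshold are all constructed for the illustration.

```python
"""Reconcile database accounts against the HR roster (constructed example).

Reports every enabled account that fails one of three lifecycle checks:
  * orphaned - the owning employee has departed; the account should have been
               removed at departure (and is worse if used since then)
  * unowned  - no employee is accountable for the account
  * dormant  - enabled but not logged into for more than DORMANT_DAYS
Disabled accounts are the desired end state and are left alone.
"""
import csv
from datetime import date
from io import StringIO

# Constructed HR export: one row per person; departure_date empty if active.
HR_ROSTER = """\
employee_id,name,status,departure_date
E100,Alice Adams,active,
E101,Bob Brown,departed,2016-03-31
E102,Carol Chen,active,
E103,Dan Diaz,departed,2015-11-15
"""

# Constructed database account export: owner, state and last successful login.
DB_ACCOUNTS = """\
account,owner_employee_id,enabled,last_login
dba_alice,E100,true,2016-06-01
dba_bob,E101,true,2016-05-20
dba_carol,E102,true,2015-12-01
svc_legacy,,true,2016-05-30
dba_dan,E103,false,2015-11-10
"""

DORMANT_DAYS = 90   # constructed threshold; pick one that fits the environment


def load_csv(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(StringIO(text)))


def reconcile(roster_rows, account_rows, today, dormant_days=DORMANT_DAYS):
    """Return {account: finding} for every enabled account that fails a check."""
    roster = {row["employee_id"]: row for row in roster_rows}
    findings = {}
    for acct in account_rows:
        name = acct["account"]
        if acct["enabled"].strip().lower() != "true":
            continue                                  # already removed: fine
        owner = roster.get(acct["owner_employee_id"])
        if owner is None:                             # blank or unknown owner
            findings[name] = "unowned"
            continue
        last_login = date.fromisoformat(acct["last_login"])
        if owner["status"] == "departed":
            departed = date.fromisoformat(owner["departure_date"])
            # An orphaned account that has logged in since the owner left is
            # the "former DBA still has an active account" case in practice.
            findings[name] = ("orphaned-used-after-departure"
                              if last_login > departed else "orphaned")
            continue
        if (today - last_login).days > dormant_days:
            findings[name] = "dormant"
    return findings


def run_report(today=date(2016, 6, 7)):
    """Run the reconciliation over the constructed exports."""
    return reconcile(load_csv(HR_ROSTER), load_csv(DB_ACCOUNTS), today)


if __name__ == "__main__":
    for account, finding in sorted(run_report().items()):
        print(f"{account:<12} {finding}")
```

The point of keying on the HR roster rather than on the database alone is that the database cannot know an owner has left; only the joining of the two sources turns "an enabled account with recent logins" into "a departed employee's account that is still being used", which is the finding that should trigger immediate removal and an investigation of that use.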

Q: Where are we with funding and balancing needs and creating a defense-in-depth strategy for
federal government?

A: Doing things like basic authentication, encryption of data,
Encryption is such a powerful tool to make it difficult for the hacker to gain access to information.

Q: SS7 control protocol?

A: Telecom companies are now selling access into their networks; people can buy access. It used to be
a limited club, but now you can buy your way onto the networks. To prevent that, there is a registry of
bad players, and you can prevent them from accessing your networks. This is a legacy issue.

Q: Attacks on commerce, other cyber acts of war? Where are we headed?

A: Cyber warfare is where we are going; what we are seeing right now is just the beginning. The
manipulation of data is a huge concern. For example, take U.S. Army logistics information and change
it; then they can’t find their assets and resources when needed during a conflict.

Q: Government has received criticism for having antiquated systems. How big of a red flag is this, and
how can they be modernized with young talent going to tech companies?

A: It is important for government to work closely with private organizations; technology solutions are
not limited. Increased cooperation with private sector being
There is a big problem with legacy systems; we saw this at OPM. Working with contractors to turn on
security features. Some of these systems are mission critical in government and need to be kept
updated and secure.

Q: Internet of Everything with multiple entry points? How do you view security in this area?

A: A good architecture should be inclusive of IoT, with each individual thing treated as a separate
identity. How do you authorize these various things (i.e., smart phone, smart car)? Treating things
like an identity is critical.