I sat down with Nathaniel Gleicher, Illumio’s head of cybersecurity strategy, to talk about why cybersecurity is so difficult to define and the importance of rebalancing the playing field between defenders and attackers.
Your last position, prior to joining Illumio, was with the White House’s National Security Council. Why make the move from the public to the private sector?
For the past 30 years, our reliance on sophisticated communications networks has been a strategic advantage all over the world. But if we don’t get our hands around the security challenges we’re facing, then we risk putting ourselves in a place where our reliance on these networks is a strategic weakness. And that’s a world we really don't want to be in.
The problem is that attackers are much faster and more agile than defenders. It’s a big enough discrepancy that rebalancing the playing field is essential—a slight improvement in existing technology won’t help if our defenders are still an order of magnitude behind. The private sector—and Silicon Valley in particular—is especially well suited for building the solutions that can make this rebalancing happen. So my move to the private sector is an opportunity for me to help build this new platform, which will enable defenders to keep up with (and outpace) the threats they’re seeing.
How do you define cybersecurity?
If you get 15 people in a room who call themselves cybersecurity experts, you’d get 20 different definitions of the word because five of the experts would disagree with themselves. And one of the challenges with cybersecurity as a discipline is that it is constantly changing—the tactics that defined cybersecurity two years ago look remarkably different from those that defenders should be relying on today. Because of this constant change, I find it most useful to define cybersecurity broadly: it is ensuring that the communications networks and systems that we increasingly rely on for everything are safe and secure from external threats.
What made you decide to get into cybersecurity?
Our communications networks are an increasingly fundamental platform to almost every other discipline. And if those networks aren’t secure and reliable, then all of those systems we rely on without realizing it stop functioning. Our reliance as a society on modern communication networks has been a rapid accelerator of innovation, economic growth, and the growth of civil society—but it also creates a serious Achilles’ heel if we leave these underlying systems exposed to malicious actors.
I joined the Department of Justice because of the sense of mission there—you’re working to keep people safe. The professionalization of the cybercriminal community—the malicious actors targeting our systems—has been incredible. These powerful and often violent criminal organizations have built a presence on the Internet and have built a criminal enterprise that targets the Internet because it’s so valuable, because it’s so easy, and because they can use geography to help themselves by hiding across borders. And nation-states also clearly see the Internet as an opportunity to project power across international borders.
The impulse in the face of these threats, and the steady increase in the frequency and cost of the breaches that we have seen in recent years, is to limit the open exchange that the Internet has enabled. It would be terrible to hobble all of our communications innovations from the last decade because of our fear, and the way to stop that instinct is to build a security framework that enables, rather than stifles, an open community.
What do you think we'll be hearing a lot about in the next few years?
Two things come immediately to mind:
1. The rise of integrity attacks. Usually we talk about malicious activity targeting networks’ confidentiality, integrity, or availability. Availability takes down the system. Confidentiality exposes secret information. Integrity doesn’t expose it so much as change it. For example, which is scarier: the New York Stock Exchange being taken down, or the New York Stock Exchange continuing to operate on unreliable trading data?
Malicious activity targeting integrity has been pretty rare, but we’re starting to see more players in this space. The increase of this sort of threat is one of the reasons we need to focus more on securing the interior of the data center and cloud. Malicious actors looking to impact integrity often need to move extensively through networks from where they enter to their eventual target. We’ll see more integrity threats in the years to come, and it’s one of the reasons we absolutely have to reduce the dwell time of malicious attackers.
2. Securing embedded systems. The Internet of Things is a very hot buzzword right now, but under the buzz, there’s a simple fact: The more we build computer systems into devices that impact the physical world, the greater the secondary consequences of intrusions will be. There’s an old joke that if we built cars like we build computers, we could get a car for $50 that would get 1,000 miles to the gallon, but it would crash twice a day. The technology industry has focused on very fast innovation, and accepted some instability because the consequences aren’t necessarily bad enough to outweigh the value of that innovation. But the consequences of instability go up drastically when you’re talking about an embedded system controlling a factory robot, an electrical power supply, or a car or home. The growth of embedded systems is drastically expanding the attack surface for malicious actors, and making it easier for those same actors to cause physical effects.