Chuck Brooks, president of Brooks Consulting, globally recognized as a subject-matter expert on Cybersecurity and Emerging Technologies, sees the coming proliferation of IoT devices as expanding the threat landscape. His experience helps to put it in perspective. In government, he has received two Presidential appointments, by George W. Bush to a legislative position at the Department of Homeland Security, and by Ronald Reagan as an assistant to the director of Voice of America. In industry, Chuck has served in executive roles for General Dynamics, Xerox, Rapiscan Systems, and SRA.
Today, Chuck is on the Adjunct Faculty at Georgetown University’s Graduate Applied Intelligence Program and the Graduate Cybersecurity Program, where he teaches courses on risk management, homeland security, and cybersecurity. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.
He recently spent a few minutes with AI Trends Editor John P. Desmond to discuss the state of cybersecurity today. Chuck is a speaker at the upcoming AI World Government event held both online and in Alexandria, Va., on Oct. 18-19, 2021.
AI Trends: What do we have to worry about today in cybersecurity?
Chuck Brooks: We have a lot to worry about. First, everyone is a target now because of the increased attack surface from remote work and from the interconnections of IoT devices. Now, everyone has several IoT devices at home, and they’re all entry points now for hackers.
Second, not only are these hackers a threat, they’re a more sophisticated threat. They’re using artificial intelligence tools, machine learning tools, to automate their attacks. So they don’t necessarily have to be on a computer looking at your email one at a time, they can do thousands at a time. It only takes one or two to make it happen and then you’re hacked.
Third, and probably the most critical thing you have to worry about, is that our infrastructure has been under attack. We’re looking at not just SolarWinds and Colonial Pipeline, but our energy grid, financial institutions and transportation systems—all of them are vulnerable for one reason or another. It may be because they’re legacy systems, built on legacy systems, with a lot of gaps. And hackers are now targeting that and they’re asking for ransomware payments, which are now more accessible [to hackers] because they can use cryptocurrencies. And they’re doing it many times with the help of state sponsors. So the criminal gangs are sharing their information and tools and sometimes even the money. It’s a real precarious world out there.
How about on the defensive side? What are the top current trends in AI in cybersecurity?
Well, AI does a lot of different things, and the first thing it does is it synthesizes information, and looks for patterns and correlations, much more quickly than previously possible. We’re really talking more about machine learning at this point, but artificial intelligence that encompasses machine learning and other things such as deep learning, allows defenders to look at the whole ecosystem at once. It can look for anomalies, pick them out and block them. It also allows defenders to process known threats and separate them from being on your computer or network. AI can also detect risky configurations, and it can be used for analytics, which is really important.
So AI has given us a huge opportunity to compensate for the lack of skilled cybersecurity workers and fill in gaps in security activities that in the past would have been done by adding people. Now we can do more with AI.
Can we ever go on the offense in cybersecurity? And, if so, how do we do that?
Well, we’ve already done it. A few years back, we had an incident in the Gulf where Iran took out one of our drones. And so we took out their network. That was an example of how capable we are in that area.
Offensive cybersecurity in some ways is easier because we’re on the attack, not the defensive, and it’s much more difficult for defenders to find those attacks. The reason it’s a precarious capability is that if you’re dealing with China, Russia, you’re dealing with equal capabilities or close to equal capabilities, which can inflict damage too. So it really is an asymmetrical type of offensive capability that we reserve for situations when it’s really needed.
But, yes, we have the ability to do it. We can put things in deep packets, we can get into networks, we can use insiders, we can do all kinds of back doors. There’s a lot of different ways. Everything a hacker can do, we have the tools to do and probably more.
Is there any forum where the US can sit down with Russia and China and talk through cybersecurity to see if we can reach some agreement, like we used to do with arms talks?
There has been talk of that, and it goes back to having the red phone when we had nuclear confrontations back in the ’60s. I think there’s a need for it because there are very strong capabilities, particularly on the Chinese and Russian side, so it has to be looked at. This current administration has already reached out and told the Russians not to do it, but that doesn’t mean anything. I think eventually there will have to be some formal treaty that says, for example, you do not use these offensive weapons or attack critical infrastructure. And it remains to be seen whether this will happen, but it’s a good idea to at least try to have a dialogue.
That’s encouraging. How about on the topic of ransomware? Is there any solution?
Well, there’s no one real clear-cut solution. But obviously the solution is, first, having a backup of your data. Because if you do get hacked, and they hold your data at ransom, you’re really in a tough spot. So you need to be able to have a backup somewhere on a different system and network to be able to operate.
The second thing is that we need to have laws that enable us to go after the perpetrators and charge them with crimes. So we need some enforcement capability, some international law enforcement cooperation, to be able to operate against these people. It’s a real issue right now. We have Interpol [International Criminal Police Organization], but there’s not much activity because some of these same governments who are part of Interpol are harboring these cyber criminals.
How do you think the current administration is doing with cybersecurity?
I think pretty well. It starts really with personnel, and they have brought in some very good cyber [security] people from industry, and others who really have experience, who know the players and what needs to be done. The administration had a strategy going in with DHS [Department of Homeland Security]. The DoD [Department of Defense] and NSA [National Security Agency] tend to operate by themselves, but I think we’re still a long way off.
We have realized that it’s a public-private cooperation issue, and where the administration is excelling right now is reaching out to industry. And so in that sense, I give them a B plus. I think they’re doing pretty well.
Are social media companies that permit the spread of misinformation security threats?
That’s difficult because you’re getting into a free speech area. As a First Amendment person, unless it’s violent or threatening information, I would leave it alone. I think people can discern for themselves on social media. It is being used for cyber hacking, though. That’s a different issue. And people are using social media platforms to gain information about people, find out passwords, find out things about their home, where they live and then use it for identity theft. So that’s a real problem. And they’re also using it sometimes to find buying habits and other things if they get hold of information off the dark web.
So social media is a different type of cybersecurity problem. I think, personally, this is a personal viewpoint, I think it gets difficult when the government tries to be in a censorship role. But for protection and cyber reasons, I think there’s a lot to be worried about with social media.
What’s the best thing that college students can learn or study about cybersecurity if they are interested in pursuing it as a career?
Well, I happen to be teaching. I teach at Georgetown University’s Cyber Risk Management program. So it starts with that, risk management. Your whole life is about risk management. And I think part of what students need to learn nowadays is security orientation. Everything they do has some security risks, whether it’s driving, or even going on a trip because of the risk of catching a virus.
Students really have to consider cybersecurity because everything they do now is more digital. All their papers, all their activities, all their communications, are based on their iPhones or Androids or their computers. And if they don’t have an understanding of the risk involved in what they put out there that may be used against them, whether it be when they are going for a job interview or whether they’re being exploited for ransomware, because they were too careless. So cybersecurity and risk management, the security implications of the digital world, should be an essential part of every course of study in college.
So is cybersecurity a good career path and what type of student do you think is the best fit for it?
Oh, it’s an excellent career path, mainly because there’re so many unfilled jobs and also because the threats aren’t going away. And there’s always, I think, a misconception that you need to be a coder or an IT person to really thrive in cybersecurity, but that’s not the case. Some of the best cybersecurity people have come from music backgrounds, where they think in patterns, for example. Also, cybersecurity can involve public relations, marketing and the sale of products as well as engineering.
The main thing is, it’s a learning process. You can get the background and an understanding of it. Then you can take specialized courses and get a certificate for them if you really have an interest, depending on what you want to defend and work on.
So it depends on how you tailor your career; I don’t think there’s any one person that necessarily fits the mold. I do think it’s important to have coders and people that understand the technical side, but it’s also important to have people with liberal arts backgrounds too.
How important is AI to cybersecurity, do you think? And does it have more potential?
Yes. You can see the amount of money being invested by the Department of Defense and Department of Homeland Security into artificial intelligence technologies. And the reason for that is because they’re differentiators. And, again, it goes back to several factors: one, that there’s a lack of qualified people to fill roles; but it also, it really goes directly to capabilities. With advances in computing and artificial intelligence along the way, we’re building the ability to synthesize so much data at once. And when this data is synthesized and correlated, it can lead to immediate actions being taken.
Artificial intelligence is really a catalyst for cybersecurity. Everything you do is based on the threat horizon. You need to know what’s in your system, and who may be doing things that are anomalies. You need to know if your sensors are being tinkered with if you are in industrial automation, for example. AI is going to be the backbone for all that.
How well, in your opinion, is the industry doing in offering software tools and services to help people with cybersecurity?
Well, it’s a marketplace and, unfortunately, it’s not always the best tool that gets bought. We see a lot of issues with multiple things being bought by companies when they don’t know how to use them, maybe because people have left. It comes down to good orchestration to use the products effectively.
I think we have many interesting things coming down the pipeline, particularly around encryption. The bottom line with industry is, it depends on the consumer market. And of course, there is the corporate market and the government market. For the consumer market, you want to make it as easy as possible, the lowest common denominator, something that can just make one click, and you’re protected.
Many interesting encryption technologies are coming out. Polymorphic encryption [in which the encryption/decryption pair changes each time it is used] is one that I’m really following closely because I think it will change the game. This will also impact Internet of Things devices, 98% of which are not encrypted. They might not have enough bandwidth, but encryption on the network connected to them could do the job. So I think that will be one of the areas where I think you’ll see a lot of interesting things.
Plus many interesting technologies around segmentation and Kubernetes [container management] in cloud technologies, particularly hybrid cloud, are making their way into the system. We are likely to see more adoption by managed service providers, because it takes some expertise to know what you need. Every company is different. The growth of those managed service providers with expertise who can come in and customize your networks and your devices, is going to be the next trend.
Is the impact of hacking tools used by the NSA that were released by Edward Snowden in 2016 still having an impact?
Absolutely. He did a lot of damage in what is referred to as an “insider threat.” And he took tools that were not only used by nation states, which he brought them to, but also by criminal hackers. And those tools are some of the better, more effective, tools that still have application today. It was a very dangerous situation, and I’m sure most people are not aware of the damage he inflicted, but they still apply to what is happening now.
Regarding IoT, what is the impact around IoT devices on cybersecurity?
We’re in a world where we will have 20 billion connected devices. Every one of those is an avenue for a hacker. It’s going to triple in the next 15 to 20 years. Everyone will have three or four devices, more devices than people on the planet. So it just, basically, gives hackers a field day. They choose their way to come in.
And so also the other aspect of IoT is that there’s really no one regulation or manufacturer standard for security. So you’re getting devices manufactured all over the world, put together and usually without much security. People don’t change the default passwords on their devices. So it’s a mess. And I think the only solution is to have a capability to monitor those IoT devices. I have seen some interesting companies and products doing that. In the future, we will have to know what’s in the network. It’s not going to be easy.
Do you have any advice for people as to how to protect themselves from all of these threats?
Yes. I would advise that the most prevalent form of hacking today is phishing. Don’t click on anything you don’t recognize from an email, and don’t fall for a fake bank or a promise that you won a lottery. That is some quick advice. Also, try to use multi-factor authentication if you can, such as a thumbprint or facial recognition on your device, in addition to your password. Strong passwords still work. The hackers usually go for the easiest, low-hanging fruit, and a lot of that is in small and medium businesses. They need the basics in place.
I would also advise that you segment your valuable data. If you have data that you don’t want anyone to read, don’t have it connected to your network. That’s another good part of advice. And then keep up with patching and antivirus stuff. A lot of the big companies, Microsoft and others, have products that are updated regularly. Use them and follow them.
Being prudent and vigilant does not mean you’re not going to get hacked, but it reduces your likelihood.
Thank you. Is there anything you’d like to add or emphasize?
Yes. We are now in a digital world where Industrial Revolution Four is here, the convergence of the physical and the digital. This brings new security implications between operating systems and IT systems—they are all meshed. So we have to be really cognizant that, from here on in, understanding what the threat is will be critical for our economic well-being and national security. All those aspects now need to be re-evaluated and looked at into the new threat landscapes that come with digital connectivity.