In today’s technology-driven world, the importance of cybersecurity has never been greater. To help push this point forward, the Naval Postgraduate School (NPS) hosted a Secretary of the Navy Guest Lecture (SGL) with speaker Mary Ann Davidson, the chief security officer at Oracle Corporation, one of the largest software companies in the world, Mar. 8 in King Auditorium.
The former U.S. Navy civil engineer spoke about the importance of cybersecurity, the challenges involved in promoting it, as well as the importance of implementing concepts from different fields into the cyber defense arena. She praised the military mindset and said that many aspects of military life and military history influence the way she looks at cybersecurity.
Davidson spoke about how the military has become more dependent on Information Technology (IT) and therefore more vulnerable to it.
“Warfighting now relies on an IT backbone,” said Davidson. “Information has become your force multiplier and now the network itself has become the battlefield.”
She cautioned, however, that while technology can give a great advantage, it can also be an Achilles’ heel, and that although the U.S. has a powerful military, a weaker opponent could cause serious problems by attacking U.S. networks and stealing technology. She said that technology cannot be an advantage if current and potential enemies can easily gain access to it.
Davidson stated that the military understands this concept but she still sees many challenges in making developers think in a defensive way.
“My biggest issue is convincing people, who are truly excellent technicians, that there are bad guys out there,” said Davidson. “This is not a problem that I would have with probably anybody in this audience.”
She went on to say that most experts in the commercial world lack defensive vision and don’t see the possibility of an attack. This is the reason commercial software is not in all instances designed for the threat environment in which it has been placed, and this has significant ramifications.
According to the National Institute of Standards and Technology (NIST), Davidson said, the cost of poor security in the U.S. alone is between $22-59 billion a year, making this a concerning issue.
Davidson said that in today’s technology assurance arena, technicians spend too much time on repetitive software patching; if the software were designed with defensive measures from the beginning, these technicians could focus on more productive tasks.
“If the quality of commercial software assurance were better you wouldn’t have to patch your systems,” Davidson added. “And frankly it would make attackers work harder and making bad guys work harder is a good thing.”
This, she said, would have knock-on benefits to everybody by increasing the quality of commercial standards.
NPS student, U.S. Air Force Capt. Jesus Raimundi, III, a Cyberspace Operations Defense officer, discusses systemic problems with acquisitions and information flow between cybersecurity professionals and top decision makers in the DoD.
Davidson admitted, though, that commercial assurance would probably never meet the requirements of high mission-critical assurance, and that there will always be specialized systems that require customized software built specifically for that purpose from the ground up.
“The commercial marketplace will simply not be able to support that high level assurance,” said Davidson. “Having said that, it could still be better. If you get that commercial level to rise, there would still be those knock-on benefits and that is a goal well worth pursuing.”
To reach this goal, Davidson suggested that there should be some key changes – in particular, a cultural change in the way universities educate their students.
“The cultural shift I would like to see starts in universities,” said Davidson. “We hire a lot of very smart developers and they all come from very impressive schools with master’s degrees and Ph.D.s, and you know the one thing they all have in common? They don’t know diddly-squat about security.”
She said that she spends a great deal of time retraining these very talented engineers and trying to instill an assurance mentality. She said she would like to see more of a hacker mentality in her engineers to help them think of every possible avenue of attack.
Davidson also said there should be more accountability, overall, emphasizing that governments must be catalysts for change. She noted the government should take steps in the way it buys software – require more transparency, make better acquisition decisions and develop a standard of assurance. This would have a positive effect on the industry, Davidson said.
Requiring a standard of assurance would save money and force suppliers into sensible decisions by creating simple, automated products with secure configurations without unnecessary software that would not be used but would still require maintenance, Davidson explained.
Also, demanding a better product would create a competitive environment that would by its nature create better products, she said.
Davidson summed up her lecture by commending the military audience. She said that it was in the military where she learned about leadership and that she really enjoyed hearing about their accomplishments. Davidson said that the lessons learned by the military would really influence change in the way the commercial world would build a critical infrastructure of assurance and that it would change the way in which they think about defending it. It would completely change the dynamics, she said.
“I’m here mostly to thank you,” concluded Davidson. “I want to thank each and every one of you for your service. I know that seems to be a trite phrase but I truly mean it. If I could do something that makes our systems better for the people who work in defense and intelligence I have earned my salary and I’ve justified my existence.”