MESA, Arizona (August 23, 2017) -- At the Arizona State University's Polytechnic campus, members of industry, academia and federal and state government were focused on cyber security and the roles of educational institutions and the public and private sector.
The university's first Congressional Conference on Cyber Security was unique for its concentration of members of Congress engaged on this issue of strong interest to the university, and critical to the state of Arizona and the Nation. Lawmakers representing Arizona were the key speakers and moderators for a series of panels with leaders from all sectors.
Panels were held on a variety of topics from defining cyber security and cyber incidents to workforce development and education, and advanced threats to protecting critical infrastructure. With the varying areas of expertise, there was always some difference of opinion on defining the underlying component -- cyber security and threats. And while many on the panels and attending were not in complete agreement on what constitutes a cyber-threat or attack, they all agreed it was something that required high-level attention.
"Most people think a cyber-attack is only something faced by big companies," said Arizona Rep. Kyrsten Sinema. "Cyber challenges are also faced by small companies."
Sinema recounted the story of a self-employed hair stylist whose data was held hostage during the WannaCry ransomware outbreak, and forced to pay $500 for its return.
One of the largest "companies" facing an almost constant barrage of cyber-related incidents is the Department of Defense. Representing the Army's Network Enterprise Technology Command at Fort Huachuca, Arizona, Maj. Gen. John Baker is in a unique position to give a real-time view of the network issues the Army faces on a daily basis.
"Our goal is to place ourselves in a position to detect and respond in two minutes or less to any situation," Baker said. "Responding to a problem we're trying to resolve in the DoD, we are averaging 21 days. In this ever-changing environment, that doesn't work very well."
Other problems that compound the issue include assigning responsibility -- what is called attribution -- to those committing crimes and attacks through online means. Even with the technology and forensics tools available, pin-pointing the culprit is often impossible simply because the level of cyber security is not where it should be.
"We have to solve security before we can solve attribution," said Ben Turnbull, from the University of South Wales, Canberra, Australia.
Panelists agree that improving cyber security will take a concerted effort by government, industry and institutions of higher learning.
Industry and some government leaders fully believe attracting the right people to fill the nearly 200,000 open positions today will require a full complement of tools early in life -- from research opportunities, internships, and even early learning programs in coding at the elementary and secondary school levels.
Baker also believes strides must be made for the current workforce.
"We face many of the same workforce challenges as those in this room," Baker said. "In addition to recruiting the new workforce, we must continue training our existing force and looking for opportunities to partner with academia and industry."
Some of the initiatives Baker is already considering for NETCOM is the expansion of its intern program to bring in more data scientists and engineers, and the possibility of setting up small presences near academic facilities that specialize in growing students with in-demand technical skills and development of innovative tools and capabilities for the network.
There is also the human nature aspect to cyber security; and it's not confined to the threat actor.
"Profiling (threat) actors is only just starting," said Prof. Nancy Cooke, a cognitive psychologist working with the university's Army Research Office, Multidisciplinary University Research Initiative.
"We are just getting into combatting threats based on understanding human nature -- what makes people trust and how we see threats."
Additionally, Baker mentioned the growing issue of insider threats and indiscipline within organizations as factors impacting network security.
It is currently estimated there will be close to one million vacancies in the cyber security field by 2020.