NEW YORK -- Service Provider & Enterprise Security Strategies -- Ed Amoroso, AT&T's recently retired chief security officer, predicted on Thursday that there will be a major and devastating cybersecurity attack on the US in the next four years and challenged the security professionals gathered here to be more vocal in insisting their companies and this country be better prepared.
Amoroso, who retired last March and now operates his own company, TAG Cyber LLC, said the time has passed for "talking down" to CEOs, boards of directors and legislators, and instead urged telecom security professionals to speak up, demanding more resources and making clear the threats that lie ahead.
"I believe that during the next presidential administration, we are going to see a massive cyber attack on infrastructure," Amoroso said. "I believe it is going to be of devastating proportions and I think we are not ready for it."
During what he calls "the grace period" -- before the attack occurs -- Amoroso said telecom security professionals are uniquely positioned to take action to protect the infrastructure.
"It is not going to come from enterprises, it is not going to come from the government, this is an infrastructure play," he said.
High on his list of advice to telecom security professionals is the idea that they stop protecting executives, boards of directors or even legislators from what they don't know or understand. Basically, Amoroso is calling for the telecom security sector to insist that those in charge step up to the current reality and get informed.
"You have got to get a little more vocal -- I know you have a boss somewhere, telling you are not allowed to do that but do it anyway," he said, adding that security skills are so hard to find that most folks won't get fired for being honest. The telecom security community needs to speak up to "help people understand that these are infrastructure problems that need to be solved by smart people who understand how DNS works, how routing and autonomous systems work, how virtualization can be realized at scale using open source and OpenStack and how NFV and virtual managed security services can make a difference. Those are all things you understand and every one of those can make us more secure."
"I think it's time for them to have that paralyzing fear that they just don't understand," he said. "I think we are at that point."
Amoroso bemoaned the total lack of cybersecurity expertise among the incoming federal government leadership, saying the imminent attack should be a top priority but isn't. "We have a president-elect who says 'the cyber,'" he said with a tinge of disgust.
But his attack wasn't totally partisan -- Amoroso called John Podesta, Hillary Clinton's campaign chairman, "a case study in what not to do."
"What we are loyal to is infrastructure and our country and protecting what we have -- I don't care who the president is," he said. "It doesn't matter if it is Hillary Clinton or Donald Trump, I think I would be giving the same speech here. I believe something is coming -- I believe that this administration will be defined by cyber terrorism in the same way that George W. Bush's presidency was defined by physical terrorism."
He pointed to two common approaches to addressing security issues -- compliance regulations and information-sharing requirements -- as pointless and time-consuming exercises. The former should be done once and done right, Amoroso said, criticizing the time wasted on paperwork after that, and the latter isn't an effective approach in a time of crisis -- which is where he thinks the US is today.
"Do we really want an infrastructure where everybody has a walkie-talkie and a helmet and field glasses and when they see incoming, they tell everybody else?" he asked. "And that is our scalable, sustainable architecture? Do we really want that?"
Instead, in the same way that the US once rallied behind the World War II war effort with everything it had, the nation now needs to rally behind the cybersecurity effort with everything it has, giving those on the front lines the funding and ammunition they need to implement the right approaches to protecting infrastructure -- and from Amoroso's viewpoint that's a highly distributed approach to security that eschews perimeter protection and incorporates things like machine learning. (See AT&T's Amoroso: Build Botnets of Security.)
"That's something that should be an outrage -- 'what do you mean my service provider or my DNS provider or my hosting provider or my software developer doesn't have everything they need to make things secure?' -- that should be an outrage, that should be the role of government," he said.
Amoroso also encouraged anyone who wanted to focus on retribution against those who hack the US or offensive measures in retaliation to instead focus on preventing attacks. While the hacking of the DNC is widely attributed to the Russians, the reality is that there are five countries -- the US, Russia, China, Israel and the UK -- whose security agencies have the ability to hack into whatever they want and make the attacks appear to come from anywhere they want.
Instead of wasting energy on trying to attribute an attack, the telecom security sector should work harder on trying to prevent attacks, he said.
"All the energy spent on attribution is wasted energy," Amoroso said. Any of the five countries he cited is able to get away with hacking because it can make it look like someone else did it -- which makes it the perfect crime. "The energy for this group should be focused on making those things impossible and not on attribution, only because you run around in circles."
Specifically, the telecom security folks need to focus on fixing the infrastructure, including doing what Amoroso calls "some simple things," which will go further than a national debate over who is doing what to whom.
— Carol Wilson, Editor-at-Large, Light Reading