Security Strategies

Amoroso: Expect Devastating US Cyber Attack

NEW YORK -- Service Provider & Enterprise Security Strategies -- Ed Amoroso, AT&T's recently retired chief security officer, predicted on Thursday that there will be a major and devastating cybersecurity attack on the US in the next four years and challenged the security professionals gathered here to be more vocal in insisting their companies and this country be better prepared.

Amoroso, who retired last March and now operates his own company, TAG Cyber LLC, said the time has passed for "talking down" to CEOs, boards of directors and legislators, and instead urged telecom security professionals to speak up, demanding more resources and making clear the threats that lie ahead.

"I believe that during the next presidential administration, we are going to see a massive cyber attack on infrastructure," Amoroso said. "I believe it is going to be of devastating proportions and I think we are not ready for it."

During what he calls "the grace period" -- before the attack occurs -- Amoroso said telecom security professionals are uniquely positioned to take action to protect the infrastructure.

"It is not going to come from enterprises, it is not going to come from the government, this is an infrastructure play," he said.

High on his list of advice to telecom security professionals is the idea that they stop protecting executives, boards of directors or even legislators from what they don't know or understand. Basically, Amoroso is calling for the telecom security sector to insist that those in charge step up to the current reality and get informed.

"You have got to get a little more vocal -- I know you have a boss somewhere, telling you are not allowed to do that but do it anyway," he said, adding that security skills are so hard to find that most folks won't get fired for being honest. The telecom security community needs to speak up to "help people understand that these are infrastructure problems that need to be solved by smart people who understand how DNS works, how routing and autonomous systems work, how virtualization can be realized at scale using open source and OpenStack and how NFV and virtual managed security services can make a difference. Those are all things you understand and every one of those can make us more secure."

"I think it's time for them to have that paralyzing fear that they just don't understand," he said. "I think we are at that point."

Amoroso bemoaned the total lack of cybersecurity expertise among the incoming federal government leadership, saying the imminent attack should be a top priority but isn't. "We have a president-elect who says 'the cyber,'" he said with a tinge of disgust.

But his attack wasn't totally partisan -- Amoroso called John Podesta, Hillary Clinton's campaign chairman, "a case study in what not to do."

"What we are loyal to is infrastructure and our country and protecting what we have -- I don't care who the president is," he said. "It doesn't matter if it is Hillary Clinton or Donald Trump, I think I would be giving the same speech here. I believe something is coming -- I believe that this administration will be defined by cyber terrorism in the same way that George W. Bush's presidency was defined by physical terrorism."

He pointed to two common approaches to addressing security issues -- compliance regulations and information-sharing requirements -- as pointless and time-consuming exercises. The former should be done once and done right, Amoroso said, criticizing the time wasted on paperwork after that, and the latter isn't an effective approach in a time of crisis -- which is where he thinks the US is today.

"Do we really want an infrastructure where everybody has a walkie-talkie and a helmet and field glasses and when they see incoming, they tell everybody else?" he asked. "And that is our scalable, sustainable architecture? Do we really want that?"

Instead, in the same way that the US once rallied behind the World War II war effort with everything it had, the nation now needs to rally behind the cybersecurity effort with everything it has, giving those on the front lines the funding and ammunition they need to implement the right approaches to protecting infrastructure -- and from Amoroso's viewpoint that's a highly distributed approach to security that eschews perimeter protection and incorporates things like machine learning. (See AT&T's Amoroso: Build Botnets of Security.)

"That's something that should be an outrage -- 'what do you mean my service provider or my DNS provider or my hosting provider or my software developer doesn't have everything they need to make things secure?' -- that should be an outrage, that should be the role of government," he said.

Amoroso also encouraged anyone who wanted to focus on retribution against those who hack the US or offensive measures in retaliation to instead focus on preventing attacks. While the hacking of the DNC is widely attributed to the Russians, the reality is that there are five countries -- the US, Russia, China, Israel and the UK -- whose security agencies have the ability to hack into whatever they want and make the attacks appear to come from anywhere they want.

Instead of wasting energy in trying to make attribution for an attack, the telecom security sector should work harder on trying to prevent attacks, he said.

"All the energy spent on attribution is wasted energy," Amoroso said. Any of the five countries he cited is able to get away with hacking because it can make it look like someone else did it -- which makes it the perfect crime. "The energy for this group should be focused on making those things impossible and not on attribution, only because you run around in circles."

Specifically, the telecom security folks need to focus on fixing the infrastructure, including doing what Amoroso calls "some simple things," which will go further than a national debate over who is doing what to whom.

— Carol Wilson, Editor-at-Large, Light Reading

COMMENTS
Foundera69353 12/5/2016 | 5:31:01 PM
Re: FUD-based marketing pitch
Ed Amoroso here: While I agree that the statistical probability of something happening in the next four years lends well to making broad "expert" predictions, that's not really what I was hoping to convey. I believe that a serious, life-threatening cyber attack of enormous consequence will come during the next White House administration for several reasons: First, my experience is that many of the more serious cyber attacks are prompted by the belief that some target entity, group, or individual can be easily provoked. Second, my experience is that with improvements in data protection, the next logical APT step involves destructive cyber attacks, which are quite a bit more devastating. And finally, when I graph attack intensity estimates (such as DDOS pps or bps), I see a logical inflection point where things will begin to change. DDOS attacks, for example, are roughly hitting national peering capacity, so they must change - and this will not be for the better. Finally, your point about me running a consulting firm is flattering. Sadly, my consulting group right now is just me - and I cannot take on any more work than I already have. Maybe next year, I'll hire some people and then I guess you will have a reasonable point about me being a grubby marketing consultant. But for now, it's just me. Thanks for taking the time to comment, Ed
t.bogataj 12/5/2016 | 2:01:58 AM
FUD-based marketing pitch
One does not have to be a genius to "predict" that something is going to happen in the next four years -- it is merely a matter of statistical probability based on historical data.

And the "call for action" is expected from someone who runs a security-consulting firm.

Carol Wilson 12/2/2016 | 1:28:40 PM
Re: Very powerful stuff
I think your last point is the key thing, Patrick.

We heard from multiple folks, including John Marinho, Ed and Dale Drew from Level 3 - I am about to post a story on his talk - and one point I kept hearing was that technology would allow ISPs to do more to block bad traffic, but there are reasons why they can't just do that on a blanket basis. 

And that's where policymakers need to be able to step in. But first they have to truly understand the issues and that starts with knowing what they don't know and, as you said, getting uncomfortable with the current state of affairs. 
pdonegan67 12/2/2016 | 12:24:37 PM
Very powerful stuff
This was an unusually powerful talk, even by Ed's standards.

I thought one of the biggest points he made was that while a great many professions are very well represented in Congress in terms of the previous backgrounds and experience of law makers - finance, public service, law, education etc -  hardly any have a background in computer science or cyber security. 

Hence hardly any law makers truly "get it", and far too many comfort themselves all too easily with tough-sounding declarations, many of which are inoperable, counter-productive or both.

John Marinho from CTIA alluded to similar arguments yesterday, albeit his role curtails his freedom to expand on them as fulsomely as Ed is able to now.

As a Brit I know that I really can't go too far wrong by keeping my nose well out of U.S. politics.

As a network security analyst, I can nevertheless reflect that Ministers, Prime Ministers, Senators, MPs, and Congressmen and women, of all kinds, and in all countries, have to have much more intense exposure to this kind of hard, real-world, expertise and insight. 

To Ed's point, their comfort level with their own ignorance has to be unacceptable.
