ACAMS 2017 Day One Keynote – Author Fred Kaplan
On Dec. 19, 2014, President Barack Obama stood in the White House and addressed the attack on Sony Entertainment by hackers connected to North Korea. For Fred Kaplan, author of Dark Territory: The Secret History of Cyber War and a columnist with Slate, this was a defining moment in the security space. As he explained, who knew a hack of a movie studio would require a statement from the President? And yet, the cyber security landscape is changing in ways many professionals are unprepared for.
This was the cautious message delivered to a packed house during this morning’s opening keynote at the ACAMS (Association of Certified Anti-Money Laundering Specialists) 16th Annual AML & Financial Crimes Conference in Las Vegas.
Despite Kaplan’s words of caution, he reminded the audience, “For a lot of you, this whole cyber business is a new thing, but this is nothing new.” He went on to talk about the work of Willis Ware from the Rand Corporation. Ware saw the value of sharing information on a network, but he also understood the vulnerabilities of having electronic data with multiple points of access.
For many of Ware’s contemporaries, his concerns were seen as something of a “buzzkill.” To them, Kaplan said, it was like pushing the Wright Brothers to immediately fly their plane for a second time, only asking them to “build it bigger” and “carry passengers for miles.” It was this attitude that meant not a lot was done with regard to cyber security at the time.
Things changed, Kaplan described, in 1983 when President Reagan watched the film War Games, where an unsuspecting Matthew Broderick almost triggers thermonuclear war playing what he believes is an online computer game. When Reagan went back to his advisors at the White House, he asked if something like what happened in the movie could happen in real life. As Kaplan said, the general tasked with “looking into it” went back to the President and simply said, “It’s much worse than you think.”
At that moment, the government set to work developing a cyber policy. As Kaplan described, what was written then in 1984 read like a security protocol one would write today, though, as he noted, much of the policy was focused on the security of military systems.
Things changed in 1995 after the Oklahoma City bombing when President Bill Clinton formed a group to look at government cyber vulnerabilities, including “critical infrastructure,” covering not only water and power systems, but also banking and financing networks. As Kaplan explained, those in the banking and finance industry were confused by this, and some responded by asking, “You mean vulnerabilities against bank robbers?” And yet as Kaplan said, this was a security issue that our nation had known about since the 1960s.
“At that time it was denounced as Orwellian,” he said, but it didn’t take long for the industry to take notice of the threat landscape. In fact, he explains, the industry needs to sharpen its focus on security further to make sure that systems have redundancy built in.
Kaplan used the example of the military, which has incorporated cyber intrusion exercises into its war game strategy. As he explained, the military knows that someone will always “get into the system” during these exercises. The Navy has even begun training commanders to navigate their vessels via sextant – a centuries-old navigational tool – just in case a ship is cut off from the network. As he notes, the banking and finance industry needs to take note and prepare for “the inherent fragility of our infrastructure.”
But a new threat has emerged in our new, hyper-connected world. While the Internet of Things (IoT), with its “smart appliances,” signals that we now live in “a Jetsons’ fantasy,” Kaplan voiced caution.
“We’ve given bad guys the rope with which to hang ourselves,” Kaplan said. “The big danger of IoT is that someone will hack into your smart home, and they can amass all the data and recruit everything [in your home] as digital bots. They can be used to trigger a DDoS attack.”
While this was a sobering moment in his speech, Kaplan noted that there is some hope.
“You can’t keep people out [of your house], but that shouldn’t mean you don’t make better locks or better doors,” he explained, adding that while you can’t protect everything, security professionals should hone their focus on the “things that are vital” to protect.
But Kaplan issued this final, reflecting again on one of Willis Ware’s early concerns about computer security.
“The only secure computer is a computer no one can use.”