Cyberwarfare increasingly crosses international borders, affecting diplomacy, the global economy, and privacy of citizens. Governments and corporations must set new frameworks to defend against nation-state attacks.
This issue was the focus of the Institute for Information Security and Privacy’s (IISP) Cybersecurity Summit, featuring the Sam Nunn Bank of America Policy Forum, on Oct. 4. More than 270 cybersecurity academics and professionals attended the 16th annual event. IISP Associate Director of Policy Peter Swire organized this year’s policy focus. The combined event was due in part to the generosity of sponsors — including Bank of America for the Nunn Policy Forum, and Jones Day, Turner, and ADP for the Cybersecurity Summit.
Andy Ozment, a College of Computing alumnus and chief information security officer at Goldman Sachs and former secretary for cybersecurity at the U.S. Department of Homeland Security, delivered the keynote, In the Crosshairs: When You're the Target of Nation-State Cyberattacks. His expertise in both government and corporate security set the tone for the day as he advocated for “reasonable cybersecurity.”
“If a sovereign adversary is willing to take a year of their time and thousands of their people, I can’t keep them from breaking in,” he said. “You need to think about resilience strategies.”
He suggested both companies and governments need to track threat environments to prevent attacks. Although the government can’t help every company, it can concentrate resources on certain areas and set a precedent to deter attacks.
“The more expertise the government can share the better,” he said. “I don’t have a way of changing attackers’ behavior, but the government does.”
Senator Sam Nunn, a champion of cybersecurity policy and research, also made remarks. He is focused on issues of cyberwarfare, effective deterrence, cyber offense, attribution, the role of the private sector in working with the government, and cyber understandings with other countries to restrain attacks.
"I'm very proud of the role Georgia Tech is playing in security," he said.
Nunn’s remarks led well into the first panel on how governments can better protect against cyberwarfare, The Elephant in the Room: Cyberwarfare is War on the Economy, moderated by Annie Antón, IISP’s associate director of privacy engineering and School of Interactive Computing professor. The panel included:
- Michèle Flournoy, co-founder and managing partner, WestExec Advisors; former undersecretary of defense policy, U.S. Department of Defense
- Rick Ledgett, advisor, fellow, and trustee; former deputy director, National Security Agency
- Michael Morell, advisor and author; chairman of the National Security Task Force, U.S. Chamber of Commerce; former acting director and deputy director, Central Intelligence Agency
- Niloofar Razi Howe, technology investor, executive and entrepreneur; recently chief strategy officer and senior vice president of strategy and operations, RSA
The discussion centered on deterrence and how governments could effectively deter nation-state attacks without compromising security.
“We’re in a deep deterrence hole,” Flournoy said. “State sponsors of cyberattacks have come to believe they can attack our core democratic processes, and we will do nothing. The first order of business is to try to reestablish some measure of deterrence in cyberspace.”
Just before lunch, IISP Co-Executive Directors Michael Farrell, principal researcher at GTRI, and Wenke Lee, Imlay Chair and professor in the School of Computer Science, presented an award to r00timentary for their capture the flag (CTF) victory at this year’s DEFCON conference. r00timentary team members include Assistant Professor Taesoo Kim and his Ph.D. students Insu Yun, Wen Xu, Soyeon Park, Jinho Jung, master’s student Po-ning Tseng, and alumnus Yeongjin Jang.
The afternoon panel, Who’s Wearing Your Flak Jacket? Corporate Defense for Nation-State Attacks, emphasized corporate responses to cyberattacks. Moderated by Sam Nunn School of International Affairs distinguished professor and Admiral Sandy Winnefeld, it included:
- Jim Harvey, partner, Alston & Bird LLC; co-Chair of Cybersecurity Preparedness and Response; leader, Data Privacy and Security
- David Kris, founder, Culper Partners LLC; former assistant attorney general for national security, U.S. Department of Justice; former deputy general counsel, chief ethics and compliance officer, Time Warner Inc.
- Tony Scott, former chief information officer, U.S. Government, VMware, Walt Disney Company; former chief technology officer, General Motors Information Systems & Services
The panel broke down how to find vulnerabilities in a company and why it’s so important for the government and corporations to work together.
“The relationship between government and private sector regarding cybersecurity ebbs and flows,” Kris said. “Private companies generally don’t want the Feds in their network, but increasingly see the benefits from engaging DHS and, when needed, the FBI. From the government side, they’re puzzled that some of these companies tell the public about an advanced persistent threat first.” Enhanced information and threat sharing was highlighted as critically important for defending against nation-state attacks.
The summit also included a “Two-Minute Madness” session, when students took the stage for short presentations on their cybersecurity research. This was followed by a poster session showcasing student research, where event participants engaged students in Q&A. All of this was a part of IISP’s annual Demo Day festivities, in which students compete for cash prizes and potential follow-up support to take their research to the next level. The top three teams walked away with a combined total of $10,000 in prize money, after a popular vote from all participants determined the first winner and an expert panel of local chief information security officers (CISOs) selected the second and third-place winners. A bonus award was given to a team of student researchers, giving them automatic entry into Tech’s exciting Create-X program, an initiative to instill entrepreneurial confidence in students and empower them to launch real startups.
The event ended with breakout sessions on FinTech, smart cities, and the role of artificial intelligence (AI) and machine learning (ML) in cybersecurity.
- FinTech: Cybersecurity Risk in Financial Services and FinTech explored cybersecurity and regulatory considerations for FinTech companies, financial exchanges, payment processors, banks, and other financial services companies.
  - Moderated by Georgia Tech’s Sudheer Chava, with cybersecurity executives from Jones Day, RELX Group, Intercontinental Exchange and Bank of America
- Machine Learning: The Essentials of Cybersecurity for AI and Machine Learning explored the new considerations for CISOs, network administrators, and frontline responders associated with ML, and recent advances, including research underway at Georgia Tech.
  - Moderated by Patrick Gaul from National Technology Security Coalition and Wenke Lee of Georgia Tech, and executives from Turner Broadcasting and JASK
- Smart Cities: The Security of Smart Cities under Nation-State Threats focused on the critical risk factors that need to be assessed as smart cities and vendors prepare for the evolving risks.
  - Moderated by Georgia Tech’s Margaret Loper, with executives from Honeywell, IPaT at Georgia Tech, Bastille Networks, and Prototype Prime