US Cybersecurity 'Still Catching Up With The Past,' Says Former US Army Cyber Commander Rhett Hernandez

The United States is facing so many foreign cyberthreats that the military has no choice but to prioritize critical infrastructure that's most important to Americans -- protecting things like the electrical grid, power plants and national security networks. The U.S. government and private companies also need to consider a range of problems that can heighten their vulnerability to hackers and data breaches, from a lack of education to the inability to retain top security experts. In fact, the only thing Americans can know for sure is that the recent, devastating hacks on Anthem health insurance and the U.S. Office of Personnel Management represent a sign of things to come.

That's the message from Lt. Gen. (Ret.) Rhett Hernandez. The former commander of U.S. Army Cyber Command, who was responsible for ensuring the Army and Department of Defense “maintained their freedom to operate while taking that away from others,” told IBTimes in an exclusive interview that, while the U.S. is less vulnerable than it was when he assumed command in 2010, there’s still a long way to go.

Hernandez retired from the military in 2013. He now works at the Army Cyber Institute and was recently named to the board of advisers at ProtectWise, a cybersecurity startup that monitors client networks by recording all the activity that takes place there.

We started our conversation with a look at signature-based detection, a common but outdated method of matching a strain of malicious software to known, previous attacks. Hackers easily avoid this by simply adjusting the programming code in their malware.

International Business Times: What’s the status of government programs like Einstein, the cybersecurity program that Chinese hackers eviscerated in the process of the hack on the Office of Personnel Management?

Rhett Hernandez: I think there’s an increased emphasis to fund the next version of Einstein. What I do not know is what the next version of Einstein is. Its previous version, and any capability that we have in place today that’s predicated on signature-based anti-virus protection, is, I think, doomed to failure.

In many ways we’re still chasing signature-based capabilities that do not have the ability to keep up with the current threats. We can’t write signatures fast enough. My analogy is baseball: If you hit .400 you might win the batting championship, but if you hit .400 in this you’re not doing very well. Just because you think he’s throwing a curveball doesn’t mean you’re going to hit that curve. Capabilities that provide an active type of defense in a behavioral-based or predictive-type manner is really where we need to be headed.

I still see us investing in capabilities that are trying to catch up with the past as opposed to where we need to be moving in the future.

IBT: How much of a concern is it for commanders and the government that the private sector is able to pay so much to smart young people from the best technology schools? Has it been an issue to recruit those people and keep them on staff?

RH: The job opportunities far exceed the pool available and, as a nation, we continue to lag further and further with regard to those educated in degrees that support science, math, engineering and technology. From a military standpoint it’s a total issue of recruitment and also being able to develop and retain. It’s asking, "How do we ensure that we provide them with a mission focus that excites them to be developed and want to stay?"

No one has the ability right now to identify, through some type of assessment tools, the propensity someone has to be successful in this area. We’re also forgetting that we’re losing them at the beginning because they really can’t get to the skill set we need initially.

If we’ve trained them and they go off and help the nation in an area that’s going to improve cybersecurity, then that’s good for the nation.

IBT: But this is the United States. The idealized U.S. we think of isn’t supposed to be getting hacked so often. What are American cyber capabilities like compared to adversaries?

RH: In this space the advantage goes to the hacker, and you just can’t defend everything all the time. It’s not an approach that says we can defend everything and anything all the time, and it’s not an approach that says we should accept [protecting] 80 percent when we don’t know, and in reality we might be protecting just 1 percent that really has the most significant value to your organization.

If we can’t do it now, then we really ought to be worried about where we’re going in an Internet of Things world. And there’s no doubt that over the past few years the capabilities of everyone has increased.

We’re seeing cyberarmies popping up all over the Middle East, we’re seeing opportunists trying to jump into the field and take advantage of some things, we’re seeing cybercrime grow at a nexus with cyberterrorism, espionage at scales we never even imagined. We’re trying to even figure out what to call this OPM thing – is it espionage? Crime? It’s not destructive, and we’re not sure it’s intellectual property theft, but it is at a scale we’ve never seen before, and it will affect generations to come.

What’s lacking most significantly is a clear deterrence policy that is tied to a clear policy with credible actions and a recognition that we’re raising the costs for others and causing them to not want to take that action. We’re not there yet.

It’s not necessarily a cyber for cyber; there’s potentially a full range of actions that could cause others to recognize they do not want to pay that cost. If we have a deterrence policy and take no action, then I do not think we should be surprised when the attacks against us continue to rise.

IBT: How much of an issue for you was information silo-ing? Is that still a problem now, when the NSA fails communicate to the FBI, for instance, that their cyberpeople should be on the lookout for a certain malware strain that seems to be coming from the Kremlin?

RH: I’ve thought about that a lot, and I’ve watched that a lot. Clearly, and I don’t just mean this from a military standpoint, if you want any type of operation to be successful you need to have situational awareness. I’d like to get to unprecedented situational awareness, where you see yourself, you see the threat and you see the cyberterrain in real time that allows machines and you to take the appropriate action.

We are far from that kind of nirvana, utopian world. The challenge is, if you look across the government agencies, very few have conquered the ability to even see yourself. I had people say to me, "You are responsible for defending all Army networks," then another guy would come up to me and say, "You can’t defend all Army networks because you can’t see them all."

Those challenges only get exponentially more difficult as you talk about what that means with respect to inter-agency, inter-government and then international. Step one then becomes not just seeing yourself but ensuring you can see others at the level you need to see them.

IBT: What’s your new role like at this cybersecurity startup, ProtectWise?

RH: Well, when I looked at ProtectWise I said, “Where were you when I was in command?” It’s a cloud capability that enhances cybervisibility, detection and response. I like the idea of this virtual camera that records everything on your network.

When you have detection, you now have a machine doing a look at everything in your network that tries to find where else this might me. When I had a breach, it took days to figure out what might have happened with that breach, but what I really cared about was "Where else has this happened and how do I keep this from happening again?"

With something like ProtectWise I’ve now got the ability to learn from the intrusion, and that helps me be more proactive in the future.