In the 1980s, Edward Amoroso was a member of the security design team for then-President Ronald Reagan’s Strategic Defense Initiative, the program that sought to build a space-based shield to protect Americans from a nuclear ballistic missile attack.

Now, as chief security officer at AT&T, Amoroso oversees a strategic defense initiative of a different nature – securing billions of bytes of information as they travel over the airwaves and wires.

On an average business day, nearly 24 petabytes of data travel over AT&T’s global backbone. Although that backbone includes 46.6 million access lines and 19.3 million wired broadband connections, a huge share of that information moves via wireless networks. In 2010, wireless connections on the company’s network increased by 8.9 million, the largest jump in AT&T’s history. The company also operates the country’s largest Wi-Fi network with 29,000 hot spots nationwide.

______________________________________________________________________

This article was originally published by the CGI Initiative for Collaborative Government.
______________________________________________________________________

Almost 18 million broadband customers in more than 150 countries use home Internet services, smart phones and other mobile devices to share information ranging from innocuous tweets and Facebook status posts to purchases containing highly sensitive personal banking information, tax returns with Social Security numbers, confidential medical records, and even commercial and state secrets.

In many ways, Amoroso’s challenge hasn’t changed: Allow people to conduct their daily lives blissfully under a transparent, trusted security umbrella they never see or want to see. But the cyber threats he now seeks to block, root out and destroy are much more subtle than an incoming ballistic missile.

Shifting the Front Line

The cybersecurity world has become much more complex in the intervening years. Today the term “hacker” connotes malicious intent, but 25 years ago, Amoroso used Unix operating system commands to access others’ machines and understood they were doing the same to his computer. The environment was collegial, but that changed when commercial and public entities began adding important information and transaction capabilities, he said.

“As soon as mobile became part of the infrastructure of a company, the military, power companies and so on, it’s not enough to say, ‘Oh, well, I’ll just promise to not [use what I find],’ which is what we did in the early days of the Internet,” Amoroso said. “When you go from convenience to necessity, then suddenly the underlying infrastructure becomes important, and that’s where the security comes in.”

As the Internet evolved, it went from being a tool for technologists to being a required part of personal and professional communication. We now expect to be able to communicate on the go anytime, anywhere with confidence and security.

“Remember when your BlackBerry or your smart phone was a convenience?” Amoroso said. “Today, it’s a necessity. When you go from convenience to necessity, then suddenly the underlying infrastructure becomes important, and that’s where security comes in.”

Hackers’ intent is of little consequence to Amoroso; his response is the same regardless of whether the suspicious activity comes from a curious kid or a malevolent nation state.

“The problem for us as [Internet service providers] is that a kid in a garage hacking and a nation state hacking look the same,” he said. “It doesn’t do you much good to get yourself wrapped up in the intrigue because we’ve seen teenagers who are really, really good, and we’ve seen nation states that are really, really bad.”

Amoroso said it’s unfair to expect consumers who are largely untrained in technology to be systems administrators fighting toe-to-toe with expert hackers. In the early days, the contracts between ISPs and their customers stated that all the providers had to do was move traffic the way a phone company connects callers.

Today, customers don’t want every piece of data coming to them out of fear of hackers and viruses, Amoroso said. They want a virtual Do Not Call list. He believes the future of security lies in virtualization, which means moving identity management and threat detection to the cloud.

In that scenario, Amoroso said, “I just tell the ISP, ‘Here’s my policy: I want you to filter the viruses from my e-mail, I want you to filter spam, and I’d like these services to be allowed and these services to not be allowed. I don’t want my employees on Facebook, for example.’ The Internet Service Provider can very easily do that for wired and wireless service.”

Virtual makes sense to the next generation of mobile users. They accept that systems are maintained virtually, he said, and they easily relinquish control.

“If I look back over decades, it becomes crystal clear that security in the mobile ecosystem has to become virtual,” Amoroso said. “If the computer was basically a virtual terminal or virtual desktop and there wasn’t as much software there and more of it was in the cloud, then you wouldn’t have so much to break, right? The way Facebook doesn’t break because it’s out there somewhere.”

Amoroso puts the alternative in perspective by asking, “Do you really want to have to worry about doing security administration on your BlackBerry? No, not in a million years. Let somebody else do it.”

“As soon as anybody under 25 is in a position of leadership, you know it’s going to be mobile, you know it’s going to be virtual, you know it’s going to be cloud,” he added. “All those words are things that are connected to youngsters.”

One way to secure what’s “out there somewhere” is to create decoys, Amoroso said. Deception is a highly understudied and underused, although well-proven, form of defense. Setting up decoys that mimic actual infrastructure can trick adversaries into thinking they’re attacking something real, he said. “You can imagine the uncertainty [for attackers] that comes out of that type of arrangement and the value to anybody protecting critical infrastructure,” he said in a video about protecting the national infrastructure from cyberattacks on AT&T’s Tech Channel.

Securing the Insecure

The root of the problem with cybersecurity lies in the fact that the Internet was not built with security in mind, Amoroso said, and retrofitting it for protection is an ongoing, inherently faulty process.

“The infrastructure was built to support cooperation and communication and the collaboration between different groups,” Amoroso said. “Protocols were designed that way, systems were designed that way, software was designed that way. The computer you have at home was designed that way. There’s no inherent or intrinsic security, you just plug into an Internet service provider.”

When the Internet went from being a tool of the Department of Defense to one of the people, every sector of the U.S. economy wanted to be part of it. “We had a big time-out and retrofit security onto the whole thing, and it was never retrofit properly and it’s still not retrofit properly,” Amoroso said.

To fix that, he said, two main problems with the Internet have to be solved: domain names and routing.

“The Domain Name System to this day is a pretty easy thing for someone to go in and muck around with and cause problems simply because it was designed as a very collegial thing,” he said, adding that “it’s tremendously easy for someone at the ISP level to redirect you around.”

For example, in April 2010, the networking hardware that routes Internet traffic sent requests from 15 percent of IP addresses through China, knocking many websites, including U.S. government ones, off-line, according to a Nov. 23, 2010, article by the Massachusetts Institute of Technology’s “Technology Review.”

One of the steps Amoroso recommends for improving security is diversification, as opposed to the current practice of interoperability. He acknowledges that interoperability has its advantages, including reduced training costs, ease of use and ease of procurement. But the pros don’t outweigh the cons. Interoperability “is a situation where an attack, a worm, a botnet – some sort of malware – once it finds its way into the enterprise has an almost trivial path to the rest of your infrastructure,” Amoroso said in the AT&T video.

The rise of mobile applications and the ease of simply clicking and downloading an app have further complicated the security puzzle. Gone are the days when no one would insert a disk into a hard drive unless it came in tamper-free shrink wrap from a reputable store. “All of that is broken down now with the concept of an app store,” he said. “Some of us still think about buying a shrink-wrapped copy of Microsoft Office and here it is, I can put my arms around it. It’s mine. It’s not off in Neverland. Kids don’t think that way. I buy shrink-wrapped Office for my kids and they say, ‘Dad, that’s stupid.’”

Fixing the Information Superhighway

In “Cyber Attacks: Protecting National Infrastructure,” published in November 2010, Amoroso suggests actions government and commercial leaders can take to improve their security posture, such as separating internal assets, using multiple layers of protection and being aware of indicators that suggest problems before harmful effects are seen. He also offers larger policy recommendations to tackle the difficult work of overlaying security on top of something that was built to be open.

“We haven’t gotten to the point yet where we’re all comfortable that there are appropriate protections for things that we would connect to the Internet,” he said. “One of our goals as an ISP is to get to that point of ubiquitous trust in network infrastructure.”

Security takes time, Amoroso acknowledges, and he cites examples of technological advances whose safety concerns were gradually eliminated. “Lighting fixtures were dangerous things in the early days, and people were very nervous about using AC power,” he said. “Even cars in the early days were relatively dangerous.”

Computer science is still new and therefore open to vulnerabilities, he said, adding that people write software, the building blocks of the cyber world, and human error is inevitable.

“It’s almost as if we were building bridges out of blocks that we knew would fail,” he said. “When you drive up to a bridge, there’s a big sign that says, ‘Wait a minute, before you go over this bridge, you have to click on this I accept button.’ If you read the ‘I accept’ screens for software it says, ‘This really doesn’t work and if there’s a problem, it’s your fault.’”

“Security generally is something that comes in after a particular device, system or infrastructure becomes important,” he said. “As an engineer, I wish security were incorporated in advance because we all know that’s the time to do it, but unfortunately – maybe it’s an American thing, maybe it’s a human thing – we often don’t want security to get in the way of adoption, and that’s happening over and over again.”

Vulnerabilities can run from trivial to potentially catastrophic, as in the case of nuclear power plants, Amoroso said. Ten years ago, engineers with minimal computing knowledge linked dial-up modems to electromechanical controllers to enable remote maintenance and administration.

On the surface, that capability saves workers time and organizations money, but Amoroso pointed out that if workers can access critical infrastructure from home, so can hackers.

“These are extremely intelligent people who run these systems, but they’re not computer scientists and they certainly haven’t been trained in computer security,” he said.

Amoroso is on a mission to adapt security to the existing information superhighway so everyday people can use mobile solutions with confidence. It won’t be easy, but drawing on the 10 principles outlined in his latest book, he believes achieving that kind of assurance is possible. For example, he recommends being discreet about the details regarding your technology, software, systems and configurations to help avoid or at least slow some attacks. He also emphasizes raising awareness among IT managers so that they can understand and recognize the difference between normal activity and potentially dangerous anomalies.

Geek-Ridden Start

As a kid in Fort Monmouth, N.J., Amoroso knew two things: He liked computing and he wanted to work at Bell Laboratories. In fact, he said computing is in his DNA. His father was a computer scientist at the Army’s Communications-Electronics Command, and both his brother and sister are computer scientists.

“The whole family is pretty seriously geek-ridden,” Amoroso said. “I grew up in and around the Internet. When I was a young teenager, I was sitting in front of a computer terminal logging into the ARPANet in the mid-’70s, poking around and looking at things, so I always had an interest in computing.” ARPANet – the Advanced Research Projects Agency Network – was the precursor to today’s Internet.

Amoroso fulfilled his dream of working at Bell Labs in 1985 and became one of a small group of people who were paying attention to cybersecurity in that decade. He notes that only about 300 to 400 people attended the annual National Computer Security Conference (now the National Information Systems Security Conference) as recently as the mid-1990s.

“At the time, this security discipline was a sleepy sort of thing where you had some hackers and weirdos doing it and people doing cryptography,” said Amoroso. “I loved it because for the first 10 years of my career I was in the lab. I was in bliss.”

Between studying the ills of cybersecurity and the potential cures, Amoroso continues to revel in technology, particularly how it helps him stay in touch with his daughter, who’s away in college.

“I know my daughter’s schedule. I know what kind of day she’s having,” he said. “Now I have instantaneous, ongoing communication with everybody, which is both good and bad, but the point is that the technology bends to fit our lives.”

Amoroso recognizes that just as his focus has shifted over the years from ballistic missiles to even more nuanced warfare, his children’s generation will continue the fight. But his job today is twofold: filling the security gaps created by a technology that has experienced unprecedented and exponential growth while anticipating and warding off new threats in the increasingly mobile world.