Charles Clancy, professor of electrical and computer engineering and director of the Hume Center at Virginia Tech, testified earlier Tuesday that, in order to address the growing security threats to wireless devices securely and reliably, we must focus on workforce development initiatives and public-private partnerships to foster innovation, threat information sharing, and risk mitigation.
An internationally recognized expert in wireless technology, Clancy was one of four witnesses at a hearing on “Promoting Security in Wireless Technologies.” Rep. Marsha Blackburn of Tennessee, chair of the U.S. House Energy and Commerce committee’s subcommittee on Communications and Technology, called the hearing to examine a variety of cybersecurity issues and challenges that face the mobile industry, as well as potential solutions.
In his testimony, Clancy cited examples of key cyber threats that have exploited thousands of devices for massive Internet attacks. These include the Mirai botnet attack against the Dyn Internet infrastructure company in 2016; the Android ransomware attack that affected LG smart TVs earlier this year; and the increasing number of privacy-compromising attacks that steal financial or other personal data.
One of the biggest challenges, Clancy told the subcommittee, stems from complex, interlinked ecosystems of device manufacturers, software and app developers, cloud infrastructure providers, and platforms for media and services.
No one entity controls enough of the ecosystem to guarantee unilaterally the needed security, he said.
“Another side effect is that regulatory authority is distributed across the Department of Homeland Security, Federal Communications Commission, Federal Trade Commission, and various other sector-specific regulators. Without a single ‘belly button,’ top-down approaches to achieving objective levels of security are infeasible,” according to Clancy.
“Consequently it is imperative that we develop mechanisms to foster continued collaboration,” he said.
Clancy explained that there are wireless systems, like cell phones, which operate over licensed spectrum, and services like WiFi, which operate over unlicensed spectrum.
“Cellular systems have the advantage of being centrally managed which helps ensure that security safeguards are implemented,” Clancy said, but he cautioned that security may be undermined when there is a need to continue supporting backward-compatible legacy technologies.
“Our new 4G-LTE systems are secure, but the 2G networks are vulnerable to a wide range of attacks that can compromise subscribers’ security and privacy,” he said. “Meanwhile as we look forward from 4G to 5G, a range of new technologies are under development that offer the opportunity to close current cybersecurity gaps while potentially opening up new ones in ways we cannot yet anticipate.”
Examples include software-defined networking, cloud-based radio access networks, and edge computing, all of which fuel applications for the Internet of Things — which connects everything from home appliances to industrial infrastructure to the cloud.
In the case of unlicensed technologies, Clancy pointed out that these have their own challenges.
“While residential WiFi networks are generally now operating with adequate levels of security, public hotspots and paid WiFi in hotels and airplanes remain vulnerable to attacks that have been well known for nearly two decades,” he said.
Clancy concluded his testimony by encouraging the subcommittee to act as a convener, bringing groups together to help set priorities for cyber defense based on a shared understanding of threats to critical networks and privacy of citizens.
He stressed a need for significantly increased investment in STEM-focused workforce development initiatives in both K-12 and higher education, as well as research funding from both industry and federal government in order to build in security from the start, rather than applying solutions after the fact. He pointed to the example of the National Science Foundation/Intel Labs partnership that jointly funds a $6 million grant program for Internet of Things security.
Clancy also expressed a need for programs that would incentivize universities to build programs to educate students on cybersecurity for telecommunications and, more broadly, critical infrastructure.
Joining Clancy as witnesses at the hearing were: Kiersten Todt, managing partner, Liberty Group Ventures, LLC; Bill Wright, director, Government Affairs and Senior Policy Counsel, Symantec; and Amit Yoran, chairman and chief executive officer, Tenable Network Security.