White House tech adviser addresses Stanford Engineering on cyber threats

Hackers are still ahead of network defenders, Obama official warns on eve of Obama's Summit on Cybersecurity and Consumer Protection.

John P. Holdren, assistant to President Obama for science and technology, speaks at Thursday's cybersecurity event at the Stanford School of Engineering. (Photo: Rod Searcey/School of Engineering)

On the eve of President Obama's White House Summit on Cybersecurity and Consumer Protection, a senior White House official visited Stanford Engineering to ask researchers and educators to help solve the conundrum of having free and open networks.

"It is easier to penetrate than to defend," said John P. Holdren, assistant to the president for science and technology and keynote speaker at Thursday's 90-minute event. The event drew more than 400 attendees and was webcast and recorded for online viewers.

Holdren, who is also director of the White House Office of Science and Technology Policy, characterized his appearance at the Feb. 12 panel discussion as the long-term complement to the call to action the president would issue the following day.

"New attack vectors are opening faster than we can identify them," Holdren said, adding that even as the nation works to stop breaches today, our goal must also be to "transform the cybersecurity landscape in a 10- to 20-year time frame" to give defenders rather than attackers the upper hand.

Larry Kramer, president of the William and Flora Hewlett Foundation, which last year provided the funding to launch the Stanford Cyber Initiative, kicked off the panel discussion by observing that networks have already touched many aspects of daily life, here and abroad, even as new online applications, like self-driving cars, approach rapidly.

"How are we going to make this work over time?" Kramer asked rhetorically, noting that networks – whether speaking of vulnerabilities or countermeasures – crossed state and national boundaries, challenging legal and rule-making processes.

"At some point we're going to have to think about multilateral solutions," said Kramer, a former dean of Stanford Law School, stressing that a long horizon is essential given how rapidly technology is advancing. "Generally speaking, it's not a good idea to make a path without knowing where you want to go."

John Mitchell, a professor of computer science and vice provost for online learning at Stanford, noted how computing had evolved during his career from the province of specialists to ubiquitous tools for interpersonal communications.

The challenge is to continue expanding the benefits of connectivity while minimizing the risks, he said.

"We are making progress," said Mitchell, who is also the Mary and Gordon Crary Family Professor in the School of Engineering. "There are good people in universities and industry trying to solve this."

Parisa Tabriz, who leads the Chrome security team of hired hackers at Google, used her remarks to echo observations about vulnerability and highlight some of the tactics her company employs to protect itself.

"Defenders have to protect every vulnerability," said Tabriz, who also contracts with the U.S. Digital Service. "Hackers have to find only one."

Google's strategies include paying outside programmers to spot and report vulnerabilities and holding "think like a hacker" classes that ask its own engineers to imagine they are on the other side.

How to teach and recruit security specialists was a theme running through the event. Patricia Falcone, associate director for national security and international affairs in the White House Office of Science and Technology Policy, moderated the discussion, asking at one point: "How are we going to find people? How are we going to train them?"

Her question harkened back to Holdren's remarks about the cybersecurity work force being expected to grow 12 times faster than the job market as a whole, making it all the more imperative to recruit women and underrepresented minorities.

Cynthia Dwork, a security specialist at Microsoft, raised the issue of privacy on the panel, and noted how such concerns must be considered in looking at network design and capabilities over the long term.

Dwork cited the growing sophistication of techniques that can "read our emotions" through inferences derived from online behavior, not a security issue per se, but germane to the consumer protection aspects of the president's national discussion.

Referring to such techniques designed to "keep us in the buying mood," Dwork added: "These are very real concerns. They are going to come up."

Questions from the public posed via Twitter were put to the panel by Stanford's George Triantis, a professor of law and co-director of the Stanford Cyber Initiative steering committee. When Triantis asked what individuals could do to protect themselves, Tabriz recommended strong passwords.

Holdren wrapped up the session by reiterating a principal theme – that the long-term imperative is for industry, academia and government to make security consciousness central to network design.

"As President Obama frequently puts it, this will be an all-hands-on-deck effort," Holdren said.