audience of congressional staffers attending 2015 Cyber Boot Camp

Thirty staffers from key oversight committees on Capitol Hill attended the second Congressional Cyber Boot Camp on campus. (Image credit: Rod Searcey)

Anything networked can be hacked.
Everything is being networked.
Therefore everything is vulnerable.

That was one of the key takeaways for the 30 Capitol Hill staffers who flew to Stanford University from Washington, D.C., last week to attend three days of intensive cybersecurity training at the second Congressional Cyber Boot Camp. The training took place Aug. 17-19, and most sessions convened at the Hoover Institution.

“Whatever level you’re worried about cybersecurity, you should be more worried,” LinkedIn co-founder and Stanford alum Reid Hoffman warned the bipartisan group who staff key congressional oversight committees, during a keynote address with Stanford professor and former secretary of state Condoleezza Rice.

Silicon Valley executives and entrepreneurs, academics and former high-level government officials painted a picture of a complex threat landscape, where foreign nation states routinely hack into U.S. companies and government agencies with near impunity, and everything from utilities and critical infrastructure to cell phones and cars could be vulnerable to cyberattack.

“The next conflict, if it happens tomorrow, it’s not going to be pretty in cyberspace,” said Kevin Mandia, president of FireEye and one of the world’s leading experts on counterforensics, in an onstage conversation with Michael McFaul, the former U.S. ambassador to Russia and director of the Freeman Spogli Institute for International Studies (FSI).

Mandia said that 29 out of the 30 significant cyberattacks his company was currently investigating were the handiwork of state-sponsored hackers, with the Chinese and Russian governments among the chief offenders.

“The Russian government has been accessing the majority of our government systems in my estimation for most of the last two decades,” he said.

“They can hack any company they choose. They can hack any government agency they choose.

“We’ve spent billions of dollars on defense, but I don’t think we’ve raised the cost of offense a dollar.”

The asymmetrical nature of conflict in cyberspace was a common refrain.

“The people that want to attack have distinct and profound advantages over the defender,” said Herb Lin, senior research scholar at the Center for International Security and Cooperation (CISAC) and research fellow at the Hoover Institution.

That’s because finding flaws in commonly used software, which can have more than 40 million lines of code, is like looking for the proverbial needle in the haystack.

“Each one of those lines of logic might have a flaw that can be exploited by an attacker to break in,” said Carey Nachenberg, chief architect of Symantec’s security technology and response division.

“There’s no silver bullet solution … because the attacks are constantly shifting,” he said.

Everyday objects vulnerable

Dan Boneh, a Stanford computer science professor and CISAC affiliate, demonstrated how a seemingly benign sensor, like the one that measures battery life in your iPhone, could be hijacked to pinpoint your exact location.

He also showed how the gyroscope that enables interactive games on your iPhone could be used to measure minute vibrations on a tabletop surface and eavesdrop on conversations.

Even everyday objects like cars can be compromised.

“Our mental models are focused on servers and laptops … but the vast majority of processors that ship every year look nothing like computers,” said Stefan Savage, a professor of computer science and engineering at the University of California, San Diego.

Cyber Boot Camp keynote speaker Reid Hoffman with Condoleezza Rice

LinkedIn co-founder Reid Hoffman delivered the keynote address with Stanford professor and former secretary of state Condoleezza Rice. (Image credit: Rod Searcey)

Savage’s research team published pioneering work on car hacking in 2010 that proved it was possible for a hacker to remotely take control of a car’s engine and brakes.

And cars are just the tip of the iceberg.

“There’s probably not a single mode of transportation that’s not controlled by a computer,” Savage said.

His next research target is the aviation industry.

Amy Zegart, CISAC co-director and senior fellow at the Hoover Institution, led a hands-on simulation exercise for visiting congressional staffers, where they assumed the roles of tech company employees responding to a major cyberbreach.

Experienced executives from Intel, Uber and Palo Alto Networks acted as board members and quizzed the staffers on how their assigned departments (including legal, marketing, business strategy and engineering) would manage the crisis.

The three-day boot camp concluded with a behind-the-scenes tour of Facebook’s new headquarters in nearby Menlo Park, led by the social networking company’s chief security officer, Alex Stamos.

Zegart said she wanted to expose congressional staff to a diverse range of experts, drawn from the tech industry and legal, technical and policy fields.

“We’ve got to figure out how to accelerate the learning process and work across disciplines,” Zegart said.

Other speakers agreed.

“The time to tackle these difficult policy challenges is now, not after one of these attacks happen,” said U.S. Air Force Col. Matteo Martemucci, division chief for the Joint Chiefs of Staff at the Pentagon.

The Cyber Boot Camp was hosted jointly by CISAC, FSI and the Hoover Institution, and co-sponsored by the Stanford Cyber Initiative.