Current cyber policy is a threat to national security, Air Force scientist says at SU lecture

Svitlana Lymar | Staff Photographer

Kamal Jabbour, a senior scientist for Information Assurance at the Air Force Research Laboratory, said less than 4 percent of all existing malicious software, also called malware, has been detected.

Kamal Jabbour said the disconnect between cyber policy and technology is a threat to national security.

His lecture, “The Disconnect Between Cyber Policy and Technology,” was held in the Syracuse University College of Law on Monday afternoon. Jabbour is a senior scientist for Information Assurance at the Air Force Research Laboratory in Rome, New York.

He said virus scanners detect 100,000 to 1 million new signatures every day, but even then fewer than 4 percent of all existing malicious software, also called malware, has been detected. Signatures are sets of specific data that allow viruses to be identified, he said.

There used to be an assumption that people who write malware are “few and far between,” Jabbour said. However, he said now there’s a brand new category of individuals who produce malware — making it a much more relevant and significant problem.

Jabbour also said dwell time — the time between the infection and detection of malware — averages between three to four years, which is rather slow.

“This concept of trying to detect malware is just not working,” Jabbour said.

He added that there’s a growing disconnect between training and education in this area. He stressed the idea that training builds robustness and education builds resilience, but the nation is falling behind in terms of its training system.

Jabbour said today, cyber policy focuses more on resilience, but rather than looking for a system that picks itself up after it fails, he said he wants a robust system that will not fail when it needs to work.

“We’re very comfortable detecting things and then reacting to them” instead of trying to prevent the conflicts from arising in the first place, Jabbour said.

Part of the reason behind this is that people are becoming comfortable with cyberspace because they believe it’s a man-made domain and they think they can change it or defy it, he said.

“At the end of the day, cyberspace is governed by the laws of physics,” Jabbour said, adding that the only proper way to look at it is through math, specifically the application of math to physics.

Multiple times during the talk he brought up that, to write cyber policy, people must have taken at least 35 credits of math in school.

He said people in the government who are currently writing policy are not qualified from a technology or mathematics perspective. The cyberspace doctrines today aren’t accurate, he said, because the people writing them aren’t paying attention to the law of technology.

Jabbour went through three cyberspace policy-making mistakes that he thinks the government makes. First, he said they detect things that go wrong after they go wrong and don’t think proactively. He also said the government doesn’t focus enough on the human component of cyberspace. Lastly, he said that they don’t correctly interpret the relationship between cyberspace threats and vulnerability.

Every cyber program was a mathematical equation before it was converted, Jabbour said. He added that if math is relied on to write cyberspace policies, then the United States will be in much better shape.


Top Stories