Cyber Defense: A Conversation with Jason McNew

Jason McNew Founder and CEO of Stronghold Cyber Security, has over 20 years of experience in the field of Information Technology. This includes 12 years at the White House Communications Agency (WHCA) and Camp David, where he worked on some of the most secure systems in the world, for some of the most important customers in the world.  While at WHCA, Jason held what is known as a “Yankee White” security clearance, also known as a PSD (Presidential Service Duty).  The Yankee White is an elite clearance granted only to those of unquestionable character and integrity.

Jason, a United States Air Force veteran, holds a Master’s degree from Penn State in Information Sciences, Cyber Security and Information Assurance, in addition to a Bachelor of Science and two Associate of Science degrees.  Penn State’s Cyber Security program has been reviewed and endorsed by the National Security Agency (NSA) and the Department of Homeland Security (DHS).

Hugh Taylor                        Having worked in the government, what’s your impression of the U.S. federal government’s ability to handle a massive cyberattack?

Jason McNew:                   Well, this might sound kind of cynical, but when you look at COOP and COG, Continuity of Operations and Continuity of Government and those sorts of things, they’re chiefly designed to protect all the people that work and operate within the beltway. And I say that because I’ve personally seen some of that stuff. It’s more designed to protect them than anything.

Hugh Taylor:                       How do you see a cyberwar scenario playing out?

Jason McNew:                   If we got into a shooting match with China in the Pacific Ocean, I don’t think they’re going to go onto direct combat with the U.S. fleet. They’re going to shut down the ACH system, for example, or attack DFAS, which is what funds the federal government, something like that.

Or they could attack the power grids. And just to give you an example, if you look at something that, in my opinion, should definitely be funded by Congress and it’s constitutional, too, as far as I can tell, is the Shield Act. The Shield Act is intended to short up our electrical infrastructure, the transformers, against an EMP attack. Not only is an EMP attack a threat against the grids, also there’s natural threats to that as well. You might be familiar with the Carrington event, that was in 1859, and that was a coronal mass ejection. A CME is when the sun burps out a pile of ionized crap, and it energies circuits, and it induces current, and these things. And the Carrington even was so bad that it set telegraph wires on fire at the time and electrocuted people. And if something like the Carrington event were to happen today, then there’s no guesses. It’s anybody’s guess as to what would happen. So, that’s similar to … So there’s two different reasons why we should be funding the Shield Act. And my point is that congress is really not doing a good job doing anything to identify and mitigate these threats at all.

Hugh Taylor:                       One question I have, because I’ve heard this answered in two different ways, some people say, “Well, this sort of disaggregated nature of the infrastructure in the U.S. makes it a little harder to attack,” like nobody could really attack everything all at the same time. Do you think that’s true or is that wishful thinking?

Jason McNew:                   No, I think that’s a valid argument. There’s two sides to that coin, though, because one thing we do know with the grids, in particular, is that there’s a cascading effect and there’s certain … And I’m not an electrical engineer, and my understanding of those kinds of things is somewhat rudimentary, but there’s theoretical attacks that could cause cascading failures in the grid, even though they’re federated and desegregated, so to speak.

So that if you attack a single point, or a couple of points at once, that it would shut the grids down. But as far as the IP infrastructure goes, that is certainly true because there’s a bunch of different providers that have different pipes that go all over the place, and fiber nodes and those sorts of things. And it makes the United States harder to attack than, for example, a European country. That argument is true and untrue at the same time. You can make strong arguments in both directions on that one.

Hugh Taylor:                       This is kind of subjective but, do you think that there’s sort of a meltdown point? Let’s say you were a commander in the Chinese cyber brigade and you were told to attack Chicago or something. Do you think there’s some sort of meltdown point you could induce, if you just wreaked enough havoc, that the city would sort of implode? Like if you could just shot off the water, and the food, and the electricity, and everything for a long enough time, that everybody might just start killing each other or something?

Jason McNew:                   I’d attack the supply chains. Attacking supply chains, historically, is a military tactic and if you look at the efficiency within our economy, everything is just in time delivery, right? So if you look at Walmart, Target, grocery stores, gas stations, we don’t want to warehouse anything because it’s inefficient. It costs money, right?

So everything has enough food or water for 48 hours or 96 hours, something like that, so if I was going to do that, I would focus on disrupting the supply chains. And that might be through disrupting the power, or IP infrastructure, or disrupting GPS, for example, would be a way to do that because trucking relies on it.

And if you break the supply chains and then the grocery stores go empty, or the water doesn’t work, then yes. People are going to resort to violence in order to get to what they need and that would not be pretty.

Hugh Taylor:                       Do you think that there’s a risk in firmware inside devices?

Jason McNew:                   Oh, yeah. Absolutely.

Hugh Taylor:                       How do you see the firmware risk?

Jason McNew:                   Well, you look at all the cheap IOT that’s coming out of China, right? The Internet of Things, right? And you have to kind of understand the geopolitical, social, economic situation in China, right? China is authoritarian and they’re not really communists, so to speak, in the traditional sense, but the communist party of China does direct a lot of the economy, and they do direct the People’s Liberation Army.

And there’s not a lot of room between these different entities and some of the manufacturers that are over there. I can’t get into specifics, but it’s already been disclosed that when we, by integrated circuits, applications, specific integrated circuits that come from that region, that we’ve got caught back doors in them.

So, if I was China and I was manufacturing all of these things, and I have a lot of oversight over the way that manufacturing is happening, then I would be looking at some of these cheap IoT devices, thermostats, cameras, and all these other things, and looking at embedding some type of back doors into these things so that I could possibly create rogue armies of bots and those sorts of things.  It’s definitely a threat. I don’t have a doubt in my mind about that.  And you look at, just for example, look at Cisco. Cisco has a massive problem with China counterfeiting their gear. And in some cases, Cisco themselves have had difficulty differentiating between the fake gear and the real gear, its that good.

Hugh Taylor:                       Where are the components made? I’m sure there’s some process to check them, but how good is it?

Jason McNew:                   It’s not something that I have specific insight into. But, just for example, Cisco gear is in use on our classified networks in the United States. And they do have processes in order to control supply chain management, which is to say that they have a positive chain of custody from when the device was manufactured, supposedly, until when it gets here.

Hugh Taylor:                       The iPhone has components from many different companies in it. The problem I have is that I can see, if you look under the skin of a device, there’s software from multiple companies and teams, there’s components made all over the place. So it comes to you as a nice whole package, but does anybody really know what’s what and what kind of back doors or signals it’s sending out that we don’t know about, you know?

Jason McNew:                   No, it’s hard to prove. And the thing is, when you’re talking about ex filtrating data in some fashion, some type of a side channel ex filtration, you can do simple ciphers at slow rates and stuff like that and it would be really hard to track.  So you’re right, you don’t really know. And the thing is, is these things have become so complex that no one person understands them.

Hugh Taylor:                       What do you think could be done to strengthen defense against firmware-based threats?

Jason McNew:                   We got to bring this to work home. Make it in Texas. Make it in Ohio. Make it in Pennsylvania. We got to stop manufacturing this stuff overseas Bring it home.