



For a moonshot, you need more than just the moon

Jan 22, 2018 | 5 mins
Cyberattacks, Cybercrime, Data and Information Security

At one time, we were challenged to ask not what our country could do for us but what we could do for our country. It is time that the leading organizations in digital technology come together once again to ask the same.


Time and again I have heard a declaration that is typical of the sweeping statements of the digital age. 

“We need a cybersecurity moonshot!”

Vision without a strategy, however, is no more than ear candy. A smart person once said that leap-ahead progress is one percent inspiration and 99 percent perspiration. To achieve a moonshot, you need a lot more than just the moon. And, more often than not, those who throw this phrase around with regard to cybersecurity have little else.

In 1961, President Kennedy threw down a gauntlet: “This nation should commit itself to achieving the goal, before this decade is out, of landing a man on the moon and returning him safely to the Earth.” At the time, what Kennedy proposed seemed impossible. And then we did it, in a public-private collaboration that drew from the best strengths of government and industry.

This is the kind of vision and determination to which we should aspire. Calls for a comprehensive cybersecurity moonshot are too often vague cries to “make the internet safe.” I’d like to reclaim the moonshot term to resolve a national problem that impacts lives and the future of the digital economy.

It will demand a shared vision that is achievable, yet bold enough to push us collectively and ambitiously, with a timeline aggressive enough to demand focused, sustained action. The challenge must be real, and we must be as pragmatic as we are ambitious. And we must make a commitment to achieving this goal swiftly – within a year. Not only will this allow for maximum input and commitment across a wide range of organizations, but it will also allow for a more manageable cost model. It will prime us to expand such moonshots for future, more ambitious achievements.

The counter-DDoS moonshot

I propose eliminating Distributed Denial of Service (DDoS) impacts, leveraging the combined strengths of industry and government to create a national counter-DDoS capability that serves all.

DDoS attacks take websites and entire organizations down by flooding them with massive amounts of data or commands, and they have become more destructive and more common over the past several years. And yet, even the most consumer-facing brand, no matter how large or small, is expected to stand up to the cyber might of activist groups and nation-states.

In 2016, a team of Iranian hackers launched sustained DDoS attacks against dozens of U.S. banks, causing losses in the millions. The hackers also used the DDoS attacks as a distraction while they attempted to remotely take control of a dam in Rye, NY, just 25 miles north of New York City. For the FBI and the U.S. government, the hack of the dam was a game-changer that made real the talk of the widespread risk to the nation’s infrastructures.

Later that year, the Mirai botnet—a fairly simple malware that hijacked devices running Linux by exploiting weak passwords—affected internet access in large sections of the United States. It did this by bypassing the weak security of IoT, turning the devices into bots that could be deployed in a DDoS attack. That one Mirai attack shut off access to the internet for millions of Americans. In the following weeks, Mirai attacks successfully disrupted internet service for 900,000 people in Germany and infected 2,400 routers in the UK.

This year, the percentage of organizations hit by a DDoS attack exploded from 17 percent to 33 percent. In 2016, 82 percent of the organizations that were hit reported being attacked multiple times. More troubling, 53 percent discovered that the DDoS attacks were executed as flak to cover more serious cybercrime such as malware and data theft.

Currently, the Reaper IoT Botnet—built upon parts of Mirai’s code, and already infecting a million networks—has shown how rapidly and destructively these attacks can iterate. And Reaper has yet to show its true colors, mostly sitting silent across vast networks like a highly connected digital sleeper cell. As the attack in Rye, NY proves, our adversaries see DDoS as a viable tactic to access and affect infrastructures such as energy systems, transportation systems, critical manufacturing and other democratic institutions whose availability we cannot afford to take for granted.

The implementation

To eliminate the power and damage of DDoS attacks, private sector and government capabilities would each be leveraged. A national capability would leverage the best of breed from the private sector, augment it with government capabilities as well, and be available nearly instantly in times of need.

Service providers would stop the hemorrhaging by being able to quickly amass bandwidth at the point of attack.

Agile segmentation companies would narrow the effect against the targeted victim, and perhaps also segment off misbehaving systems.

Government agencies that are capable and authorized to defend the country would take the fight into foreign cyberspace, e.g. U.S. Cyber Command could swiftly defend upstream, deploying operations with the full strength of its mandate and resources to stop the attack at its source.

All of this is eminently doable, if we have the courage and humility to work together. The collective brilliance that the digital and cybersecurity communities have amassed is staggering—with each new generation poised to push us further. At one time, we were challenged to ask not what our country could do for us but what we could do for our country. It is time that the leading organizations in digital technology come together once again to ask the same.


Phil Quade serves as Fortinet’s Chief Information Security Officer and brings more than three decades of cybersecurity and networking experience working across foreign, government and commercial industry sectors at the National Security Agency (NSA) and U.S. Senate. Phil has responsibility for Fortinet's information security, leads strategy and expansion of Fortinet's Federal and Critical Infrastructure business, and serves as a strategic consultant to Fortinet's C-Level enterprise customers.

Prior to Fortinet, Phil was the NSA Director's Special Assistant for Cyber and Chief of the NSA Cyber Task Force, with responsibility for the White House relationship in Cyber. Previously, Phil also served as the Chief Operating Officer of the Information Assurance Directorate at the NSA, managing day-to-day operations, strategy, and relationships in cybersecurity.

The opinions expressed in this blog are those of Phil Quade and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
