Raytheon highlights its role in cybersecurity

Raytheon officials gave a rare look at their perspectives on quantum computing, developing a cyber workforce, and the adoption and advancement of zero trust during a webinar Wednesday.

Even though they are a high-profile defense contractor, Raytheon has the same challenges as other corporations when it comes to hiring cybersecurity professionals during the Great Resignation, said Melissa Rhodes, senior director of human resources at Raytheon Intelligence & Space.

“The preponderance of the work we do is in the classified space, which makes talking about the work we do very difficult,’’ Rhodes said. This has required coming up with some creative ways to make people aware that they are looking for cybersecurity talent.

No demographic excluded

One tactic has been to sponsor the National Collegiate Cyber Defense Competition, which helps the company hire a lot of people. Earlier this year the division also invested in the development and execution of a pilot program, RI&S Offensive Labs, to retool engineers from adjacent backgrounds into the offensive and defensive cyber mission space, Rhodes said.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

The program curriculum focuses on vulnerability research, binary reverse engineering and computer network operations.

“Year to date, 23 engineers have completed the program with a goal of 50 in 2022,’’ she said.  “When they complete this program, they are deemed mission ready.”

Working in cybersecurity does not require a college degree, added another speaker, Jon Check, senior director of cyber protection solutions at RI&S. Because of a shortage of people, no demographic can be excluded, Check said. The company makes diversity and inclusion a priority and began offering scholarships to get more people interested in the cyber field.

There is a “whole stigma around cybersecurity” from watching movies that imply you have to be a math whiz or “a computer genius to do this,” he said, stressing that a lot of people who join Raytheon may have backgrounds in criminal justice or finance — or have worked counterterrorism missions.

“They go through our internal training and have become part of our cybersecurity workforce,” Check said. “So we want to really make sure that everybody understands they can transition and really grow their career and not be intimidated by cybersecurity.”

Zeroing in on zero trust

The speakers also spent time discussing how to implement zero trust, following the Biden administration’s executive order requiring that government entities implement a zero trust architecture.

Yet this “is not a trivial task,’’ said Torsten Staab, Ph.D., principal engineering fellow at Raytheon.

“Zero trust implementation requires careful planning, as it involves the deployment of many technologies that need to work in concert to be effective,’’ Staab said. “For many organizations, especially large ones, the ZT journey will take multiple years and will require continuous refinements.”

Companies have to manage user access, identities and sensors, as well as set up proper access to a home network, he said. Zero trust covers not only the network identity piece but also the data itself residing on mobile devices and in the cloud.

“There are lots of opportunities for access,’’ Staab said. “Zero trust can’t just be focused on the network. The message here is everyone has to be defensive.”

But unless you have the skilled talent to not only deploy a zero-trust infrastructure but configure tools, maintain, upgrade and sunset them, that will limit the ability of organizations to do so, Check noted.

In the meantime, organizations can significantly improve their security posture by implementing “low-hanging fruit” such as multi-factor authentication, which is “relatively easy to deploy,’’ Staab said.

Quantum computing has significant security implications

The speakers also discussed preparing for quantum computing and Q-Day, the day on which quantum computers will be powerful enough to break today’s asymmetric encryption schemes, such as RSA, Diffi-Helman, Elliptic Curve Cryptography and DSA.

“These algorithms are used in all sectors and industries around the world, not just the U.S.,’’ Staab observed. “So everyone’s communication and data security will be at risk.”

For example, online shopping or online banking transactions would no longer be secure.

There are also “very significant security implications for national security, as an adversary could decrypt sensitive and classified information once Q-Day arrives,’’ he noted.

Quantum computers already show great promise in areas like drug discovery, route optimization in logistics and transportation, and simulating large-scale cybersecurity attack simulations.

“While many of the traditional cyber defense skills and roles will still be relevant and transferable to a post-quantum world, the tools to defeat quantum attacks will be different, starting at the encryption algorithm and extending to areas like quantum machine learning,’’ Staab said.

Taking advantage of quantum computers requires being able to develop quantum algorithms — existing software and a classical compiler or interpreter cannot be used to run applications on a quantum computer. Already, certain countries are pursuing a “collect now, decrypt later” strategy, Staab said.

Earlier this month, NIST announced the first set of four post-quantum algorithms capable of withstanding a cyberattack by a quantum computer.

“With these new algorithms being standardized by NIST, organizations around the world should start to replace existing, quantum-vulnerable encryption algorithms asap,’’ Staab said. “This will help counter the ‘collect now, decrypt later’ strategies our adversaries are already employing.”

The time to start preparing for Q-Day is now, added Check.

It’s important to have “those contingency plans, like when you have a cyber breach … those same preparations need to start happening” to make sure companies are resilient and can respond to a quantum attack, he said.