We are entering a period in which we are going to see an uptick in the number of security threats, both physical and in cyberspace. There is increasing global unrest. What we have seen electorally over the past few months, in the U.S. but also in Europe and in other parts of the world, has been a manifestation of that. It has also been reflected in physical violence and inspired acts of terrorism, as we have tragically seen in Charlottesville and Barcelona. We will see it manifest online, too. Those of us in the security space have to raise our game to meet the growing demand for innovative security tools and strategies. As I learned during my time as Homeland Security Secretary, planning, equipping, training and exercising are what prepare you to face unexpected threats.
In today’s business world, IT has become more ubiquitous than ever, and much sensitive data is now online. Cyber connections are pervasive in every aspect of commercial activity. We use the internet to execute financial transactions, maintain customer and business data, manage financial and human resources functions and direct operational activities, including industrial control systems. The new age of innovation is profoundly changing the economy through technology-driven tectonic shifts, including social media, big data analytics, cloud mobility and the Internet of Things. Unfortunately, this golden age has also enabled a new class of bad actors to take advantage of security vulnerabilities in these platforms, creating new risk in the form of cyber threats.
Consider the way businesses’ threat surfaces have evolved. Many unvetted endpoints access your networks under bring-your-own-device policies. Businesses depend upon subcontractors, and in so doing take on their vulnerabilities as well. The supply chain is also vulnerable to a variety of cyberattacks, and the Internet of Things makes its own considerable and increasing contributions to this threat surface.
As much as we are seeing greater vulnerabilities across networks, we are seeing more threat actors as well. Cyber risk affects virtually every kind of enterprise. Those who carry out threats have almost every motivation imaginable: terrorists, “hacktivists,” disgruntled employees or customers. When you factor in accidental or negligent leaks of data, and the multiplying access points to information networks, the potential loss is staggering.
The scale of data theft has dramatically expanded in recent years. Yahoo lost a billion user accounts in two operations, one of which involved two Russian intelligence officials. The involvement of Russian spies suggests this was partly designed to further espionage activities. We have seen massive disruptions to business operations through “ransomware,” including the WannaCry, Petya and NotPetya episodes. The WannaCry attack ravaged computers at hospitals in England, universities in China, rail systems in Germany, even auto plants in Japan. Additionally, a large pharmaceutical company had 75,000 machines affected by the malware and lost critical research.
These ransomware attacks have scaled from mere nuisances to material adverse business events. Over the past two months, thanks to Petya, FedEx reported a “material” financial impact, Merck reduced its full-year 2017 GAAP EPS, and Mondelez, a snack and candy manufacturer, reported a three-percent reduction in the company’s second-quarter growth.
Incidents like WannaCry, Petya and NotPetya caused massive disruptions to enterprises worldwide on an unprecedented scale, and they indicate a rise in nation-state actors driving these kinds of attacks. We are now dealing with nation-state actors who are more sophisticated and whose motivations may not be as easy to anticipate as those of criminals.
So how do we secure enterprises in a risk environment where the attack surface keeps growing, and where the nature and number of threat actors, and the scale of what they are able to do, continue to expand?
We need to start with the presumption that you are indeed going to experience a cyber intrusion. It is not a matter of “if” but “when,” and we must focus on how to continue business operations, despite being under attack.
Risk Management, not Risk Elimination
Cybersecurity is about risk management, not risk elimination. Complete prevention of attacks is impossible; what is realistic is an in-depth security approach that operates layered defenses, rapidly mitigates harm and fosters resiliency and recovery.
Consider the human immune system as a model of resilient security. While our bodies repel many bacteria, viruses and contaminants, some will inevitably be ingested. Our healthy immune systems are designed with that expectation. They characterize the nature of the bacteria or other foreign matter and destroy those that are harmful. Our cyber networks likewise need to repel many attacks, but anticipate that some will succeed in penetrating. For those, we want to be able to resist, recover and learn. Indeed, as humans we protect ourselves in part through immunization, which is in effect a form of information-sharing with our immune systems. Likewise, information-sharing ought to play a role in network security analogous to the one immunization plays in public health.
In risk management, we ask who the threat actors are, what the consequences are and what the vulnerabilities are. When you think about today’s cyber threats to your enterprise, what you need to consider is how to protect the things that matter most, and how to apply a risk management approach that informs all functions of the organization and incorporates a variety of techniques. All organizations, regardless of size or industry, must identify in a risk-based process the valuable assets that support critical business functions. Organizations must link assets to business goals. This allows you to determine which information and information assets are important to the business.
The Ten Commandments of Cybersecurity
I’d recommend Ten Commandments for approaching cybersecurity:
- Know your perimeter. That means knowing, minimally, who is supposed to be allowed in. The perimeter is not enough, but we do need to survey endpoints and other actors.
- Establish segmentation to protect more sensitive types of data, and reflect that segmentation in appropriate allocation of administrative privileges.
- Establish strong access controls and identity management. The password is no longer good enough; every enterprise needs stronger methods of authentication.
- Employ continuous monitoring and diagnostics.
- Balance convenience against security. (And note that it’s a balance – too much emphasis on either can be dangerous.)
- Encrypt data at rest and in motion.
- Plan and monitor for the malicious insider threat.
- Consider and plan for the innocent, non-malicious insider threat. Here the key is training and exercising. (Behavioral monitoring and analysis can help here.)
- Design your network as a whole for security. Configure devices securely (and ask whether every device needs to be connected).
- Develop and exercise a sound incident response plan.
Dealing with Boards & Management
In today’s digital economy, you simply cannot have an effective digital or growth strategy without a tightly interwoven cybersecurity strategy. Security is now perceived as a competitive differentiator and will continue to be a market distinguisher as technologies and threats evolve in the years to come. But how do security practitioners convey this to management and the board?
It is valuable to have the CISO and CSO come before the board to walk members through what has been seen over the last quarter: the nature of attacks, reconnaissance, security trends and how the enterprise ranks in terms of maturity. This drives the CISO, the CSO and the entire security organization to ensure that they have a good story to tell.
When I was at DHS, I met with President Bush every week to go over the threat matrix. In preparation for the meeting, everybody in the relevant departments – the IC, DHS, FBI – made sure that word went out that we were going to be meeting with the President. It energized people to execute their responsibilities efficiently and fully. As a management tool, having someone come in to report to the board with metrics is a good way to motivate them.
Boards care about risk management, value creation and metrics. We need to empower board members and management. Don’t inundate the board with solutions or with unexplained data. Manage their expectations, and present them with understandable options as they manage enterprise risk. Most important, remember that while cybersecurity has technical aspects, fundamentally it is about human beings – both those who threaten us and those who have to secure us.
Finally, we need to keep the information fresh. CISOs, don’t underestimate the power of current events to educate. Make it risk-focused – that is a language boards understand.
The Next Wave: The Internet-of-Things, Artificial Intelligence and International Norms
As we move into a period of more wirelessly connected so-called “smart devices,” security needs to be built into the device from inception. We are currently in a state where smart-device deployment is running far ahead of any general security awareness. Today the IoT requires every consumer to validate whether a device has reasonable security, and that is an approach destined for failure. The IoT should be like food at the grocery store: you rely on safety regulations as reasonable assurance that what you are consuming is safe. As with food safety (we don’t vet every piece of produce we buy at the supermarket for cleanliness or safety), there is a proper role for regulation in IoT security. At a minimum, standards for IoT smart devices should allow passwords to be changed and vulnerabilities to be updated and patched. Regulation, properly applied, can actually foster a more secure IoT sector, and thereby promote more widespread adoption and use.
Finally, the shape of international conflict is evolving in cyberspace. Our core internet infrastructure, our global trading system and the financial system could all be at risk in a global conflict. We need to think of the internet as a global commons, like the sea, and, as we have done for that commons, we should evolve laws of armed conflict that protect the essentials – critical infrastructure – from malicious destruction. There are, of course, difficulties in doing so. For example, deterrence, a cornerstone of security, depends upon attribution of malicious activity, and attribution in cyberspace is notoriously difficult. But the public debate is essential, invaluable and inescapable.