In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with Jason Witty, Chief Information Security Officer of JPMorgan Chase. Witty talks about the evolution of data privacy, advances in cyber threat intelligence sharing, and the continually evolving role of the CISO.
Related to cybersecurity standards, the development of Version 1.1 of the NIST Cybersecurity Framework was a major step forward as NIST partnered with government agencies and trade groups in multiple sectors to come up with a framework that could be universally applied. During the last year especially, the adoption of the NIST Cybersecurity Framework has been significant as more companies across different industries choose to standardize on it.
The financial sector has since then built on CSF 1.1 to develop a sector-specific version of the Framework. Launched in 2019, the Financial Sector Profile was developed to incorporate unique industry practices and reference standards, as well as regulatory guidelines, to streamline and rationalize enterprise cyber risk management. In August 2019, the U.S. federal banking regulators recognized the financial sector profile as a beneficial approach to cyber risk management, thus expanding the alternatives for regulatory exams.
NIST is also now developing a Privacy Framework built upon the same common core as the cyber framework. We hope that this privacy framework can serve to provide a standardized approach to the technology and business controls necessary to form an effective privacy program. NIST has recently closed comments on its first draft and is employing their typically open and collaborative process for development.
As we head into 2020, NIST is looking at quantum-resistant cryptography and trying to get ahead of advances in quantum computing. NIST’s efforts are significant when considering countries like China that currently invest heavily in quantum computing.
The development of certain other new standards, such as TLS 1.3, may challenge some of the tools that network defenders have come to rely upon. Packet inspection and web-flow analysis may become more difficult and so we are working with large technology companies, non-profits, and vendors to develop solutions that enable effective enterprise security while also allowing for personal privacy and security outcomes through effective encryption.
The evolution and maturity of the CISO depends on the person and their journey. Did they start off in law enforcement and do they primarily think about cybersecurity as fending off bad guys? Did they start off in compliance and primarily think of cybersecurity in terms of policy? Did they start off in the business and primarily think of cybersecurity as a business problem? Did they develop their skills under a technology leader and learn more about the business later? The role of the CISO has become a mix of all these elements. But what's fascinating to me is that different tribes exist based on each CISO’s background—whether it’s law enforcement, compliance, business, IT, or another area.
During the past 3-5 years, businesses have given the CISO more recognition. Clearly, the CISO’s first job is to protect the firm, but they must also safely enable new technologies and new business in a much nimbler way than ever before in an environment with dramatically more attack surface area and sophisticated threats. The role has become a blend of people, process, and technology expertise—the ability to speak tech to your team and plain English to everyone else. CISOs need the ability to articulate a problem in a way that the business understands and present problems in terms of risk instead of just compliance.
The CISO, especially of systemically important firms, is also charged with looking beyond the enterprise to the system. Actions that a CISO takes could have ramifications for the financial system due to the interconnectedness of the financial ecosystem.
We need a federal privacy goal. Otherwise, all 50 states are going to create laws similar to the 50 state data breach notification statutes we have today. These state privacy laws will create an untenable set of varied rules with complexity we will never be able to fully understand, much less comply with. So, I do feel very strongly that we need federal privacy legislation with preemption in order to create a data privacy law that we actually want and can maintain.
In addition to the fragmentation of U.S. law, we are likely to see a continued proliferation of differing privacy approaches abroad. Countries such as India are currently designing new comprehensive privacy regimes. Without a federal law in America, the U.S. government will be limited in its ability to negotiate for the fair treatment of U.S. companies or citizens in foreign markets. This could lead to regulatory and technology fragmentation as we see jurisdictions adopting measures such as data localization in an effort to protect data flowing to incompatible privacy regimes.
Looking ahead, big data analytics meets artificial intelligence / machine learning meets deepfake audio / video will exacerbate data privacy. Two to three years from now, these things put together will fundamentally change the way we think about personal privacy, reputation (and reputation management), and what's permissible when considering the corporate use of data. With these more advanced technologies taking hold, we are going to experience a fundamentally different world three to five years from now. And I feel very strongly that if we don't come up with a better federal framework for privacy, we're going to find ourselves in an untenable situation in a few years.
The passing of the Cybersecurity Information Sharing Act in 2015 created the foundation for some of our most notable public-private partnership accomplishments in recent years. This law really galvanized companies and increased the ability for them—with liability protection—to share cyber threat indicators. Private industry and government, especially through ISACs and ISAOs, were able to share more threat intelligence with each other and take their efforts to more of a team sport level.
When considering sharing from the private sector to government, I think we've made marked progress since the Cybersecurity Information Sharing Act went into law. Automation has come into play with STIX and TAXII helping to give us system-to-system interoperability. ISACs have dramatically matured over the past few years, partly by offering automated feeds. The information fidelity has improved to the point where you can expect you won’t block the wrong intelligence, and you are able to write automated rules and take action on indicators received through automation. We've accomplished a lot, but there is clearly more room to go.
As we think about the role of governments in information sharing, I see three predominant roles for them to play:
1. As large enterprises, government agencies can increase their participation in cyber threat information sharing through venues such as the MS-ISAC and other partnerships with industry.
2. As defenders of the national interest, governments should be looking to use all levers of national power to limit cyber risk. For information sharing, this means setting intelligence collection and analysis priorities based on deep understanding of critical infrastructure risks.
3. As lawmakers, elected officials can continue to revise the legal system and enable better information sharing. For example, can we expand legal liability protections from CISA 2015 to protect the sharing of other information related to cyber risk?
Right now, government intelligence collection priorities predominantly focus on protecting the military or government networks. The more we can shift toward intelligence collection priorities mirroring national critical infrastructure risks, the more likely that public-private intelligence collection will happen—and the government will share intelligence on a timelier basis. With or without context, this information is very important when shared from the government to the private sector.
While timeliness is certainly the number one issue with government, context comes in a very close second. It’s a real problem that we often don’t know the age of an indicator, or how long it took to get an indicator declassified and pushed out to the system. Even within mature industry circles, we don't do a great job of making threat intelligence bidirectional. The STIX taxonomy contains specific language for what STIX calls sightings, but almost none of the STIX implementations use them. The way sightings work is that company A sees something and sends it out to companies B through Z. Companies B through Z would take a particular course of action based on what company A said and…that's where the information flow stops.
With a sighting, companies B through Z would not only say, “Hey, I'm in receipt of this information” but they would also fire back and say, “I've also seen a sighting of this particular threat.” With collective sightings, you get the ability in both directions to understand how far a threat has spread. Are multiple companies or industries being targeted? Is it hitting everybody or just one company? Knowing it’s just one company is interesting, in and of itself, because then you know you're being targeted. A lot of room exists for making cyber threat intelligence sharing more bidirectional, enabled through automation and supported by enhanced government services. It’s more an operational problem than anything. The capability exists, but not a lot of discussion is happening to demand it. It's also about maturity. More bidirectional sharing will be the next logical place that information sharing circles go, but we're just not there today.
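The sighting round-trip described above, as an added example that is not part of the interview or of any JPMorgan Chase or ISAC tooling: STIX 2.1 Identity, Indicator and Sighting objects built as plain dicts in the STIX JSON shape, plus the aggregation a sharing circle needs to answer how far a threat has spread and whether one company or several sectors are reporting it. Company names, sectors and indicator values are constructed.

```python
# STIX 2.1 objects as plain dicts (no external library), plus a sighting aggregator
from collections import defaultdict
from datetime import datetime, timezone
import uuid

NOW = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")  # RFC 3339, UTC

def _sdo(obj_type, **props):
    # Common properties every STIX 2.1 object carries
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": NOW, "modified": NOW, **props}

def make_identity(name, sector):
    return _sdo("identity", name=name, identity_class="organization", sectors=[sector])

def make_indicator(creator, name, pattern):
    return _sdo("indicator", created_by_ref=creator["id"], name=name, pattern=pattern,
                pattern_type="stix", valid_from=NOW)

def make_sighting(reporter, indicator, count):
    # The "fire back" step: the receiving company reports that it saw the indicator too
    return _sdo("sighting", created_by_ref=reporter["id"], sighting_of_ref=indicator["id"],
                where_sighted_refs=[reporter["id"]], count=count)

def spread_report(indicator_id, objects):
    """Who sighted one indicator, how often, and in which sectors."""
    by_id = {o["id"]: o for o in objects}
    per_org, sectors = defaultdict(int), set()
    for o in objects:
        if o["type"] == "sighting" and o["sighting_of_ref"] == indicator_id:
            reporter = by_id[o["created_by_ref"]]
            per_org[reporter["name"]] += o.get("count", 1)
            sectors.update(reporter.get("sectors", []))
    # nobody fired back -> flow stopped at the publisher; one reporter -> likely targeted
    spread = "unseen" if not per_org else "targeted" if len(per_org) == 1 else "widespread"
    return {"spread": spread, "reporters": dict(per_org), "sectors": sorted(sectors)}

# Constructed sharing circle: A publishes two indicators, B and C fire back sightings
A = make_identity("Company A", "financial-services")
B = make_identity("Company B", "financial-services")
C = make_identity("Company C", "energy")
IOC_WIDE = make_indicator(A, "constructed C2 domain", "[domain-name:value = 'c2.example.invalid']")
IOC_ONE = make_indicator(A, "constructed sender", "[email-addr:value = 'billing@example.invalid']")
OBJECTS = [A, B, C, IOC_WIDE, IOC_ONE, make_sighting(B, IOC_WIDE, 3),
           make_sighting(C, IOC_WIDE, 1), make_sighting(B, IOC_ONE, 2)]

if __name__ == "__main__":
    for ioc in (IOC_WIDE, IOC_ONE):
        print(ioc["name"], spread_report(ioc["id"], OBJECTS))
```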
First and foremost, diversity and, more importantly, inclusion are very, very key to our overall business strategy as a firm. Because of diversity’s importance, we have a multifaceted approach toward how we handle pipelining in general. For example, we think about our pipeline as early as elementary school and teach kids through our Cyber Kids program about the risks of going online—using this program to get them interested in STEM and information security. We've also got programs for middle school and high school, apprenticeship pipelines, a software engineering pipeline with universities, and multiple business resource groups in different geographies looking to recruit specific affinity groups into the pipeline as well—such as military recruiting. You need to constantly create support on one side and interest on the other side very early while you're also working through the more tactical pipelines related to positions you may have open right now.