2018 NTSC National CISO Policy Conference Recap: The Panels

In our last post, we summarized the discussion highlights from our keynote speakers at the second annual NTSC National CISO Policy Conference. In this post, we summarize two panel discussions and a “fireside chat” that covered cyber threat intelligence, data privacy and security, and the federal government’s role in cyber deterrence.

Like the keynotes, our panelist conversations spread into the audience of CISOs and senior technology executives who asked additional questions and offered unique insights. The depth and breadth of the panelists’ experiences meant that CISOs were engaging national cybersecurity experts from the public and private sector who are most in the know about critical issues—leading to actionable insights that CISOs took back to their companies.

Panel Discussion 1: “Cyber Threat Intelligence”

  • Tonya Ugoretz, Director of the Cyber Threat Intelligence Integration Center (CTIIC) at ODNI
  • Andrea R. Roddy, Chief, Security Engineering Services, NSA
  • Pete Chronis, CISO, Turner
  • Moderator: Marci McCarthy, President and CEO, T.E.N.

Speaking earlier this year at the Billington International Cybersecurity Summit, Jeanette Manfra, DHS Assistant Secretary for Cybersecurity and Communications, said, “Identifying a threat in one area could lead to building defenses against it in all areas, but only if government is fully leveraging information sharing at the scale and speed that the internet enables.”

That’s the vision. But while the federal government and various ISACs have made significant progress with information sharing, the security community is traditionally not very good at sharing and collaborating—even though experience shows that the more we share and collaborate, the stronger we become when dealing with cyber adversaries.

The panelists started off by giving a bleak portrait of cybersecurity’s current state. We’ve made incremental improvements but few fundamental changes as an industry—especially when it comes to serious behavioral change. Essentially, we’re managing risk but not solving it. Some observations included:

  • Speed to market is still rewarded more than security in the private sector.
  • So much cyber hygiene is still manual, and we’re not using automation enough to help.
  • We emphasize quickly resolving helpdesk tickets versus instilling a culture of curiosity within IT and security organizations.
  • 97% of cybersecurity incidents come from known vulnerabilities—proof that cyber hygiene and patching programs are just not up to par. However, CISOs pointed out that while many security vulnerabilities may exist in a company’s systems, they must prioritize how they tackle the vulnerabilities based on limited time, staff, and budget.
  • CISOs find themselves at the mercy of a “dirty” supply chain that can affect cybersecurity.

The federal government has improved its understanding of cyber threats, but efforts by the DHS, NSA, and US intelligence community are still maturing. Attribution of cyber threats to serious adversaries (such as nation states) has improved but we are seeing an increased attack surface through the IoT, increasing impact from individual and often indiscriminate events (such as WannaCry), and more sophisticated tools used by attackers. The media often talks about an impending “cyber 9/11,” but the panelists said it’s more likely that we’ll experience “death by 1,000 cuts.”

Both panelists and attendees brought up the topic of public-private sector trust and context around shared cyber threat intelligence. The federal government still needs feedback from the private sector to understand how best to share relevant cyber threat intelligence. For example, some organizations are interested in just technical indicators while others believe indicators are useless without additional context. Currently, interaction between the public and private sector is still often indirect, irregular, and full of distrust. It needs to move toward robust two-way information sharing but we currently lack an easy mechanism for private companies to receive information back in an operational way. Plus, the private sector is currently not often consuming and acting upon the information shared. Delays in security clearances (sometimes lasting over a year) don’t help when cyber threat intelligence is often highly classified and CISOs are unable to view the information.

Panelists and attendees ended optimistically on the note that both the federal government and private sector seem to be addressing lingering problems, slowly but surely, and all parties realize what’s at stake by the success—or failure—of effectively sharing cyber threat intelligence.

Panel Discussion 2: “Data Privacy and Security”

  • Greg Silberman, Chief Privacy Officer, Cylance Inc.
  • Pedro Pavón, Senior Managing Counsel, Oracle
  • Robert Ball, Chief Business Development Officer and General Counsel, Ionic Security
  • Moderator: Mauricio F. Paez, Partner and Legal Counselor, Jones Day

An extremely lively discussion erupted from our panelists and attendees about data privacy and security, especially so soon after the California Consumer Privacy Act of 2018 was passed. With GDPR also fresh in people’s minds from its enactment in May 2018, the panelists said it’s tough to talk about US data privacy and security in isolation from the rest of the world. Stronger compliance requirements in the EU are influencing more privacy laws in the US. California may signify the beginning of a federal and state data privacy law wave as we see more, not less, regulation and enforcement.

Some of the panelists argued that the wrong data privacy laws impose a high compliance cost on companies and lead to less innovation. While the EU sees data privacy as a human right and took four years to develop GDPR, California’s law took seven days to develop (although it won’t take effect until January 2020) and seems to target for-profit businesses and consumer transactions. Fines of $7,500 per violation also give the California law teeth. The haste, lack of private sector input, and eagerness to punish companies associated with the California Consumer Privacy Act concerned many conference attendees.

Panelists called for better national information security standards, enforcement, audits, and mandated controls—thinking beyond just data breach notification legislation and legislative standards. GDPR has led the security industry to more holistically change its business models. How should businesses collect data? What is data? Where is it? Business considerations and operational questions are coming to the forefront as the US makes a stronger shift toward data privacy. The California law is a cautionary example of lawmakers needing to understand practical implications before passing legislation because of unintended consequences. In fact, legislators, regulators, customers, and internal employees all need more education about data privacy.

In the meantime, CISOs, CIOs, marketing, and legal all need to have a conversation together to sort out the consequences. One panelist humorously asked the CISOs, “Do you know your lawyer well?” This conversation got the NTSC members discussing how they need to involve more compliance and risk officers in future dialogue and discussion.

Other discussion threads included:

  • No one is talking to product or sales teams. Products often drive security as teams ask, “How do I make what we just did legal?” Companies need to push for security and privacy baked into product design.
  • Even with these new laws, are we providing enough protections for consumers? And are those protections balanced with the needs of national security and protecting critical infrastructure?
  • The companies punished the most are the ones already held to the highest standards, while many powerful and important companies fall outside the purview of existing privacy laws.
  • Attendees talked about how larger companies would have an easier time complying with the California Consumer Privacy Act and how it doesn’t seem to apply as much to companies like Google or Facebook.

Fireside Chat: “The Federal Government’s Role in Cyber Deterrence”

  • Geoff Hancock, Principal, Advanced Cybersecurity Group
  • Lt. General Kevin McLaughlin (Ret.), President, Kevin McLaughlin Associates and former Deputy Commander of US Cyber Command

Current proposed legislation such as the Cyber Deterrence and Response Act of 2018, discussion around active cyber defense, and the shifting roles of the US military in cyberspace are all leading to many questions about our approach to cyber deterrence. General McLaughlin and Hancock began the fireside chat by talking about the difference between cyber deterrence and traditional deterrence. For example, nuclear deterrence was established many decades ago and clearly defined what was being deterred, how we were deterring it, and who was deterring it. Everyone in the military hates fighting a war, and it’s the same in cyberspace.

Like traditional deterrence, we want to deter cyber adversaries by:

  • Hitting back so hard that they will stop.
  • Denying enemies any benefits from attacking.
  • Demonstrating resiliency so that we can counterattack.

Cyber deterrence is not anywhere near as established, although recent federal government efforts have been building up more offensive capabilities. US Cyber Command is creating greater capacity and adding thousands of people to help fight adversaries in cyberspace. We are shifting from a “doctrine of restraint” (a passive, reactive position based on Department of Defense guidance in 2015) to the equivalent in cyberspace of fighter squadrons warding off the enemy.

General McLaughlin and Hancock talked about Russia as an example of an adversary actively targeting our critical infrastructure, meddling in our elections, and possibly planting the seeds for a future cyberattack. Right now, Russia is benefiting from its cyberattacks and we’re not hitting back—a clear example of cyber deterrence not working. Both Russia and China are making particular efforts to find our vulnerabilities and beat us before we can even counterattack.

Cyber deterrence is not IT, and it’s not intelligence. Cyber deterrence is cyber warfare, and it requires a different set of skills. How do we mature these capabilities? Because most critical infrastructure is owned by the private sector, these companies are part of the federal government’s cyber deterrence plan whether they like it or not. What if a nation state takes over a dam? What if a nation state shuts down Wall Street’s electricity? What if a nation state installs malware into a water supply network?

CISOs need to ensure basic cyber hygiene, the ability to share cyber threat intelligence, and communication with the federal government to let them know if something is wrong. In today’s environment, you’re not just a business supporting critical infrastructure. You’re now supporting cyber deterrence.

When asked if the US and private sector are on track to properly secure systems from the attacks of adversaries, both General McLaughlin and Hancock said no. While the NSA, US Cyber Command, and DHS are doing all they can, they’re not currently on track to be successful. Our adversaries are not encumbered by the US Constitution. When Russian or Chinese leadership owns government assets directly, they can employ a mix of military and corporate resources to carry out cyber warfare. That’s their version of “public-private partnerships.”

Conversely, the US DoD can’t control corporations or spy on citizens without cause. Because private companies have rights that companies in Russia or China do not, we instead need to create a national plan that provides the cyber deterrence protection we need. Otherwise, while it probably won’t be a cyber 9/11 that gets us, we will instead experience death by 1,000 cuts.

Interested in participating in next year’s conference, joining our Board, or becoming an NTSC underwriter? Reach out to the NTSC at info@ntsc.org.