Cybersecurity Gets Real: Insights from the TAG / NTSC Active Cyber Defense Challenge
“The cavalry isn’t coming.”
Those were among the first words heard at the November 13 Technology Association of Georgia (TAG) and National Technology Security Coalition (NTSC) Active Cyber Defense Challenge event (presented by Lynx Technology Partners), and they drove home the point that surviving a serious cyberattack means relying on the strength of your own planning. Patrick Gaul, Executive Director of the NTSC, mentioned “muscle memory” in his opening comments—the kind of training that teaches U.S. Marines to walk through an ambush despite the chaos surrounding them. Active cyber defense requires a similar kind of muscle memory, which many of our panelists and speakers have built over their careers while responding to real cyberattacks.
To kick off the event, a group of distinguished panelists talked about the concept of active cyber defense and its implications for companies. These panelists included Maj. Gen. Patricia A. Frost (Ret.), former Director of Cyber, Office of the Deputy Chief of Staff, U.S. Army; Franklin Donahoe (former CISO at Mylan Pharmaceuticals and member of the Lynx Technology Partners Board of Directors); Steve Pugh (CISO of Ionic Security and NTSC Advisory Council member); and moderator Suzanne Kelly (CEO & Publisher, The Cipher Brief).
(L-R: Franklin Donahoe, Steve Pugh, Maj. Gen. Patricia A. Frost (Ret.), Suzanne Kelly)
Panel Discussion Highlights
During the wide-ranging conversation, a few themes emerged related to active cyber defense, the role of the CISO, and the cybersecurity responsibilities for even non-technical C-level executives.
- Cyber threat intelligence sharing is a national security issue that needs help from both the public and private sectors: Nation-state hackers are, in a sense, operating on American “soil,” and that aggressive activity requires a response. This year, the White House, DoD, DHS, US Cyber Command, and other federal agencies have directed efforts toward a more aggressive cyber posture to deter adversaries. Underneath the daily headlines, the federal government quietly does great work in this area, remains focused on its mission, and continues to build out both offensive and defensive cyber teams. However, the federal government cannot connect the dots to protect the country unless information flows freely between the public and private sectors.
- Cybersecurity education lacks technical depth: The panelists noted that too few cybersecurity job candidates bring hands-on technical knowledge, and this hurts the industry. Cybersecurity courses often lack this technical grounding, and a disconnect exists between many degree and certification programs and the experience organizations actually need. We need more technical training and alternative ways to teach people, such as micro-degrees. Technical knowledge strengthens an organization’s active cyber defense strategy, and its absence weakens the organization’s security posture.
- CISOs need to transcend their legacy skills and step up as leaders: The legacy skillset of many CISOs lies in security operations, and it’s easy for them to stay preoccupied with tactical tasks in that area. They need the confidence to delegate commodity tasks and instead focus on proactive strategy related to security policy and threat intelligence. It’s vital that they explore public-private partnerships and join an ISAC or another information-sharing group. “The unknown” is the CISO’s biggest fear and challenge, and they need more cyber threat information (not less) to address it. Panelists also noted that CISOs need to understand how building a threat capability relates to their assets, thinking beyond the CIO’s asset inventory: understanding the business architecture and the underlying data architecture is what leads to understanding one’s assets.
- Business leaders must become cybersecurity thought leaders: While boardrooms have become more educated about cybersecurity, it’s still not enough. Panelists noted that we are a digital country with digital companies, yet we’re not thinking through the impact of security vulnerabilities: we prioritize digital transformation but not security. Businesses need to see vulnerabilities as a threat to business imperatives, and CEOs of large companies (especially those heading critical infrastructure companies) need to become thought leaders on cybersecurity. Return on security investment (ROSI) and risk avoidance need more discussion at the C-level; business leaders seem to understand P&L but not the business of security. For those who resist, panelists suggested that penalties written into company policy need to be heavier, such as fines or the threat of dismissal. We need to wake up the workforce and let them know, unambiguously, that they are part of a company’s, and the nation’s, safety and security.
- More standards are needed around cloud security: While cloud providers are doing a much better job now than in recent years, it’s still difficult for them to demonstrate proof of their security. Panelists suggested that more standards are needed for cloud providers, especially for off-the-shelf products.
- Active cyber defense is preferable to “hacking back”: Despite some public appetite for “hacking back,” panelists suggested the private sector should not conduct offensive operations. One panelist noted that companies tend to be wrong about 90% of the time when attributing an attack to a particular adversary. The discussion of “hacking back” versus active cyber defense carried into the tabletop exercise.
Active Cyber Defense Tabletop Exercise Exposes the Difficulty of Acting in a Cyber Crisis
Before the tabletop exercise started, Geoff Hancock (Senior Fellow at the George Washington Center for Cyber and Homeland Security and CEO of the Advanced Cybersecurity Group) walked through a few important definitions.
- Passive defense, which describes much traditional cybersecurity and most current security products, means waiting until you’re attacked before you act. It’s a purely reactive mindset.
- Hacking back means accessing another party’s systems without authorization and with malicious intent, which currently violates the Computer Fraud and Abuse Act.
- Offensive cyber operations are military operations in cyberspace.
- Active cyber defense is a proactive defense strategy that relies on highly responsive, highly resilient cyber teams with access to relevant, contextual cyber threat intelligence, and includes the use of denial and deception tactics that confuse and deter attackers.
With such a wide variety of attendees, Hancock, as the tabletop exercise leader, said the scenario would be broad, non-technical, and industry-agnostic. Attendees were assigned to teams representing a fictional company (Lockray), the White House, the FBI, the State Department, and the Navy. After attendees were assigned roles within their groups, they were given information about a data breach. Over the course of the exercise, the situation evolved and grew more dire. Once the exercise concluded (and the chaos subsided), attendees shared insights that apply to many businesses. A few of these insights from attendees, panelists, and Hancock included:
- Prepare and test an incident response plan. Practice the kill switch.
- If the government takes over your network, you are still running a business. You need a playbook in case this happens.
- Make sure legal advice is integrated into your plan. Do you have the authority to take certain actions?
- Conduct proactive IT work related to cybersecurity.
- A crisis communications plan needs a chain of command and must help protect the CEO.
- Create relationships with the government, especially local FBI contacts. Invite the FBI and others to your tabletop exercises. The first time you talk to the FBI should not be after a breach.
- Conduct an IT asset assessment. What are your assets? What are you trying to protect? What’s your coverage?
- Set up a fusion cell.
While the cavalry may not be on its way, attendees found that a well-prepared active cyber defense strategy and incident response plan that leverages public-private partnerships not only improves the security of a CISO’s company but also strengthens national security. We encourage every company to conduct tabletop exercises in partnership with the public sector as a way to prepare for a cyber incident and address weaknesses in its cybersecurity posture.