At the NTSC’s 2019 Eastern Region CISO Policy Roundtable on April 18, 2019 in New York City, our speakers talked about a range of topics that overall encompassed the theme of preventative cybersecurity strategies that mitigate the risks of cyberattacks. Attendees heard from the Deputy Director of the Department of Homeland Security’s (DHS) newest agency, an NTSC Policy Council member who played a significant role in the aftermath of the Atlanta ransomware attack, and a nationally recognized expert in cyber defense who talked about security automation. This post summarizes some of the key points made during each presentation, all of which led to productive discussion among our CISO and cybersecurity leader attendees.
Matthew Travis, Deputy Director, Cybersecurity & Infrastructure Security Agency (CISA)
Cyber threats remain one of the most strategic risks for the United States, threatening our national security, economic prosperity, public health, and safety. As the lead federal agency responsible for coordinating the protection of our nation’s critical infrastructure from physical and cyber threats, CISA is leading an effort to work with federal and private sector partners to exchange threat intelligence and manage risk.
Matthew Travis spoke about these efforts with our attendees, beginning with the importance of CISA’s recent rebranding that mentions cybersecurity in its name (compared to the National Protection and Programs Directorate). He also assured attendees about the resiliency of CISA, especially after Secretary Kirstjen Nielsen’s resignation. An organization such as CISA that focuses on the resilience of critical infrastructure is also resilient.
CISA protects 16 sectors of critical infrastructure along with focusing on hometown security (such as securing soft targets and crowded spaces), election security, .gov and other non-military government networks, and a few other areas. To more proactively identify risks to critical infrastructure, the National Risk Management Center serves as CISA’s “planning, analysis, and collaboration center working to identify and address the most significant risks to the Nation’s critical infrastructure.”
Travis mentioned that CISA grows increasingly concerned about nation state cyberattacks on our electrical grid and financial services sector (such as the New York Stock Exchange or Georgia’s “Transaction Alley” where 70 percent of all payments are handled). The term “collective defense,” coined by Jeanette Manfra, the Assistant Director for Cybersecurity at CISA, is not just a sound bite. Because most critical infrastructure is owned by the private sector, lines continue to blur between national security and private sector security, and CISOs feel more at a disadvantage fighting asymmetrical attacks, it’s more important than ever for the public and private sector to work together, communicate, and partner.
Travis discussed a few issues such as FBI and CISA collaboration and mission alignment issues, CISA’s budget (which limits its available staff and resources), and ongoing (but steadily improving) issues with DHS’s Automated Indicator Sharing (AIS) program. On the private sector side, bi-directional information exchange continues to be weakened as companies still fail to provide enough information to DHS. CISA really desires to partner with the private sector, and Travis made the case that this relationship creates value for both CISA and the companies that participate.
Discussion also turned to China, 5G, Huawei, and the supply chain. On the one hand, Huawei’s 5G network offers better and cheaper technology than anything currently existing in the United States. However, when the UK recently examined this technology, it found weaknesses that hackers could use to steal data. Because Chinese malicious cyber activity is a top priority of CISA, this 5G technology raises legitimate concerns should it be adopted in the US. This is a high-profile example of the third-party vendor management issues that affect both the federal government and private companies.
Recently, the National Risk Management Center assembled a task force to identify National Critical Functions defined as “functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Based on private sector feedback, these critical functions were separated into four categories: Connect, Distribute, Manage, and Supply. Vulnerabilities and interdependencies exist across the critical functions, so how do we contain any cybersecurity challenges and limit the amount of risk?
The next steps for this task force include creating a Risk Register. According to the CISA website, “By performing risk and dependency analysis and consequence modeling, CISA will identify scenarios that could potentially cause national-level degradation to National Critical Functions. This will result in a tiered Risk Register that prioritizes areas of national risk to critical infrastructure in need of mitigation and collective action. The process for developing the Risk Register will involve representatives from across government and industry and combine analysis, with policy judgment and operational insight.”
Roy Hadley, Attorney & Cyber Practice Lead at Adams & Reese, LLP
In March 2018, the City of Atlanta experienced a sophisticated ransomware attack that made national headlines. The hackers literally held the city for ransom, preventing it from using certain critical databases like those for the judicial system and first responders until the city agreed to pay the hackers to unlock the city’s systems. Attacks like these are becoming increasingly common and serve to demonstrate that state and local governments are vulnerable to cyber threats. Roy Hadley was the lead outside counsel assisting the city in responding to the attack and discussed what happened, lessons learned, and best practices to help prevent organizations from becoming the next headline.
The City of Atlanta was infected with SamSam ransomware that encrypted much of the city’s data. The attackers asked for about $50,000, but Mayor Keisha Lance Bottoms followed cybersecurity best practices and the public advice of the FBI when she decided not to reward criminality. Instead, the city called in cybersecurity experts to help assess the damage, recover systems, and get the city operational again. Hadley, who spent some very long days at the city, talked about aspects of the attack and lessons that CISOs can apply to their organizations.
When assessing the damage, it was important to identify what the ransomware impacted and what it left unscathed. For example, the Hartsfield-Jackson Atlanta International Airport and Department of Watershed Management were mostly unaffected, but areas such as utility billing, court and legal services, and public safety were heavily impacted. While systems were down, city staff lost the ability to file information electronically. Older staff were more comfortable temporarily returning to paper-based methods, but younger staff struggled to carry on with their work, which reduced productivity.
The media widely reported that the city of Atlanta used many legacy systems and had not updated its IT infrastructure in a long time. Public estimates ranged, but it’s safe to say that the ransomware attack cost the city millions of dollars. While an obvious lesson is to always keep one’s IT infrastructure modernized, updated, upgraded, and patched, Hadley shared some additional lessons that may pertain to a CISO’s organization:
1. Rewarding criminality is not a good idea. It is not guaranteed that criminals will decrypt your data, and additional risks crop up when attempting to deal with criminals.
2. Develop a thorough incident response plan. This plan defines not only what you will do in case of a ransomware attack but also how you will communicate. Post-breach communications are essential in the wake of such an attack, and Atlanta fumbled in their public responses. Equifax is also now a classic example of a company’s inability to communicate both internally and externally after a data breach.
3. Conduct tabletop exercises and account for reality. Ideally, organizations should use a cyber range to replicate the reality of how a cyberattack will develop, but tabletop exercises also work well in a limited way. CISOs need to remember that tabletop exercises do not reflect the conditions of a real incident. For example, what if teams work 12-hour days for 15 days in a row? Their decision-making will differ from that of well-rested staff.
4. Create an advisory committee. An advisory committee can offer objective guidance and best practices to ensure that an organization can appropriately respond to a significant cyberattack. For example, the City of Atlanta created a Chief Information Officer Advisory Board that will work with the City of Atlanta Information Management team to advance the technology strategy of the city.
5. Don’t rely on people to do the right thing. Even the best security measures will not prevent that one employee from making a mistake. As a result, organizations need to set up their information security systems assuming an employee mistake will happen. Compartmentalizing networks, patching software, using rigorous antivirus and antispam software, monitoring networks, and backing up data will all help mitigate the consequences of a cyberattack.
6. Learn from others. Remain open to advice from your industry peers and security experts. When you stop learning and evolving your security strategy, you can fall behind and find yourself wide open to a cyberattack.
Dwight Eisenhower once said, “Plans are worthless, but planning is everything.” The process of developing plans is important even if plans go by the wayside during a battle. The same is true for a cyberattack. Atlanta failed to plan, and they paid a high cost.
Kim Watson, Technical Director, Applied Physics Laboratory, Johns Hopkins University
Issues around the current state of cyber defense are well documented. The potential for automation and autonomy to address these issues is openly promoted and marketed—and highly debated. As a member of the Senior Staff at the Johns Hopkins Applied Physics Laboratory and Technical Director for Integrated Adaptive Cyber Defense (IACD), speaker Kim Watson has partnered with and influenced government, industry, academia, and not-for-profits with the goal of advancing the speed and scale of cyber defense. Through demonstrations, experiments, and pilots, the IACD team has learned a lot about the use of automation in cyber defense operations.
Because IACD is based on tenets such as Bring Your Own Enterprise (BYOE), dial-able automation, and actionable information sharing optimized for network defenders, the team’s findings tend to be very practical. This session highlighted aspects of these lessons learned, and attendees discussed strategies for implementing security automation in a manner that serves an organization instead of ending up as just another security capability that organizations are forced to deploy, manage, and report on.
Watson flipped the script on many information security discussions when she said our industry’s issues are not a people problem. So much talk exists about the cybersecurity talent shortage, but she argued that we don’t have enough people whom we could throw at our problems to fix them. Instead, we face an automation problem. The scale and speed of information security has grown so much that only automation and orchestration can handle these issues in a way that ensures consistency and rapid decision making.
A big difference exists between security automation (machine-based implementation of tasks) and security orchestration (machine-based implementation of processes—or synchronization of decisions and tasks), and Watson clarified that definition. It’s an important distinction because while cybersecurity automation can make security tasks more efficient, orchestration can make security processes more efficient. And when the two are combined with business objectives, they can make security operations more effective.
Watson also talked about an automated response action benefit vs. regret matrix. Benefit refers to the value an organization gains from mitigating risk when the response is warranted, while regret refers to the harm the business suffers if the automated response turns out to be wrong. Organizations tend to be comfortable with high benefit / low regret response actions (such as blocking or removing malware), but low benefit / low regret response actions also offer many opportunities for automation. Low benefit / low regret response actions would include gray areas such as blocking a suspicious IP address or an unauthorized website. As Watson says, “You don't have to be right, as long as you are not sorry.” For such response actions, even if your intelligence is faulty, the negative impact on business from taking that specific response action is very low.
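One way to turn the benefit / regret matrix into an orchestration gate, written as an added example for this summary rather than code from IACD or the speaker: each response action carries a benefit and a regret score, and a playbook step may run unattended only when the regret that remains after discounting by intelligence confidence is small. The action catalogue, the scores, the thresholds, the confidence discount and the protected-network guardrail are all constructed assumptions that go beyond the matrix as described in the talk; the core rule it encodes is the one Watson states, that low-regret actions can be automated even when the intelligence behind them may be faulty.

```python
"""Benefit/regret gating for automated response actions (illustrative).

Added example, not IACD or NTSC code. Scores, thresholds and the
protected ranges below are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Decision(Enum):
    AUTO_EXECUTE = "auto_execute"      # run the playbook step unattended
    HUMAN_APPROVAL = "human_approval"  # queue for an analyst to sign off
    REJECT = "reject"                  # guardrail hit; never run as proposed


@dataclass(frozen=True)
class ResponseAction:
    name: str
    benefit: float  # 0..1: value gained when the underlying intel is right
    regret: float   # 0..1: harm to the business when the intel is wrong


# Constructed action catalogue; the numbers are illustrative assumptions.
CATALOG = {
    "quarantine_known_malware": ResponseAction("quarantine_known_malware", 0.9, 0.1),
    "block_suspicious_ip": ResponseAction("block_suspicious_ip", 0.3, 0.1),
    "block_unauthorized_site": ResponseAction("block_unauthorized_site", 0.2, 0.1),
    "isolate_host": ResponseAction("isolate_host", 0.9, 0.7),
    "disable_user_account": ResponseAction("disable_user_account", 0.6, 0.9),
}

AUTO_REGRET_LIMIT = 0.25    # residual regret we are willing to absorb unattended
HARD_REGRET_CEILING = 0.8   # above this a human signs off even on perfect intel
# Assumed guardrail: block actions aimed inside these ranges are rejected.
PROTECTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def residual_regret(action: ResponseAction, confidence: float) -> float:
    """Regret left after discounting by how likely the intel is to be right.

    Faulty intel on a low-regret action costs little, which is why such
    actions can run unattended regardless of confidence.
    """
    if not 0.0 <= confidence <= 1.0:
        raise ValueError("confidence must be in [0, 1]")
    return (1.0 - confidence) * action.regret


def target_is_protected(target: str) -> bool:
    """True when an IP target falls inside a range the business depends on."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False  # not an IP literal (e.g. a URL); no network guardrail
    return any(addr in net for net in PROTECTED_NETS)


def gate(action_name: str, confidence: float, target: str = "") -> Decision:
    """Decide whether a playbook may run this action without a human."""
    action = CATALOG[action_name]
    if action_name.startswith("block_") and target_is_protected(target):
        return Decision.REJECT
    if action.regret > HARD_REGRET_CEILING:
        return Decision.HUMAN_APPROVAL
    if residual_regret(action, confidence) <= AUTO_REGRET_LIMIT:
        return Decision.AUTO_EXECUTE
    return Decision.HUMAN_APPROVAL


def triage(proposals):
    """Route a batch of (action, confidence, target) proposals to decisions."""
    return {(a, t): gate(a, c, t).value for a, c, t in proposals}


if __name__ == "__main__":
    # Constructed sample proposals, as a SOAR playbook might emit them.
    sample = [
        ("block_suspicious_ip", 0.2, "203.0.113.7"),    # weak intel, low regret
        ("block_suspicious_ip", 0.99, "10.1.2.3"),      # guardrail: internal range
        ("isolate_host", 0.5, "workstation-42"),        # moderate regret, unsure
        ("isolate_host", 0.95, "workstation-42"),       # same action, strong intel
        ("disable_user_account", 1.0, "j.doe"),         # regret too high to automate
    ]
    for key, decision in triage(sample).items():
        print(f"{key[0]:26s} {key[1]:16s} -> {decision}")
```

The shape of the output is the point: the weakly supported IP block still runs unattended because being wrong costs almost nothing, while isolating a host is automated only when the intelligence is strong, and disabling an account always waits for a person. Tuning the two thresholds and the catalogue scores is where the "benefit / regret" conversation with business owners happens.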
Currently, security investments are weighed down by manual security processes. If organizations learn how to make more rapid decisions using the various benefit / regret approaches, powered by automation and orchestration, then their security posture will strengthen. Automation can also help with the time element of cyberattacks. When did an attack happen? How long has a threat been in your environment? What was the duration of an attack? Watson asked, “How can you respond to a cyberattack if you never detect it?” Arguing that we need to automate as much of a SOC as we can, Watson posed the question, “How do we rapidly move forward and build the automation that’s required?” Instead of spending 80 percent of your time focused on 20 percent of your problems, Watson believes the right security program facilitates automation and orchestration so that CISOs spend more time on the right things.
The National Technology Security Coalition (NTSC) provides a platform for CISOs to advocate for beneficial legislative and regulatory cybersecurity policies. Interested in adding your voice to the national cybersecurity dialogue as a CISO, underwriter, or contributing expert? Check out our events calendar for upcoming roundtables, learn more about the NTSC, and contact us about ways you can contribute.