During a wide-ranging interview on a recent episode of “Through the Noise”—a business podcast led by hosts Blake Althen and Ernesto Gluecksmann—our Executive Director, Patrick Gaul, talked about many important cybersecurity issues and trends of interest to CISOs and the NTSC.
Here are some of Patrick’s most interesting insights from the discussion (edited for clarity). Go to Through the Noise to hear the entire interview.
On the industrial internet of things…
The International Society of Automation is very concerned about industrial control systems (ICS) and how those can be hacked. There are plenty of examples, such as the electricity unit that got hacked in the Ukraine at the end of 2015 by the Russians—all from a computer—which left 90,000 homes without electricity for about 36 hours. When you insert malware into these systems, you really mess them up.
IoT security is a big concern for everybody because 85% of all critical infrastructure in the United States is privately owned. How is it being secured? There’s this intersection between information technology and operational technology. Years ago, those were two separate things. Now, we get hacks such as someone hacking a third-party provider that allowed them in because there was an intersection between the HVAC and the point of sale.
Think about this in terms of the possibilities for cyberespionage down the road. There’s a case of a company that manufactured turbines for large airplanes that got hacked by the Chinese. A major component got stolen and it went up on the Chinese market three months later at 30% of what it cost the German company to manufacture that turbine and put it on the market.
On national data breach notification…
What happens when a company gets breached? Today, there are 47 states that have individual laws. Who do I notify? How soon do we have to let them know we got breached? How soon do we have to let our customers know? How do I have to let them know? Electronically? Letter? Call them? What do I have to do after that? Do I have to give customers credit card monitoring for a year? 18 months? 2 years? Do I have to follow up and update them as things develop?
Those are all notification costs, and the U.S. has the highest notification costs in the world. The cost per record for a healthcare data breach is about $385. If you look at Target and the hundreds of millions of dollars they spent on their breach, consider how much of that was spent on indirect costs.
While the attorney general in every state will tell you that he or she is in the best position to determine how to protect their consumers, the number of state data breach laws is financially damaging to the multinational corporations that have to deal with this complex set of rules. Plus, you have the Virgin Islands, Guam, Puerto Rico, and the District of Columbia with laws. And then you must deal with federal authorities. If you’re a healthcare provider, then you must deal with HIPAA. If you’re a communications provider, then you must deal with the FCC. If you’re a financial services provider, then you must deal with the Gramm-Leach-Bliley Act. So many regulations.
As a result, Congress has been debating national data breach notification legislation for nearly a decade. The NTSC wants to leverage the voice of 60 CISOs and encourage Congress to look at this from the standpoint of business instead of the standpoint of individual states. What’s best for American business?
On the intrusion prevention export embargo…
We currently have an embargo on the export of intrusion prevention software because it got bundled into this thing called the Wassenaar Arrangement, which involves weapons exports. Because of this agreement signed by 41 countries, intrusion prevention software is considered a cyberweapon and you can’t export it. For an example of its impact, a quick-service restaurant like McDonald’s that has international locations can’t use the same software to protect its businesses in London that it’s using in Minneapolis.
On the encryption debate…
Shooting incidents in Orlando or San Bernardino have led us to the question, “Is your privacy more important than the ability to protect lives?” Once you start compromising privacy and start opening the door for the government to access devices like smartphones, it’s a slippery slope. On the other hand, if someone came to you and said there was a dirty bomb in New York City and we could save 200,000 lives by backdoor access to an iPhone, what would you do?
The FBI will tell you we’re going dark with encryption because of recent political events. The number of people who are signing up for encrypted email has tripled. But other people like Peter Swire would tell you we’re in a Golden Age of Surveillance and that the FBI has more ways to see people than they’ve ever had before.
Yet, people on the other side of the debate point out that modern encryption is nearly hack proof. Encryption like AES256-GCM (which is similar to NSA-level encryption) means that a company offering that level of encryption has zero knowledge—with zero access to the unencrypted keys or unencrypted data. Only the customer has access. So now the FBI comes to the company and says, “We need access to this information.” All they can say is, “Here’s the server.” Good luck. No one has ever cracked AES256-GCM and it’s likely no one ever will until quantum computing gets on its feet. And even then, maybe. So, going dark is the ability for not just me but for ISIS or other bad actors to totally encrypt their data.
On individuals as the first line of cybersecurity defense…
The first line of personal or corporate cybersecurity defense is people. And we don’t have a culture of security awareness in this country. If there’s a fire drill, what are we all going to do? We’re going to run to the exits. If you’re working at a construction site, you’re going to wear a hard hat. There’s a culture of safety. Why don’t we have that same kind of sense and awareness when we’re engaged in the cyberworld? Why do we consistently click on attachments that say your Netflix account has been blocked, so click on this link to log in and give us your details?
Before you know it, you’ve downloaded malware, infected your computer, and locked your own data. Then, you have a choice of paying the bitcoin or going down to Geek Squad to have them completely wipe your computer. Or, you just downloaded something that puts malware onto your corporate network that quietly sits there and gathers information over a period of time. Think about the Yahoo hack and how long it took to download hundreds of millions of files.
CAs, SSL, and TLS are not very viable for most corporations. They have to use a much higher layer of security. Hackers are very, very patient. They only need to find one vulnerability in your corporate network, leaving corporations to constantly patch and fill multiple holes. Today, perimeter fences aren’t enough. Hackers are excellent at getting inside the corporate network. I recently met with someone from a big consulting company and he was telling me how they still conduct exercises within the corporation to see how many people will click on a malicious link. More than 20% of people will click on that link. One of our missions is to try to help reduce those threats by driving more awareness.
On “security fatigue”…
“Security fatigue” is like battle fatigue. NIST recently wrote a paper about it and found that people are just worn out. We’re doing a lot of great things designed to help protect our infrastructure and government entities. But the bad guys are extraordinarily patient and only have to find one tiny vulnerability to exploit.
For example, you walk into a building and you see a thumb drive. You put it into your computer because you want to find out who it belongs to so you can return it. And…you just downloaded malware into your entire network. That happens at corporations every day. In a great book called Hacking Exposed: Industrial Control Systems, the authors talk about an example of someone who comes in for a series of interviews. On a break between interviews, he goes off by himself to grab a cup of coffee. As he goes around the corner he sees the printer control room, unplugs a cable, attaches a device, plugs it back in, and now has access to the entire critical infrastructure network. This seems like Mission Impossible but it happens every day.