19 May 2018 (Athens, Greece) – The start of my conference year is in Lille, France at the International Cybersecurity Forum (for my coverage click here), and that kicks off 30+ technology events I attend each year on artificial intelligence, cyber security and the technology-media-telecommunications ecosystem.
I cannot attend everything … damn! … so I rely on my brilliant media team. And this past week we saw three major cybersecurity law events in the U.S. so my team had to be on top of their game:
- Georgetown Law’s Cybersecurity Law Institute
- the Harvard-MIT Cybersecurity Conference
- the Logikcull/ACEDS “Corporate eDiscovery and Cybersecurity User Group”
Each of those events had high value for different reasons and I will have more detailed comments on each event (with video interviews) in the coming weeks but just a few points:
- the Georgetown event receives “Pride of Place”. In my U.S.-based cyber security and intelligence community networks this event is always referred to as “the cyber event you need to attend”. I credit the Georgetown Law brains behind the event … Dean Larry Center, Lisa Fthenakis, Whitney Gurner and team … and the chair/organizers: Christina Ayiotis, Harriet Pearson and Kimberly Peretti. Their marketing material does not lie: the insights on preparedness, resilience strategies and solutions for the cyber issues you face on a daily basis are astounding.
- the Harvard-MIT event was especially notable this year because Melissa Hathaway, who served presidents George W Bush and Barack Obama as a top cybersecurity adviser, was the principal speaker and she had a lot to say about cyber studies and executive orders.
- and rounding out the list are the brainiacs at Logikcull who focused on e-discovery and information governance, two interrelated data-intensive processes that can be either low-hanging fruit for cybercriminals or a first line of defense for protecting a company’s most sensitive information. And after that massive e-discovery document review hack in D.C. last year, quite timely.
So this will be a bit of a mashup from all three events because there were several common themes across all of the venues.
1. Everything is hackable. Deal with it.
For the cyber security vendors who made presentations at these events, that was a major theme. They seemed to break it down as follows:
1. everything is hackable
2. cybersecurity is the practice of minimizing intrusions into our digital affairs
3. two basic truths:
(a) you can usually prevent most individuals from gaining access to your “data valuables” with a bit of reasonable effort and expense
(b) but you usually can’t prevent those with the right tools and experience from bypassing even the most sophisticated alarm system
And we have plenty of studies to tell us what needs to be done for cyber security, yet we still are stymied because companies do not seem to have a “commitment to action” to employ the right resources — people, time, and money — to execute these recommendations. Probably, as one vendor noted, “it is far easier to study and recommend than it is to do.” A key aspect of this is approaching the problem from a risk management perspective. And one corporate counsel rejoined “no way anyone can execute all of these recommendations pouring forth. It takes a risk assessment to prioritize actions and then a disciplined, resourced, time-bound execution plan that actually gets implemented”.
2. What the “WannaCry” ransomware attack taught us.
Needless to say, I suppose, but comments on the “WannaCry” attack seemed to be on everybody’s bucket list. WannaCry was an example of the insecurity of legacy systems. It’s not that “new” internet infrastructure is insecure and “old” technologies are proven. Much of computing and the internet is already “old”. But there’s a life cycle to technology. “New” systems are more resilient (able to adapt to an attack or discovered vulnerability) and are smaller targets. Older legacy systems with a large installed base, like Windows 7, become more globally vulnerable if their weaknesses are discovered and not addressed. And if they are in widespread use, that presents a bigger target.
This isn’t just a problem for Windows. Sebastian Benthall … a data scientist at Ion Channel, an AI software/cyber startup … sent me a long paper which I just started parsing and his point is that similar principles are at work across many data/software ecosystems. The riskiest projects are precisely those that are old, assumed to be secure, but no longer being actively maintained while the technical environment changes around them. The evidence of the WannaCry case further supports his view.
3. Enough with the executive orders, already!!!
This was a pet peeve of Melissa Hathaway, but it was echoed by several speakers at these events. Hathaway took aim at Trump’s recent cybersecurity order:
This will require every agency to dedicate precious and shrinking resources – time and personnel – to develop these plans, delaying and possibly distracting these agencies from their current cybersecurity activities and operations.
Hathaway provided a table that lists the new executive order’s 14 requested reports, deadlines to complete the studies, lead agencies overseeing the studies and the recipients of the reports:
Report | Timeframe | Lead Agency | Recipient |
---|---|---|---|
Risk Management Report (using NIST Framework) | 90 Days | All Agencies | OMB |
Governmentwide Risk Assessment | 150 Days | OMB with support from DHS, DoC, GSA | Assistant to the President for Homeland Security and Counterterrorism (APHSCT) |
Modernizing Federal IT – Shared IT Services | 90 Days | DHS, OMB, GSA, DoC | Director, American Technology Council |
Modernizing Federal IT – Shared IT Services for National Security Systems | 150 Days | DNI and DoD | Assistant to the President for National Security Affairs (APNSA) and APHSCT |
Supporting and Engaging Section 9 Entities – Cybersecurity Risk Management | 180 Days (report annually) | DHS with others | APHSCT |
Market Transparency for Critical Infrastructure Entities | 90 Days | DHS and DoC | APHSCT |
Increase Resilience to Automated Distributed Threats (Botnets) (Draft Report) | 240 Days | DoC and DHS | Public Report |
Increase Resilience to Automated Distributed Threats (Botnets) (Final Report) | 365 Days | DoC and DHS | POTUS |
Assessment of Electric Sub-sector Incident Response Capabilities | 90 Days | DOE and DHS | APHSCT |
Risks to Defense Industrial Base, Including Supply Chain | 90 Days | DoD, DHS, FBI with support from DNI | APNSA and APHSCT |
Strategic Options for Deterrence | 90 Days | DoS, Treasury, DoD, AG, DHS, and USTR | APNSA and APHSCT |
International Cybersecurity Priorities | 45 Days | DoS, Treasury, DoD, DoC, DHS, AG, FBI | POTUS |
Engagement Strategy for International Cooperation | 135 Days | DoS | APHSCT |
Cybersecurity Workforce Strategy | 120 Days | DoC and DHS, with support from Labor, Education, OPM | APHSCT |
Cybersecurity Workforce Strategies of Other Nations | 60 Days | DNI | APHSCT |
Cyber Capabilities Assessment | 150 Days | DoD | APHSCT |
One speaker on cybersecurity strategy noted that, yes, modernizing government IT is desperately needed and is consistent with congressional initiatives. It is essential that we clean up our infected infrastructures. But we already have initiatives in place, and what they need is continuity, not another round of reports.
I want to end with a few comments by Brett Williams, the ex-Air Force Major General I noted above. He made numerous points but let me just highlight two areas which he felt were especially “Board worthy”:
- End of Life (EOL) software
- patching
EOL Software.
Typically, a company runs EOL software because they have a critical application that requires customized software that cannot run on a current operating system. This situation might force you to maintain an EOL version of Windows, for example, to run the software. In the instance of WannaCry, Windows XP and 8 in particular were targeted. Boards should be asking what risks we are taking by allowing management to continue running EOL software. Are there other options? Could we contract for the development of a new solution? If not, what measures have we taken to mitigate risks presented by relying on EOL software?
Other times companies run EOL software because they do not want to pay for the new software or they expect an unacceptable level of operational friction to occur during the transition from the old version to the new. Particularly in a large, complex environment the cross-platform dependencies can be difficult to understand and predict. Again, it is a risk assessment. What is the risk of running the outdated software, particularly when it supports a critical business function? If the solution is perceived as unaffordable, how does the cost of a new solution compare to the cost of a breach? Directors should also ask where we are running EOL software and why.
Patching.
Software companies regularly release updates to their software called patches. The patches address performance issues, fix software bugs, add functionality, and eliminate security vulnerabilities. At any one time, even a mid-sized company could have a backlog of hundreds of patches that have not been applied. This backlog develops for a variety of reasons, but the most central issue is that information technology staff are concerned that applying the patch may “break” some process or software integration and impact the business. This is a valid concern.
In the case of WannaCry, Microsoft issued a patch in March that would eliminate the vulnerability that allowed the malware to spread. Two months later, hundreds of thousands of machines remained unpatched and were successfully compromised.
Directors should ask for a high-level description of the risk management framework applied to the patching process. Do we treat critical patches differently than we treat lower-grade patches? Have we identified the software that supports critical business processes, and do we apply a different time standard to patches there? If a patch will close a critical security vulnerability, but may also disrupt a strategic business function, are the leaders at the appropriate level of the business planning to manage disruption while also securing the enterprise? Have we invested in solutions that expedite the patching process so that we can patch as efficiently as possible?
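The two board questions above (do critical patches get a shorter clock, and do EOL hosts get handled as a separate risk rather than left in the patch queue) can be turned into a concrete triage rule. The script below is an added example, not Brett Williams’ material or anything from the conferences: it applies an SLA table keyed on asset criticality and patch severity to a constructed inventory, marks EOL operating systems for compensating controls instead of waiting on a patch, and orders the backlog so the most overdue exposures surface first. The SLA day counts, the EOL list, the host names, and the `PATCH-2017-0420` identifier are assumptions made for the example; MS17-010 and its March 2017 release are the patch the text refers to.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum days allowed to apply a patch, by asset criticality and patch severity.
# Assumed policy values for this example; a board would set its own.
PATCH_SLA_DAYS = {
    "critical": {"critical": 7, "high": 14, "medium": 30, "low": 90},
    "standard": {"critical": 14, "high": 30, "medium": 60, "low": 180},
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Operating systems treated as past vendor end of life (EOL) in this example.
EOL_OS = {"Windows XP", "Windows Server 2003", "Windows 8"}


@dataclass(frozen=True)
class Finding:
    host: str
    os: str
    criticality: str  # "critical" if the host supports a critical business function, else "standard"
    patch: str        # vendor patch identifier
    severity: str     # vendor severity of the vulnerability the patch closes
    released: date    # date the vendor published the patch


@dataclass(frozen=True)
class Triage:
    host: str
    patch: str
    deadline: date
    days_overdue: int
    action: str


def triage_finding(f: Finding, today: date) -> Triage:
    """Apply the SLA table to one finding and decide the action for it."""
    sla_days = PATCH_SLA_DAYS[f.criticality][f.severity]
    deadline = f.released + timedelta(days=sla_days)
    days_overdue = max(0, (today - deadline).days)
    if f.os in EOL_OS:
        # Patching cannot be the plan of record: vendor fixes are not guaranteed for EOL software.
        action = "EOL OS: isolate host, apply compensating controls, fund replacement"
    elif days_overdue > 0:
        action = "OVERDUE: escalate to business owner with a disruption plan"
    else:
        action = f"on schedule: {(deadline - today).days} days remaining"
    return Triage(f.host, f.patch, deadline, days_overdue, action)


def prioritize(findings, today: date):
    """Order the backlog so the worst exposures come first: most overdue,
    then highest vendor severity, then hosts supporting critical functions."""
    pairs = [(f, triage_finding(f, today)) for f in findings]
    pairs.sort(key=lambda p: (-p[1].days_overdue,
                              SEVERITY_RANK[p[0].severity],
                              p[0].criticality != "critical"))
    return [t for _, t in pairs]


# Constructed inventory for the example. MS17-010 is the March 2017 Microsoft
# patch the text refers to; the other patch identifier and all hosts are made up.
SAMPLE_FINDINGS = [
    Finding("hr-app-03", "Windows 7", "standard", "PATCH-2017-0420", "medium", date(2017, 4, 20)),
    Finding("kiosk-07", "Windows XP", "standard", "MS17-010", "critical", date(2017, 3, 14)),
    Finding("fileserver-01", "Windows Server 2008 R2", "critical", "MS17-010", "critical", date(2017, 3, 14)),
]
WANNACRY_DAY = date(2017, 5, 12)  # the day the worm began spreading

if __name__ == "__main__":
    for t in prioritize(SAMPLE_FINDINGS, WANNACRY_DAY):
        print(f"{t.host:14} {t.patch:16} due {t.deadline} overdue {t.days_overdue:3}d  {t.action}")
```

Run on the sample as of 12 May 2017, the file server carrying a critical business function is 52 days past its 7-day clock for MS17-010, the XP kiosk is 45 days past a 14-day clock but is routed to compensating controls because no vendor patch can be assumed for an EOL system, and the Windows 7 host with a medium patch still has 38 days. That is the shape of answer a director should expect to the "different time standard" question: a table, not a count of open patches.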
Have a good weekend.