Rising Tides and Higher Stakes – High Performance Counsel Interview with Chuck Brooks

The specifics of a security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic abilities for critical communications in cases of emergency.

What are the new Cybersecurity Stakes – What are vulnerabilities and risks?

We live in world of algorithms; x’s and o’s. Our digital world is ripe for access and compromise by those who want do harm from just a laptop and server. A myriad of recent breaches have demonstrated that as consumers we are becoming more and more dependent upon digital commerce. Our banking accounts, credit cards, and financial daily activities are interconnected. We are all increasingly vulnerable from hackers, phishers, and malware proliferating across all commercial verticals.

In the past year, the employment of ransomware has become a method of cyber-attack choice by hackers. This is because many networks (especially hospitals, utilities, universities, and small businesses) are comprised of different systems, devices and often lack required patching and updating necessary to thwart attacks. The recent Wannacry, and Petya attacks were certainly wake up calls to the disruptive implications of ransomware. We can expect to see more such attacks because of the ease of infection and because the vulnerabilities to networks still remain.

Ransomware is not a new threat, it has been around for at least 15 years, but it has become a trending one. Experts estimate that there are now 124 separate families of ransomware and hackers have become very adept at hiding malicious code. Success for hackers does not always depend on using the newest and most sophisticated malware. It is relatively easy for a hacker to do. In most cases, they rely on the most opportune target of vulnerability, especially with the ease of online attacks.

More ominous are the Distributed Denial of Service attacks (DDoS). Tech Target provides a succinct definition of A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems. The connectivity of the Internet of Things (IoT) and its billions of connected devices is conducive for DDoS activities. In 2016 a DDoS attacks were launched against a Domain Name System (DNS) called Dyn. The attack directed a variety of IoT connected devices to overload and take out internet platforms and services.

Consider the dire and eye opening facts: Hackers attack every 39 seconds and around one billion accounts and records were compromised worldwide last year. There are estimates that global Cybercrime damage costs will reach $6 trillion annually by 2021. Cybercrime is growing exponentially and so are the risks.

What are the cybersecurity challenges and how do we protect ourselves?

McKinsey & Company and the World Economic Forum published a joint paper a couple of years back projecting that ineffective cybersecurity will result in a cost to the global economy of three trillion dollars by 2020. That estimate may be even greater now that IoT has expanded so rapidly along with the attack surfaces constituted by so many billions of connected devices to the internet. A Gartner report predicts more than 20 billion connected things to the internet by 2020 that can be hacked or compromised. Clearly, it is almost an insurmountable task to monitor and protect IoT. It is also very difficult challenge to keep up with the increasing sophistication of the socially engineered threats and threat actors.

A security strategy to meet these growing cyber-threat challenges needs to be both comprehensive and adaptive. It involves people, processes, and technologies. Defined by the most basic elements in informed risk management, cybersecurity is composed of:

  • Layered vigilance (intelligence, surveillance);
  • Readiness (operational capabilities, visual command center, interdiction technologies);
  • Resilience (coordinated response, mitigation and recovery).

The specifics of a security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic abilities for critical communications in cases of emergency. These guidelines are represented in the NIST mantra: “Identify, Protect, Detect, Respond, Recover”.

Recently, the # CyberAvengers (of which I am a member along with cyber experts Paul Ferrillo, Kenneth Holley, George Platsis, Shawn Tuma, George Thomas, and Christophe Veltsos) published a basic cyber-hygiene formula in Brink News (http://www.brinknews.com/cyber-hygiene-and-government-industry-cooperation-for-better-cybersecurity/) that provides a god 9 point checklist for cyber protection:

1) Update and patch your networks, operating system and devices promptly. “Critical” is “critical” for a reason. Do it within 72 hours of release.

2) Train your employees on how to detect spear-phishing attempts and what best social media practices are. Quarterly training can reduce the risk by up to 90 percent in most cases.

3) Use multifactor authentication. We have effectively reached the age of password uselessness due to our poor habits. Passwords slow down bad guys who do not know what they are doing. Biometric solutions are great, but proceed with caution if you go this route because you now have data management and privacy concerns that must be addressed.

4) Back up regularly (daily if feasible). Where possible, use the “1, 2, 3” backup rule: 1. a segmented backup on-site; 2. one off-site; and 3. one in the cloud. No need to pay the ransom if you have a clean backup ready to be uploaded to your system.

5) Be cautious with older systems. Yes, older systems can be repaired. However, the upfront capital cost is not always affordable. The critical issue becomes support (patches) for these system stops. If these systems are past their “patch life” they become tempting targets for hackers.

6) Follow-on to the last point, sometimes the best answer is the cloud. Cloud service providers have state of the art hardware and software and cloud migrations have become easier, especially over the last two years. The cloud is not a savior—it comes with other issues, such as needing to learn what your obligations and responsibilities are, ensuring you have robust agreements with your vendors, and knowing what third-party sources will have access to your information.

7) Know how your intrusion detection and prevention system works. Is it signature-based? Perhaps it is behavioral-based? Maybe it is both? New cyber threats require new tools. This is where machine learning, cognitive computing, AI, automation, and orchestration all come into play (but only when done in tandem with all other techniques discussed here). Internet data traffic has reached the stage where humans aren’t able to do this on their own.

8) Consider a Managed Service Provider (MSP) or a Managed Security Service Provider (MSSP). Cybersecurity is not everybody’s strength, but one ransomware attack could be crushing. There are options out there to help you. Sure, it costs money, but you are buying peace of mind. Do your homework and find the right solution for you.

9) Do you drive your car without insurance? Cyber insurance is not mandatory yet, but it may be in the future. Chances are if you are doing a lot of what is suggested here, premium payments will be at the lower end.

A successful cybersecurity will also require integration of emerging technologies for identity management, authentication, horizon monitoring, malware mitigation, resilience, and forensics. Automation and artificial intelligence are already impacting the capabilities in those areas.

Cybersecurity capabilities in information sharing, hardware, software, encryption, analytics, training and protocols, must keep pace to protect and preempt the increasingly sophisticated threats in both the public and private sectors.

Where does your cybersecurity perspective come from?

My perspectives on both cybersecurity and homeland security come from my experience in the policy arenas in Washington, DC. In my early career I worked almost seven years for the late Senator Arlen Specter. In this role I covered technology and national security issues and spend my days writing and promoting legislation and meeting with constituent companies with interests in those areas. This was beneficial because it gave me a ground view of how things work in Washington, DC. And interacting with what I term “The Four Pillars”; Government, Academia, Media, and Industry on a daily basis.

My first deep dive into cybersecurity was at the Department of Homeland Security (DHS). I was one of the first people onboard and helped set up both the Office of Legislative Affairs and later served as the first Director of Legislative Affairs for the Science & Technology Directorate. Initially, CBRNE (chemical, biological, radiological, nuclear and explosive) threats were the primary focus of DHS. But as the digital world and connectivity evolved, so did the security mission. Presidential directives and Congressional mandates elevated DHS to play a primary role in the civilian side of government for cybersecurity. Cyber intrusions and threats from malware and hackers required restructuring of priorities and missions.

Each passing year since its inception DHS has to step up capabilities in assessing situational awareness, information sharing and resilience research and development plans with the stakeholders to mitigate risk and protect critical infrastructure. I have stayed close to many of my former colleagues both inside and outside of government who have been steering the DHS mandates.

I was also fortunate to teach at the Johns Hopkins University (SAIS) campus for two years a course called “Congress and Homeland Security.” It added a new perspective for me on the implications of policy, especially in the privacy areas. It also contributed to my understanding of how academic and policy institutions an really impact on programs, budgets, and priorities in the milieu of Washington, DC.

What I have concluded from publishing over 150 articles, numerous speeches, and as working as a Subject Matter Expert is all areas of homeland security and cybersecurity, is that security outcomes really depend on a three tiered formula. 1) You need the innovation and expertise from the technical and engineering people in government and industry. 2) You need the business and policy perspectives to integrate management approaches and to commercialize technologies, and 3) you need evangelists to explore, communicate, and help provide vision for all connected to the internet to understand and meet the challenges of world of algorithms; x’s and o’s. I try to dabble in all three tiers, but focus primarily on evangelism.

Also available on LinkedIn