Cyber Initiatives
A digital magazine brought to you by The Cyber Initiatives Group
What to Expect from the New National Cyber Security Strategy: A Conversation with National Cyber Director Chris Inglis
Predicting Cyber Challenges in 2023
In Case of Cyber Emergency: Break Cyber Structure
“What if a transgressor in this space had to beat all of us—to beat one of us?”
The Cyber Initiatives Group brings together extraordinary talent from multiple professional fields to share best practices for today's new cybersecurity environment.
Learn more at cyberinitiativesgroup.com
“The Cipher Brief’s Cybersecurity Summit unquestionably ranks with the very best of the numerous cyber conferences in which I have participated. The level and range of expert dialogue are always unmatched, and the agenda unerringly focuses attention on the issues that are most critical to government and the private sector. Beyond that, the expert-led sessions and simulation exercises do a wonderful job of providing the audience insights into the thinking of policy makers and consistently spotlight the gaps in our cyber organizations’ authorities, resources, and capabilities.”
—Gen. David Petraeus (Ret.), former Commander of the Surge in Iraq, US Central Command, and Coalition and US Forces
2 — Cyber Initiatives Group Magazine
A Welcome from CIG Founder Suzanne Kelly
Welcome to the Cyber Initiatives Group’s inaugural digital magazine. It’s an exciting opportunity for The Cipher Brief to highlight our focus on cybersecurity and national security and specifically, on how The Cyber Initiatives Group (the CIG) aims to change the way we collaborate when it comes to cybersecurity. After years of covering this space, first as an Intelligence correspondent and later, as the founder, CEO & Publisher of The Cipher Brief, it’s obvious to me that much of the reason why we haven’t moved the needle quickly enough on strengthening cybersecurity over the past several decades, is because not enough people are paying attention. Not enough of us are paying attention to how sophisticated phishing attacks have become. Not enough boards are paying attention to the seriousness of the risk that cyber breaches pose to their enterprise and not enough of us in general, are educating ourselves about basic cyber hygiene.
For many of us, this all still feels foreign. It even has a language many of us don’t understand. Let’s change that because like it or not, thanks to the rapid evolution of technology, our children and their children will be living in a world very different from our own. So, how do we get started?
The CIG’s number one priority is to educate. We don’t do that by preaching, we do it by listening. The CIG convenes quarterly virtual summits with cyber leaders across a variety of disciplines who bring deep public and private sector experience to the conversation.
We make it easy to sit at your desk in the office, in your dorm room, or on your living room sofa, and hear from the experts about what’s top of mind and more importantly, what they’re doing about it. We also partner with other organizations that have similar goals and academic institutions that are shepherding the next generation of cyber leaders, diplomats and warriors.
Some of our principals and experts are former directors and deputy directors of the National Security Agency, the CIA and the ODNI. Some are the quiet engineers, mathematicians, social scientists, analysts, and strategic thinkers who are figuring out how to solve the complex challenges that come with this new world we’re living in.
To date, we’ve welcomed thousands of attendees to our summits. Now, we’re sharing what’s top of mind for our principals and experts in the CIG Magazine. Please feel free to share and reach out with your own ideas.
This mission requires collaboration and it’s one where we—as a community—will demonstrate that competition and collaboration can and must co-exist. When it does, we’re all stronger. Read more on that concept in our feature interview with National Cyber Director Chris Inglis, who posed the question at the recent Cipher Brief Threat Conference: “What if a transgressor in this space had to beat all of us—to beat one of us?”
Suzanne Kelly
Founder, The Cyber Initiatives Group
Meet Our Principals
Kelly Rozumalski, Senior VP, Booz Allen Hamilton (Exclusive Knowledge Partner)
Kelly Bissell, CVP, Microsoft
Contents
What to Expect from the New National Cyber Security Strategy: A Conversation with National Cyber Director Chris Inglis
Q&A with Rick Ledgett
Our Greatest Cyber Vulnerability | Jon Darby
Q&A with Frank Cilluffo
Watching but not Waiting: Vigilance, Diligence, and Resilience on Cybersecurity | Debora Plunkett
Our Greatest Cyber Challenge is that of Execution | Steve Hill
Q&A with Paolo Dal Cin
Our Biggest Cyber Vulnerability
Data-Driven Cybersecurity is a Superweapon | Greg McCullough
Six Steps Every Organization Can Take to Reduce Cyber Risk in Their Supply Chain | Jim Rosenthal
Q&A with Matt Hayden
Opinion: Partisan Bills Hurt Cybersecurity | RADM Mark Montgomery (Ret.)
Q&A with Suzanne Spaulding
Predicting Cyber Challenges in 2023 | Teresa Shea
The Cyber Wild West | Walter Pincus
Q&A with The Honorable Susan Gordon
In Case of Emergency: Break Cyber Structure | Lauren Zabierek
SENIOR EDITOR | Suzanne Kelly
DESIGN AND LAYOUT | Jana Rose
CONTRIBUTORS | Frank Cilluffo, Paolo Dal Cin, Jon Darby, Annie Fixler, The Hon. Susan Gordon, Matt Hayden, Steve Hill, Chris Inglis, Rick Ledgett, Greg McCullough, RADM Mark Montgomery (Ret.), Walter Pincus, Debora Plunkett, Jim Rosenthal, Teresa Shea, Suzanne Spaulding, Lauren Zabierek
Visit us at cyberinitiativesgroup.com to learn more about the opportunities available at CIG.
Register for the 2023 The Cipher Brief Threat Conference
Join The Cipher Brief and national security leaders from government and the private sector as we engage in exercises and expert-led conversations on national security issues. Cipher Brief sessions are expertly crafted and focused on ways the public and private sectors can most efficiently work together to address key national security challenges. Visit tcbconference.com to learn more today. Find out more about how your company can become a sponsor by downloading the sponsorship kit at tcbconference.com/sponsorship
What to Expect from the New National Cyber Security Strategy: A Conversation with National Cyber Director Chris Inglis
The US could see a new National Cybersecurity Strategy within days or weeks, depending on how quickly the process in Washington moves, according to comments made by National Cyber Director Chris Inglis at The Cipher Brief Threat Conference this past October. Inglis’ goal is ambitious: create a strategy that will help bolster cyber defense of critical infrastructure, strengthen the cybersecurity of US government networks, counter and deter cyberattacks against Americans and US entities, strengthen cyber cooperation with allies and partners, and support development of post-quantum encryption.
Director Inglis spoke with Cipher Brief CEO & Publisher Suzanne Kelly at the 2022 Cipher Brief Threat Conference about what he describes as the “tough” new strategy, which will reportedly greatly expand the government’s role in the security of cyberspace.
The director also talked candidly about what he’s learned during his time at the Office of the National Cyber Director (ONCD), the importance of evolving public-private partnerships and what he sees for the future.
His interview immediately followed an appearance by the Head of the Office of the President of Ukraine, Andrii Yermak, who addressed the conference on the same day that Russia launched a barrage of missile attacks against Ukrainian cities. Ukraine, of course, has been the target of Russian cyber operations as well, for years, and has often been seen as a ‘testing ground’ for new cyber weapons.
National Cyber Director Chris Inglis addressed The Cipher Brief Threat Conference in October 2022.
NATIONAL CYBER DIRECTOR CHRIS INGLIS — Thank you for the opportunity to hear the Ukraine session that we just did. I must say, I probably speak for all of us when I say how humbled and inspired I was by what we just heard.
Many of us in the work that we do vis-a-vis cyber sometimes feel like we’re being cast about on some kind of trackless sea and that we’re fated to suffer certain consequences. In no way, shape or form did we just hear a country talk about fate, they talk about choice. They’re quite intentional about declaring what their future should be and they’ve taken this by the horns and they’re moving forward. Who amongst us could demonstrate any lack of resilience and robustness in declaring what we will choose to do to make sure that the future is what it must be?
To that end, I have some opening remarks about where we are today at the office of the National Cyber Director. We’re on version 6.0 of the organization and we’ve been growing like Moore’s Law every quarter. Version one was just me, for the better part of a month. Version two was three of us for another month and so on and so forth, and here we are, a year later. We’re sitting at about 65 people in the White House. It’s not about the organization, but it just gives you a sense that we’re big enough to now begin to sponsor initiatives to do the work that we set before us. We’re of course, too small to be an operational organization, and I’ll speak a little bit more about that later.
I was going to offer up front, perhaps in a somewhat Socratic way, three framing questions, and then put that in a larger context.
The first framing question is, given that we’re all here to discuss cyber, what if a transgressor in this space had to beat all of us, to beat one of us? What if that were true?
Second, what if it were finally true that we put cyber in its rightful place, meaning we subordinated it to our larger interests, the things that we want to do in cyberspace? What if we did this as opposed to thinking about cyber for its own sake, thinking about it as a silo that we develop and deliver so that we have bragging rights at the water cooler about how clever, cool and brilliant our digital infrastructure is?
And what if, as a third matter, we got up in the morning and did not obsess about threat and obsessed about the positive aspirations we have in and through cyberspace? What if we re-imagined what we were thinking about in the 1990s, when we thought that the introduction of ARPANET, MILNET, the internet, and cyber was brilliant to the point where we could do things we could never have considered before?
If we take those three questions and reverse them in order and make them declarative statements, I think that begins to constitute the choice we must make going forward following in the brilliant example of the Ukrainians. What is it we want the future to look like and are we willing to actually bring that about?
Choice one is do we in fact have positive aspirations for the use of digital infrastructure? Is that what we get up in the morning and think about? If that becomes true, then we should be prepared to make the investments necessary to deliver that, not let it take its own course, not let market forces alone or fate alone, render where we’re going to go with this too.
Two, we should then think about the role of cyberspace not as a thing in its own right. Remember what Jeff Moss [the person behind both Black Hat and DEFCON] would say: race cars have bigger brakes, not to have bigger brakes, but to go faster. If we think about the role of cyber as being something that delivers the outcomes that individuals and societies want — the delivery of critical functions, the ability to do banking and so many other things — then I think it becomes a matter for all of us. It’s not just those who have the words cyber IT show up in their job title, but all of us have a role to play.
And if we then do that, if we make the investments necessary that it delivers on our positive aspirations, we get a defensible architecture, but by no means a secure architecture. In an architecture that’s comprised of technology, people who are in it and doctrine, which is a component of it, roles and responsibilities have to be specified. Then we get an architecture that’s defensible but not secure. It must be defended and at that moment, we have to choose how we defend it.
Do we continue to have a division of effort approach, or do we have a collective approach to my first question, which is really the third issue of do we make it such that a transgressor has to beat all of us to beat one of us?
The strategy — and we are, at the moment, writing a US national cyber security strategy — that emerges from that, has two misnomers: one, it can’t just be a US strategy. That’s what we can speak for, but it has to work in an international domain.
And two, the second misnomer, is it’s really not about cybersecurity. It’s about delivering the full fruits and promise of the internet and of cyberspace. But that strategy is based upon two premises.
One, that resilience by design cannot any longer be discretionary. We have to actually step in and determine what we want the internet to do for us and we have to invest in roles and responsibility definition, getting people up to speed and making sure that technology is bent to that purpose. And, when what results then as a defensible architecture is given to us, we have to defend that as a collective collaborative endeavor. We can no longer afford to do that as a division of effort.
Ukraine has shown us that defense can be the new offense. Ukraine has shown us that you can in fact defend yourself even in and through cyberspace by essentially doing what’s required to invest sufficient resilience and robustness. By no means do they have a perfect digital infrastructure. It’s full of challenges, possibly some days full of Russians.
But it’s shown us that you can take that defensible architecture and if you use agility, if you use audacity, if you understand what it is you want that to do and deliver, and if you participate in a collective defense where many nations and the private sector and the public sector together challenge the Russians to beat all of us to beat one of us, you can in fact achieve your aspirations in and through cyberspace as much or more as in and through your physical domains and your society.
I don’t exist for cyberspace. I exist because of cyberspace, and we need to make sure that we bend it to do what we want it to do for us in all the most positive ways.
(This interview has been lightly edited for length and clarity. You can find the full interview on The Cipher Brief’s YouTube Channel.)
Cyber Initiatives Group VIRTUAL SUMMIT SERIES
CIG Principals and Experts share insights on how cyber is playing into geopolitical events, public-private partnerships, cloud, emerging innovation, and critical infrastructure. Find out how to register for 2023 Summits at cyberinitiativesgroup.com.
Here’s what you may have missed at our Winter Summit:
Russia’s Next Move | With Gen. Keith Alexander (Ret.), former Director of the NSA
What Do We Do Now with All This Data? | With The Honorable Susan Gordon, former PDDNI
The New Critical Infrastructure Challenge | With RADM Mark Montgomery (Ret.), former Executive Director, Cyberspace Solarium Commission
Save your seat at the virtual table
Q&A with Rick Ledgett
Former Deputy Director, NSA / CIG Principal
One thing that I’m watching is the activities of the Russian government around the Ukraine invasion, and in particular cyber activities. In a recent blog post, Microsoft attributed ransomware activities directed against Ukraine and, significantly, Poland to the GRU, Russia’s military intelligence (and information operations) organization. This was significant because the GRU targeted organizations in Poland that were involved in logistics and transportation, presumably to interfere with their activities in support of the movement of supplies and weapons to Ukraine. It is a shift in targeting that may presage more intrusive and widespread cyber actions by Russia. There are some unknowns here, although I can make some assumptions. First, there is no indication of whether any of the organizations affected by the ransomware tried to pay the actors and decrypt their data. If they did, I would be surprised if the actor responded and even more so if they were actually able to decrypt their data. One of the advantages to a “ransomware” deployment is that it masks the actor, which is undoubtedly in Moscow’s interest as it makes it harder for NATO to invoke Article 5 (an attack on one is an attack on all). Second, there is a lack of certainty in terms of future targeting. If this is viewed by the Russians as successful, will they continue their efforts, and perhaps expand them? My take is that they would, and that expansion would extend beyond the primary targets to secondary or even tertiary targets. This might include transportation and logistics entities in other NATO countries like Germany, the Baltics, or even the UK. It could also include private equity firms that own companies involved in supplying Ukraine.
ABOUT RICK
Rick Ledgett served as the Deputy Director of the National Security Agency from January 2014 until his retirement in April 2017, culminating a nearly 40-year career in cryptology at NSA and in the U.S. Army. He previously led the Media Leaks Task Force, the Agency’s response to the Snowden leaks. He was the first National Intelligence Manager for Cyber at the Office of the Director of National Intelligence, and he directed NSA’s 24/7 cyber threat operations center.
What’s top of mind for you in cyber right now and why?
Our Biggest Cyber Vulnerability
Jon Darby
Network vulnerabilities come in many forms and as a result, there is a growing industry to discover those vulnerabilities and develop solutions to mitigate them. But there is one vulnerability that we are not addressing sufficiently - one that all networks have in common and affects how networks are designed, developed, implemented and used. That vulnerability is us.
Human behavior is at the heart of the entire life cycle of networks. We must find a way to comprehensively mitigate this vulnerability and although we can’t devise a perfect solution, since people are imperfect beings with different interests when it comes to capabilities and behaviors, we can, and must, do better.
Let’s start at the beginning. The time is right for a national cybersecurity education campaign, not just in elementary schools, but also in high schools, colleges, tech schools and workplaces not only to grow cybersecurity literacy and awareness, but also to grow our nation’s cybersecurity capability and depth at all levels of society.
Basic cybersecurity awareness is rapidly becoming a necessary life skill for everyone who uses network connected devices which, let’s face it, is all of us. Aside from building awareness, a concentrated education campaign will also help accelerate the growth of cybersecurity skills and capacity.
Mr. Darby is a CIG Expert and nearly 39-year veteran of the U.S. Intelligence Community, primarily in the National Security Agency (NSA)/Central Security Service (CSS), culminating in serving over four years as the NSA/CSS Director of Operations (DO). Prior to assuming the DO position, which oversees all of NSA’s collection, code-breaking, analysis and production of signals intelligence (SIGINT), he led some of NSA’s most difficult missions. He managed a budget in the billions, drove development and use of advanced technologies, and in multiple positions led thousands of globally distributed civilian and military personnel providing intelligence support.
Hardening, managing and monitoring networks is absolutely critical, and government, industry and academia are investing millions of dollars, if not more, to do just that. It’s essential investment and risk management for any network owner. Much of this is out of the hands or even the view of network users, which is a good thing. Leave the complicated “technical stuff” to the pros and make the network user experience as friendly and simple as possible. But cybersecurity capabilities being user friendly does not mean they are not susceptible to flawed human behavior that could render moot the technical solutions.
Cyber Initiatives Group Magazine — 13
Organizations are investing in cybersecurity awareness training for employees. Many are also putting in place accountability measures if an employee is found to not be following appropriate cybersecurity procedures. But despite this, how many times have we heard that a particular cyberattack could have been avoided if someone had resisted the urge to click on that phishing link?
Given the increasing interconnectedness of our world, we need our entire population to understand cybersecurity risk and awareness. It needs to be foundational to how we operate on a daily basis, not that “technical stuff” that is left to the “technical folks,” but something that is fully integrated into operational, risk management and investment decision making. It needs to be “baked into” the thought processes of every individual at every level of an organization.
Unfortunately, this mindset is not widespread across our nation and will not occur overnight. This is why we need to take the long-term view. Investment in today’s elementary school students is investment in tomorrow’s CEOs, government and academia leaders who will be making decisions affecting our way of life.
Cybersecurity is not a government, industry or academia problem, but a whole-of-society problem. While significant progress has been made over the last several years, we must do more. Let’s get serious about addressing the enduring cybersecurity vulnerability posed by humans so we can be better postured throughout our society and protect our way of life. Let’s understand our biggest cyber vulnerability and address it.
Meet the Principals | Kelly Rozumalski
Senior Vice President, Booz Allen Hamilton / Exclusive Knowledge Partner
• Leads Booz Allen Hamilton’s national cyber defense business with focus on protecting critical infrastructure, safeguarding connected devices (e.g. medical devices), securing the supply chain, and defending the federal enterprise against cyber threats
• Supports the core missions of national clients, including the CISA and the FBI
• Consulting Magazine named Kelly a 2021 Woman Leader in Technology, honored for Excellence in Innovation
Q&A with Frank Cilluffo
Director of the McCrary Institute for Cyber & Critical Infrastructure Security, Auburn University
1. What’s top of mind for you in cyber right now and why?
China, China, China . . . and Russia. No secret here; the Communist Party of China has been very vocal about China’s intentions to be a global cyber superpower. Not only is China investing in its cyber capabilities, it has also demonstrated time and again, that it is unwilling to play by the rules. Looking beyond their advanced cyber capabilities, it is hard to overstate the risk to our supply chains. Whether it is semiconductor chips or other critical components and technologies, the risk to our national and economic security is significant and left unchecked, could become debilitating. Keep in mind that China is our nearest peer-competitor and challenger across the board (militarily, economically, and so on) and you can’t look at cyber in isolation from the larger geopolitical backdrop. All of this taken together makes China the one to watch. Pulling on a similar thread, the Russia-Ukraine war is also a concern when its cyber dimension is placed in broader context. There we see the return of geostrategic maneuvering and manipulation in the worst possible way. Relatedly it’s worth asking if the sanctions imposed on Russia as a result of its war against Ukraine have had a real impact on ransomware operators—since many of the major perpetrators operate out of Russia and are provided safe haven there. While it may be a little too early to discern the data on that, it would also be interesting to know whether ransomware (and cybercrime more generally) rises or falls in a time of economic downturn.
2. What will you be watching for most in the next six months?
How things will shape up on the Hill after the departure of multiple cyber-titans from Congress. Representatives Langevin and Katko and Senator Sasse have demonstrated exemplary leadership and expertise which has played an instrumental role in driving cyber policy into law. Now that Congress is finally having real impact in this area the question is, who will pick up the mantle to continue leading the charge? At this stage, we need serious leadership on oversight and on budgeting (after all, policy without resources is rhetoric) to make sure that important policies will succeed in their implementation. Pivoting to the other end of Pennsylvania Avenue, we should also keep our eyes open for the upcoming release of the National Cyber Strategy. It’s expected to be comprehensive in scope, but the real test will lie in translating its nouns into verbs in order to achieve actual operational impact.
3. What will be the next big drivers of the evolution of public-private partnerships?
Everyone recognizes that the private sector is an enormously important piece of the puzzle, but we need to act that way and not just say it. Taking the public-private partnership (PPP) to the next level requires building ever-greater confidence on both sides of the equation, because trust is the coin of the realm. Yet trust takes a long time to build and can evaporate in a nanosecond. Fighting side by side in the same foxholes, addressing the same challenges, will move us in the right direction—and the Joint Cyber Defense Collaborative (JCDC) is a positive development. That experience of public-private partnering will help form an increasingly strong foundation for enhanced cooperation. With industry on the front lines in so many critical settings and taking an increasingly important role (such as in the space domain), the need to evolve PPPs becomes ever more pressing. One tool for getting us closer to where we need to be is the new Department of Energy National Strategy for Cyber Informed Engineering (CIE). The idea here is to promote cybersecurity by design; and in order to maximize our potential for reaching that goal, industry (along with educators and innovators) was heavily involved in the crafting of the Strategy. A product that truly reflects the expertise of the private sector is a good step toward meaningful PPP.
ABOUT FRANK
Frank J. Cilluffo serves as Director of Auburn University’s McCrary Institute for Cyber & Critical Infrastructure Security. He has decades of national and homeland security experience derived from working inside and outside government including serving as a Special Assistant for Homeland Security to President Bush in the White House, immediately following the 9/11 attacks on the US. He recently served as a commissioner on the Cyberspace Solarium Commission and chaired a handful of committees for the Homeland Security Advisory Council on economic security, cybersecurity and counterterrorism. He has testified before Congress dozens of times and has published extensively in major media.
Watching but not Waiting: Vigilance, Diligence, and Resilience on Cybersecurity
Debora A. Plunkett
In the past year, the cybersecurity landscape has been rich with new partnerships, timely security guidance and remediations, and collaboration across all sectors. Simultaneously, we have seen a continued uptick in intrusions, attacks, supply chain breaches, ransomware demands, and public disclosures.
In fact, while it could be said that we are in a static state as it relates to the use of novel, more sophisticated and lethal cyber tools, the volume and impact of the use of cyber tools continues to grow exponentially.
While cyber has played a role in geopolitical conflicts as evidenced by the Russia-Ukraine war, it has been minimally employed in advancing large-scale strategic objectives. One might conclude that we are in a static state in cybersecurity, but now is no time to let our guard down. Well-resourced and capable malicious actors are still worth watching carefully. We must remain not only vigilant, but determined and resilient, as the use of cyber capabilities to satisfy a myriad of objectives continues apace.
In the mid-2000s, when cyber intrusions were first accelerating in pace and intensity, a frequently used formula for conveying the impact and potential for cyber attacks to be successful was that 85% of attacks were the result of exploiting known vulnerabilities for which there were existing known solutions. The message then, was that if we would only invest in applying these solutions, we could then spend scarce resources in not only addressing new mitigations for classes of vulnerabilities, but also in developing and delivering solutions to the remaining 15% of the attacks—the novel, more sophisticated and seldom, if ever, seen exploits with no known solutions.
Debora Plunkett is Principal of Plunkett Associates LLC and sits on the corporate boards of CACI International, Nationwide Insurance, BlueVoyant and Mercury Systems. She is the former Director of the National Security Agency’s Information Assurance Directorate and is a founding member and Chairman of the Board of Defending Digital Campaigns.
Fast forward to today.
While it remains true that most attacks today are exploiting known weaknesses (largely enabled by humans), there have been more novel attack strategies that have presented new challenges to cyber defenders. These include supply chain breaches which have opened the door for more pervasive, widespread, and impactful attacks. Also included are the uptick in the investment in discovering and deploying zero-day exploits, with China emerging as one nation state with significant investments and stated intentions in this area.
The security community’s response to the continued growth in the volume of attacks has been to collaborate more, partner across sectors, speak transparently about risks and emerging threats, and address the potential attacks by bringing government and private sector resources to bear.
Unlike any other time in the lifecycle of cybersecurity, private sector organizations are uniting to bring their best capabilities together to assess and develop solutions for tough cyber challenges. These partnerships are genuine and encouraging, as the skills shortage in cyber security means the best talent is often disbursed across multiple organizations.
Like no other time in the past, competitors in the cybersecurity field are openly praising the work and partnership of others. Alliances are being established and matured as the cyber community realizes that the strength of our response is contingent not on the capabilities of one, but on the contributions of all. It is critical that these alliances continue to flourish.
The U.S. government, likewise, has increased its efforts to collaborate both across government and with the private sector.
The strengthening of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), both in substance with designation of additional resources to this mission, and in leadership, has resulted in a stronger front line for the USG’s engagement with industry.
Similarly, collaboration across the USG is manifest, as evidenced by published security guidance on a myriad of security topics, often co-authored and/or sponsored by multiple USG departments or agencies.
This collaboration takes advantage of the cybersecurity expertise that exists in several organizations while acknowledging established authorities.
Examples include multi-organizational publications on control systems, co-authored by NSA and CISA; guidance on vulnerabilities exploited by the PRC, co-authored by NSA, CISA and FBI; and information on tools targeting SCADA devices, co-authored by DOE, CISA, NSA and FBI.
The outcome is win-win certainly for the USG but more importantly, for the cybersecurity ecosystem which needs the best that the whole of government has to offer to stay in the game.
Collaboration between government and industry continues to prove to be a worthy investment in time and talent. Relationships of trust between some elements of government and industry are not new. However, the rapid increase in demand for cyber solutions and recovery options has demanded a more fulsome approach to these partnerships.
While there has been some movement on more sharing, particularly from government to industry, there remain opportunities to share more relevant, sensitive cybersecurity information within government and with industry partners to both enhance trust and create additional opportunities for breakthrough developments to address tough cyber problems.
This challenge must continue to be worked to take full advantage of the strength of the cybersecurity community.
Cyber as a means for criminal, geopolitical, and social activities is here to stay. It is most important that those in the fight to protect and defend networks, data, and the privacy of citizens, are armed with the best talent, tools and intentions. Collaboration with all stakeholders is critical to having a fighting chance of winning in cyber. Now is not the time to watch and wait, but rather to keep a watchful eye on malicious cyber actors and nation-states who have declared their intentions; leverage the full capacity of the USG to predict, identify, and mitigate cyber acts, and finally to expect the need to recover and be prepared to do so.
Vigilance, diligence, and resilience are critical to winning in cyberspace.
How to Prepare Today for Cyber Threats from China
Disruptive cyberattacks by the People’s Republic of China (PRC)* are a growing threat to U.S. national security. Organizations need to understand what sparks these attacks. They need to anticipate risks. And they need to be ready to counter these threats. That’s why our cyber threat intelligence team wrote a new study on PRC cyberattacks called Same Cloak, More Dagger: Decoding How the People’s Republic of China Uses Cyberattacks.
In this report, the team put together more than a dozen case studies from the past decade. They then analyzed these attacks to reveal their logic. Finally, they created tools to help organizations prepare for this threat. These tools include:
• A framework for anticipating and interpreting China’s cyberattacks
• Insights and actionable advice for threat analysts and chief information security officers (CISOs)
• A catalog of threat actors and tactics
• Factors that increase the likelihood that PRC cyberattacks will target or impact organizations
China uses cyberattacks below the threshold of war to coerce its rivals. For instance, it has targeted American critical infrastructure to deter U.S. involvement in Asia. China’s cyberattacks can affect government agencies, global corporations, and small businesses—either directly or via cascading risks.
As tensions rise between China and Taiwan, it’s crucial to understand when, where, and how these attacks may occur—and how they might affect global supply chains. Cybersecurity teams can get ahead of future threats. There are clear steps that threat analysts and CISOs can take. All U.S. critical infrastructure entities—and businesses with global interests—should prepare by strengthening their security and resilience.
*Note: Consistent with U.S. policy, this report uses “People’s Republic of China” (PRC) and “China” interchangeably. Statements about “China’s” actions, intentions, capabilities, and responsibility for cyberattacks refer only to the government of China.
ADVERTISEMENT
Our Greatest Cyber Challenge is that of Execution
Steve Hill
The cyber dimension to the war in Ukraine has been a revelation. The presumption of offensive advantage and the old tropes (“when, not if…”) no longer convince.
The cybersecurity orthodoxy of the last decade has been one of worsening threat trends. We have noted the growing capabilities, agility and ambition of cyber adversaries, whether governmental, criminal or activist. Scaremongering, always a viable sales tactic in the security industry, has been the norm.
Ukraine has highlighted another, equally important, trend. Cybersecurity professionals may not have discovered a magic bullet, a transformative new technology that will eliminate cyber risk, but they have incrementally learnt the right cocktail of measures. In aggregate, these have shifted the balance of advantage away from the bad guys. We have listened and learnt to recognise what good cybersecurity looks like. We understand how to invest sensibly in governance, awareness, and technologies to build a risk-based, data-driven, multi-layered defensive approach. Most importantly, a focus on cybersecurity has been supplanted by an emphasis on operational resilience. Prevention measures, which will never be unimportant, are increasingly complemented by investment in response and recovery.
Steve Hill is Chief Information Security Officer (Head of Strategy) at Credit Suisse. He was previously CISO for the Investment Bank and Americas; global head of Operational Resilience; and head of Technology, Cyber and Third Party Risk. Before joining Credit Suisse in 2017, Hill spent over thirty years in the UK Government, including a variety of national security roles at the Foreign and Commonwealth Office and as deputy director, with responsibility for aspects of UK Government cyber security policy, at the National Security Secretariat of the Cabinet Office. Steve is a visiting senior research fellow at the War Studies Department of Kings College, London.
The success of Ukrainian cybersecurity measures in preventing Russian offensive measures from playing a decisive role in the war points to some clear lessons beyond the importance of pervasive basic cyber hygiene, among the most compelling of which might be:
1. Strategic and tactical intelligence in guiding cybersecurity investment: the Ukrainian government understood their enemy, and clearly learnt from the lessons of the 2016 cyber attacks on their power infrastructure and the wider 2017 NotPetya wiper attacks; and then in 2022 companies such as Recorded Future quickly fed them actionable tactical intelligence.
2. Agility and innovation: the rapid switch to secure cloud data storage or the adoption of the Starlink network bolstered data and digital resilience.
3. Public-private partnerships: from commercial cloud providers and threat intelligence providers to Western government military and intelligence agencies.
4. Culture: the unification of all players behind a single well-understood purpose (perhaps the most important of all the above).
As we move into 2023, our collective challenge is no longer one of grappling with various nuanced interpretations or frameworks around cybersecurity best practice. Nor of onboarding the latest and glitziest AI-powered technology. It is the challenge of execution.
The commitment to enhancing cybersecurity and resilience demonstrated by Ukraine (perhaps one might also point here to the banking industry, albeit this has been driven in no small part by regulatory pressure) needs to be extended across all our critical national infrastructures. We can no longer tolerate the happy fragility of the last few decades.
There will be more major incidents. The outcome will not be perfect. But the optimum direction of travel is now clear.
Meet the Principals | Stuart Solomon
President, Recorded Future
• Leads the intelligence research, analysis, sales and marketing, services, enterprise and product security, and client delivery functions for Recorded Future
• Served as the CTO for Optiv and held various leadership roles at iSIGHT Partners and Bank of America
• Advisor and investor across the cybersecurity industry
• Currently a senior officer in the Air National Guard, focused on cyber operations
Q&A with Paolo Dal Cin
Global Lead, Accenture Security
What’s top of mind for you in cyber right now and why?
We are hearing four consistent concerns from organizations across all industries and geographies.
First, geopolitical shifts are creating new risks prompting organizations to reexamine their areas of exposure. At the same time, inflation and supply chain interruptions are stressing business operations. As a result, CEOs and security leaders are asking how they can improve cybersecurity and risk management while simultaneously managing costs long-term.
Second, recent supply chain attacks revealed the potential vulnerability of the increasingly interconnected systems that are now critical to business. This is driving organizations to ask for help in understanding their true risk footprint, including third- and ‘Nth’-party suppliers.
In addition, increasing regulatory and shareholder expectations are adding complexity and challenging organizations to clearly articulate how they are managing risk and programmatic goals. Regulations around data sovereignty, privacy, cybersecurity and incident breach notification in particular vary across jurisdictions and industries. As a result, organizations are trying to understand how to grow business while navigating challenging and sometimes conflicting expectations.
Finally, with an estimated 3.4 million workers needed to close the industry workforce gap globally, organizations are looking for more creative and effective ways to fill cyber roles and retain talent. One example is apprenticeships, which widen the talent pipeline and help organizations become more diverse—which in turn fuels innovation. It’s also critical for organizations to help their people succeed by creating dynamic career pathways and investing in growing future leaders.
What will you be watching for most in the next six months?
How organizations around the world respond to shifts in the geopolitical landscape and the resulting cyber threats will be critical. As always, we will closely monitor any new zero-day vulnerabilities and cyber incidents involving third parties, especially those that may affect critical systems. We will also track how regulations and shareholder expectations change the way organizations communicate their risk management efforts—including how they energize and enable the C-suite to be active in this mission. In addition, we’ll be looking to help organizations retain, grow, and strengthen cyber talent—as well as how they move quickly to encourage cooperation between public and private sectors.
What will be the next big drivers of the evolution of public-private partnerships?
Geopolitical forces will drive allied countries’ efforts to share more information across sectors and borders. We already saw the seeds of this being planted with Russia’s invasion of Ukraine. While several highly regulated sectors share cyber threat intelligence and incident information within and across information security teams, more critical industries will share intelligence within their sectors, and this will be supported by government investment. This broadening of cross-sector sharing will set the stage for information security teams and C-suite members to engage more with their peers on cybersecurity.
Cybersecurity is a team sport. It requires collective action to improve cyber resilience for public and private organizations. As part of that effort, we believe forward-leaning organizations will begin considering cyber resilience as part of their ESG framework because it’s vital to making the world safer now and for future generations.
ABOUT PAOLO
Paolo Dal Cin brings more than 20 years of experience to C-Level leadership at the largest organizations in the world. He oversees the full spectrum of cybersecurity services across the globe and is a member of Accenture’s Global Management Committee. Previously, Paolo led Accenture’s Security Business in Europe. He is a Principal Member of the Cyber Initiatives Group.
Data-Driven Cybersecurity is a Superweapon
BOOZ ALLEN HAMILTON / EXCLUSIVE KNOWLEDGE PARTNER PERSPECTIVE | Greg McCullough
Today, organizations are operating cyber, privacy, and security workstreams within many silos, which in turn cause inefficiencies. Driving an integrated, enterprise-wide, risk-based approach is a function vital across the mission, with workflows that can inform modernization throughout the organization.
Data-driven cybersecurity is an integrated approach that provides risk-based observability, a holistic perspective that gives stakeholders visibility across the enterprise while providing insights tailored to the organization’s priorities. This agile approach goes beyond tools, controls, and remediation to give security and network operations a predictive, proactive posture.
It is a revolutionary shift from today’s reactive stance. With the complexity of today’s infrastructure and applications, current cyber operation tools make it practical only to record events, not interpret them. Current tools alone do not equip analysts to understand what happened, who was affected, and how the problem can be fixed. Nor do they provide insight into the chances of impending threats in a particular area.
In contrast, data-driven cybersecurity combines focused data management with automation to integrate and process data, extracting insights and delivering intelligent alerts—delivering holistic cyber defense. Stakeholders receive operational visibility into the entire enterprise so they can not only record events, but also track them to their origin. They will have insight into patterns, allowing them to anticipate threats and prevent attacks.
How is this achieved? Fusing and enriching data from the moment it enters the inventory—whether it arrives from an internal endpoint, a firewall, a sensor, network, or mobile device—makes it possible to structure data in a way that aligns with the organization’s risk priorities. The data is then channeled into analytics pipelines for processing, using AI to spot patterns and gain insights. When an incident occurs, AI-powered analytics help identify the root cause, while related alerts are automatically grouped so they can be addressed by a single action. Professionals will know the impact on their organization and which priorities they must respond to first.
Greg McCullough is the Director of Cyber Solutions and Cyber AI at Booz Allen Hamilton. He has over twenty years of experience developing cyber capabilities across the Defense market, while building, deploying, and scaling government custom products and solutions focused on securing networks and IT systems.
Imagine one integrated workflow providing a unified picture in areas such as signatures, system properties, host-based logs, cyber compliance audits, and user activity—all grouped on a single dashboard. Instead of swiveling from one siloed application to another, analysts can work within one common toolset that provides a complete understanding of what is happening across applications and on the network.
Implementing this approach requires varied internal teams to collaborate, a step toward attaining the integrated IC approach of the future. Stakeholders can be further motivated to work together by the prospect of gaining shared awareness of vital data. Think of stakeholders from cyber operations, incident response, legal, compliance, and other teams having access to the same views, grounding each conversation in a shared context. And because data is being jointly managed and used, this reduces the costs of storing data while it delivers more value from those assets.
Creating such a unified workflow requires advanced technological expertise, but that does not need to be a roadblock. Advancing cybersecurity is a national security priority, one of the areas the Intelligence Community (IC) is focusing on in its “second epoch” transition to interoperable digital frameworks. IC teams can move faster by partnering with firms experienced in helping U.S. leaders secure modernization for sensitive missions.
Focusing on data promises a robust payoff. A data-driven approach can further areas like threat hunting and zero trust. It can also help intelligence organizations share data and insights to speed operations. Data-driven cybersecurity allows the IC to recognize data for what it is—a superweapon to help national security agencies move the mission forward.
ADVERTISEMENT
Six Steps Every Organization Can Take to Reduce Cyber Risk in Their Supply Chain
Jim Rosenthal
Cyberattacks that disrupt enterprise and government organizations are common and increasingly successful. BlueVoyant surveyed 1,200 companies across industries, sizes, and countries to determine the current prevalence and impact of supply chain cyberattacks. We found that 98% said they had been negatively impacted by a cyber compromise of a vendor in the last year—and this had occurred more than once at a majority of companies. Why is this happening?
In response to improved enterprise security standards and technologies at larger firms, threat actors have added tools and methods to their attack portfolios to infiltrate these well-defended targets through their supply chains—where the attacker is likely to find an easily compromised vendor. BlueVoyant performs continuous external assessments of the Internet-facing cybersecurity posture for many companies across the world—at a similar scale to that of advanced nation-state and criminal groups. Unfortunately, on average, we find that about 15% of the vendors in most supply chains show critical, Internet-facing vulnerabilities that make them easy targets for compromise.
Jim Rosenthal is a cofounder and CEO of BlueVoyant. He was the Chief Operating Officer of Morgan Stanley until 2017. At Morgan Stanley, he was responsible to the CEO and the Board of Directors for Cybersecurity. Jim is the recipient of the 2017 Critical Infrastructure Protection Award from the Financial Services Information Sharing and Analysis Center. He is the co-chairman of Sheltered Harbor, a consortium of major banks, securities firms, industry associations, and technology service providers with the mission of preserving systemic confidence in the event of a cyberattack. He is the past Chairman of the Securities Industry and Financial Markets Association and chaired its Cybersecurity Committee from 2014–2017.
How is this happening? Through two sources:
1. Newly Discovered Vulnerabilities: Each month, the world becomes aware of new “zero-day” software vulnerabilities. Approximately once a month, one of these zero-day vulnerabilities presents a critical, high-value opportunity to attackers. Technology vendors typically make software patches available to eliminate these vulnerabilities upon announcement of the zero day—or shortly thereafter. Some companies—those with effective cyber defenses—deploy these essential patches quickly, which protects them from all-too-easy serious cyber compromise. However, BlueVoyant’s experience has shown that without external assistance, only a small share of companies (about 7%) deploy these patches within even 10 days of a new zero-day announcement to which they are vulnerable. Even a month after public announcement of the zero day, less than 20% of unassisted vendors will have deployed the critical patch.
2. Changes to the Network: Enterprise IT represents a complex, living organism that is under continuous change—vendors send patches and upgrades that are often automatically installed, components break and need replacement, business needs change, and the infrastructure is reconfigured to adapt. All these changes carry the risk of misconfigurations. Everything was fine yesterday, but during the night a network engineer opened a port in your main firewall to troubleshoot a connectivity issue for 10 minutes—and forgot to close it when finished. Or, someone at a manufacturing facility put an OT network connection outside the firewall because that was easier than going through the company’s network security approval process—and connected it inside the firewall, too. Now, your entire network is exposed and no one knows.
What is the current state of supply chain cyber defense at most companies, and why is it not sufficient? Three reasons:
1. Most organizations require suppliers to fill out risk questionnaires that contain cyber sections. While a good practice, this generally only happens at a single point in time (often annually or less frequently) and tends to get answers reflecting the intended state of cyber defense—which often does not capture the actual state.
2. Many organizations perform on-site audits of some vendors. Again, a useful practice, but due to the cost, these audits are typically performed only on a subset of vendors and typically reflecting their status at a single point in time (again often annually or less frequently).
3. Some organizations add external cyber risk scoring of vendors (analogous to credit ratings for financial risk). Also a useful practice, but issues often arise in putting sufficient skilled staff in place to curate the external scores for accuracy, prioritize vulnerability findings, and then follow up with the vendors to make sure they remediate in a timely manner.
What needs to be done to put effective supply chain cyber defense in place? We recommend both enterprise and government organizations follow a six-step program:
Step 1: Know Your Vendors—Both Existing and New
Maintain a comprehensive and regularly updated inventory of the identity of your vendors, the type of business they are doing with you, any network connectivity and credentials planned/implemented, and the risk represented by disruptions in their delivery of goods/services to your firm. This is perhaps the most important step in the entire vendor management process from a risk perspective. It is stunning how many mature, process-driven organizations cannot identify even their critical vendors.
Ensure you have language in your contracts to enable enforcement of reasonable cybersecurity measures, adherence to standards, incident notifications, and remediations. You need the options to penalize vendors who do not perform to your standards in this area.
Knowing your vendors also includes knowing who to call to get something fixed. Often, the point of contact you have for a vendor is a person identified by the purchasing organization. However, when a material insufficiency or a critical externally facing vulnerability is identified, the remediation responsibility will usually fall upon someone within the IT or CISO organizations. Maintaining current contact information for various team leads (networking, network security, SOC, executives, etc.) is essential to proactive supply chain cyber defense.
Put in place a system for onboarding new vendors that leverages the process identified in this article.
Step 2: Segment Your Vendors for Cybersecurity Risk
Risk tier your vendors based on the type and degree of business and cyber risk they pose to your enterprise or agency. Set appropriate cyber risk tolerances. For example, some vendors have network connectivity (a SaaS provider, perhaps), others have confidential data (a health insurance provider, perhaps), others are essential to your operations (warehouse inventory management software provider, perhaps), while others are not immediately critical to your operations (a catering company, perhaps).
Step 3: Perform Traditional Vendor Cyber Assurance: Questionnaires and Audits
As noted above, periodic questionnaire responses on vendor policies, processes, and technologies (and the scoring thereof) tend to tell you more about the intended state of cybersecurity than the actual ongoing risk of compromise. These responses have both compliance and cyber protection value. Yet the cyber protection value is substantially increased if you have the capability to independently validate a set of the questions and calculate a questionnaire reliability score.
Depending upon your resources, performing periodic on-site audits of the most critical vendors can supplement your overall cyber risk assessments. These audits should focus on verifying from within the network that policies and processes are implemented and consistently followed. The focus is not to scan the network for malware but to ensure that the scanning technology is in place, of sufficient quality, being monitored, and alerts are being followed up to conclusion.
Step 4: Continuously Assess Vendor Cyber Risk Posture
Continuous external monitoring shows the actual state of cyber risk as seen by attackers. Ongoing insights into the cyber-relevant decisions vendors make via changes in configurations, product selections, attack surface, and other IT cyber hygiene factors will either validate or belie the posture asserted in the responses to questionnaires. As noted above, one must keep abreast of the vendors’ constantly changing vulnerability landscape, in which new critical software and configuration vulnerabilities regularly occur—and they will attract attackers unless remediated.
Identifying the threat actors scanning and attacking your vendors’ externally visible infrastructure allows you to adjust your risk thresholds for vulnerability management. Finally, getting early tips on successful attacks on your vendors when that malware reaches back to attacker infrastructure allows you to proactively implement countermeasures or other compensating controls within your own network prior to acknowledgment by the vendor of the issue.
Step 5: Ensure Remediation
When a critical vulnerability or other serious deficiency is identified, rapid and certain follow-up is necessary with the vendor to ensure that they understand the issue and the proper remediation for it. Then, crucially, follow up to ensure prompt and complete remediation. Otherwise, the chances are all too high that the vulnerability will persist. In our experience with remediating such deficiencies for our clients, we find that vendors with a continuous external push for remediation get 370% more issues resolved after 30 days than those with no external pressure.
Step 6: Curate Your Vendor Portfolio
If you levy reasonable requirements and communicate identified issues professionally, most vendors will appreciate the assistance—you are helping them be more secure, after all—and will implement remediations in a timely manner. Unfortunately, some will not. Those vendors who repeatedly demonstrate important cyber deficiencies need to be told that they must take action to reach an acceptable level of cyber hygiene/defense in order to remain in your supply chain. This can be achieved relatively easily either with internal or external resources at the vendor (e.g., a Managed Detection and Response Service or an IT service provider). In the absence of demonstrated action and observable improvement, your organization will be involuntarily accepting the vendor’s cyber risk.
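The six steps above amount to a small vendor risk register. The following is an added example (not BlueVoyant’s code or tooling) that implements Steps 2 through 6 over constructed sample vendors: tiering by connectivity, data and criticality, a questionnaire reliability score that compares asserted answers against what external assessment observed, per-tier patch windows for open critical findings, and a curation decision per vendor. The vendor names, finding ids, control checks and SLA windows are all assumptions made up for illustration.

```python
"""Vendor risk register for the six-step supply chain program.

Added example; not BlueVoyant's code. All vendors, findings, questionnaire
checks and SLA windows below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Vendor:
    name: str
    network_connected: bool = False        # Step 2: has connectivity into us
    holds_confidential_data: bool = False  # Step 2: processes our sensitive data
    operationally_essential: bool = False  # Step 2: an outage would stop operations
    # Step 3: answers the vendor asserted on the questionnaire (control -> claim)
    claimed: dict = field(default_factory=dict)
    # Step 4: what continuous external assessment actually observed (control -> fact)
    observed: dict = field(default_factory=dict)
    # Step 5: open critical findings as (finding id, date publicly disclosed)
    open_criticals: list = field(default_factory=list)


def risk_tier(v: Vendor) -> int:
    """Step 2: tier 1 is highest risk (connectivity or confidential data),
    tier 2 is operationally essential, tier 3 is everything else."""
    if v.network_connected or v.holds_confidential_data:
        return 1
    if v.operationally_essential:
        return 2
    return 3


def questionnaire_reliability(v: Vendor) -> float:
    """Step 3: share of independently validated answers that match observation.
    With nothing validated there is no evidence either way, so return 1.0."""
    checked = [c for c in v.claimed if c in v.observed]
    if not checked:
        return 1.0
    agree = sum(1 for c in checked if v.claimed[c] == v.observed[c])
    return agree / len(checked)


# Constructed patch windows per tier, in days after public disclosure.
PATCH_SLA_DAYS = {1: 10, 2: 30, 3: 60}


def overdue_findings(v: Vendor, today: date) -> list:
    """Step 5: critical findings still open past the tier's patch window."""
    sla = timedelta(days=PATCH_SLA_DAYS[risk_tier(v)])
    return sorted(fid for fid, disclosed in v.open_criticals
                  if today - disclosed > sla)


def curation_action(v: Vendor, today: date, min_reliability: float = 0.75) -> str:
    """Step 6: decide what to do with the vendor.
    escalate  - overdue criticals AND an untrustworthy questionnaire
    follow-up - one of the two problems
    retain    - neither"""
    overdue = bool(overdue_findings(v, today))
    unreliable = questionnaire_reliability(v) < min_reliability
    if overdue and unreliable:
        return "escalate"
    if overdue or unreliable:
        return "follow-up"
    return "retain"


def remediation_queue(vendors: list, today: date) -> list:
    """Order vendors for follow-up: highest tier first, then most overdue
    findings, then least reliable questionnaire."""
    return sorted(vendors, key=lambda v: (risk_tier(v),
                                          -len(overdue_findings(v, today)),
                                          questionnaire_reliability(v)))


# Constructed sample register (all names, ids and dates are made up).
SAMPLE_TODAY = date(2023, 1, 15)
SAMPLE_VENDORS = [
    Vendor("saas-portal", network_connected=True,
           claimed={"mfa_on_admin": True, "patch_within_10d": True},
           observed={"mfa_on_admin": True, "patch_within_10d": False},
           open_criticals=[("CRIT-0001", date(2022, 12, 20)),
                           ("CRIT-0002", date(2023, 1, 10))]),
    Vendor("health-insurer", holds_confidential_data=True,
           claimed={"mfa_on_admin": True, "tls_only": True},
           observed={"mfa_on_admin": True, "tls_only": True}),
    Vendor("warehouse-wms", operationally_essential=True,
           claimed={"patch_within_10d": True},
           observed={"patch_within_10d": True},
           open_criticals=[("CRIT-0003", date(2022, 12, 1))]),
    Vendor("catering-co", claimed={"mfa_on_admin": True}),
]

if __name__ == "__main__":
    for v in remediation_queue(SAMPLE_VENDORS, SAMPLE_TODAY):
        print(f"tier {risk_tier(v)} {v.name:15s} reliability="
              f"{questionnaire_reliability(v):.2f} overdue="
              f"{overdue_findings(v, SAMPLE_TODAY)} -> "
              f"{curation_action(v, SAMPLE_TODAY)}")
```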
Q&A with Matt Hayden
Former A/S for Cyber, Infrastructure, Risk and Resilience Policy, DHS
What will you be watching for most in the next 6-12 months in cyber?
Lessons learned from the Ukraine conflict will continue to arrive, but the subject of digital sovereignty as it pertains to space based data and communications will continue to progress with the use of services like Starlink. The sovereignty is a cyber topic as the balkanization of the open internet by nations has led to a potential wild west of space infrastructure.
The people/workforce challenge is the looming challenge that demands the most effort, with the most advanced and effective cyber solutions still including specialized talent to script and guide even the most advanced tools.
What will be the next big drivers of the evolution of public-private partnerships?
Threat landscapes and future risk planning depend on trust and leveraging a well understood strategy from both sides of industry and government. The current strategy setting process out of the White House by DIR Inglis and his team has worked well to include input and understanding from those outside of government, and the reveal along with the implementation plan will go a long way in aligning where industry roles and responsibilities advance.
ABOUT MATT
Matt Hayden served as the Assistant Secretary for Cyber, Infrastructure, Risk and Resilience Policy at DHS where he was responsible for leading policy development in support of department-wide efforts to reduce national risks with a focus on critical infrastructure cybersecurity, federal network security, countering cyber-crime, and improving the security and resilience of the global cyber ecosystem, as well as national resilience initiatives that enhance Federal, State, and local government and community preparedness and response capabilities. Additionally, he served as an expert advisor on Cyber, Infrastructure, Risk and Resilience matters to the Under Secretary, Secretary, and other high-level officials.
Partisan Bills Hurt Cybersecurity
OPINION | RADM Mark Montgomery (Ret.) and Annie Fixler
Congress has had a spectacular three-year run developing and passing cybersecurity legislation that both protects our national critical infrastructure and secures our federal networks. On a bipartisan, bicameral basis, hundreds of provisions to protect our national security, economic productivity and public health and safety have become law. One bill, however, undermines this record of success: the Inflation Reduction Act.
This bill, which passed via the partisan reconciliation process, did not mention cybersecurity even once in 300 pages, despite appropriating hundreds of billions of dollars to industries including electric vehicles and renewable energy, that are highly vulnerable to cyberattacks.
Compare that to the Infrastructure Investment and Jobs Act. When the president signed the bill into law in November 2021, he extolled it for making “our infrastructure more resilient to the impacts of climate change and cyber-attacks.” The fingerprints of House and Senate cybersecurity committee staff and members, both Democratic and Republican, were all over the text. Investing more than a trillion dollars in the future of the U.S. economy, the statute mentions cybersecurity 277 times. The bill also makes specific cybersecurity investments including a $1 billion grant program to address cybersecurity risks faced by state and local governments. For the energy sector, there are two $250 million cybersecurity-specific grant programs: one provides support to rural and municipal utilities to address known cybersecurity issues and another supports developing cybersecurity technologies in the energy sector.
Annie Fixler is CCTI’s deputy director and an FDD research fellow.
Passing Congress with bipartisan support in both chambers, the bill includes policy direction and appropriations for the Cybersecurity and Infrastructure Security
32 — Cyber Initiatives Group Magazine
Rear Adm. Mark Montgomery (Ret.) is a senior director at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies. He previously served as executive director of the Cyberspace Solarium Commission.
Agency (CISA) including $100 million to establish a “response and recovery” fund to provide government assistance to remediate and recover from a significant cyber incident, $35 million for CISA’s sector risk management responsibilities, and another $157 million for research and development.
The Act is not without its flaws—it misses opportunities to fund cybersecurity improvements in the water sectors, transportation sectors (like pipeline, maritime transport, and aviation) and the healthcare and public health sectors. But on balance, the Infrastructure Investment and Jobs Act attaches cybersecurity to critical infrastructure investments.
In August 2022, the president signed the bipartisan CHIPS and Science Act into law. This legislation provides nearly $150 billion dollars in new funding for semiconductor development and investments in science and technology funding. It includes 76 references to cybersecurity and specific funding for science and technology education and training efforts, cybersecurity training programs, and regional technology hubs. It also provides numerous policy authorizations including increasing U.S. engagement in international standards development. Each element of this legislation was carefully developed and shaped by Republicans and
Democrats across numerous congressional committees.
In stark contrast to these two bipartisan bills and the annual National Defense Authorization Act, which has consistently included dozens of bipartisan cybersecurity provisions, stands the Inflation Reduction Act. The legislation had little to no committee oversight and management, and it showed.
The bill authorized nearly $400 billion in energy and climate investments, with no acknowledgement of the cybersecurity challenges inherent in these industries. The law includes a number of government-funded programs intended to spur the adoption of electric vehicles and the use of electric-vehicle charging stations (EV stations). There are no cybersecurity requirements or funding, despite the fact that these stations are at serious cybersecurity risk, with a number of well-publicized attacks already occurring.
Hackers might be seeking personal and financial data, but they could also create cascading power system outages that place regional electrical grids at risk. A virus that compromises a public-facing EV station could then infect all of the vehicles it subsequently charges. The overall cybersecurity risk is amplified by the fact that the supply chain for most EV charging station equipment runs through China, a known cyber malicious
Cyber Initiatives Group Magazine — 33
actor. This bill needed cybersecurity “guardrails” all over it.
The Inflation Reduction Act’s rushed “back-room” drafting process and the paucity of involvement of professional committee staff members contributed to the failure to include necessary cybersecurity provisions in the final legislative product. Now, it will take significant intervention by the Executive Branch and strong congressional oversight to reverse engineer
in cybersecurity guardrails that were needed in the legislative drafting process.
The October forum hosted by National Cyber Director Chris Inglis on cybersecurity challenges to electric vehicles and EV charging infrastructure was an important step in the right direction. Congress, for its part, would do well to return to its proven process of developing legislation in a bipartisan, committee-based manner.
Q&A with Suzanne Spaulding
Senior Adviser, Homeland Security, International Security Program
What’s top of mind for you in cyber right now and why?
I have long thought strengthening resilience against the adverse impact of malicious cyber activity is one of the most crucial aspects of managing cyber risk, and I think it is more true today than ever. There’s a lot of important progress being made in hardening networks, but we will continue to be vulnerable to cyber hacks for a very long time. Even as we are implementing ZTA and other policies and technologies, we must plan for failure. Making sure you have a way to operate essential functions even in the face of a ransomware or other incident that affects data CIA (confidentiality, integrity, access) makes it harder for a bad actor, whether a nation state or criminal, to achieve their desired outcome. The same is true at a more macro level, looking at the resilience of national critical functions that cut across entities, and at the overall resilience of our economy in the event of a cyber incident with the potential for catastrophic impact. This is why the Solarium recommended planning for continuity of the economy.
What will you be watching for most in the next six months?
I’ll be watching to see if the anticipated Cyber Strategy includes a robust strategy for building resilience in the face of ongoing cyber risks. That will then need to be followed up by a plan and appropriations for implementation.
What will be the next big drivers of the evolution of public-private partnerships?
The next big step in the PPP will be around data and using that data to achieve greater shared understanding and insights. This is the objective behind the Solarium recommendation for a Joint Collaborative Environment. It is the data sharing and analysis piece to accompany the operational collaboration in the JCDC.
ABOUT SUZANNE
Suzanne Spaulding is senior adviser for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies (CSIS). She also serves as a member of the Cyberspace Solarium Commission. Previously, she served as undersecretary for the Department of Homeland Security (DHS), where she led the National Protection and Programs Directorate, now called the Cybersecurity and Infrastructure Security Agency (CISA).
Predicting Cyber Challenges in 2023
Teresa Shea
It is the time of year for every expert or person with an opinion to voice their top cybersecurity predictions for 2023. Here we go again! Undoubtedly you will be hearing some of the same themes you’ve heard in the past and perhaps some new ones.
My guess is that threats to our data will be prominent on the list and a growing issue to address. The data challenges going into the next year will be a result of an increase in volume—and that volume can lead to an increase in value—as AI algorithms evolve to use that data quite effectively.
The age-old Volume, Velocity and Variety description of data challenges is amplified by the IoT emergence and expanding 5G and 6G infrastructure. It’s predicted that by 2023, there will be over 21B IoT devices connected to networks. In time, those network connections will bypass home routers and will be directly connected to cloud infrastructure providing ubiquitous data storage. The ultimate goal of the majority of attackers is data theft. Certainly, we have seen numerous successful operations where our valuable data, such as our personally identifying information, including your social security number, passport information, financial information and medical records, has been successfully stolen in a variety of attacks. Once this data is compromised, it can be used to further attack individuals and their networks. The increase of work from home puts businesses at greater risk simply from a data breach that compromises a single employee.
Ransomware attacks, which rose 82% in 2021, are predicted to continue at that pace in 2023.
In May of this year, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) formed a Joint Ransomware Task Force to tackle the growing threat of ransomware gangs. The Department of Justice has also increased its focus on cracking down on these groups.
The positive results from these efforts are starting to show, with ransom payments reducing and downtime from ransomware attacks also decreasing. Unfortunately, none of this has stopped the attacks. The Treasury’s sanctions list is intended to stop companies from paying ransoms to these gangs, leaving victims with tough choices. Companies could face fines if they pay ransoms, and if they don’t, they could have far-reaching business impacts.
Although the government is trying, data protection is everyone’s responsibility. Attaining the ultimate goal of complete data protection and privacy will require all of us to be engaged in the fight.
Data regulation is bound to be a major theme going into 2023, most notably around individual data protection. States like California, Colorado and Virginia have already passed bills that give you some type of notice and choice in controlling your data, but they do not provide protection from ransomware or other fundamental concerns such as theft.
Bottom line is that our data continues to be vulnerable, and it’s a growing challenge to keep it safe. Data security often includes ensuring its availability, as well as keeping it protected or confidential and finally certifying its integrity or accuracy.
The good news is that Zero Trust models are being adopted and are making a difference. Zero Trust is exactly what it sounds like—never trust and always verify. This applies to individuals as well as device connections.
Part of this approach requires constant validation of data access. Perhaps another part of this approach should be making our data “invisible” except to an authorized recipient, protecting our data from being stolen or compromised, at least for our most valuable assets such as our Intellectual Property or our bank account information. It’s a good place to start as we prepare for what the new year will bring.
Teresa Shea is former Vice President of Cyber Offense and Defense Experts (CODEX) for Raytheon Intelligence and Space (RIS). Shea previously worked at In-Q-Tel as Executive Vice President of Technology and director of CyberReboot. Shea spent thirty-two years at the National Security Agency (NSA) holding key leadership assignments including serving as Director of Signals Intelligence. Shea is a former Board Member at Recorded Future and former Board advisor to the Virginia Tech Hume Center. She currently serves on the Georgia Institute of Technology Board of Advisors.
Meet the Principals | Glenn Gerstell
Former General Counsel, National Security Agency
Senior Adviser at the Center for Strategic & International Studies
• Has written and spoken widely about the intersections of technology and national security and privacy
• Practiced law for almost 40 years at international law firm Milbank, LLP
• Served on the President’s National Infrastructure Advisory Council and the District of Columbia Homeland Security Commission
The Cyber Wild West
OPINION | Walter Pincus
Two recent events made me more aware than ever of the danger to individuals and to governments from the internet.
First, I was hacked by a scam that froze my computer and then, hackers claiming to be contractors for my service wanted several hundred dollars to provide a firewall that I already had. It took assistance from my local Computer Geeks group to clean up the problem and explain how often such scams take place.
Second was a revelation I had after a Center for Strategic and International Studies (CSIS) webinar featuring Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), and General Paul M. Nakasone, who runs both U.S. Cyber Command and the National Security Agency (NSA).
When asked what responses have been put in place if a major event such as the May 2021 Colonial Pipeline hacking took place again, Easterly referred to what was done when “Log4Shell” occurred—which was a serious vulnerability contained in open source software that was incredibly easy to exploit.
It involved a vulnerability in Apache Log4j2, a popular Java library for logging error messages in applications. The vulnerability, which quickly became known to malicious actors, enabled remote attackers to take over any Log4j2 user’s internet-connected service.
Apparently, the Chinese company Alibaba first reported the problem to Apache in late November 2021, but it was not until December 9, 2021, that Apache informed its users. What followed was what one security expert called “an exploit storm,” with some 50,000 scams or exploitation attempts made within nine hours, expanding to 100 per minute. It quickly grew to over one million, because most Java users did not know they had that Apache Log4j application.
Easterly explained that after the Apache disclosure in December, CISA marshaled the Federal government on the Log4j problem. “We were very worried about incursions on federal or civilian networks or ransomware,” she said, and worked together to ensure “we were putting out authoritative guidance—how do you find this vulnerability and how do you mitigate it.”
She explained how CISA had “led the Federal response working with all our partners, terrific collaboration with the technology and with the researchers that gave us amazing insights into what they saw across the ecosystem.”
The result, Easterly said, showed wider cybersecurity cooperation over the past year with the so-called “public-private partnership” enabling the transformation of “the whole idea of partnership into real time operational collaboration, so we are getting those insights so we can take those dots, connect those dots and we can drive them to the nation’s scale.”
On the international side, Easterly said she had been incredibly impressed by the Ukrainians’ ability to withstand cyberattacks, which she attributed in part to “the power of international partnerships.”
She said the U.S. had been working with the Ukrainian Emergency Computer Response Team, but also with “our partners from Latvia, Lithuania, Estonia, Poland, the Czech Republic, in a fantastic sharing platform to essentially get ahead of potential cyber activity. I think that’s also something that’s helped give us some insight of what could potentially happen here.”
For Gen. Nakasone, the lesson was, “How am I going to be able to bring that kind of action with a number of really important partners and synchronize it in terms of when we need it. We’ve learned a lot on that.”
Based on the idea that foreign allies had experiences that helped contribute to cyberattack responses, I looked at the list of significant cyber incidents that CSIS maintains covering “attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars.” The CSIS list described 96 such attacks worldwide so far this year.
Here, for illustration, are those CSIS reported for September 2022:
• Iranian hackers targeted Albanian computer systems, forcing Albanian officials to temporarily shut down the Total Information Management System, a service used to track individuals entering and exiting Albania. This attack closely followed Albania’s decision to sever diplomatic ties with Iran.
• Hackers targeted Montenegro’s government networks, rendering Montenegro’s main state websites and government information platforms inaccessible. Montenegrin officials blamed Russia for the attack.
• Hackers targeted the state-level parliamentary website of Bosnia and Herzegovina, rendering the sites and servers inaccessible for multiple weeks.
• China accused the U.S. National Security Agency of numerous cyberattacks against China’s Northwestern Polytechnical University. Authorities claim the NSA stole user data and infiltrated digital communications networks.
• The group Anonymous took responsibility for a series of cyberattacks against the Iranian government that took down two main Iranian government websites and the websites of several state media organizations.
• Hackers targeted the Mexican Defense Ministry and accessed six terabytes of data, including internal communications, criminal data, and data that revealed Mexico’s monitoring of Ken Salazar, the U.S. Ambassador to Mexico.
• A Russian-based hacking group targeted the website of the United Kingdom’s intelligence agency MI5 with a DDoS (distributed denial-of-service) attack that temporarily took the site offline.
As Easterly observed, “This is a borderless cyber space.”
Nakasone said in this type of international cyber warfare, “You judge your success by staying ahead of the adversary.”
He added, “That’s something we do very well at the agency [NSA] and the command [CYBERCOM], and trying to figure out the next act, the next tool, the next operation.”
The success of the latter steps he attributed to “the creativity of the people I work with.”
Easterly agreed, “At the end of the day it’s all about the talent of the people who are doing these operations—the defenders, the folks who are listening for intel, that are doing the hunt for admissions, that’s where the creativity lies and that’s going to enable us to be successful in protecting the nation.”
The Internet today is like a small town in the Old Wild West, with no sheriff yet controlling all of the evildoers drawn to that town.
Pulitzer Prize Winning Journalist Walter Pincus is a contributing senior national security columnist for The Cipher Brief. He spent forty years at The Washington Post, writing on topics that ranged from nuclear weapons to politics. He is the author of Blown to Hell: America’s Deadly Betrayal of the Marshall Islanders.
Meet the Principals | Kelly Bissell
CVP, Microsoft
• Previously led Accenture’s Global Security business and oversaw security services
• More than 25 years of security industry experience
• Specializes in breach incident response, identity management, privacy and data protection, secure software development, and cyber risk management
Q&A with The Honorable Susan Gordon
Former Principal Deputy Director of National Intelligence / CIG Principal
What’s top of mind for you in cyber right now and why?
Influence operations. It feels the conversation has moved on from the information shaping that our adversaries and competitors continue to do. Not only are they still active but they’re getting more sophisticated in how they insert their narratives into others’ public squares for the purpose of either disruption or manipulation.
What will you be watching for most in the next 6-12 months in cyber?
Lessons learned and applied from the information war being waged as part of the Russia-Ukraine conflict. My sense is that because it did not manifest as projected at the beginning of the conflict, many aren’t aware of the whole range of cyber actions and just how central they are to the Ukraine war story. We’re actually seeing the maturation of a specific, new technical discipline into integrated operations that include WW2 tactics. In Ukraine, we’re getting a practical look at the evolution of warfare.
What will be the next big drivers of the evolution of public-private partnerships?
Actual use of all of the technical data that is being collected by the private sector to better understand (and counter) strategic trends—whether associated with intrusions or simply representing the nature of global, digital activity. While we’re starting to use and share data between the government and the private sector, it’s mostly being used to identify tactical threats and in response to crisis. The future to me, includes using the data more strategically to understand intention, trends, and threats and to use it to stay ahead of those who wish to do us harm.
ABOUT SUE
The Honorable Susan M. Gordon is former Principal Deputy Director of National Intelligence (PDDNI). Prior to ODNI, Gordon served in multiple leadership roles in the IC including as Deputy Director of the National Geospatial-Intelligence Agency (NGA) and 27 years at the Central Intelligence Agency (CIA), where she held senior executive positions in four of the Agency’s directorates. In 1998, she designed and drove the formation of In-Q-Tel, a private, non-profit company created to deliver innovative technology solutions for the agency and the IC.
In Case of Emergency: Break Cyber Structure
Lauren Zabierek
Republicans took the House by a narrower-than-expected margin last month, sparking questions about what legislative actions on cybersecurity might be rejected, stalled, or pushed through.
Many agree that cybersecurity is still largely a bipartisan issue. The Cyber Solarium Commission, after all, was led by Republican Congressman Mike Gallagher and Independent Senator Angus King (and its commissioners saw many of their legislative proposals pushed through both chambers to become law).
But while both sides may agree on various cybersecurity measures, agreement on the need for mandatory cybersecurity standards, even for critical infrastructure, remains elusive. With this in mind, I began to think about other ways to have impact in this space and landed on the idea that states must take increased action on cybersecurity and technology—spurring a bottom-up approach to meet federal action and resources in the middle.
While encouraging states to establish their own laws on cyber and technology might seem counterproductive (see the current debate on a federal privacy law, which my colleagues and I have argued for), in fact, if we take a broader approach, perhaps in the long term, state action may be a forcing mechanism for action at the federal level.
I don’t believe we could have such meaningful discussion on data privacy and be as close to a federal law on privacy as we are right now—especially with major tech company support—without action at the state level causing the undesired state of patchwork legislation.
What might this look like? Consider the case of New Jersey, which established its NJ Cybersecurity and Communications Integration Cell (NJCCIC) and its law on water and wastewater sector (WWS) cybersecurity.
The NJCCIC wears several hats—it serves as a threat intelligence integration cell, as the state of New Jersey’s cybersecurity agency, and has enforcement and rulemaking authority for cybersecurity regulations.
We might also look to CyberFlorida, which is an organization created out of the Florida state legislature with an education and awareness mission as well as a public policy role.
Massachusetts established a joint committee on cybersecurity and technology last year, seemingly poised to bolster the state’s security and resilience from digital threats.
And New Hampshire has made the process for applying for funding to improve water and wastewater system cybersecurity very simple, laying the groundwork for stronger security statewide, in anticipation of future federal action.
In a recent workshop held by the Cyber Project that included participants in cyber policy, technical cyber experts, and water systems administrators, the point was made that local utilities and players should be involved in developing the regulations because of their intimate understanding of the systems and their unique challenges. Another point was made that if a law was passed, then more investment and resources could be directed to cybersecurity—but until then, it’s a ‘nice-to-have’.
This sentiment is probably felt across other critical infrastructure sectors as well, along with the shared challenge of a lack of funding, resources, and expertise that hampers state and local efforts. What I gather from these points is that there is recognition of the need for better security, and a desire to do something meaningful, but there is also a need for organization, institutional focus, a legal mechanism, and an ecosystem that supports security (funding, education, workforce development), roles that are well-suited for states.
For citizens, too, increased state focus on cybersecurity could be incredibly beneficial because there is little recourse in the event of a compromise, other than being told to report it to local or state police. States could help more with education and outreach, as well as helping citizens deal with the aftermath of a personal breach.
If more action on cybersecurity occurred at the state level, it would relieve some of the burden on the federal government to help with protection and response and also help to allocate federal resources more efficiently. It could also lead to better relationships between the two levels, bringing them closer together to work on some of the systemic, structural issues that shape the ecosystem, such as workforce and education, continuity of the economy, and future security issues. Research and development of policy recommendations could be undertaken in each state’s research universities, much like CyberFlorida at the University of Southern Florida, Tulsa Innovation Labs at the University of Tulsa, or the UMass Lowell Research Institute.
If states are the laboratories of democracy, then states need to develop ways to protect it from digital threats at the most local levels. We must start integrating these topics into state-level debates on the ballot, and in legislation.
Cyber threats impact each of us personally, as well as our local and state governments and businesses. We are the attack surface; we hold threat vectors in our hands. We must evolve the structures to protect ourselves, our critical infrastructure, and our capacity to respond in case of an emergency—doing so is vital to deterrence, democracy, and our governments’ ability to deliver services.
Lauren Zabierek is the Executive Director of the Cyber Project at Harvard Kennedy School’s Belfer Center. Here, she runs a policy-relevant cybersecurity and technology policy research program. Her work focuses on strategic, national security issues in cyber and tech—ranging from international conflict, cooperation, and norms to domestic collaboration, diversity, privacy, and supply chain issues. Lauren served as an intelligence officer in the United States Air Force at the beginning of her career. Later, as a civilian intelligence analyst with the National Geospatial Intelligence Agency (NGA) assigned to the Office of Counterterrorism, she completed three war zone deployments. After leaving NGA, she joined the cybersecurity threat intelligence startup Recorded Future, and was instrumental in building its Public Sector business practice in her role as a Senior Intelligence Analyst.
The Cyber Initiatives Group Magazine
Brought to you by the Cyber Initiatives Group
cyberinitiativesgroup.com | cig@thecipherbrief.com
Join The Cyber Initiatives Group as a CIG Sponsor. Send inquiries to cig@thecipherbrief.com