This week was the cybersecurity law “trifecta” … and maybe a little cyber security fatigue
19 May 2018 (Athens, Greece) – The start of my conference year is in Lille, France at the International Cybersecurity Forum (for my coverage click here), and that kicks off 30+ technology events I attend each year on artificial intelligence, cyber security and the technology-media-telecommunications ecosystem.

I cannot attend everything … damn! … so I rely on my brilliant media team. And this past week we saw three major cybersecurity law events in the U.S., so my team had to be on top of their game:

There was also a presentation mid-week by good friend Brett Williams, a former Major General in the U.S. Air Force. He is a well-known cybersecurity expert and through his company IronNet Cybersecurity he helps Boards of Directors get up to speed on cyber issues. He was a source for my 2-part series on the “WannaCry” ransomware attack last week and I will have a few of his comments at the end of this post.

Each of those events had high value for different reasons, and I will have more detailed comments on each event (with video interviews) in the coming weeks, but just a few points:

  • the Georgetown event receives “Pride of Place”. In my U.S.-based cyber security and intelligence community networks this event is always referred to as “the cyber event you need to attend”. I credit the Georgetown Law brains behind the event … Dean Larry Center, Lisa Fthenakis, Whitney Gurner and team … and the chair/organizers: Christina Ayiotis, Harriet Pearson and Kimberly Peretti. Their marketing material does not lie: the insights on preparedness, resilience strategies and solutions for the cyber issues you face on a daily basis are astounding.
  • the Harvard-MIT event was especially notable this year because Melissa Hathaway, who served presidents George W. Bush and Barack Obama as a top cybersecurity adviser, was principal speaker and she had a lot to say about cyber studies and executive orders.
  • and rounding out the list are the brainiacs at Logikcull, who focused on e-discovery and information governance, two interrelated data-intensive processes that can be either low-hanging fruit for cybercriminals or a first line of defense for protecting a company’s most sensitive information. And after that massive e-discovery document review hack in D.C. last year, quite timely.

So this will be a bit of a mashup from all three events because there were several common themes across all of the venues.

1. Everything is hackable. Deal with it.

For the cyber security vendors who made presentations at these events, that was a major theme. They seemed to break it down as follows:

1. everything is hackable

2. cybersecurity is the practice of minimizing intrusions into our digital affairs

3. two basic truths:

(a) you can usually prevent most individuals from gaining access to your “data valuables” with a bit of reasonable effort and expense

(b) but you usually can’t prevent those with the right tools and experience from bypassing even the most sophisticated alarm system

And we have plenty of studies to tell us what needs to be done for cyber security, yet we still are stymied because companies do not seem to have a “commitment to action” to employ the right resources — people, time, and money — to execute these recommendations.  Probably, as one vendor noted, “it is far easier to study and recommend than it is to do.”  A key aspect of this is approaching the problem from a risk management perspective.  And one corporate counsel rejoined “no way anyone can execute all of these recommendations pouring forth.  It takes a risk assessment to prioritize actions and then a disciplined, resourced, time-bound execution plan that actually gets implemented”.

2. What the “WannaCry” ransomware attack taught us.

Needless to say, I suppose, but comments on the “WannaCry” attack seemed to be on everybody’s bucket list. WannaCry was an example of the insecurity of legacy systems. It’s not that “new” internet infrastructure is insecure and “old” technologies are proven. Much of computing and the internet is already “old”. But there’s a life cycle to technology. “New” systems are more resilient (able to adapt to an attack or discovered vulnerability) and are smaller targets. Older legacy systems with a large installed base, like Windows 7, become more globally vulnerable if their weaknesses are discovered and not addressed. And if they are in widespread use, that presents a bigger target.

This isn’t just a problem for Windows. Sebastian Benthall … a data scientist at Ion Channel, an AI software/cyber startup … sent me a long paper which I have just started parsing; his point is that similar principles are at work across many data/software ecosystems. The riskiest projects are precisely those that are old, assumed to be secure, but no longer being actively maintained while the technical environment changes around them. The evidence of the WannaCry case further supports his view.

3. Enough with the executive orders, already!!!

This was a pet peeve of Melissa Hathaway, but it was echoed by several speakers at these events. Hathaway took aim at Trump’s recent cybersecurity order:

This will require every agency to dedicate precious and shrinking resources – time and personnel – to develop these plans, delaying and possibly distracting these agencies from their current cybersecurity activities and operations.

Hathaway provided a table that lists the new executive order’s 14 requested reports, deadlines to complete the studies, lead agencies overseeing the studies and the recipients of the reports:

Report | Timeframe | Lead Agency | Recipient
Risk Management Report (using NIST Framework) | 90 Days | All Agencies | OMB
Governmentwide Risk Assessment | 150 Days | OMB with support from DHS, DoC, GSA | Assistant to the President for Homeland Security and Counterterrorism (APHSCT)
Modernizing Federal IT – Shared IT Services | 90 Days | DHS, OMB, GSA, DoC | Director, American Technology Council
Modernizing Federal IT – Shared IT Services for National Security Systems | 150 Days | DNI and DoD | Assistant to the President for National Security Affairs (APNSA) and APHSCT
Supporting and Engaging Section 9 Entities – Cybersecurity Risk Management | 180 Days (report annually) | DHS with others | APHSCT
Market Transparency for Critical Infrastructure Entities | 90 Days | DHS and DoC | APHSCT
Increase Resilience to Automated Distributed Threats (Botnets) (Draft Report) | 240 Days | DoC and DHS | Public Report
Increase Resilience to Automated Distributed Threats (Botnets) (Final Report) | 365 Days | DoC and DHS | POTUS
Assessment of Electric Sub-sector Incident Response Capabilities | 90 Days | DOE and DHS | APHSCT
Risks to Defense Industrial Base, Including Supply Chain | 90 Days | DoD, DHS, FBI with support from DNI | APNSA and APHSCT
Strategic Options for Deterrence | 90 Days | DoS, Treasury, DoD, AG, DHS, and USTR | APNSA and APHSCT
International Cybersecurity Priorities | 45 Days | DoS, Treasury, DoD, DoC, DHS, AG, FBI | POTUS
Engagement Strategy for International Cooperation | 135 Days | DoS | APHSCT
Cybersecurity Workforce Strategy | 120 Days | DoC and DHS, with support from Labor, Education, OPM | APHSCT
Cybersecurity Workforce Strategies of Other Nations | 60 Days | DNI | APHSCT
Cyber Capabilities Assessment | 150 Days | DoD | APHSCT

One speaker on cybersecurity strategy noted that, yes, modernizing government IT is desperately needed and is consistent with congressional initiatives. It is essential that we clean up our infected infrastructures. But we already have initiatives in place along with continuity.

I want to end with a few comments by Brett Williams, the ex-Air Force Major General I noted above. He made numerous points but let me just highlight two areas which he felt were especially “Board worthy”:

  • End of Life (EOL) software
  • patching

EOL Software.

EOL software is software that is no longer supported by the company that developed it in the first place, meaning that it is not updated or patched to protect against emerging threats. WannaCry took advantage of versions of the Microsoft Windows operating system that were beyond EOL and had well-known security vulnerabilities.

Typically, a company runs EOL software because it has a critical application that requires customized software that cannot run on a current operating system. This situation might force you to maintain an EOL version of Windows, for example, to run the software. In the instance of WannaCry, Windows XP and 8 in particular were targeted. Boards should be asking: what risks are we taking by allowing management to continue running EOL software? Are there other options? Could we contract for the development of a new solution? If not, what measures have we taken to mitigate risks presented by relying on EOL software?

Other times companies run EOL software because they do not want to pay for the new software or they expect a level of unacceptable operational friction to occur during the transition from the old version to the new. Particularly in a large, complex environment the cross-platform dependencies can be difficult to understand and predict. Again, it is a risk assessment. What is the risk of running the outdated software, particularly when it supports a critical business function? If the solution is perceived as unaffordable, how does the cost of a new solution compare to the cost of a breach? Directors should also ask where are we running EOL software and why.

Patching.

Software companies regularly release updates to their software called patches. The patches address performance issues, fix software bugs, add functionality, and eliminate security vulnerabilities. At any one time, even a mid-sized company could have a backlog of hundreds of patches that have not been applied. This backlog develops for a variety of reasons, but the most central issue is that information technology staff are concerned that applying the patch may “break” some process or software integration and impact the business. This is a valid concern.

In the case of WannaCry, Microsoft issued a patch in March that would eliminate the vulnerability that allowed the malware to spread. Two months later, hundreds of thousands of machines remained unpatched and were successfully compromised.

Directors should ask for a high-level description of the risk management framework applied to the patching process. Do we treat critical patches differently than we treat lower-grade patches? Have we identified the software that supports critical business processes, and do we apply a different time standard for patching it? If a patch will close a critical security vulnerability but may also disrupt a strategic business function, are leaders at the appropriate level of the business planning to manage disruption while also securing the enterprise? Have we invested in solutions that expedite the patching process so that we can patch as efficiently as possible?
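The two board questions above (“where are we running EOL software?” and “do we apply a different time standard to patches on systems that support critical business processes?”) are the kind of thing a small inventory script can answer on a recurring basis. The following is an added example, not code from the post, from Brett Williams or from IronNet: it runs a risk-tiered review over a constructed asset inventory. The end-of-support table, the SLA windows, the host names and the patch identifiers are all assumptions made up for illustration; the dates in EOL_DATES are illustrative and should be confirmed against the vendor’s published lifecycle before use.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical end-of-support dates by platform. Illustrative values only:
# confirm against the vendor's published lifecycle before relying on them.
EOL_DATES = {
    "windows-xp": date(2014, 4, 8),
    "windows-7": date(2020, 1, 14),
    "windows-10": date(2025, 10, 14),
}

# Hypothetical patch deadlines in days, keyed by (patch severity, asset
# criticality): the "different time standard" for critical systems.
SLA_DAYS = {
    ("critical", "critical"): 7,   ("critical", "standard"): 14,
    ("high", "critical"): 14,      ("high", "standard"): 30,
    ("medium", "critical"): 30,    ("medium", "standard"): 60,
    ("low", "critical"): 90,       ("low", "standard"): 180,
}


@dataclass
class Patch:
    patch_id: str
    severity: str   # critical / high / medium / low
    released: date


@dataclass
class Host:
    name: str
    platform: str
    criticality: str   # "critical" if it supports a critical business process, else "standard"
    pending: list = field(default_factory=list)   # patches released but not yet applied


def eol_status(host: Host, today: date) -> str:
    """'eol' if the platform is past end of support, 'supported' if not, 'unknown' if unlisted."""
    end = EOL_DATES.get(host.platform)
    if end is None:
        return "unknown"
    return "eol" if today >= end else "supported"


def patch_deadline(patch: Patch, host: Host) -> date:
    """Deadline = release date plus the SLA window for this severity/criticality pair."""
    return patch.released + timedelta(days=SLA_DAYS[(patch.severity, host.criticality)])


def overdue_patches(host: Host, today: date) -> list:
    """(patch_id, days overdue) for every pending patch past its deadline, worst first."""
    overdue = []
    for patch in host.pending:
        due = patch_deadline(patch, host)
        if today > due:
            overdue.append((patch.patch_id, (today - due).days))
    return sorted(overdue, key=lambda item: item[1], reverse=True)


def review(inventory: list, today: date) -> dict:
    """Hosts that need board attention: unsupported/unknown platforms or overdue patches."""
    findings = {}
    for host in inventory:
        status = eol_status(host, today)
        overdue = overdue_patches(host, today)
        if status != "supported" or overdue:
            findings[host.name] = {"platform": status, "overdue": overdue}
    return findings


# Constructed inventory and reference date (not real systems or real patches).
TODAY = date(2017, 5, 12)
INVENTORY = [
    Host("hr-fileserver", "windows-7", "critical",
         [Patch("P-2017-03-A", "critical", date(2017, 3, 14))]),
    Host("lab-kiosk", "windows-xp", "standard"),
    Host("web-frontend", "windows-10", "critical",
         [Patch("P-2017-04-B", "medium", date(2017, 4, 20)),
          Patch("P-2017-01-C", "low", date(2017, 1, 1))]),
    Host("build-agent", "windows-10", "standard",
         [Patch("P-2017-05-D", "high", date(2017, 5, 1))]),
]

if __name__ == "__main__":
    for name, finding in review(INVENTORY, TODAY).items():
        print(f"{name}: platform={finding['platform']} overdue={finding['overdue']}")
```

Run as-is, the review flags the Windows XP kiosk as EOL, the HR file server for a critical patch 52 days past its 7-day window, and the web front end for a low-severity patch that quietly aged past 90 days, while the build agent, whose high-severity patch is still inside its 30-day window, stays off the list. The two tables are the policy: a board that cannot get them filled in for the real estate has its answer to both questions.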

Have a good weekend.

For my two-part series on “WannaCry” click here.
