2018 & Beyond – Cybersecurity’s Future

George Platsis: Save the geek factor, becoming involved in cybersecurity was anything but linear.  What started as business continuity/organizational resilience turned into something much larger, where I began looking at linkages between security and economy.  Basically, looking at how these systems are very much dependent on each other and if one goes, so does the other.  That led to looking at national security and constitutional/international issues.  Ultimately, ended up where I am today: focusing on human vulnerabilities related to cybersecurity and information warfare.  All the disciplines are linked together.

Chris Veltsos:  I came to cybersecurity via the software development world. Programming was my first passion, but to be fair, cybersecurity and cyber risks weren’t much talked about in the late 80s. While I was taking computer science courses, I encountered my first virus in the late 80s early 90s, and while I didn’t pivot right away, the experience left me puzzled about the world we were building, at the dawn of the information age, so susceptible to the influences of nefarious software.

While I came to cybersecurity and cyber risks from the technical side, it’s the business and human psychology side that I’ve connected with the most, and that’s the area where I would say I have experienced that most professional development in the past decade. What I love about cybersecurity is that it’s not an IT issue but a business issue, and it’s finally treated that way. Some CISOs (and CIOs and CEOs) still see this as an IT issue, but the evolution of this mindset is undeniable. In my opinion, we’ve only begun to scratch the surface about ways to improve the People and Process side of cybersecurity and cyber risks: how we make decisions, how we communicate risk, how risk considerations are infused into every part of the business. Cybersecurity wasn’t part of MBA programs a decade ago, but this issue is certainly finding its way into business courses today.

Kenneth Holley: My professional background is rooted in software engineering.  I served in the United States Navy for six years, where I worked with and on the first generation Naval Tactical Data System (NTDS) and surface warfare simulation software.  Following my separation from the Navy, I settled in the Washington, DC area and founded Information Systems Integration (ISI).

ISI’s initial focus was on software development, including the early days of HTML, website, and web app development.  Driven by my deep interest in computer networking, ISI shifted its focus in the late 1990’s to meet the burgeoning need for network infrastructure design and network security.  As the CEO of ISI for the past 24 years, I lead an organization which has become the preeminent authority in cybersecurity for the world’s most influential government affairs firms.

Chris Veltsos: For most organizations, the focus should really be to take care of the basics. Things like:

• Patching (patch completion rates, time-to-patch windows, determination and patching prioritization of critical systems that are exposed to the Internet);

• Backups (ensuring you perform regular backups, test them routinely, and ensure that not everything is connected all the time);

• Don’t forget the people factor — there are many quick wins that can be achieved when people are included in security awareness. Employees can be human sensors, and can not only avoid making silly mistakes, but also provide early warning of things being strange.

• Not just technology, but processes as well — security isn’t a project to be implemented and forgotten about. It needs to be part of the fabric of the business, and processes should be reviewed to determine how well security is integrated into each, and in turn, how each process influences the security posture of the organization.

• I’m sure my colleague Paul Ferrillo wrote about adopting the Cloud. But you shouldn’t deploy anything in the Cloud until you know exactly how you’re going to test that things were deployed correctly and securely. So many breaches in 2017 were a result of not having checked that a cloud-based storage unit was properly secured.

• For the more mature organizations, they should test their security controls to gain assurances that those controls are working the way they’re supposed to and to find ways to improve them.

• More mature organizations should also look at where the CISO (or equivalent role) is positioned in the organization chart. CISOs reporting to CIOs creates more problems than it solves.

Kenneth Holley: As a global community, we have done an excellent job in pushing cybersecurity technology forward, particularly advancements within the realm of human-driven AI threat detection, automation, and orchestration.  That said, we’re losing the war against cybercriminals.  It’s my belief that we need to intelligently alter our tactics, refocusing on the human aspects of the problem.  In order to counter the ever-increasing sophistication that cybercriminals are bringing to bear, we must focus on the people behind the machines.  Unfortunately, much of the recent advancements in AI-based cybersecurity solutions seek to remove valuable human judgment while at the same time eliminating biases.  Human judgment and decision-making – and all of the subtleties which accompany them – is the uniquely powerful essence of who we are.  The very things which cybercriminals have become masters at leveraging against us.  The goal should be to amplify, not replace, human judgment through a truly powerful approach which creates superior, collaborative solutions.  This should our focus going forward.

George Platsis: 1) Fix the basics.  2) Fix the basics.  3) Fix the basics.  Look at all the big breaches of the last while and they almost all have a similar thread: somebody screwed up.  The tech does (mostly) what it is supposed to do, even when complex and convoluted.  It is the humans that are making the most basic mistakes though and that’s costing us.  Whether it is failure to patch, forgetting to do maintenance, or not being able to identify a spearphish attempt, these mistakes hurt.  And we only have a limited amount of resources, so we should be spending wisely.  A full flick of the switch to all AI won’t work.  Humans need to up their game.

Kenneth Holley: Extremely serious.  We must work rapidly to replace legacy infrastructure systems with modern, fully hardened systems end-to-end.  In addition, true air-gapping for critical infrastructure is a must.  Finally, a cybersecurity regulatory / standards body is a necessity for these systems.

George Platis:  Protecting critical infrastructure warrants serious attention.  IIoT devices, just like IoT devices, need to be secured out of the gate.  They’re low hanging fruit for malicious actors.  The #CyberAvengers have suggested a type of certifying authority to ensure these devices are safe and secure.  We need more security by design mentality too.

Chris Veltsos:  Pandora’s box is open, and unfortunately we’ve done a seriously poor job at realizing the kinds of plagues and evils that we allowed to spill into this world. On the topic of IoT, I applaud efforts of governments around the world to try to steer manufacturers and consumers towards better-engineered products that have implemented security-by-design and privacy-by-design. However, market forces are at play here, and with a global market, it’s tough to control what gets built, to what specifications, and then find an appropriate way to share that information with potential buyers. There’s no “energy-star” rating system for IoT security or IoT privacy.

Regarding critical infrastructure, the US government has been worried about this for several decades, but the private sector — which owns most of the actual infrastructure in this country — has been slow to react and implement much-needed upgrades and safeguards. Forcing the CEO of a utility company to testify in front of Congress after a blackout doesn’t do much to scare the rest of the utility companies into compliance. So, in my opinion, we’ll have to wait for a significant national-level disaster to “wake up” and do something. I see lots of parallels with road safety: many roads are poorly designed but aren’t scheduled for improvements until there’s been a number of horrendous crashes with significant loss of life.

What worries me about the critical infrastructure is that we don’t have to look far in time or distance to see examples of what can happen: entire cities or even states without power; cascading failures; polluted water supply; unstable underground gas pipelines. Just in the past two decades, there have been many documented cases of countries or terror cells waging these kinds of attacks. These are not “maybe’s” or “what-if’s”, these are documented instances of weaknesses in our nation’s critical infrastructure. Heck, even the sewage systems could be a target; what kind of a crappy situation is this?