The New Rules Of Cybersecurity

The man who built the U.S. Army’s cyber command says online threats are going to get worse before they get better. But that doesn’t mean leaders are powerless. To win, focus on your culture and your people to create a sense of urgency to protect what you value, and ensure you’re ready for the threats focused on you. Some hard-learned lessons from the war for cyberspace.

My 37-year career in the U.S. Army spanned the digital revolution we continue to experience today. From being assigned to the Army’s first digitized division, to leading the Army’s human resources command during a time of war, to creating, in 2010, a global command with 17,000 cyber professionals charged not only to conduct defensive operations but, when directed, to be able to conduct offensive operations, I witnessed and helped lead the transformation of our military into a new age.

Over that time, the ability of cyber threats to take advantage of, or limit, America’s ability to conduct uninterrupted operations—both militarily and commercially—increased dramatically. Yet, until recently, many leaders assumed that, despite the occasional interruption, these adversaries would not have the ability to seriously interrupt operations. We took our freedom to operate in cyberspace for granted. That assumption is no longer true. There is a growing threat from sophisticated cybercriminal networks and from individual actors who have a political cause or something else they want to affect through cyberspace. Most significant are the growing cyberthreats from nation-state actors—especially Russia, China, Iran and North Korea—that have the potential to commit not only cybercrime or espionage, but to launch disruptive and potentially destructive attacks.

Iran’s capability, in particular, has grown significantly since a 2012 attack on the U.S. financial sector. Iran is no longer only taking a disruptive approach; it now has destructive capability as well. North Korea has also demonstrated a growing ability to successfully target institutions around the world. America’s sophisticated, networked critical infrastructure—our financial institutions, our electrical grid, our telecommunications sector—also makes the U.S. potentially vulnerable to nation-states as well as to cyber-terrorists who have a clear intent to do us harm but, for the time being, lack the capability.

“YOU WILL NEVER ELIMINATE ALL RISKS BUT YOU CAN FOCUS ON WHAT MATTERS MOST TO REDUCE RISK.”

Our ability to operate in cyberspace from now on will be predicated on our ability to defend and conduct appropriate cybersecurity—if we expect military operations to continue, or we expect businesses to bring the value that we intend.

Cybercrime Will Continue to Explode
The bad news is that it is going to get worse before it gets better. Cybercrime is going to explode as an industry. In addition to today’s sophisticated cybercriminal networks, technology is converging to the point where any individual can easily pick up tools and use them to put others at risk. Almost half of all breaches already result from criminal or malicious attacks, and as the tools to commit cybercrime become easier for individuals to use, the number of new opportunists seeking new markets and new partners will grow, creating more threats across the world.

The Internet of Things (IoT) in particular brings increased opportunity for cybercriminals. IHS forecasts that the number of IoT devices will grow from 15.4 billion devices in 2015 to 30.7 billion devices in 2020 and 75.4 billion in 2025.

It is already relatively simple for even unsophisticated adversaries to take control of IoT devices and harness their computing power as part of a botnet, significantly increasing their ability to disrupt a company’s online operations by flooding its network with data in a denial of service attack. But the growth of IoT also dramatically increases the threat of direct penetration of corporate networks, especially through supply chains and third-party relationships.

As IoT and frictionless machine-to-machine data flow become ubiquitous, corporate leaders will see their cyber risks grow substantially. Where is all that data from all those IoT devices going? Who has access to the data in your company? Are those vendors and customers doing enough to secure their networks? These are the questions that will keep CEOs up at night, and they require attention now.

Healthcare is a good example. The $28 billion global market for electronic medical records is expected to surpass $36 billion by 2021, according to Kalorama Information. All this sensitive personal information is a rich target for cybercriminals, and the number of IoT devices, including wearables and implants, is making it ever more vulnerable.

Beyond that, the ability for criminals to seize control over these personal medical devices and hold their users for ransom is growing. Last year’s WannaCry ransomware outbreak affected thousands of hospitals and reportedly targeted medical devices for the first time as well.

Cybercriminals are just beginning to think about the ways in which they can leverage their abilities. Any belief that if we pay them it will be okay will break down. You can’t trust agreements between people with values and people without values. Paying them will not ease the pain. Defining and mitigating the risk to prevent these threats from making you a victim is the key. And if prevention fails, your resiliency will depend on how prepared you are to recover and restore operations.

Taken together, the overall threat from cybercrime will result in far more expense to companies—not just from the breaches themselves and the work to prevent them, but also from litigation and, in all likelihood, additional regulation. Breaches at companies over the last year, especially Equifax, generated increased scrutiny among lawmakers and regulators around the country—and on Capitol Hill. Expect a growing push for companies to start doing some of the necessary security basics.

Hard-Learned Lessons to Consider
In this environment, the main issue for CEOs and top leaders isn’t which software to buy. When it comes to cybersecurity, culture is the most important thing because people are the weakest link. It isn’t just in corporate America. In every large organization, including the Army, where high discipline and high standards are expected, people often fall short, given the anonymity the virtual world provides. In my experience, soldiers—and employees—often fail to remember that a risk to one is a risk to all.

“The main issue isn’t which software to buy. Culture is the most important thing because people are the weakest link.”

A worker who would never think of leaving the door to a factory unlocked will think nothing of clicking on a malicious link from an unknown sender or using a weak personal password to protect critical company data. A 2017 Verizon study found 81% of hacking-related breaches leveraged either stolen or weak passwords.

So how do you lead in this volatile environment? Here are 10 ideas on where to start.

1. Lead from the Top and Keep It Simple. First, figure out how to make policies simple. If it’s too hard to follow a directive, your people won’t follow it. In addition, complex policies take more time, stealing time from your business. Your people are pretty creative—if you’ve put something in place and they don’t like it, they’ll find a way not to do it, or a way around it. In simple terms, find ways to protect people from themselves.

Changing a culture is hard, and harder when people are the weakest link. Most importantly, demonstrated leadership from the top is essential to change. It’s pretty clear to an organization if the leaders have not embraced the need for a cybersecurity culture. Make a point of discussing cybersecurity openly—and reinforce the message as often as possible. Then, ensure your actions match your words.

2. Don’t Be Overconfident. It is very easy for adversaries to take advantage of companies that may not have invested in the appropriate measures with respect to cybersecurity. Overconfidence makes it worse. People tend to think they are better than they actually are. This is human nature. If you find threats in your network, and you ask the people doing the forensics where other threats are, the answer will likely be, “there’s no one else, that we’re aware of.”

The reality is you get so close to the problem that you think you’re better than you really are. Change your mindset to believe that anything your organization can do, your adversaries can do, and in some cases, do it better. Finally, think about changing your perspective and assume cyber threats are in your network, and see how this may change an organization’s thinking.

3. Collaborate and Communicate. Too often, we’re not communicating in terms that other people understand. Be sure your IT decision-makers speak English, not tech, and make sure they can be understood by everyone around them—up and down the leadership chain. That’s critical to companies because boards and management are talking past each other too often today. They’re not communicating in terms each can understand.

It’s also critical that teams are transparent and work across silos. A personal anecdote: The first meeting I had when I was starting up the Army’s cyber command was like a negotiation between North and South Korea. On one side of the table were the people who did IT; on the other side were the people who did intelligence. They had their arms crossed, looking at each other. I could feel the tension in the room and said, “Relax, I’m just trying to see where we are as we prepare to stand up the command.”

The IT people looked at me and said, “We’ve been responsible for defending these networks. And those intelligence people over there, if they gave us the intel we needed to have, we could defend these networks.” And the intelligence people looked at them and said, “If you had a need to know, I would tell you.” That was not a good place to start when it came to building better cybersecurity, where the first question you need to ask is, “Who else needs to know?” and information sharing is critical to success.

4. Know That Technology Is Always Changing. Far too often, you will hear IT people say, “I could have stopped it if I only had this.” But the reality is that resources are finite, and technology is always changing. It’s not an issue of not having the right technology. How do you mitigate the most significant risk? Given the technology you have, how can you leverage your people? How can you leverage your processes? What do they need to do differently? Because you can’t go buy every widget and gadget that you think is going to solve every problem.

“Make sure your IT decision-makers speak English, not tech, and that they can be understood by everyone around them, up and down the leadership chain.”

There are so many products out there, and everybody is claiming to do something. Where to start? Do not buy anything until you have 100 percent visibility into your network. Anything you can’t see, expect that someone else can see it and use it as a point of entry and a point of vulnerability. Also, invest in capabilities that are part of an integrated, automated, real-time prevention platform.

5. Recognize that Threats Are People. The threat is not malware. It’s people. You have to think about what you have that they want. What are the crown jewels of your organization that would be most valuable to a cybercriminal? Then you have to understand the adversary’s capability and intent to threaten that information. Not everything is a threat to you. What you need to address are the threats that bring the most significant risk to what you value most.

6. Compliance Isn’t Cybersecurity. In many organizations there’s still a false sense of security that compliance equals cybersecurity. Compliance does not equal cybersecurity. Compliance says that you are compliant on this particular thing that you’ve been told to do, and compliant at this particular moment in time. Too many companies are focused on compliance at the expense of mitigating and managing risk.

We bring that on ourselves because every time there’s an incident, somebody asks what happened and how to prevent it, and then looks for a compliance measure to put in place. This whack-a-mole approach of constantly chasing threats does not work; an enterprise risk-management approach is required. You will always be managing risk. Everything brings some risk to your networks, data and systems. You will never eliminate all risks, but you can focus on what matters most to reduce risk while increasing the resiliency of your business.

7. Monitor the Right Metrics. Given the amount of cybersecurity information available, monitoring the right metrics is no easy task. Each company must determine what’s important and which metrics assure the mission; more metrics is not better. Consider distinguishing between leading and trailing indicators. From a cybersecurity standpoint, focus on the leading indicators, particularly as you work to anticipate how to mitigate risks against a constantly evolving threat landscape. Minimize your reliance on snapshots in time. While they may look good, a snapshot is only a view at that moment; tracking trends and patterns tells you more. Metrics should be easy to understand, concise and relevant, while enabling discussion and decision making.

While each company is different, all should consider metrics related to the confidentiality of their information, the integrity of their data and the availability of their systems. Poor cybersecurity measures can impact all three.

The hardest one, and the one that concerns me the most, is the integrity of the data. What happens when an attacker is able to change your data and you don’t know it’s been changed? Today, all our systems depend on data and if you can no longer trust the integrity of the data, you have a significant problem. In my view, that’s the most dangerous threat we face in the future and one you need to prepare for today.
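The silent-modification problem described above is detectable when every record carries a keyed integrity tag that the data store itself cannot recompute. The following is an added example, not code from the article or from any organization it mentions; it uses Python’s standard hmac module, a constructed key and a constructed accounts-payable table, and assumes the key and the tag table are kept somewhere the attacker who can rewrite the rows cannot reach (for instance an append-only store owned by a separate team).

```python
"""Detecting silent data modification with keyed integrity tags.

Added example (not from the original article). Each record receives an
HMAC-SHA256 tag computed with a key held apart from the data store. An
attacker who can rewrite records but does not hold the key cannot forge a
matching tag, so a periodic verify pass exposes the change.
"""
import hashlib
import hmac
import json

# Constructed demo key. Assumption: in practice this lives in a secrets
# store or HSM that the database and its administrators cannot read.
INTEGRITY_KEY = b"constructed-demo-key-not-for-real-use"


def canonical(record: dict) -> bytes:
    """Stable serialization so field order never changes the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed tag for one record; a plain hash would not do, since an
    attacker who can edit the row could simply recompute it."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def tag_table(rows: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return {record_id: tag} for every row. Store this apart from the rows."""
    return {rid: tag_record(row, key) for rid, row in rows.items()}


def verify_table(rows: dict, tags: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Compare the current rows to the stored tags and report what changed.

    modified: a row exists but its content no longer matches its tag
    deleted:  a tag exists but the row is gone
    inserted: a row exists that was never tagged (unauthorized addition)
    """
    report = {"modified": [], "deleted": [], "inserted": []}
    for rid, expected in tags.items():
        if rid not in rows:
            report["deleted"].append(rid)
            continue
        actual = tag_record(rows[rid], key)
        # Constant-time comparison; fine for tags, and a good habit.
        if not hmac.compare_digest(actual, expected):
            report["modified"].append(rid)
    for rid in rows:
        if rid not in tags:
            report["inserted"].append(rid)
    return report


def demo() -> dict:
    """Walk through tagging, three kinds of tampering, and detection."""
    # Constructed sample data: a tiny accounts-payable table.
    rows = {
        "inv-1001": {"vendor": "Acme Supply", "amount": 1250.00, "account": "11-2233"},
        "inv-1002": {"vendor": "Northwind", "amount": 980.50, "account": "44-5566"},
        "inv-1003": {"vendor": "Contoso", "amount": 310.00, "account": "77-8899"},
    }
    tags = tag_table(rows)

    # Silent change: the payout account is redirected, the amount is untouched,
    # so a casual review of totals would notice nothing.
    rows["inv-1002"]["account"] = "99-0000"
    # A record removed outright, and an unauthorized one added.
    del rows["inv-1003"]
    rows["inv-1004"] = {"vendor": "Unknown", "amount": 5000.0, "account": "00-0001"}

    return verify_table(rows, tags)


if __name__ == "__main__":
    print(demo())
```

The tag table is only useful if it is written at the moment the data is trusted and then protected more strictly than the data itself; if the attacker can rewrite both the row and its tag, the check proves nothing. Running the verify pass on a schedule, and treating any non-empty report as an incident, turns data integrity from a hope into a measured quantity.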

8. Get a Second Opinion. Second opinions matter—be careful of group-think. Bring in outside experts. It’s great to confirm your ideas, but it is even more valuable to get fresh thoughts and ideas from outside your organization.

9. Practice, Practice, Practice. If you do nothing else, prepare for a breach and be ready to respond. The best way to be ready is to train over and over and over again. Everything depends on it—your company value, your reputation. Have a strong incident response plan, have it reviewed and updated routinely, and most significantly, rehearse it, with internal and external participants, until everyone knows what’s required if they have to respond. I’m sure it won’t go as planned, but I can guarantee everyone will be ready to adjust as needed.

10. Keep Asking Questions. The last thing is to be engaged and keep asking questions. When I started cyber command, the only thing I knew was that I had a lot to learn. I counted on my experts to help inform me on what I needed to know, and I talked to a lot of outside people to get their views. Then, it was important to move quickly beyond the basics and to ask tough questions in order to close the gap between your expectations and reality.

Get engaged, as opposed to saying, “Well, that’s the cybersecurity people, or that’s IT, or that’s not important to me.” That doesn’t send the right message, and it doesn’t allow you to do the necessary strategic thinking and work required to appreciate what needs to be done to protect your business—and to ensure your mission.


THE KEY QUESTIONS TO ASK

Why would they attack us?
What are our crown jewels and where are they; who can access them; how do we know they’re protected?
How do we know threats are not in our network?
What are our most significant vulnerabilities and risks?
Do we have a framework to address cybersecurity and to ensure hygiene?
Do we have a culture of cyber-risk awareness and is the policy for personal responsibility and accountability clear?
Do we have visibility across our supply chain and is cybersecurity built into our contracts?
What is our risk appetite, and do we have an enterprise approach to risk management?
Are we ready to respond to a breach?
Source: NACD


WHAT LEADERS SAY

A recent Ernst and Young survey of 1,200 C-Suite leaders at the world’s largest organizations found worry and weakness when it comes to cybersecurity.

89% say their cybersecurity function doesn’t meet their organization’s needs.
87% say they need up to 50% more budget.
64% say malware attacks increased in 2017, compared to 52% in 2016; phishing is up 64% vs. 51%.
57% have no threat intelligence program, or only an informal one.
48% don’t have a security operations center (in-house or outsourced).
17% of boards have sufficient knowledge for effective oversight of cyber risks.
Only 12% feel it’s very likely they would detect a sophisticated cyber attack.


WHAT TO DO NOW

Do the Basics. Identify and patch all known vulnerabilities. Require multi-factor authentication, not just passwords, for access to your systems. Limit the number of people who have access to the most important parts of your network. Be sure to guard your back door—supply chains and third parties.

Examine the Impact. Take the time to think about the impact of cybersecurity on your company. What’s the worst that could happen? Are you addressing it?

Get Your Board Right. Look hard at your directors to be sure that they’re suited for today’s world. Do you have cyber expertise on your board?

Be Ready. Rehearse your incident response plan. Some 38 percent of U.S. companies have no plan, and of those with a plan, one-third have not reviewed it since it was initially developed, according to the National Association of Corporate Directors.


Lieutenant General Rhett Hernandez (Ret.)

Lieutenant General (Ret) Rhett Hernandez was the first commander of the U.S. Army Cyber Command, responsible for the operations and defense of all Army networks and transforming the Army’s approach to cyberspace. He is part of the Thayer Leadership Development Group at West Point and serves as the West Point Cyber Chair to the Army Cyber Institute. He serves on a wide range of boards and as president of CyberLens, LLC, focusing on leadership, strategic planning and risk management.
