How to Manage Cybersecurity in 2022

Michael Krigsman: The state of security in 2022 with retired Air Force Brigadier General Greg Touhill. He's now Director of the CERT Division of the Software Engineering Institute at Carnegie Mellon University. Greg, tell us about yourself and the things that you've done.

Gregory Touhill: Towards the end of the Obama Administration and after OPM, the President decided that we needed to have a chief information security officer, so I was appointed into that position as the very first Federal Chief Information Security Officer and went through the end of the Obama Administration doing that.

After I left federal service at the end of the Obama Administration, I did two different paths. I became a professor here at Carnegie Mellon at the Heinz College, but I also joined industry. Not only did I serve as president of Appgate, which is a cybersecurity startup; I also served on boards of Semantic, Splunk, and Intel, Bay Dynamics, and Cyber Response. So, I got a really great experience in industry.

When this job came open here at the Software Engineering Institute, I was recruited to come here. Now I'm at what I consider the top of the pyramid, as it were, leading a team of brilliant researchers and engineers whose mission is to help better protect national security and national prosperity by hardening the cyber ecosystem.

On the state of cybersecurity in 2022

Michael Krigsman: What do you consider to be the landscape, the security, cybersecurity landscape today at this moment in time?

Gregory Touhill: I would give the state of cybersecurity right now the grade of being unsettled, and here's why. As we take a look at the pros versus cons, some of the pros in the environment today is we really have some great technologies that continue to be fielded to better security our infrastructure.

We also have the government taking the lead in implementing and promoting the zero trust security strategy. Notice I say zero trust strategy not zero trust architecture or the technology. It starts with strategy. Kudos to the government for moving forward with that.

Then I'm also seeing that the marketplace is responding to things like small and medium businesses that need some help with the development of managed services, security services providers, or MSSPs. Those are really positive things, and I'm also seeing increased information sharing, so four elements I think are really pro.

But they're offset by some of the cons that are still out there. First of all, I'd say that as you're taking a look at the reliance on information technology, we certainly saw during the pandemic thus far, it's really highlighted the reliance that we have on information technology and a secure, trusted cyber ecosystem.

Secondly, we still are seeing a lot of integration issues. As you go to integrate more things, you also are increasing your risk exposure. We have many organizations that don't necessary have a good handle on their risk exposure, particularly as they are integrating information technology with operational technology, industrial control systems such as billing systems that are linked to the pumps, valve switches out in the field. That's a great example of where we see administrative systems and industrial control or operational systems tied together. That increases risk exposure.

Then the last two cons are: complexity is continuing to plague our human element, the wetware that's involved in systems because complexity is the bane of security. We keep on having products that are fielded that take literally months or years to master. We have a confounded workforce that is struggling to keep up from a cognition standpoint.

Then finally, we continue to see that it is very inexpensive entry for offensive attackers. Anybody who has enough money to go buy a Kindle or a low-end laptop can (with sufficient access to the Internet) go onto YouTube, for example, and take training courses on how to hack and can become a very proficient hacker.

Taking a look at those pros and those cons, I see it still being a very unsettled state right now. I think that's something that we all need to be aware of that we have a lot of pros, but there are also a lot of risk exposure remaining.

On security weakness arising from the intersection of administrative and operational systems

Michael Krigsman: Let me ask you a question just to drill down on a point that you made, this intersection of the administrative systems with the operational systems, and that basic architecture leading to greater security risk. How did that get designed in and what can we do about that? I ask because we read about this problem, and it's obviously a very severe issue and very common.

Gregory Touhill: It is a very common issue, but it's also been underneath the radar for a lot of different organizations because, as you went, as a company, to take a look at how do I make myself more efficient and lower costs, many organizations said, "Well, you know what? I'm going to go, and I'm going to reduce my manpower costs, which were very expense."

We've got electrical meters. We've got gas meters in critical infrastructure. We used to have people who would go around, house to house, business to business, and read the electrical meter and read the gas meter. As you take a look at the cost and the value proposition, automating that and linking those type of metering systems reduces the manpower and labor cost.

I use that as an exemplar. But as we go and we link those different systems together with billing and stuff like that, then we have to tie them together. Often, if you have somebody who is a network architect who is being told, "Hey, you've got to connect these two together," boom, they'll go do that. But folks don't necessarily make the cognitive leap that, "Oh, these systems now are electrically connected. If I can see it as a cyber operator, I can go get it."

Every organization out there really needs to have positive control of their architecture and know how things are put together and plugged in. That's the acme of skill that many organizations have yet to master. Once again, it's an exemplar of how complexity is the bane of security.

Michael Krigsman: Then fundamentally, is the issue one of insufficient training on security issues, or is it an enterprise architecture issue? Where is the root here?

Gregory Touhill: Some of this is legacy activities from well before some of the people who are in current jobs. It just came that way because their predecessors were plugging it in, in the '90s, and trying to bring these two together to have a more efficient business.

We're finding and, certainly, when I was at DHS and we were working with critical infrastructure providers, we would do penetration testing and red teams to show them how we could in fact leap over and get between the IT and the OT, leveraging some of these activities that were plugged together (with all of the best intentions).

With that complexity, making sure that you have a good handle through enterprise architecture, discovery through pen testing and red teams to see if anybody plugged it in that you didn't know about, all of those are part of the calculus for today's best practice. Every executive, every board, every IT staffer, every operational staffer, the whole company needs to have situational awareness as to how things are put together and what those risks are.

Michael Krigsman: I'm assuming that this type of organized situational awareness that you're describing is not sufficiently prevalent, as evidenced by the fact that there are so many privacy breaches, ransomware attacks, and so forth. This is happening all the time.

Gregory Touhill: Things are getting better in many areas, though, Michael. We now have tools that are helping IT staff map their networks and have better situational awareness.

However, as you take a look at some of the connections, some of them are not persistent. They'll pop up, pop down. But even then, the technology is getting better for detecting some of these things.

Yet, that said, we still need to be aware of what the adversary is looking for and start thinking like a hacker. As such, it all boils down to your data.

As a war college graduate, I was obliged to always quote a dead German in every public speech. [Laughter] I'm going to quote from Frederick the Great today who said, "He who defends everything defends nothing."

One of the best practices we've seen is making sure, first of all, before you even put your defenses together, that you understand your data. All data is not equal. You need to understand the value of your data and protect proportionately.

Further, you get great value by doing things like red teaming and pen-testing. When you're thinking like a hacker, often you find risk exposure that you didn't even know you had.

For IT professionals out there, we think it's the best practice to do those regular exercises where you are doing pen testing, you are doing red teaming. And if you are developing code or if you're hanging out websites and the like, consider a bug bounty program as well to help you understand what your risk exposure is and to better control those risks that you have.

On the challenges of enterprise security

Michael Krigsman: Now let's take a moment. Please subscribe to our newsletter. Hit the subscribe button at the top of our website so you can stay up to date on our upcoming live shows. Be sure to subscribe to our YouTube channel.

Greg, given the challenges that are faced by the largest companies in the world with these data breaches. What's going wrong? It seems like, as you've been describing, the solutions or the preventions are known to us. What goes wrong?

Gregory Touhill: I will start by emphasizing, though, that there are a lot of things going right. As we've taken a look at how reliant our economy is, our national security enterprise, all of this is reliant on a safe, assured, and secure IT infrastructure.

Our economy is coming back from the pandemic extremely strong. I would contend, during the pandemic, information technology and our ability to do sessions like this, the video teleconferences, the remote workforce pivot, all of that is a pro and should be something that we celebrate.

That said, we have adversaries out there that are actively seeking access to our data, trying to seek a competitive advantage, trying to shake us down for money such as the ransomware crooks that are out there.

How are they slipping through? Well, as I take a look at my taxonomy for the threats that are out there, we continue to see the vast majority – and by vast majority, I contend that the evidence shows that about 95+% of all cyber incidents are caused by careless, negligent, indifferent, or confounded people who haven't properly installed, configured, or likewise done the right things with the information technology that they have. There are contributing factors there such as complex systems.

As a Star Trek fan, and many of us in the technology world certainly are fans of science fiction, to paraphrase Scottie, the chief engineer of the Enterprise, "The more complex you make it, the easier it is to break it."

As a former military cyber operator, we were always looking for seams. In the physical world, as a commander of a base, we would do the base defense exercises. You would always look for seams in the adversary's defenses.

That's where we're seeing cyber adversaries following the lead of the physical world in looking for seams in our cyber defenses, interfaces, human elements, what we are not doing, what we're supposed to be doing from a configuration, installation, et cetera, not patching properly. All of those create seams that are easily identifiable with some of the scanning tools that are out there, and then to be leveraged by cyber attackers.

On the importance of prioritizing enterprise cybersecurity

Michael Krigsman: We have some interesting questions from Twitter, and it relates to this. Arsalan Khan, who listens a lot and he has these great questions, says he read somewhere that two-thirds of the government is helped by government contractors that are small and midsize businesses. When government contracts are based on cost, then cybersecurity may not be the first thing that's on the mind of these contractors. They're focused on low-cost rather than high security. What do we do about this?

Gregory Touhill: My recommendation and the recommendation out of our organization at the Software Engineering Institute CERT Division is that high-performing organizations, whether in government or outside of government, make cybersecurity a requirement.

You don't guess that they're going to have proper cybersecurity controls. You make it a requirement that they have proper cybersecurity controls.

Further, depending on your risk appetite, you can buy down your risk even further by writing in the requirements such as I want an independent third-party audit, a regular audit, of that vendor. An independent third-party regular audit to make sure that their cybersecurity controls are in place and that they're properly followed.

We're seeing more organizations – not only in government like the Department of Defense but in the private sector as well – that are now putting those cybersecurity requirements in place and they're following through with that independent third-party audit capability.

Now, I am aware of the Department of Defense's initiative for the cybersecurity capability maturity model that they have been looking towards. That's still a work in progress.

But we here at the Software Engineering Institute CERT Division applaud efforts like that where you are baking in cybersecurity and secure by design upfront not only in your code,  your hardware, and your wetware, but in your processes as well. Hopefully, that's helpful for organizations everywhere, not just in government.

Michael Krigsman: We have another question from Twitter. This is from Wayne Anderson, who is another regular listener. I believe Wayne is working for Microsoft in security. Wayne says this. "With the shadow of a recession looming and investment cycles changing, what have we learned since the last one for how we become secure in an economically constrained environment? And what will be different now than 2018 or 2007?" He's basically asking more or less the same question of the allocation of resources to security – or the lack thereof.

Gregory Touhill: At this point, as you take a look at a recession, and we're seeing inflation creeping up, the Fed is looking at adjusting interest rates to try to control the inflation. Ultimately, businesses have to balance the books, and the purpose of a business is to make money.

Similarly, government organizations also have to live within their means. The taxpayers are demanding it and sending representatives to their legislatures to hold the government administrators accountable.

Ultimately, for us that are on the technology side of the house, we need to make a better business case for why we need to be investing in cybersecurity. Ultimately, cybersecurity preserves the integrity of the information technology systems that fuel the economy that fuels that business.

Typically, we found over the last 30+ years, we fellow IT people haven't done a really great job of understanding how to articulate that business case, but there are encouraging signs that folks are getting it. Cybersecurity is now on the agenda in boardrooms, in classrooms, lunchrooms, and now even living rooms. We need to be able to show where the value proposition is, the return on investment, and the like.

We've been doing a lot of work here at SEI, and I would encourage the audience to take a look at our website and our blogs at sei.cmu.edu where we've done some research that shows some of those best practices out there.

But if you're going to be recession-proof, you always have to show the value proposition for not only the internal competition for resources but also to the end consumer, showing that in fact if they're going to give you any of their data that you're going to be a good custodian of it. That's the strength of a lot of the top-performing businesses that have proven themselves worthy and recession-proof during these uncertain economic times.

On managing ransomware attacks

Michael Krigsman: Certainly, when your customers' data, personal data – credit cards and the like, social security numbers – are released onto the Web, that doesn't do your corporate reputation any good. That's for sure.

Now another type of attack that we're hearing about all the time is ransomware. Can you tell us about ransomware and how do these attacks take place?

Gregory Touhill: Ransomware is in fact a thorny issue right now all around the world. We've got cyber burglars that are popping up everywhere. As I mentioned in the introduction, you can go online and literally download courses on how to be a hacker, how to create malicious software such as ransomware.

For those who don't know what ransomware is, in essence, folks that are out there engaging in ransomware are criminals. They're cyber crooks, and they are creating programs or downloading programs because now you can do ransomware as a service. You can go buy access to a piece of code that can institute a ransomware attack.

But they'll send it to the victim, often through a phishing or a targeted spear-phishing attack, launch the code, it'll move laterally, and it'll encrypt your data. Then if you want to unencrypt your data and have access to the data that they've tampered with, you have to pay them a bounty. Basically, pay up or we're going to keep your data from you or we may even destroy it and make it irretrievable.

Really sophisticated ransomware crooks are very patient as well, and they'll wait until you do your five or six backups before they go and they trigger it and deny you access to your own data.

We're seeing that around the world. Most recently, Costa Rica's government has been kind of blackmailed with ransomware. But it certainly is a plague upon our house.

There are ways that you can reduce your risk exposure to ransomware. We've posted some stuff on our website to help folks understand ransomware as well as what you can do about it to prevent it. But ultimately, one of the things that everybody should consider, in different businesses, to talk with your law enforcement community ahead of time – FBI, Secret Service, local police department – because, in the event of a ransomware attack, the first time you exchange business cards with those folks who are there to help you should not be in the time of stress and crisis.

As you're building your incident response plans – and you should have one for ransomware that gets exercised at every level of the company all the way up to the board of directors – you should have already made an arrangement to have met law enforcement officials who can bring resources to bear to help you if in fact you're hit with ransomware. To protect yourself ahead of time, I suggest you hit our website and see some of the recommendations that my team has put together.

Michael Krigsman: Ransomware is the cause primarily human failures such as people succumbing to spear-phishing attacks or is it technical penetration of systems?

Gregory Touhill: It's typically going to be a phishing attack that's coming in. Often, there are two different types. There is a spray and pray, as we call it, where the attacker will go shoot out messages to a wide range of folks and just see who clicks the link.

But then there's also targeted spear-phishing where the attacker has done their research on the individual and has a carefully crafted message that they're enticing the individual to click the link because they looked through the carefully crafted message to establish a measure of trust where the individual trusts, says, "Oh, yeah. This looks real. This looks legitimate, and obviously, I've got to click this link because if it's coming from Greg, it's obviously going to be clean."

That's not always the case. You should always be on guard for malicious sent emails and other transmissions that are coming in.

Michael Krigsman: These kinds of ransomware attacks then are partially technology and partially careful research about the intended target.

Gregory Touhill: Right, and there are a lot of crooks that are out there that are literally not the organized crime groups. Although, I think the organized crime groups, the evidence shows that they are highly successful. Their batting average is way, way up there right now.

We still are seeing not the highly organized, highly-skilled, organized crime people doing these ransomware. We are seeing more and more individuals that are going on the Net, and they are downloading ransomware as a code capabilities, and they are targeting their local areas. They're targeting local businesses.

This is something that's going on not only here in the United States but around the world. The cost of entry for attackers continues to go down whereas the cost of defense continues to be a high cost for businesses and governments everywhere.

On creating a culture of cybersecurity

Michael Krigsman: We have another question, again from Arsalan, who is coming back. Arsalan Khan says, "Every day, we see cybersecurity threats around the world. Why is it still so hard to make a business case for cybersecurity and what's the role of culture?"

Arsalan is really focused on this issue of applying resources, sufficient resources to security. Why does this problem even exist?

Gregory Touhill: Let me share with you, if I may, my taxonomy for the threats that are out there because there are so many that are out there.

This taxonomy was developed in conjunction with my friend and colleague Andy Ozment. We worked together at DHS. We served in the same office. He was my boss. I was his deputy.

First of all, from a threat perspective, I contend that you've got six threats that are out there that every organization needs to be prepared for in the cyber terrain.

One is spies. Those spies could be nation-state actors, but they could also be folks who are engaged in industrial espionage. They're seeking a competitive advantage by getting access to your data so that they can act faster than you in a particular issue.

Secondly, we've got burglars. These are the cybercriminals that are out there that are trying to seek financial gain.

The third group are what I call cyber muggers. The North Koreans were a great example with Sony. They mugged Sony.

But then again, everybody who has teenage kids have run into cyberbullies. They try mugging their other high school classmates on the Internet.

Ultimately, muggers are trying to seek leverage so that you can influence the behavior of an entity or an individual. There are muggers out there.

The fourth are saboteurs. Saboteurs are very pernicious, and they're very difficult to detect. Now, they could be nation-state actors who are planting malicious code (kind of like cyber bombs) to go off at a time and place of their choosing. Or it could be a disgruntled employee who's planted some sort of logic bomb thinking that they may get terminated and they're going to stomp out the door. You've got to plan for saboteurs, and you've got to take active controls and implement them to prevent sabotage to your data.

The fifth are vandals. Vandals will typically go out there, and they're trying to get their message out and impugn your message. They're trying to seek an upper hand to discredit your organization or the individual. Anonymous is a great example of folks who have been cyber vandals for a long time and trying to get their message across.

As I previously mentioned, Michael, as you take a look at the threat environment, I contend that over 95% falls back down to those careless, negligent, indifferent, and confounded people within your own midst who have misconfigured, who have not properly installed stuff, who aren't keeping up with patches, who are exercising poor practices. That is the number one cause of most cyber threats coming in and the risks that are out there. But as an executive, you've got to plan for all of these different threats that are out there.

Then further, as I get off the stage on this question, these type of threats have been here since well before the Internet. Making your business case and putting it before the board, putting it before your corporate process, you've got to put it in terms that everybody understands.

Often, drawing the analogy to the physical world gives you an advantage in the corporate budgetary process so that you can in fact show, "Hey, here are the different types of threats. Here's the type of controls that we need to employ to buy down our risk." Then from there, you're in a better position to arm yourself with the evidence to make the business case.

Hopefully, that's helpful taxonomy for folks.

Michael Krigsman: You mentioned 95% of the cybersecurity issues that arise are from essentially human error and experience – what have you. What is that other 5%?

Gregory Touhill: The other 5% are those other threats out there: spies, burglars, muggers, saboteurs, and vandals.

On the future of managing cybersecurity

Michael Krigsman: Lisbeth Shaw wants to know where is all of this going. Where is cybersecurity going, and the nature of threats, where is it headed?

Gregory Touhill: I think the threats are going to continue to stay in those lanes, Lisbeth, as you take a look out there. Also, where it's heading is we're going to see more people jumping in to certain areas motivated by what their intended end states would be. If they want to get data, they're going to go after certain things, likely into spies or, if they're crooks, they're trying to get access to data that they can monetize.

As we see the price for the offense going down even further, we've got to counteract to make sure that we have effective, efficient, and secure defenses.

What I'm seeing also, if you're a small to medium business out there who doesn't have the ability (like the government or big corporate entities), we're going to see more and more investments in managed security service providers (MSSPs) where we're seeing them providing collective defense in a lot of different areas.

We're also seeing some of the Internet service providers doing upstream protections for the at-home users. As we see more competition in the Internet service provider market, that will be a competitive advantage for those folks that are ISPs. Can I in fact provide that upstream protection to filter out some of those malicious transmissions that are flooding the Internet right now?

Then finally, from an endpoint standpoint, I think you're going to see folks that are buying phones, laptops, et cetera, where the demand signal from the consumer is I want security built-in from the start. I don't want to have to add it on because that's too complex.

Michael Krigsman: Government policy, what should government policy be regarding cybersecurity? As a consumer, I know my personal information has been leaked repeatedly and is available for sale out there.

Gregory Touhill: Well, there are two issues that need to be on the agenda of every citizen here in the United States, but literally around the world as well.

One is, here in the United States, we need to have a very open and public conversation on privacy versus security. I contend you cannot have privacy without security. On the same token, I contend you can't have security without privacy.

Here in the United States, every state is doing their own thing. We don't necessarily have a cogent federal game plan for privacy that the citizens understand.

I think Congress needs a little bit of education, too, as to all the different options that are available but also what all the implications are. I think a very public and open conversation on privacy and security is long overdue here in the United States.

Further, I think the marketplace really needs to take an introspective look as to the quality and the efficacy of the security in their products. Instead of security being a feature to turn on or configure, we need secure by design. We need to have resilience built into a lot of our products, our codebase, and such.

That's something that we at Carnegie Mellon and the Software Engineering Institute CERT Division, we're working with industry to show where the evidence-based research indicates that we need to do better when it comes to software in systems, in hardware, supply chain, et cetera.

Those are two things right off the bat that I think we need to do better.

Michael Krigsman: Well, it's great advice and practical advice. Unfortunately, with that, we're out of time. Greg, thank you so much for taking your time to be with us today. I really, really appreciate it.

Gregory Touhill: It's my pleasure. Thank you, Michael.

Michael Krigsman: Everybody, we have been speaking with Greg Touhill. He is a retired Air Force Brigadier General. He is the Director of the CERT Division of the Software Engineering Institute at Carnegie Mellon University. He's certainly one of the most prominent figures in cybersecurity today.

Everybody, thank you for watching, especially those folks who ask such great questions. Now, before you go, please subscribe to our YouTube channel, hit the subscribe button at the top of our website so we can send you updates and, if you're on LinkedIn, subscribe to our newsletter on LinkedIn and we'll keep you informed. Tell your friends, check out CXOTalk.com, and we will see you again next time. Thanks, everybody.