Anyone have a Cyber Vaccine?

Keith Trippie
5 min read, Dec 23, 2020

2020 sucks and can’t end soon enough. And if all that has happened this year wasn’t enough, we just got h$#%d up. The last two weeks have opened the eyes of millions of Americans to the nature of cyber warfare. Welcome to the party.

Let’s see if we can summarize what happened over the past week, shall we: A likely nation-state actor, well known to the cyber and intel community, committed our Cyber 9/11. Ever the diligent jerks, they compromised the supply chain of a “trusted” vendor and basically got Schneider’s key ring, a master key to every customer that trusted that vendor’s software (for those young whippersnappers out there, duckduckgo One Day at a Time). Then they went into stealth mode, not making the kind of noise a curious cyber hunter would catch. We will not know the full impact for years.

Considering what has just happened, the average American just might ask: How much are the feds spending on cyber security? And since cyber threats change daily, how long do regulations and laws take to catch up?

I think most Americans would say that whatever we are doing, it ain’t working. We need a new approach. In the spirit of trying to solve a problem, could this be a vaccine for what ails us in cyberspace?

· What is our Cyber Doctrine? Mutual destruction, equal force, lead from behind and take it, or something else? Nature abhors a vacuum. We spend billions every year on cyber and yet here we are. The feds didn’t see the hack for at least nine months and wouldn’t even know it was happening today without a private sector firm notifying them. Yikes, that’s tidak bagus (not good). Congress and the Executive Branch must design a policy to fill the vacuum, or this will continue ad nauseam. I would strongly recommend that Congress and the feds bring in cyber pros who do not live inside the beltway as their SMEs. Bring in beltway-bandit SMEs and the orb will design a policy that ultimately leads to future omnibus spending bills including $$ for H-1B visas to take tech jobs from out-of-work Americans. Don’t believe me? Read the latest Covid “relief” Porkulus. The military has great capabilities, but they need clear ROE… do they have it? Get to work, Congress, and get it done. No talk of “reform,” which always goes nowhere. Just get it done.

· Wake up, American CEOs: The bad guys are coming for you and your company. Most of you have chosen for the past decade to ignore this risk…pushing it down to your CIO to manage. So now you scramble. You can either pay for security now or pay more later — there is no third option. If you choose the latter, make sure you make a significant investment in legal counsel on retainer. The bell tolls for thee. Cyber security starts with you. So here are a few suggestions: 1) Implement a “cyber is everyone’s responsibility” policy for your company and actively talk about it, including in the board room; 2) Know your most critical assets, make smart investments to protect them, and monitor the results; 3) Add cyber security clauses AND financial penalties to all your contracts; 4) Hire a competent CISO with a proven track record of managing risk (NOT just compliance) and make them your direct report. Of course there is more to do, but this should get you started. Tick tock…

· Public/Private Partnerships — We have to improve information sharing. This was a main takeaway from 9/11: we weren’t sharing intel effectively with our international partners or within our own intel agencies. The problem here is similar, but it also requires better collaboration with industry. In fairness to industry, what protections has the government provided so that the information companies share with it does not create liabilities for them in the future? If the government wants to get serious about cyber, it can’t do it without industry. I have had countless discussions with industry executives since I left Homeland Security, and they all say the same thing: “I don’t trust the government not to use our information against us, or to protect our data.” Houston, we have a problem. So, Congress, get off your ass and add in: 1) Liability and tort protections for companies that self-report and actively share cyber information with the government; 2) A requirement that agencies get much better at protecting data, including applying classified-level controls to any data collected from industry, whether threat data, vulnerabilities, bugs, etc. Lastly, hold federal officials accountable. Try it; it works quite well in the private sector.

· Is anyone thinking about all the other thousands of IT companies that sell tens of thousands of products into the government? Just thinking out loud here: do we really think the bad guys did this to only one company? C’mon, man, to quote a politician. Who owns that supply chain review in the federal government, and what is the status of that review? Have the feds made identifying where the bad guys went once they got into federal networks a Secretary-level priority, reported weekly to Congress in public hearings? Implement zero trust across all federal networks; add cyber clauses to all federal contracts with significant financial penalties, including a vendor-pays-all-cleanup-costs clause; create a moonshot cyber training initiative based on merit, results and creativity; pay the good cyber pros commercial rates and bonus them according to their results, not time in grade; use more bug bounty programs; pay for good intel; etc. These are just a few ideas; let’s get them into Phase 3 clinical trials.

· Blockchain/Crypto & AI — Lead or get owned by the ChiComs. They are making significant investments, with a capital B, have their own approved crypto currency, and use their AI tech to support R&D built on our intellectual capital and fleeced data. And what are we doing? Thinking about applying 1940s regulatory policies to crypto currency. We have to do better, and who in our Congress is taking this threat seriously? While Congress pumps hundreds of millions of dollars into Pakistani gender programs and building border walls in foreign countries, China is laughing all the way to the position of predominant world power.

The U.S. needs to get serious about this national security threat. Anyone who says the weather is a higher priority should just ask the person who sold the last president a home on Martha’s Vineyard, a short sand wedge from the Atlantic Ocean’s edge.

These are just a few ideas for a cyber vaccine. What are yours?


Keith Trippie

Keith is a retired DHS IT and Cyber Executive, entrepreneur and author of The Forgotten American: Prosecuting a RICO case against the US Congress