Cyber Security for Executives (including deans and small business owners).
This year’s conference at the Johns Hopkins University covered ground of interest to business leaders, especially with respect to the implications cyber risk has for their legal and contracting activities. The executives for whom the conference was organized were expansively and quite properly defined to include not just the denizens of a Fortune 500 C-suite, but small business owners, partners in medical and accounting practices, college deans, and so on.
In his opening remarks, Anton Dahbura, Director of the Information Security Institute at the Johns Hopkins University’s Whiting School of Engineering, reviewed his “Unlucky Top 13” list, an inventory of recent security horror-shows. He thinks these incidents (the Equifax breach being the one that’s arrived with most éclat) may have induced the public to pay attention, and may finally be moving people away from what Dahbura called “the gazelle mentality,” that is, the comforting thought that if you stay close to the herd, you’ll be OK. (You won’t.)
Other speakers discussed the opportunity costs sound security inevitably imposes on organizations. One new addition to the faculty at the Johns Hopkins School of Advanced International Studies, Thomas Rid (who’d just arrived from his previous appointment in London) offered an overview of the attribution challenge. Historically informed, Rid’s account argued that attribution is as much art as science. A panel of legal experts offered advice for businesses. (One highlight: Whiteford Taylor Preston’s Howard Feldman reminded everyone of the importance of contracts, and that you may be bound by contracts you hadn’t realized were contracts at all. “Your privacy policy, on your website, is a contract.”)
And Bob Olsen, CEO of event sponsor COMPASS Cyber Security, closed with some effective analogies security professionals can use to communicate with the business leaders they support.
Strategic perspective from US Cyber Command.
Guy Walsh, Brigadier General (retired), US Air Force, and currently responsible for strategic initiatives at US Cyber Command, delivered the conference’s opening keynote. He began with a quick observation about Equifax, saying that the incident should serve as a reminder that it can take time to patch and address known vulnerabilities.
He described the emergence of cyberspace as a fifth operational domain, joining land, sea, air, and space, and he described US Cyber Command as a warfighting organization recently elevated in status and sharply distinguished in its mission from the National Security Agency.
Walsh reviewed some Air Force history, and claimed that the first insider hack of the USAF was done in 1963, by John Boyd, the leading thinker of the Fighter Mafia. Boyd is more familiar as the officer who formulated the concept of the OODA loop, the cycle of Observe, Orient, Decide, and Act that he outlined in his Discourse on Winning and Losing. Boyd argued that if one could execute that cycle faster than one’s adversary, “get inside their OODA loop,” one would have a decisive advantage in combat. Getting inside the OODA loop, Walsh argued, was as important in cyberspace as it was in air-to-air combat.
After describing Buckshot Yankee, a Russian attack against US Central Command with Agent BZT, Walsh outlined the strategic adversaries the US faces. They are, as many others have said, Russia, China, North Korea, Iran, and terrorists. In this threat environment Cyber Command operates National Mission Forces, Combat Mission Forces, Cyber Protection Forces, and, against ISIS, Joint Task Force Ares.
One trend and two observations Walsh made have implications for most enterprises, not just Cyber Command. The trend he sees is that big data and artificial intelligence will change the dynamic in cyberspace. His two observations with broader implications were, first, the point that retaliation against cyber attack need not be exclusively or primarily cyber retaliation. It may not need to be cyber retaliation at all. And second, when he described the three major Cyber Command exercises (Cyber Flag, Cyber Guard, and Cyber Knight) he said they took their inspiration from Red Flag, the Air Force’s realistic training against a dissimilar adversary opposing force. Like Red Flag, these exercises have been vital in increasing readiness and capability.
The risk landscape as seen from the perspective of the healthcare sector.
Stephanie Reel (CIO, the Johns Hopkins University Health Systems) brought the perspective of a healthcare organization (and a “hybrid organziation”) to the discussion. She claimed that healthcare has surpassed financial services as the most-targeted sector. In some ways the sector’s modernization has increased its vulnerabilities. Unification and aggregation of data have exposed the sector to “unintentional negligence among the players.” That unification is striking: about 60% of patient data in the United States is currently held by a single vendor.
With greater risk has come more spending on security, and Reel pointed out that this is not only a direct expense, but it imposes opportunity costs as well. “Money spent on security is not being spent to cure disease,” she said, nor is it being used to improve public health. But the reality of the threat requires that security be addressed. Ransomware has been a particular problem for healthcare, Reel said as she reviewed their own experience with the Medstar incident of 2016. Medical care and patient safety require that digitized records and networked devices have high availability, and it’s that availability that ransomware attacks. Direct manipulation of medical devices themselves (“still sort of science fiction; we haven’t seen it at Johns Hopkins”) also remains a very real threat, although not yet a common one.
Reel seconded Dahbura’s call for a national conversation about an identification system, and, although she feared that people were too ready to concede defeat on identity management, still closed on a hopeful note. She thought the tensions a hybrid organization like hers faces among the competing claims of security, operations, healthcare, research, and education could ultimately be resolved.
For the full article, visit The CyberWire. If you would like to be informed about next year’s event, please CONTACT US.
This is an excerpt from an article originally written by The CyberWire.
