The 10th annual National Cyber Summit (NCS) was held in Huntsville, Alabama at the Von Braun Center from June 5th-7th, 2018. The Summit is an annual event for cyber training, education and workforce development aimed at protecting the nation’s infrastructure from the ever-evolving cyber threat. As a growing tech hub, Huntsville offered the perfect landscape for the thousands of government and commercial participants that attended this year. Below is a snapshot of our booth and one of our team members, Amy Edwards, at the show.
This year’s lineup of Speakers, Tracks, and Sessions did not disappoint. From Paul Abbate (the Associate Deputy Director of the FBI) to Margaret Isler (the Head of Risk for Google Technical Services), the Keynote Speakers were all distinguished experts in their respective fields. The Tracks offered leading insights in Advanced Manufacturing, Education and Workforce Development, Finance, Research, and Technology.
We recently put on a joint webinar (skip to 3:00) with H2L Solutions, where we broke down the key industry updates from NCS. Our President and Managing Partner, Scott Edwards, linked up with H2L’s Program Manager, Iain Deason, to divide and conquer. Here’s a summary of the sessions we attended, a few of the tracks that were offered, and our top cyber recommendations/takeaways from the Summit:
- Paul Abbate, Associate Deputy Director, Federal Bureau of Investigation (FBI)
Mr. Abbate was named the associate deputy director of the FBI in February of 2018. He is responsible for the management of all FBI personnel, budget, administration, and infrastructure. His FBI career started in 1996 as a special agent in the New York Field Office.
The focus of Mr. Abbate’s session at NCS was the state of the cyber threat. As technology moves to the forefront, threats are becoming bigger, bolder, and more complex. They change rapidly and don’t discriminate in their targets. Various cyber vectors are being used by nation states and criminal groups alike, and he says that it’s only a matter of time until a “Cyber 9-11” occurs.
The FBI is actively working on this problem. They maintain national and international resources to combat attacks so that they can investigate these events as they happen and maintain privacy. Cyber-attacks are still attacks and treated as such.
With the threat of a "Cyber 9-11" and more on the horizon, Government and private industry must work together to protect the nation's data. It’s not enough to just “have an IT person” anymore. 80% of failures are known issues and patches, AND people are the most vulnerable point in our environment. Luckily, there are immediate steps to be more secure without a large burden on the organization.
Multi-Factor Authentication (MFA) and Mobile Device Management (MDM) solutions are crucial. Microsoft products can be configured for DFARS 7012 and NIST 800-171 compliance, which will significantly lessen the threat of information leaks. That is not to say it won’t happen, but the chances of a successful cyber-attack are much more limited.
- Dr. Ron Ross, Fellow at the National Institute of Standards and Technology (NIST)
Dr. Ross is a Computer Scientist and Fellow at NIST. He focuses primarily on information security, systems security engineering, and risk management. He leads the Federal Information Security Modernization Act (FISMA) Implementation Project, which includes the “development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure”.
One of the biggest takeaways from Dr. Ross’ session was his explanation of modern businesses and their heavy dependence on Information Technology (IT). As Mr. Abbate noted, threats are becoming increasingly complex, and coupled with the dependency on IT, this creates an incubator for attacks. Notably, 2015 was the worst year for cyber threats. There was the OPM breach, the Anthem Blue Cross breach, and the Ashley Madison leak. There may not seem to be a correlation between these three attacks, but look closer and you’ll see that there is. Attackers were able to cross-reference each list to produce a target list for espionage and blackmail for generations.
According to Ross, cyber is, and probably always will be, difficult to grasp because people live and train in kinetic activities. You can’t see or touch cyber, which makes it harder to understand. There are many threats, so you must be able to assess and prioritize. Dr. Ross says that for every hundred threats you protect against, there are a hundred more that you don’t know about. Systems are too complex, vulnerabilities are too common, and data is everywhere. Manufacturers don’t let you install your own airbag, and users/consumers shouldn’t be doing their own engineering and building.
"... for every hundred threats you protect against, there are a hundred more that you don’t know about."
So how do we defend ourselves in the 21st Century? We still haven’t learned how to defend ourselves in cyberspace, and we’re losing a trillion dollars a year in Intellectual Property. The only way to change course:
- Simplify. Innovate. Automate.
- Use best practices in systems engineering to reduce attack surface.
- Consolidate. Optimize. Standardize.
- Move to FedRAMP cloud services in order to isolate and strengthen protection for high value assets. This allows you to build layers of defense, which reduces susceptibility to threats.
- Make systems resilient: they must be able to withstand an attack and still function.
But how? We need to rethink how we build our systems. Security and privacy MUST be integrated into the design process, senior leaders must be involved in the design process early on, and there must be communication between C-Suite and operations. Security has to be a priority, and we must work together to secure our national infrastructure.
- Elena Kvochko, Barclays Bank
Elena Kvochko is the Chief Information Officer (CIO) for Group Security Division at Barclays Bank. She immigrated to the US nearly a decade ago after studying and working in Europe and Russia (her birth country) and joined Barclays in 2015 as Head of Global Information Security Strategy and Implementation. Not only is she a high achiever in her professional capacity, she's a high climber in her personal life too.
As an expert in cybersecurity, she knows first-hand that it impacts every aspect of life. In 2017 alone, there were 90 billion cybersecurity events, with $450B-$600B lost. There are 480K identity records stolen every day, and 2M emails sent per second, 50% of which are spam. Our entire lives revolve around cyber and technology, and that changes things. There is an expectation of always being online and connected, and the fact that there are more mobile phones than people on earth certainly attests to that.
"There are 480K identity records stolen every day."
As our world becomes more tech-centric, every company really is a technology company. With everyone moving to the cloud and putting all their data online, there is now a huge demand to protect data and stakeholders. IT has successfully moved from the back office to being a strategic asset to the business.
Like the two speakers before her, Ms. Kvochko emphasized the recent sophistication of cyber threats. Cybersecurity is complex and comprehensive, and it is based equally on people, process, and technology. She suggests hiring qualified staff, because competent and efficient teams are the cornerstone to effective security strategy and execution. Many cyber-attacks are preventable, so having a team you can trust makes all the difference.
- Shawn Henry, CrowdStrike Services
As the President and Chief Security Officer (CSO) of CrowdStrike Services, Shawn Henry knows how dynamic threats are. They change just as the days do, so a lack of understanding and/or awareness of threats means you don’t understand the risk. In this case, what you don’t know IS going to kill you.
Henry claims the days of data not being seen as an asset are long gone, as it is now being weaponized. The cyber-attacks on three major, albeit very dissimilar, companies now give hackers blackmail information for decades. As the world gets smarter, we have to shift direction and defend in different ways. To begin with, training and leadership are two of the most important factors, because humans are one of the biggest problems; yet they can be the difference between fending off an attack and not. Employees need to be able to manage passwords properly, report suspicious online/email activity, and communicate with the appropriate leaders when a breach is detected.
- Dr. Michael D. Griffin, Assistant Secretary of Defense
As the Under Secretary of Defense for Research and Engineering, Dr. Michael Griffin is responsible for the research, development, and prototyping activities across the DoD enterprise. He posed the question:
“If we cannot protect our nation, what are we doing?”
We have to have cyber resilience. We aren’t going to be able to stop attacks, and they are just going to continue to get more sophisticated, but we have to be aware enough to know when we have been attacked. We have to know that something has changed, and we have to get comfortable with risks and innovation. As threats get more sophisticated, our retaliation plans have to get more sophisticated as well.
- Leroy Smith, Missile Defense Agency, Chief Information Officer (CIO)
Leroy Smith is the CIO at Missile Defense Agency, where he has been since 2002. He is the senior MDA official responsible for ensuring information management and information technology resources are acquired, operated, and maintained for the Ballistic Missile Defense System (BMDS) program, providing oversight to the cybersecurity initiatives for the BMDS, support systems, and MDA networks.
Mr. Smith agrees that human error is a major challenge (I’m sensing a theme here), and one that we have to overcome. However, human and machine interfaces will create a strategic advantage in the future. In the meantime, we have to manage risk relative to the threat. Do you know where your data is? How are you protecting it? These are questions that need to be answered.
- Margaret Isler, Google
Ms. Isler is the Head of Risk for Google Technical Services (gTech). She leads the team that enables Google’s internal businesses and protects user and business information efficiently and at scale. She has experience in multiple industries across multiple disciplines, which enables her to advise executives on complex security issues so they can make informed business decisions.
Isler discussed the nuances of a data-driven society. She stated that there need to be certain layers of security in place, and that the operational, corporate, and institutional levels are and must be connected and secure. A lot of the time, business stakeholders and higher-level individuals have a false sense of security, so cyber professionals need to educate them. Use compelling stories of why you need resources, identify influencers, talk their language (business), understand the stakeholders, and become a trusted advisor. No one is immune to cyber threats, but having trustworthy employees who know how to handle such attacks will certainly help how you respond.
Tracks (main points)
- Advanced Manufacturing Track, Joshua Crumbaugh, Chief Hacker and President, PeopleSec
- Cyber security folly: People are spending more money on security, but the amount of damage from attacks is also increasing.
- Not making cultural progress: reactive rather than proactive.
- 3E’s of IT training: Security training needs to be Effective, Entertaining, and Educational.
- 90% of phishing attacks will be successful with 1% of users. The largest amount of risk will be contained within the smallest number of users.
- Financial Track
NIST Cybersecurity Framework in the Financial Sector
- Creates a common 3rd party framework.
- Reduces cyber admin burden and compliance complexity.
- Enhanced oversight.
- Greater international collaboration and collective understanding.
- Supports audits more quickly and cost effectively.
Cybersecurity - Why The CFO Cares
- CFO office has the greatest number of attacks.
- CFO holds the pocketbook for the organization.
- Cyber damage is costlier than dollars. The damage it does to a reputation is incalculable.
- CFOs must lead the charge to drive adoption of all financial and security requirements/standards.
- Research and Education
Cyber Threat Analysis
- Education is key: Colleges are scrambling to build cyber programs for 4-year degrees. Adequate cybersecurity training has not happened in education, rather it has happened in industry leadership like SANS and other similar organizations that are teaching individuals already in the IT profession how to secure systems.
- There is a massive skills gap that needs to be addressed, but colleges are slowly starting to catch up.
Network Management
- Technical Schools are beginning to transition from On-Premises Instruction to Cloud-based Instruction.
- There is an emphasis on continuing professional certifications. The cyber world changes so frequently and there is always a need for continued education. It's a constant battle to stay up-to-date on what's happening in Cyber Security.
- IAT2 Certification as a minimum requirement for DoD Industrial base IT staff. These certifications ensure that you have a vocabulary and a minimum knowledge of Cyber Security before you get access from an administrative standpoint to a system with Controlled Unclassified Information (CUI).
- Managed Service Providers need to provide IAT2 Certifications. These people will also have access to CUI and need to have a base knowledge. (For extra knowledge, here is our blog on MSPs and how outsourced IT can affect your compliance.)
Top 5 Cyber Recommendations/Takeaways from NCS
Summit 7 Systems
1. Leadership, governance, and accountability are the keys to a security program
2. Engineer systems security into your environment from Day 1
3. Address legacy systems: 80% of failures are known issues and patches
4. Multifactor Authentication (MFA) is a critical first step
5. Cyber 9-11 is inevitable, so can your business afford to delay action?
H2L Solutions Inc.
1. Look out for new Frameworks for RMF coming out this year featuring new control families
2. DoD is beginning an aggressive campaign on quickness of prototyping and maintaining a technological edge over our adversaries
3. Be aware that new threats will always be emerging and organizations need to be cyber resilient
4. Safeguard the human that is protecting the information
5. Use additional techniques such as red teaming to build a solid security regimen
We'll be back next year, and we hope to see you there!