By Paul Ferrillo, Chris Veltsos, George Platsis, George Thomas, Shawn Tuma, Ken Holley and Chuck Brooks.

Like you, we are passionate about this country, its hard-working people, its go-getter attitude, and its embrace of technology to drive efficiency and improve lives. Yet we have also noticed a troubling trend: the continuous onslaught of cyberattacks, the resulting disruption and losses, and the very real impact they are having. We can’t stand by another day and let the national wealth of this country — meaning our ability to innovate, our ability to dream, and our ability to execute — be plundered by others to the tune of $600 billion a year. As technology is now woven into the fabric of our societies and our economies, cybersecurity is inseparable from national security and economic security. We can’t afford to be distracted by politics, divisiveness, and other matters of the moment and fail to recognize that cybersecurity is not only a big problem, it’s a huge problem. It’s a hideously expensive problem. And it is getting worse.

Which brings us to this message: it’s time for a National “Stop the IP Brain-Drain” Strategy. We call ourselves the CyberAvengers. We’ve been around for two years, sounding the alarm, sharing ideas and solutions, writing, speaking, helping. We want to help prevent the next Business Email Compromise (BEC), the next ransomware case. We have seen the “Thanos” of the cyber world (insert here any nation-state you want) launch attack after attack. He wants to snap his fingers again. But the CyberAvengers say “enough.” We all need to step up our game, for our country, our neighbors, our children. At $600 billion a year, can anyone truly say what will be left in 20 years, when our children have to take over this mess? As friends of ours say, this is not happening. This will not happen on my watch. Period.

Many have said to us, “we need a strategy.” The smart ones say, “we need an actionable strategy.” That is the correct view. We need a “whole of nation” approach. We break our strategy down into three bite-sized pieces: people, process, and technology. There are actionable items in each piece. Adopt one piece of the strategy, but please adopt more. The government part of our strategy will take some more work, but that needs to be accomplished too, because the only way we stop this brain drain is with a whole-of-nation approach.


Stop the IP Brain Drain – People

1. Pay “Thanos” the respect he deserves – for the moment. Cybersecurity is not just the government’s problem. It is not solely the NSA’s problem or US Cyber Command’s problem. It is not solely a corporation’s problem. It is every single citizen’s problem. We are not getting past stage one unless we recognize, “yes, we are a target; yes, we will be hacked; and yes, we might have been hacked already.” Cybersecurity takes constant attention. Respect the beast. Then kick it in the ___________.

2. Cyber retraining and education of our workforce and our country. This must go along with step 1 if we are to succeed. Our view? Time for at-home and at-work efforts to bring the NIST Cybersecurity Framework to everyone, from government to business to schools (and especially our K-12 schools). Whether it was the OPM breach, Sony, Target or hundreds of others, we have all been attacked. The NIST Cybersecurity Framework can be (and should be) the curriculum of our country. It is already mandatory for the US government. But it needs to get down to the employee, manager, and officer level of EVERY organization for the game to really change.

3. Passwords can no longer be our kid’s name, or our dog’s name, or “0123456” — this is an easy one. How many of us reuse the same password everywhere because unique ones are too much of a pain in the neck to remember? Well, guess what: attackers know that too. When they get your credentials from a breach at Retailer X, they can try them at Retailer A, Retailer B, Store C and Store D. Make your passwords tougher to break. Don’t reuse them. Use pass phrases like “ThreeBlindMiceLike5EarsOfCorn.” Just no more “0123456” or “password.”

4. Use multi-factor/two-factor authentication always, everywhere: your retailer accounts, your bank accounts, your place of business. Always turn it on. Never go without it. It blunts credential-theft attacks. For many organizations, enabling 2FA will cost very little. Or nothing.

5. Directors of companies – you are in the spotlight today; don’t let anyone tell you differently. Breaches cause loss of reputation. Loss of reputation causes loss of sales. Loss of sales and the post-breach clean-up costs can run into the tens of millions of dollars. And unanticipated losses can cause lawsuits. Against you. That is the circle of life. Boards need training and guidance too in order to fulfill their fiduciary duty of oversight over cybersecurity.

Stop the IP Brain Drain – Processes

1. The NIST Cybersecurity Framework — yes, our old friend. Hug it daily. Each one of its core elements has great value to any organization. Cybersecurity vulnerability assessments should no longer be considered an annual “nice to have.” Attackers don’t wait a year to attack you. They attack daily. Do your own NIST CSF progress review at least quarterly. Where you are vulnerable, fix it, patch it, or do something to control the risk. Everything you can do to make your company more resilient will come back to your company 100X in terms of preserving your corporate reputation.

2. #patchit — So basic and yet so important. Remember when Patch Tuesday was an assortment of 50 or so problems published by the major developers? Now it’s a list of 200 or so CVEs a week, every week. How do you keep up? With time and resources, unfortunately. But you have to do it! Prioritize your patches. Fix the critical ones within 72 hours. Remember, attackers won’t wait. They won’t delay. Many of our worst breaches (see, e.g., the Equifax August 2017 breach announcement) have occurred through a failure to patch a known vulnerability in time.

3. #backitup — many a ransomware attack can be foiled (and would be foiled) by following these steps: A) back up your network once a week to backup media, and keep the media or device fully segmented from everything else. Keep this copy on site. B) Keep a second backup offsite so that, God forbid, if your building has a fire or a flood, you can follow your business continuity and disaster recovery plans and get back online quickly.

4. Multi-factor/two-factor authentication — it’s a must-have. Like, now.

5. Email filters — what are they? They are solutions that help companies filter bad or fraudulent emails out of inboxes. Attackers play tricks like changing an address from something like www.homedepot.com to www.homedepote.com. Sometimes a little trick like that can cause an employee to click on the link or attachment when he or she should not. That can cause a small problem for the employee (the computer starts malfunctioning) and a huge problem for the company (it can evolve into a full data breach). Filter solutions are good. They work. They are not that expensive.
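As an added example (not from the original post), here is the kind of check behind the filters described above: it flags sender domains that are a character or two away from a domain you actually do business with, including simple digit-for-letter swaps. The trusted-domain list and the sample addresses are constructed for this illustration.

```python
"""Flag sender domains that are near misses of trusted domains.

Added example, not part of the original post: the homedepot.com vs
homedepote.com trick, turned into a check a mail filter or analyst can
run over sender addresses.
"""
import re

# Constructed sample: domains the organization legitimately corresponds with.
TRUSTED_DOMAINS = {"homedepot.com", "example-bank.com", "acme-supplier.com"}

# Common digit-for-letter swaps seen in lookalike names; normalized before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Pull the domain out of 'Bob <bob@host.example>' or 'bob@host.example'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower().rstrip(".") if m else ""


def second_level_label(domain: str) -> str:
    """'mail.homedepote.com' -> 'homedepote'; the label attackers typically tweak."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify_sender(address: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' (near a trusted domain) or 'unknown'."""
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    label = second_level_label(domain).translate(HOMOGLYPHS)
    # A short trusted label (e.g. 'acme') makes a distance of 2 noisy; tune per list.
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(label, second_level_label(trusted)) <= max_distance:
            return "lookalike"  # close to a trusted name but not actually one of them
    return "unknown"
```

Anything classified as "lookalike" is worth quarantining or at least tagging before it reaches the inbox.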

6. A good, thorough cybersecurity supply chain risk management process (see, e.g., NIST Cybersecurity Framework 1.1) — here is where the country is getting ransacked every day. There is an old saying: if you can’t get in the front door, try the back door or a window. So that is what an attacker does. They are smart enough to know that the prime contractor probably has strong defenses. And smart enough to know that 100 of the prime’s subcontractors have far fewer and far weaker defenses against a sophisticated attack.

What is the plan here? A) Prioritize your vendors, from “extremely valuable and consequential” down to those that don’t have real access to your network secrets. B) Diligence the heck out of the ones that matter: use questionnaires, on-site visits, audits and whatever other contractual tools you can to assess and monitor them. C) For the most important ones, like the subcontractor that makes the wings on your new Joint Strike Fighter (JSF) jet, suggest that they employ and pay for machine learning anomaly detection solutions (there are a few good ones) to catch potential IP theft before it happens. Our losses in the DoD space can’t even be calculated, they are so huge. How do you put a price tag on 10 years of anti-ship missile development, or on the F-35 JSF? You just can’t. Cyber vendor due diligence plans, with real fines and penalties, will need to be mandatory in the DoD space. They should be implemented by everyone else under NIST CSF 1.1. No exceptions.

Stop the IP Brain Drain – Technology

1. Identity and Access Management (IAM) — what does this mean? By using stolen credentials, attackers have almost free rein to attack companies. When an employee tries to sign in from home to work on a project at 9 PM, is it really them? Are they really signing in from Lithuania, or is it an attacker using stolen credentials? IAM solutions try to ensure that only the right person, with the appropriate level of access, is signing on to your network. Simple, yet not so simple unless you are monitoring this access with a machine learning solution. IAM solutions have gone from being a nice-to-have to a must-have for business. Along with two-factor authentication, they can really help limit access to your network.

2. Encryption and micro-tokenization. Data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it. Micro-tokenization replaces data elements with tokens, transforming data in transit into random strings of characters that have no meaningful value to hackers. Both can be used “at rest” and “in motion.” If data has no meaningful value to hackers, well, then… that sounds like a pretty effective defensive measure to us! These methods of data anonymization are no longer just for large enterprises. Middle-market and private companies can afford them now too, as the technology and its efficiencies have improved. So can military subcontractors in the DoD space. We are beginning to think that for any organization storing or holding large, valuable data sets, encryption and micro-tokenization solutions are now becoming must-have solutions.

3. Machine learning anomaly detection solutions — you have heard about these sorts of solutions before. They look for anomalous network activity, such as the beginning stages of a ransomware attack, which, if detected early, lets a company stop the attack before it progresses. They are important for any organization that has valuable data, and lots of it to monitor. They are extremely important in situations where companies may not have adequate resources (human and capital) to staff a fully functioning security or fusion center. Here the machine learning solution can serve as another pair of hands, like a trusted advisor, to guard your network. We have plenty of clients using them today. Very few complainers. Just happy campers.

4. Get help when you need it from a qualified MSP – finally, and again for resource-constrained companies, there are alternatives, like the professional cyber investigator known in the business as a managed service provider, or MSP. They can handle almost anything you can throw their way. Experienced MSPs are very good when it comes to breach detection and remediation. They also can add things like threat intelligence to the mix, which can improve detection time. Any organization might consider an MSP to assist its security efforts. For smaller ones, they can be a lifesaver.

Our Stop the IP Brain Drain Plan

We won’t claim that this short plan is the be-all and end-all of cyber defense improvement plans. But the status quo isn’t a viable option anymore. We’re all in this together. It’s the fight of the twenty-first century. And it’s a fight that we must win.

Did we fail to mention one piece of technology? Most likely, and if you feel strongly about it, give us your suggestions, your ideas, but be ready to show that the tool you’re supporting is truly effective.

We needed to have an actionable strategy. Here is one. None of its pieces are out of play in today’s target-rich environment. Our plan is not perfect. But given we are losing $600 billion a year to IP theft, we should not let perfect get in the way of good. Imagine using our plan and lowering this amount to $300 billion next year, $100 billion in two years. You get the point. Imagine the good we could do in this country with that money.

Paul Ferrillo

About Paul

Paul Ferrillo focuses his practice on cybersecurity corporate governance issues, complex…

Chris Veltsos

About Chris

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato

George Platsis

About George

George Platsis is a consultant, author, educator and public speaker.

George E Thomas

About George

Over his twenty-five year professional career, Mr. Thomas has held a series of positions in banking, trading, asset management and auditing at a broad range…

Shawn Tuma

About Shawn

Shawn Tuma (@shawnetuma) is an attorney internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for two decades

Ken Holley

About Ken

Kenneth founded Silent Quadrant – a Washington, D.C.-based information technology services and consulting practice serving the nation’s top lobby firms – in 1993

Chuck Brooks

About Chuck

Chuck Brooks is the Principal Market Growth Strategist — Cybersecurity and Emerging Technologies for General Dynamics Mission Systems