By Paul A. Ferrillo
Of Russia in the dark days of World War II, Winston Churchill famously said, “[Russia] is a riddle wrapped in a mystery inside an enigma; but perhaps there is a key. That key is Russian national interest.” The remark was meant to give the British public some idea of where allegiances stood as Nazism swept through Europe, and to make the point that if Germany attacked Russia, Russia would certainly respond. Germany did attack, and Russia responded as Churchill and others had predicted.
The quote resonates with me in cybersecurity because today, years after the first mega-breaches such as Heartland Payment Systems and Target, business people are still trying to work out the key, or keys, to cybersecurity. Finding that key matters, because cybersecurity is hard enough to explain on its own (the term “distributed denial of service” comes to mind). A key would act as a secret decoder ring for the laypersons who run and guide public companies: directors, officers and, especially, general counsel, who often find themselves right in the middle of the big mess of the day, facing an uphill fight.
So what are the keys? What makes cybersecurity tick? There are many vendors who might like to lob an infected USB stick my way for taking on this subject. Tough noogies. The stakes are too high. Think Russia, China, Iran and North Korea. It's going to be a long, hot summer. We think we have figured out the keys to cybersecurity, and they should not be a secret. If they stay secret, five years from now there may be nothing left for our adversaries to steal:
5 Keys to Cybersecurity:
Cybersecurity is not so complex; it's better to “deal”: Why overcomplicate something that is already complicated and filled with mystery? I have never understood this, especially when most of cybersecurity rests on protecting your “crown jewels,” i.e. your most important IT, IP, PHI or customer digital assets. If you are a hospital system, your most important asset is your patients' PHI. Yes, other things matter too, such as your network-connected medical IoT devices. But HIPAA regulates PHI and demands that you protect it to within an inch of your life, so you had better think about doing so. See? Not so complicated.
It's your people, not your technology, that matters most: Huh? I thought cybersecurity was mysterious, filled with computers, servers and clouds. Not so much. Should a hospital, or a vendor or service provider for a hospital, leave a patient database on an AWS server open to the public, without proper configuration and a strong password? No. Should doctors, nurses and residents share passwords on the floor as they frantically try to save lives and reach for any available terminal to get mission-critical information? I get it; that is their job. But they should not share passwords. Training and education can save companies loads of trouble if they are religiously instituted and followed. Spear-phishing training is remarkably effective, if it is given the chance to be. Complicated issues here? Not so much.
The mission-critical question to ask IT is, “how long does it take us to patch critical vulnerabilities?” You might not like the answer. One recent article notes, “Forget the stealthy hacker deploying a never-before-seen zero day to bring down your network. IT security professionals admit that one in three breaches are the result of vulnerabilities that they should have already patched.” See “Cybersecurity: One in three breaches are caused by unpatched vulnerabilities,” available at https://www.zdnet.com/article/cybersecurity-one-in-three-breaches-are-caused-by-unpatched-vulnerabilities/. There are many more issues around patching: too many patches, not enough people, not enough time, and the ever-present “and then there was another Patch Tuesday.” I get it. I understand it. But I am just telling you the truth. Some of the major incidents you have heard of, such as WannaCry, spread through an unpatched vulnerability for which a fix had already been released. This is not a fault-based question; it is a resource-based question, and it is measurable: count the days from the day a fix is available to the day it is deployed, per severity, and compare that to a target. If an organization does not have the resources to patch all critical vulnerabilities within a week or two, it needs to find, get or hire those resources. The stakes are too high, especially when the bad guys prey on unpatched vulnerabilities.
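To make the patching question measurable, here is an added example (not from the article) that computes time-to-patch against a per-severity SLA and lists the hosts still open past their window. The record layout, the SLA table and the inventory rows are constructed for illustration; the host names and advisory labels are placeholders, not real systems or real advisories.

```python
"""Patch-latency report: how long from a vendor fix being available to the fix
being deployed, per severity, against an assumed SLA. Added example with
constructed data; record layout, SLA table and rows are all assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed SLA: days allowed from fix availability to deployment. The article
# suggests "a week or two" for critical vulnerabilities.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass
class PatchRecord:
    host: str
    advisory: str               # placeholder advisory label, not a real identifier
    severity: str               # one of the SLA_DAYS keys
    fix_available: date         # day the vendor published the fix
    patched_on: Optional[date]  # None means still unpatched


def days_open(rec: PatchRecord, today: date) -> int:
    """Days the host was (or still is) exposed after a fix existed."""
    end = rec.patched_on if rec.patched_on is not None else today
    return (end - rec.fix_available).days


def sla_report(records, today: date) -> dict:
    """Per-severity SLA compliance plus the hosts that are still open past SLA.

    A record that is still open but inside its window counts as on track;
    a record patched late counts against compliance but is not "overdue"."""
    by_severity = {}
    overdue = []
    for rec in records:
        d = days_open(rec, today)
        limit = SLA_DAYS[rec.severity]
        s = by_severity.setdefault(rec.severity,
                                   {"count": 0, "within_sla": 0, "max_days": 0})
        s["count"] += 1
        s["max_days"] = max(s["max_days"], d)
        if d <= limit:
            s["within_sla"] += 1
        elif rec.patched_on is None:
            overdue.append((rec.host, rec.advisory, d))
    for s in by_severity.values():
        s["pct_within_sla"] = round(100.0 * s["within_sla"] / s["count"], 1)
    # Worst offenders first, so the list reads as a work queue.
    overdue.sort(key=lambda t: t[2], reverse=True)
    return {"by_severity": by_severity, "overdue": overdue}


# Constructed inventory (placeholder hosts and advisory labels).
TODAY = date(2024, 5, 20)
SAMPLE_RECORDS = [
    PatchRecord("web-01", "ADVISORY-A", "critical", date(2024, 5, 1), date(2024, 5, 4)),
    PatchRecord("web-02", "ADVISORY-A", "critical", date(2024, 5, 1), None),
    PatchRecord("db-01",  "ADVISORY-B", "high",     date(2024, 4, 15), date(2024, 4, 25)),
    PatchRecord("app-03", "ADVISORY-C", "medium",   date(2024, 3, 1), date(2024, 4, 10)),
    PatchRecord("app-04", "ADVISORY-C", "medium",   date(2024, 3, 1), None),
]

if __name__ == "__main__":
    report = sla_report(SAMPLE_RECORDS, TODAY)
    for sev, s in report["by_severity"].items():
        print(f"{sev:8s} {s['pct_within_sla']:5.1f}% within SLA, worst {s['max_days']} days")
    for host, adv, d in report["overdue"]:
        print(f"OVERDUE {host} {adv} open {d} days")
```

On the constructed rows, the critical tier is only 50% within SLA and the two still-open hosts surface at the top of the overdue list. The point of the percentage and the "worst" figure together is that an average can hide a single host that has been exposed for months; the question to IT is really about that tail, not the mean.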
Breaches stink! But a bad (or untimely) breach response could get you into even more trouble. What people learn in cybersecurity is that if Company A gets hacked today, Company B will more than likely be hacked Monday, and Company C on Tuesday. What do we mean by this? Simply put, there will always be another breach, and if you are straightforward with your customers, patients and investors, they will likely forget yours fairly quickly and move on to focus on the inherent value of the company. But if you are slow to respond, slow to disclose, or disclose inadequately what happened to your constituencies, you will likely be tortured for a good long time by the media, high-activity bloggers and, most importantly, the regulators. Why the torture? I truly think it is a risk-allocation problem. As between a company and its customer, it was the company that stored the customer's data, so if there is a breach it is the company that must tell the customer what happened, so the customer can protect himself or herself. The moral of the story? Memories of bad breaches that were handled well and disclosed promptly tend to fade. Bad breaches that were badly handled, or where disclosure was delayed for months or years? Big problem, and a potentially big regulatory problem as well if you are a public company or regulated entity.
How do I best protect myself? Encrypt or tokenize your data to make it useless to the attacker: if everyone is, or will be, hacked at some point regardless of defenses (especially when a nation-state comes knocking at your server door), then protect your data by encrypting or tokenizing it, so that if it is stolen it is useless. What do we mean? If the ingredients of the “secret sauce” on your Bronco burger are your most critical asset, do something so that the ingredient “ketchup” looks like “XQ1%5HWP” when the attacker steals it. This topic doesn't get talked about much, and it confuses some people. The practical caveat is that the protection is only as good as the separation between the data and the means to reverse it: encryption keys and the tokenization vault must be stored and access-controlled separately from the protected data, ideally in a key management service or hardware security module, or an attacker who takes the database takes the key with it. But the point stands: if your data looks useless to an attacker, the attacker may decide you are not worth the hack and go somewhere else.
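Here is an added example (not from the article, and not any vendor's product) of the tokenization half of that advice. The application database stores only random tokens plus a keyed blind index for lookups; the plaintext lives in a separate vault. The vault class, the record layout, the sample patient values and the in-process key are all constructed for illustration; in production the vault and the index key would sit behind their own service and a KMS or HSM.

```python
"""Tokenization sketch: the app database keeps opaque tokens and a keyed blind
index; the vault keeps the plaintext. Added example; vault, record layout and
sample values are assumptions, not code from the article or any product."""
import hashlib
import hmac
import json
import secrets


class TokenVault:
    """Maps random tokens to sensitive values. Stands in for a separate
    tokenization service; here it is in-process only so the example runs."""

    def __init__(self):
        self._store = {}  # token -> plaintext

    def tokenize(self, value: str) -> str:
        # Random token: carries no information about the value, and the same
        # value tokenized twice yields two different tokens (no frequency leak).
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def blind_index(index_key: bytes, value: str) -> str:
    """Deterministic keyed hash so the app can do equality lookups (e.g. by
    medical record number) without storing the value itself. A keyed hash of a
    low-entropy value is brute-forceable if the key leaks, so the key must live
    with the vault side (KMS/HSM), never in the app database."""
    return hmac.new(index_key, value.encode(), hashlib.sha256).hexdigest()[:32]


def store_patient(app_db, vault, index_key, mrn, diagnosis):
    """App DB row holds tokens and the blind index only; plaintext goes to the vault."""
    record = {
        "mrn_token": vault.tokenize(mrn),
        "mrn_index": blind_index(index_key, mrn),
        "diagnosis_token": vault.tokenize(diagnosis),
    }
    app_db.append(record)
    return record


def find_by_mrn(app_db, vault, index_key, mrn):
    """Equality lookup via the blind index, then detokenize through the vault."""
    idx = blind_index(index_key, mrn)
    for rec in app_db:
        if hmac.compare_digest(rec["mrn_index"], idx):
            return {"mrn": vault.detokenize(rec["mrn_token"]),
                    "diagnosis": vault.detokenize(rec["diagnosis_token"])}
    return None


def leaks_plaintext(dump: str, sensitive_values) -> bool:
    """Check a stolen dump for any of the sensitive values in the clear."""
    return any(v in dump for v in sensitive_values)


# Constructed sample data (placeholder record numbers and conditions, not real patients).
SAMPLE_PATIENTS = [("MRN-0001", "condition-alpha"), ("MRN-0002", "condition-beta")]


def demo():
    vault = TokenVault()
    index_key = secrets.token_bytes(32)  # would come from a KMS/HSM in production
    app_db = []
    for mrn, dx in SAMPLE_PATIENTS:
        store_patient(app_db, vault, index_key, mrn, dx)
    stolen_dump = json.dumps(app_db)     # what an attacker gets from the app DB alone
    sensitive = [v for pair in SAMPLE_PATIENTS for v in pair]
    return {
        "dump_leaks": leaks_plaintext(stolen_dump, sensitive),
        "lookup": find_by_mrn(app_db, vault, index_key, "MRN-0002"),
        "miss": find_by_mrn(app_db, vault, index_key, "MRN-9999"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the split: a copy of the app database alone yields tokens and hashes with no patient data, and a copy of the vault alone yields values with no link to which row, or which patient, they belong to. The attacker needs both halves and the index key, which is exactly why the three must not share a host, a credential or a backup job.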
So these are the “keys” as we describe them. Yes, there are more, but these are pretty big. Perhaps the biggest key of all? Adopt the NIST Cybersecurity Framework (or one of its regulatory variants) and stick to it. The Framework will help you with many of these keys, and it may even answer some of the major questions a layperson general counsel has about cybersecurity. We need to take the mystery out of cybersecurity. More people need to get back to the basics as we describe them above. If we do, this nation will be far better off down the road, and the ingredients of the secret sauce for your Bronco burger will not end up on the menu of a competitor in a foreign country.