CyberWire Daily - Can public/private partnerships prevent a Cyber Pearl Harbor? [CyberWire-X]
Episode Date: December 14, 2020
For many years, public and private sector cybersecurity experts have warned of a large-scale, massively impactful cyber attack on critical infrastructure (CI). Whether you call it a cyber doomsday, a cyber extinction, or as former Defense Secretary Leon Panetta termed it, a “Cyber Pearl Harbor,” the message is clear: it's not a matter of if, it's a matter of when, and it's not just critical infrastructure that's vulnerable. More recently, experts have started to raise the alarm around not just CI, but other systems as well, notably position, navigation and timing (PNT) services. PNT includes things like GPS devices -- extensions of IT systems which are widely used by both private and public sector organizations, and particularly vulnerable to attack thanks to their open source origins and lack of native security controls. While there is no magic bullet to solve the cybersecurity challenge, there's growing consensus that an effective strategy is going to require large-scale cooperation and coordination between the public and private sectors. While the government is uniquely equipped to source and promulgate guidelines and standards like the Federal Information Processing Standards (FIPS) and NIST Special Publication 800 Series, private sector partners have the expertise to implement these standards across industries. The private sector is also a major driver of innovation in security, making use of sophisticated analytics, AI, and other tools to improve not only native security controls but also hygiene, threat detection, and response. In this episode of Cyberwire-X, guests will discuss the benefits of public/private partnership for cybersecurity, the roles of each, and how the threat of a "Cyber Pearl Harbor" informs the priorities of both. Joining us today are Keith Mularski from EY, Rob Lee from Dragos, and Egon Rinderer from Tanium.
Transcript
You're listening to the Cyber Wire Network, powered by N2K. affecting organizations around the world. I'm Dave Bittner. Today's episode is titled,
Can Public-Private Partnerships Prevent a Cyber Pearl Harbor?
For many years, public and private sector cybersecurity experts
have warned of a large-scale, massively impactful cyber attack
on critical infrastructure.
Whether you call it a cyber doomsday, a cyber extinction,
or as former Defense Secretary Leon Panetta termed it,
a cyber Pearl Harbor, this notion of a catastrophic cyber event understandably captures the imagination
of both cybersecurity professionals and the general public. But given the history of
nation-state cyber attacks and the current global political situation in which we find ourselves, is the notion of a cyber Pearl Harbor still a useful analogy?
Or is it breathless hype, good for generating clicks and selling cyber defense services,
but no longer reflective of the way real-world cyber conflict is likely to play out?
In this episode of Cyber Wire X, our guests will discuss the benefits of public-private partnerships for cybersecurity, the roles of each, and how the threat of a cyber Pearl Harbor informs the priorities of both.
Joining us today are three experts with a spectrum of opinions on the topic.
We begin the show with my conversation with Keith Mularski, Managing Director for Cybersecurity Consulting at EY.
A program note: each CyberWire X special features two segments.
In the first part of the show, we'll hear from industry experts on the topic at hand,
and in the second part, we'll hear from our show's sponsor for their point of view.
And speaking of sponsors, here's a word from our sponsor, Tanium.
Today, we rely on endpoints for everything from remote work to mobile banking, telemedicine, and online learning.
That's why managing and securing these endpoints has never been more important.
Tanium provides endpoint management and security built for the world's most demanding IT environments, providing real-time visibility, comprehensive control, and rapid response for endpoints across distributed operations.
Visit Tanium.com slash CyberWire to get a 14-day free trial of Tanium as a service.
That's Tanium.com slash CyberWire.
And we thank Tanium for sponsoring our show.
Keith Mularski is Managing Director for Cybersecurity Consulting at EY.
Prior to joining EY, he served as cyber unit chief with the FBI,
where he was responsible for developing and facilitating global cyber operations,
including the infiltration and strategic targeting of the most prominent international
cybercrime actors and organizations, and leveraging relationships with law enforcement
and private sector partners.
Well, it actually kind of started with the FBI and the Public-Private Alliance in Pittsburgh,
where I'm located. And I was fortunate to kind of be on the ground floor of that. And it just kind of started organically. My first boss, his name is Dan Larkin, and he was the cyber supervisor at the FBI's Pittsburgh office.
So he said, let's can we just kind of get things together and have a place where we could share information?
So he started talking to some of the lawyers at the Department of Justice and they said, well, what you want to do is set up a nonprofit, a 501(c)(3), and then have this
neutral space where people can kind of come and share. He formed at that time, and it's still
called the National Cyber Forensic and Training Alliance. It was kind of based on the framework
that they used down in West Virginia at the National White Collar Crime Center and also the Internet Fraud Complaint Center,
just having that nonprofit where people can share information.
So, I mean, in your experience, when someone reaches out from an organization like the FBI, are most people welcoming to that?
Is there skepticism or how do you go about building the trust?
Sure. And that's, that's a big thing because, you know, people don't, they don't want to give
their information to the government. You know, we always had a joke is, you know, we would come and
say, Hey, we're from the government, you know, and we're here to help. And people would laugh.
So what we found that was really important was you kind of had to go in with a theme that was affecting people.
So the first project that we started there at the NCFTA was a project called Anti-Spam.
And at that time, spam was getting to be a real big problem with legitimate mailing. So, you know, the Direct Marketing Association was saying, hey,
we can't do effective, legitimate advertising, you know, by email. So we found out there was just a
lot of white hat, you know, hackers out there or just white hats in general that just wanted to
clean up the internet. So we brought everybody together under that one topic with anti-spam to kind of first start sharing that information.
And we found out that industry was collecting a lot of information on who the bad actors were out there.
And so from the government, we were kind of able to look at it and say, hey, yeah, well, with spam, there's wire fraud involved.
There could be some phishing related to that.
So there could be U.S. Code violations, 1030 and 1028 and 1029.
So we were like, well, we can make cases off of this from the intelligence that private industry was collecting. So we found out that it was really important when you set these up to really kind of go in with a really a project and something that
you wanted to accomplish. And what does each side get out of these sorts of arrangements? I mean,
what are the benefits for them? Well, from the government, I think it's just fantastic because, you know, unlike any other crime that the government investigates,
really, industry has just as much, if not sometimes better, information on the threat actors than the government does.
When you think about it, the bad guys, for the most part, they're not attacking the government.
You know, they're attacking private industry to try to steal, you know, secrets or, you know, for financial gain. So industry is really at that tip of the spear of seeing the new, you know, tactics and procedures being used by the threat actors and then adjusting to that.
So the government really, you know, although they have great collection on certain things, they don't see that as much. So to have industry being able to provide
that on certain threat groups is just, you know, outstanding from a government standpoint.
And then from an industry standpoint, one is knowing that their data is going to good use,
that the government is going to go after these threat actors to either disrupt or arrest them.
Just knowing that the data that they're collecting is going towards a good cause is a lot of times the big thing for industry.
I want to touch on this notion of cyber Pearl Harbor, which is sort of a – I don't know.
It's a notion that I think resonates with
a lot of people, this notion that we could have a cyber event similar to what we experienced with
Pearl Harbor before World War II. First of all, I mean, do you think that that is a useful metaphor?
Do you think that that sort of imagery works in the cyber realm?
I think so. And I think people have always talked about either Cyber Pearl Harbor or Cyber 9-11.
That is their biggest fear out there. And I think you have to share information, you know, effectively between private industry and,
you know, the government in order to make sure that you're really seeing what you think you're seeing out there, you know, that there are no stones left unturned and, you know, and everybody
is really has the complete picture on what the threat is out there. Because these threats,
as you know, they change daily
and you need to be able to respond very quickly.
And for the cyber threat, no one agency can do it all.
So it really takes a whole of government
and really a whole of industry approach
to really identify what the threats are out there,
making sure that you're sharing that information and that people know what those threats are so they can craft defenses or pivot,
you know, to make sure that you thwart any of these type of attacks.
Robert M. Lee is CEO at Dragos, a cybersecurity firm focused on protecting industrial control systems.
Prior to forming Dragos, Rob served as a cyber warfare operations officer in the U.S. Air Force.
The whole notion of a cyber Pearl Harbor, a cyber 9-11, you know, I think those are the two that you hear talked about the most. Is that, the point
where we are right now, are those still useful metaphors?
No. And I don't want to critique the
inception of those metaphors when, I think it was like
Richard Clarke and folks were using those terms, I think it was him, he might email
me and yell at me if it wasn't,
but smart guy.
When he and folks were using those terms,
I think they were speaking to a largely technical
and cybersecurity illiterate audience,
whether it be directly to the president
or also to Senate members and similar
that weren't as tuned in to the story. And in a conversation to elicit the, there could be this kind of impact through cyber,
I don't actually critique that too much. I don't, I never use those terms. I've never liked those
terms, but in communicating impact to a non-technical audience at the time, I think it'd be difficult to truly critique that without some major hindsight bias.
Nowadays, we have much more literate cybersecurity staffers in Congress and Senate.
You have some of your senators and congressmen themselves that are fairly literate on the topic.
You have more cybersecurity expertise in government than you've ever had before at the senior and executive levels. I don't think that it is as useful. And your public
is hyper aware of the topic of cybersecurity, where everything from election influence to
hacking of Democratic National Convention to whatever. Even mom and pop have heard cybersecurity,
okay, bad people can do things to us over the internet.
There's some at least familiarity with it,
but I think the drawing on Pearl Harbor, 9-11,
these kind of things, now more than ever is overplayed
and we've got to be careful in how we communicate
the nuance to a wide audience of what we're actually referring to, such as the massive
exfiltration of intellectual property of our next generation related to everything from aerospace,
you know, aircraft to intellectual property manufacturing and chemical production. I mean, that theft
is going to impact our country for the next 20 years much larger than any single event.
But expecting some massive single event actually deters people from thinking about what's happening today. So what do you suppose a useful message is?
How do we dial in the appropriate level of concern,
vigilance, however you want to describe it?
Yeah, I think that number one,
we really need to be careful
when we use military terminology.
I see so many folks going, we're at cyber war
and they've
fallen in love with that term. Some will argue it doesn't exist. Some will argue that we've seen
every bit of proof of it. But when you start invoking military terms, this is at war and we
have, you know, conflict and here's this armed conflict taking place. You invoke a department
of defense who is very well versed in war, and you start
getting a polarization of the field. You start seeing government want to bring to bear its powers
as it relates to conflict. You get sort of missing the point, which is not to try to categorize this
in any one thing. This isn't just crime. This isn't just state activity.
This isn't something that's easily parsed into any one field.
It's a unique field of its own,
and I think it's much more appropriate to explain to companies
that there are risks that they have by operating companies.
Cybersecurity is one of those risks,
and if they'd like to mitigate that risk, they're going to have to take a variety of
compensating controls to mitigate that risk and in partnership with both private sector
partners as well as government partners for when those roles and responsibilities overlap.
We just need to speak cleanly and clearly about what the risks are and how we need to
mitigate them. And that's plenty for today's board of directors members, as an example, at the executive level of these companies.
What about, I mean, it seems to me like the government is uniquely equipped to provide guidelines.
You know, things like NIST publications, you know, publication 800 series or things like that.
You know, the FIPS, you know, those sorts of things
that is in that government lane, that then the private sector, to put the guardrails on the
private sector, I'm thinking of the sort of push and pull between those two things.
Absolutely. And so are they uniquely equipped to know what should be in the standards? No.
Most of the insights in cybersecurity are
coming from the frontline companies that are dealing with the attacks or their service companies
that are helping them respond to them, doing intrusion analysis, getting intel, understanding
adversary tradecraft, etc. But should the government be the one calling for the quorum and saying,
hey, let's all come together and codify this and we'll put the guardrails up and we think this is
actually appropriate? Yes. I remember my guidance to CISA when I stood up, my guidance was,
you're going to get asked by Congress to do a lot of things. You're going to get told you're
responsible for a lot of things. And everyone's going to judge you at the end for doing 70%
across the board peanut butter spread. What you should do is pick two or three things you want
to be successful at and go do it. So to plainly state kind of a summarization of what you prompted with,
the government has the ability to amplify, the government has the ability to help fund and
influence, and the government has the ability to regulate, and the government has the ability to
create partnerships and ecosystems. Those are great areas for it to focus on.
The Department of Energy has done an exceptionally good job of creating an
eco-ship of collaboration in the electric sector.
The Department of Homeland Security, Department of Energy, co-created
with the electric companies, the Electric Sector Coordinating Council.
They meet multiple times a year with board objectives
as it relates to national security as well as private sector needs
between government and private sector
with all of their industry partners along there
at a CEO level that sets strategy and has influence across the sector.
Well done.
That's what winning looks like.
Egon Rinderer is Global Vice President of Technology and Federal CTO at Tanium, our show sponsors, an endpoint security and systems management company.
I mean, I think it's a blend of probably a little bit of reality and a little
bit of media influence and a whole lot of experience, frankly. You know, we've learned
over the years that this is definitely a game of leapfrog. And it seems that as each year ticks by, we see the threat get substantially more serious and the investment that it takes to keep up with it, if you will, become greater.
But I think the net result of that is, we're sort of cognizant of the fact that there's going to be, or at least there's a pretty high likelihood of some sort of major event.
Again, whether it will be cataclysmic or whether it's a true Pearl Harbor scale attack, we don't know.
But that's just it.
We don't know.
And in the absence of assuredness, I think it gives our minds the opportunity to kind of assume the worst.
And I think this is one of those areas like I never want to be one of those people that aggrandizes the potential severity of something.
But we also have to be honest with ourselves and understand that this is the new battle space. This is where wars are fought.
And it is, frankly, the path of easiest entry
in terms of a large scale and very serious attack.
And so we have to treat it as such.
You know, not to be all doom and gloom,
but why don't we go through some of the potential scenarios
that caught your eye?
I mean, can we kind of go through the spectrum from, you know,
things that I suppose could be categorized as, you know,
not much more than a nuisance to, as you say, you know,
perhaps something more cataclysmic?
Well, I think we deal with the nuisance things every day.
I can't speak for anybody else, but I can tell you,
I have a pretty hefty collection of free credit monitoring services at this point from just the sheer number of breaches out there where my private information has gotten owned by somebody.
And so, you know, as recompense for that, they dole out a little freebie here and there.
It's a shame, frankly, like it really does bother me that that falls in the
category of nuisance, but it does. It doesn't have any substantive impact on my day-to-day life.
And then you take that up a level and you start thinking about, you know, you put yourself in the
shoes of the adversary, right? If you want to inflict harm on a society, what are the things you do, right? And you start sort of escalating
that and you start looking at, okay, how do I impact somebody's day-to-day life? Well,
I can shut down normal services, right? So maybe take down non-critical infrastructure sites,
shopping, the ability payment card systems, that kind of thing. That puts a tremendous amount of pressure on businesses. You think about
the amount of revenue lost every minute that a large payment card system
is down, something along those lines, and you start to think about it from the standpoint of
financial warfare. There's certainly precedent for that
historically. Going after a financial system is just easier
now. And then you take it up another step and you start looking at, OK, well, what about national critical infrastructure?
Coincidentally, that's probably some of the poorest protected systems that we have out there because of the density of legacy systems involved.
And the you know, a lot of those legacy systems at the time that they were fielded, there simply wasn't the kind of threat that there is today.
And therefore, there weren't the security measures.
And in many cases, the security measures that are needed just simply aren't possible.
And then you take it up yet another level and you look on a nation state scale and you look at attacks against our government, against our DOD, against our ability to conduct mission.
And that's where it starts to get, frankly, pretty thought-provoking, right?
That's where we really do as a community, we need to spend some time on that and understanding
what the real threat is and how we truly protect against that.
And hopefully that's why we're talking today.
Yeah, you know, I think that notion of uncertainty is really an important one. I think
about how, you know, we recently just made our way through the elections, and a lot of people
leading up to it were saying that, you know, adversaries wouldn't necessarily have to
change a lot of votes or take down the whole voting system that if they were targeted and
hit one or two areas that that could erode our confidence in the system and that could be enough
to achieve what they were after. And I wonder if that's not true with other types of critical
infrastructure. You know, if you turn the lights off somewhere, well, does that have
everyone looking over their shoulder wondering, hey, are we next? That's right. That's right. I think you've absolutely hit the nail on the head.
You don't boil the ocean, you erode confidence, exactly as you said it. And whether it's in our
system of government or whether it's in our power distribution system, you look at what will be,
I don't think it is today because not enough people are aware of it,
but you think about for a moment, the, the erosion of confidence and the erosion of trust
that something like, um, deep fakes can, can have on a society, the, the erosion of confidence and
trust in the news media that rampant misinformation campaigns on social media can have. I really do believe we desperately,
desperately underestimate the impact that that has on society. We're so focused on
the outright and the overt attacks that I think we tend to miss the more nuanced attacks like that.
Yeah, I tend to agree. I mean, I think of us as being kind of a, in general, being sort of a reactive species,
you know, that things have to get really bad before we're able, before we're willing to make
changes when it comes to the big things. And I think that flows down to a lot of things like
what we're discussing today. Well, I mean, what are some of the potential solutions to this?
How are folks coming together to say we can do a better job?
Well, so here, I'll just tell you what I see.
Observation.
It would be really nice if I could say, gosh, it's great how private sector and government have come together or are working in lockstep to solve this problem.
But we're not, like, fact of the matter is we're not there yet.
We are seeing progress.
I think we're certainly seeing progress in the private sector among organizations coming
together within the private sector and working together.
World Economic Forum just recently released a nice document about how like not only within
private sector, but private public can come
together and work on these things. People are at least thinking about it. They're at least trying
to make strides to do that. At the same time, though, you get back to that issue of trust that
we talked about and that erosion of trust. And when you do, when you broach the topic of bringing
public-private together, like the first thing people have to talk about is, well, in order
to do this we're going to have to share information, we're going to have to share data, and the data
that we collect is sensitive. And then all of a sudden you get into the problem of there's this
innate mistrust, or distrust rather, between the private sector and public sector. You know, it's
almost adversarial at times, and if you think about it, it makes sense. It goes back to human nature, and the government's job is to put mandates on businesses, and businesses sometimes don't like
those mandates because they cost money, and right there's this sort of natural tension that occurs.
And then you have other issues where, you know, the government has had some black eyes over the
years with regard to their handling of personal information on people.
And certainly the public sectors or private sector is not innocent of that either.
But that idea of marrying the two up makes people very uncomfortable, I think.
What we can do at a more macroscopic level, though, within the business world and certainly within the vendor community, and this is something that I think we as the vendor community have to take very seriously.
We're more than happy, generally, to continue churning out those compensating controls, right?
Yeah, that's, you know, I totally understand your plight, Mr. Customer.
You do a poor job of the basic blocking and tackling, but I have this new thing and it directly addresses
that new threat that came out six months ago. And so, you know, give me your money and I'll
give you this shiny thing. And it's an addiction. That is a disease within the private sector,
constantly chasing, you know, whatever the new niche product is for the new niche threat,
all the while letting those baseline, you know, the basic
hygiene, the blocking and tackling the baseline controls, if you will, go untended and focusing
our spend and our effort and our time and our energy on how to compensate for the fact that
we do a poor job of those basic things. Yeah, you know, I think about, you know,
we talk about hygiene and it makes me think about public health efforts as a comparison.
You know, when you talk about something like, you know, eradicating smallpox or eradicating polio, you know, which is we're very close to eradicating polio, but it's hard.
And when you go down one of those paths, it's easy for people to say, well, I mean, that's too big a thing to take on.
How are you – that's going to take decades to fix that.
But on the other side of it, you know, the world has no more smallpox.
The world has no more polio.
And I wonder, you know, is this a similar sort of thing where it's going to take one of those long-term efforts where people have to get together and say,
you know, yes, this is a big job, but it's important. And the work on this job may
outlast any of our individual careers, but it's still worth doing.
Yeah, I could not agree more. And so here's the problem with that, I think,
is that in the case of the former, like, put this in context, it's
not been that long ago that we were dealing with polio and that we were dealing with smallpox. In
the grand scheme of things, it was an existential threat to everyday people, and it was a clear and
present form of suffering that they observed in society. And I think with what we're dealing with now,
it's easy to trivialize it because it's ones and zeros.
It's intangible.
And until it hits people directly and until it affects people
on a, I think, a more common basis,
I don't believe that we'll have, as a society, I don't believe
we'll have the stomach for doing what it takes to actually resolve it the way that we did something
like, you know, polio and smallpox. Is that what it's going to take? Yeah, 100%. Until you have
that level of buy-in on a community level within our society, I think the adversary
will continue to successfully perpetuate it. There are other parts of this where, so step away from,
like, yes, it's pain to do these things and we don't really want to focus our time and energy
and money there. There's a more, sort of, I think a deeper problem with the social aspect of this when you get into
social propaganda, social manipulation, things like that. I don't know, frankly, how you
fight that, because that's playing on the very thing that keeps people from being able to
stop and be objective about decision making and say, okay, this is dangerous. This is dangerous to us as a society.
And that's a piece of this that's really difficult to solve.
Yeah. Yeah.
Well, I wanted to wrap up and sort of end things on a positive note, if we can. I mean,
what are your thoughts on ways that folks who want to be a part of the solution,
what are some of the things that they can do, the people who are in the public sector,
the people who are in the private sector, how can they be working towards this better future together?
Well, I think we truly do all have a common goal.
And that's where it starts, is getting a shared vision of what that goal is.
And that, frankly, that was sort of one of the points that the documentation that came
out of the Global Economic Forum pointed out was, look, we've got to have this shared narrative
and a collective understanding of what are we trying to do here.
And then we've got to do things and very intentionally do things to build trust between
all the parties involved.
There has to be mandated guidelines.
They have to be followed. Nobody's exempt from them, right? You don't get to pick and choose
where you're compliant with these things. If you're going to participate, then you're going
to comply with these rules so that that trust doesn't get broken. Without that basis of trust,
we don't have a foundation to build on. That's in place, then I think we need to take
a very hard look at the way that we're doing things today, because we've gotten a bit off track.
We've gone and chased far too many shiny things and we've neglected the, again, those
baselines, if you will. There's certainly some modernization that's going to have to take place.
That's going to take money.
Nobody wants to spend that money, right?
Everybody wants to keep shareholders happy.
And I think we're going to have to take, though, a really hard look at some of the legacy, not only the capabilities, but the legacy processes that we have and go through a really hard and fast modernization of a lot of our critical infrastructure and the protections around that. This is not a new idea, right? People have been talking about digital
transformation for well over a decade. It's to the point now where folks roll their eyes if you bring
it up. It's not a cliche, it's no more like, it's still as applicable today as it was 10 or 15
years ago when people started
talking about it in earnest, and we've done very little about it. So I think, you know, we need to go
back and revisit those things and understand where those hard changes are going to have to be made,
and be willing to have conversations. And this is probably one of the most important things we need
to get back to in society: we need to be able to have conversations that are contentious without getting emotional and just talk through the facts and be willing to say,
this thing we've been doing for a very long time that we have a lot of people doing
is not a good idea. And just be willing to reassess those things.
Our thanks to Keith Mularski from EY and Robert M. Lee from Dragos for sharing their expertise. Thank you. Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity startups and technologies. Our coordinating producer is Jennifer Eiben.
Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.