Bad news about a cyberhack travels fast. Cyber threats, from the lone cybercriminal to foreign entities searching for proprietary secrets and financial data, continue to target our public and private sectors.
The U.S. Chamber of Commerce, in partnership with the San Antonio Hispanic Chamber of Commerce, North San Antonio Chamber of Commerce, and the Texas Association of Business, hosted its first-ever cybersecurity conference on Tuesday. The day-long program featured speakers from government, law enforcement, and the private sector addressing topics that will help businesses navigate the National Institute of Standards and Technology (NIST) cybersecurity framework released by the White House.
With more than 200 registered attendees, the conference at the Embassy Suites Riverwalk opened Tuesday morning with participants from public utilities like CPS Energy, private sector companies like Valero, and universities such as University of Texas San Antonio and University of Incarnate Word.
The chambers’ priority was to help small and mid-size business owners develop, assess, and strengthen cybersecurity programs, as well as provide ways for businesses to talk about and share best cybersecurity practices with their supply chain partners.
Critical infrastructure makes up the essential services we rely upon in the U.S., such as electricity, water, transportation, stores and businesses, or communications. The Department of Homeland Security (DHS) lists 16 critical infrastructure sectors, either physical or virtual, so vital to the United States that anything like a cyberattack immobilizing or destroying them could debilitate our national security, economic stability, national public health, or overall public safety.
In her opening remarks, Ann M. Beauchesne, U.S. Chamber senior vice president, reminded business owners how their risk management should include planning for cyberattacks.
“There’s always a way to breach cybersecurity,” Beauchesne said. “We want to encourage you to take steps toward improving your cyber resilience. In America, the private sector pretty much owns much of the critical infrastructure.”
Cybersecurity benefits from partnership among government entities, academia, and industry, in order to leverage each one’s strengths and resources. Suzanne Spaulding, DHS under secretary of the National Protection and Programs Directorate, explained the ways DHS works with the private sector on their response to cyber threats, and how DHS is sharing cyber threat information with the private sector.
“Once you connect to the internet, there’s (the possibility of) threats to your industry’s machinery, with cyberattacks having physical consequences for your industrial control systems,” Spaulding said. “The key is to start your risk assessment by looking at the critical consequences of possible cyberattacks.”
Cyber Tools Available for Businesses, Public Sector
As more operational equipment connects to the internet, cybersecurity and physical security become inextricably linked. DHS is partnering with the critical infrastructure community in establishing a voluntary program to encourage use of the NIST’s Cybersecurity Framework to strengthen critical cybersecurity infrastructure.
The Critical Infrastructure Cyber Community (C³) Voluntary Program is a DHS-led public-private partnership focused on linking critical infrastructure owners and operators to resources that help businesses use the framework to manage cyber risks. The voluntary program aims to help industries improve cyber resilience, to increase awareness and use of the framework, and to encourage organizations to manage cybersecurity actively.
DHS has free tools available to help business owners use the cybersecurity framework to better assess their cyber vulnerabilities.
“The estimate is that 50 billion devices will connect to the Internet of Things by 2020,” Spaulding said. “Cyber hygiene is really important, and it’s why we will need layers of defense to reduce cyberattacks on the critical resources important for us.”
Dave McDermitt, vice president, chief information security officer, and chief privacy officer for USAA, moderated a panel on the cybersecurity challenges facing the financial sector.
“For a large enterprise like a city, businesses providing local services need to be cyber resilient,” McDermitt said. “Multiple layers of cyberdefenses can help reduce the risks, while crisis management plans provide businesses ways to continue operations in the event those defenses fail.”
The challenges are not just in detecting and defending against cyberattacks, but in knowing how cyber threats change over time. Information sharing on emerging threats is a critical resource the Financial Services Information Sharing and Analysis Center (FS-ISAC) provides for the financial industry.
An industry forum for collaboration on critical security threats facing the global financial services sector, the FS-ISAC provides early warning of and expert advice on cyberattacks targeting public and private sectors, to help protect critical systems and assets from physical and cybersecurity threats. Created by and for its members, the FS-ISAC has become the global financial industry’s resource for cyber and physical threat intelligence analysis and sharing. FS-ISAC is unique in that it operates as a member-owned nonprofit forum.
“We look at 12 million attacks a year, or about 10,000 a day, to determine what poses a threat to companies,” John South, FS-ISAC senior director, said. “The ISAC shares that constantly updated threat profile with businesses, especially because speed of action is absolutely critical in addressing cyber threats.”
Jobs of the Future: Cyber Hunting and Data Analytics
Social engineering cyberattacks are not terribly high-tech — scam emails that get you to click on a malicious link, for example — but they are incredibly persistent. Advanced persistent cyber threats often do not manifest signs of intrusion.
“Cyber hunting focuses on threats internal to your systems,” said Nicole Beebe, director for the Center for Education and Research in Information and Infrastructure Assurance and Security at the University of Texas at San Antonio. “Cyber hunting is a proactive technique to search through networks or data sets to detect and respond to advanced threats that evade traditional security solutions.”
More and more cyber hunters skilled in data analytics, integrated dashboards, and visual data sets are needed to beef up cyber defenses across multiple industries and disciplines.
UTSA’s College of Business will launch a new one-year Master of Science in Data Analytics degree program in fall 2016 to produce highly-skilled and educated data analysts who can transform big data into usable information for decision makers across a variety of disciplines including business, healthcare and national security.
“It’s not about responding to alerts and detected incidents,” Beebe said. “Cyber hunting is a resourced, intentional mission that’s continuous and requires an active defense posture with skilled cyber professionals using cyber threat intel data.”
UTSA’s new degree program joins more than 20 available nationwide to fill the growing gap of 140,000 to 190,000 unfilled positions for U.S. data analytics experts by 2018.
U.S. Rep. Will Hurd (R-Texas) also stressed the importance of meeting the growing demand for cybersecurity expertise.
“We have to train people for jobs that don’t yet exist,” Hurd said. “We need to make sure we’re keeping enough skilled people in the pipeline to meet the needs for cybersecurity expertise in the future.”
Information sharing also needs to keep up with the demands generated by the increase in cyber threats.
“Vertical information sharing needs to improve,” Hurd added. “While we have the ISACs, there needs to be more businesses participating and sharing data on cyber attacks across the ISACs to make this program into an even more valuable asset, with robust intel.”
Whereas the traditional focus was on keeping classified intelligence on threats within small circles of people to limit dissemination, the emphasis in the cybersecurity age has shifted to sharing intel on cyberattacks, so everyone can understand how businesses, government, and public sector organizations are being targeted.
“One of the biggest things to come out of the 9/11 Commission (report) is the (recommendation to) transition from sharing information on a need-to-know basis to need-to-share,” Hurd said.
An idea being discussed within Congress to attract cybersecurity talent to the federal government is to create a “Cyber National Guard,” where graduates with cybersecurity degrees could gain work experience in government, then transition to the private sector after two years.
“This could ensure that the federal government has the cutting edge cyber talent it needs to defend its assets,” Hurd said.
Federal agencies are in desperate need of improving cyber postures across the board. The Federal IT Acquisition Reform Act (FITARA) calls for a scorecard approach to report on agencies’ IT management. In the last scorecard, only one federal agency — the Department of Commerce — earned an overall score of “B,” the highest score reported. NASA earned the only overall “F” grade.
According to Rep. Hurd, the broader conversation about cybersecurity and national security is taking place at high levels, as many wrestle to define what constitutes an act of war in this era of digital attacks.
“What defines an act of war? Stealing OPM data?” Hurd said. “What level of attribution do we need to know who was responsible for the cyber attack? Is general attribution (that the Chinese government was behind the OPM data breach) enough or do we need to know which group of actors specifically were responsible? What is the appropriate response if we do decide to retaliate? Digital retribution, economic sanctions, or something else?
“This broader conversation about cybersecurity across government reflects the importance of these issues and will continue to be a focus for us in the remaining Congressional term,” Hurd added.
The message from today’s cybersecurity conference aimed at local businesses and the public sector was loud and clear.
“We need to ensure that state and local governments improve their cyber posture,” Hurd said. “Small businesses also need to do their part and improve their digital security hygiene. This issue isn’t going away.”
Top image: From left: Cybersecurity panelists USAA Chief Information Security Officer and Chief Privacy Officer Vice President Dave McDermitt, FS-ISAC Senior Director John South, Security Operations Center Global Head Delfim Martins, and Financial Services Roundtable Vice President Murray Kenyon speak about the state of cybersecurity in the financial services sector. Photo by Kathryn Boyd-Batstone.