Security Technology Executive

SEP-OCT 2018

Issue link: https://securitytechnologyexecutive.epubxp.com/i/1030460


SECURITY TECHNOLOGY EXECUTIVE • September/October 2018 • www.SecurityInfoWatch.com

SECURING THE GRID

Engagement with the U.S. Government

These factors all suggest the need for more active private sector engagement in defining how the U.S. government will support and defend the private sector. Of the above-cited private sector examples, all but one (Uber) have been either explicitly (Merck, FedEx[13]) or implicitly (Equifax[14]) tied to a hostile state actor. The U.S. Director of National Intelligence's 2018 Annual Worldwide Threat Assessment recently warned that "the risk is growing that some adversaries will conduct cyber-attacks—such as data deletion or localized and temporary disruptions of critical infrastructure—against the United States in a crisis short of war."[15] Moreover, the NotPetya attack reportedly leveraged exploits developed for offensive purposes by the U.S. National Security Agency that subsequently leaked.[16]

It is tempting to say that defenses against state actors should simply be left to the U.S. government, but this ignores the very real operational business disruption that these attacks cause. We have seen a similar dynamic in the context of terrorism, whereby airlines, entertainment companies and other private-sector firms are basically pawns targeted by terrorist groups to achieve geopolitical objectives.

There are several steps the U.S. government can take, perhaps in part through the auspices of the Department of Homeland Security's Risk Management Center, including timely sharing of actionable threat information, more actively disclosing vulnerabilities, advancing research and development efforts and imposing meaningful consequences on those actors to whom it can attribute malicious cyber activity. Moreover, while there is no such thing as risk elimination, the federal government can provide incentives to bolster defenses.

One such incentive is the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act, which Congress passed to encourage the development of anti-terrorism "technologies" (a term that has been interpreted to include products, services and programs) by limiting liability related to the deployment of capabilities that pass a meaningful government vetting process. The SAFETY Act vetting process at the Department of Homeland Security is real: applicants must prove to the SAFETY Act office that the security capability in question offers substantial utility and effectiveness and is immediately available for use, among other factors. Over the years, proposals have been made to extend the SAFETY Act beyond terrorism to cyber incidents, most recently by Sen. Steve Daines (R-Mont.). We need investment from private-sector organizations in defending their own systems against these sorts of attacks. Amending the SAFETY Act to cover state actor-initiated cyber attacks would be a key mechanism for incentivizing that investment.

Conclusion

Notwithstanding a rapidly increasing level of business, technology, threat and regulatory complexity, building an effective security program is both possible and necessary. Doing so requires continuous, disciplined private sector planning, enterprise-level alignment and focused effectiveness monitoring. Given the nature of the threat facing critical infrastructure, it is also imperative that the U.S. government provide meaningful capabilities and incentives to support private sector security risk management.

Attributions:

[1] Likewise, in the physical security domain, the benefits of globalization of travel, finance and communications also armed terrorist organizations with a more global reach for recruitment, financing and the operationalization of actual attacks. Airlines, entertainment companies and other private-sector firms are basically pawns targeted by terrorist groups to achieve geopolitical objectives.
[2] See https://www.dhs.gov/national-infrastructure-protection-plan.
[3] See https://www.fema.gov/national-preparedness-goal.
[4] See https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft.
[5] See https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
[6] See Testimony of John Flynn, Chief Information Security Officer, Uber Technologies, Inc., Senate Commerce Committee, Feb. 8, 2018, available at https://www.commerce.senate.gov/public/_cache/files/7d70e53e-73e9-4336-a100-67b233084f12/75728554E990488D71625DFA69B05494.uber---john-flynn---testimony.pdf
[7] See US-CERT Alert TA18-074A, "Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors," March 15, 2018, available at https://www.us-cert.gov/ncas/alerts/TA18-074A
[8] Four key factors inform security planning priorities: (1) actual risk reduction value, (2) ease of implementation, (3) efficiency gains, and (4) regulatory/legal drivers.
[9] See https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf.
[10] See https://attack.mitre.org/wiki/Main_Page.
[11] See http://www.aon.com/attachments/risk-services/Aon-OM-Reputation-Review-2012.pdf.
[12] See Id.
[13] See https://www.whitehouse.gov/briefings-statements/statement-press-secretary-25/.
[14] See https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros.
[15] See https://www.dni.gov/files/documents/Newsroom/Testimonies/2018-ATA---Unclassified-SSCI.pdf.
[16] See https://www.wired.com/story/korea-accountable-wannacry-nsa-eternal-blue/

About the author: Adam Isles is a Principal with The Chertoff Group, a Washington, D.C.-based risk consulting firm. Isles leads and manages security risk management engagements and oversees the development of the firm's security risk management methodology.
