ROUNDTABLE: Mayorkas’ 60-day cybersecurity sprints win support; also a prove-it-to-me response

The Biden Administration is wasting no time fully re-engaging the federal government in cybersecurity.

Related: Supply-chains become top targets

Homeland Security Secretary Alejandro Mayorkas has assumed a very visible and vocal role. Mayorkas has been championing an extensive portfolio of initiatives to rally public-private collaboration to fend off cyber criminals and state-sponsored threat actors.

The need is great, of course. The Solarwinds hack and Microsoft Exchange breach, not to mention the latest rounds of massive thefts of personal data from Facebook and LinkedIn demonstrate this in spades.

Mayorkas announced a series of 60-day sprints to quell ransomware and to bolster the cyber defenses of industrial control systems, transportation networks and election systems. Mayorkas also pledged to increase the diversity of the Cybersecurity and Infrastructure Security Agency’s workforce, noting that roughly a third of CISA’s workers are part of minority groups.

This reminds me of how President Obama used his bully pulpit back in 2015 to promote accelerated sharing of threat intelligence and to push for a consumers’ bill of rights for online privacy.

Although public-private efforts have continued, any added momentum initiated by the Obama administration was undermined by the Trump administration. Secretary Mayorka is attempting to pick up where the Obama administration left off. Last Watchdog asked a roundtable of industry experts for their reaction. Here’s what they said, edited for clarity and length:

Karthik Krishnan, CEO of Concentric.ai

While Mayorkas didn’t explicitly refer to the agile software project management framework, ‘sprints’ are a big part of agile. By co-opting the term, he’s signaling that he’s serious about getting things done. His focus on ransomware ought to inspire cross-disciplinary solutions across the industry.

A unified response would combine and focus disparate security technologies ranging from IAM to forensics to data access governance on the problem. Cross-pollination drives innovation and we’ll all benefit from it . . . I’m excited by his visionary focus on diversity as a source for cyber talent. We need expertise, and that expertise can, and should, come from all corners of our society.

Mario Vuksan, CEO ReversingLabs

The 60-day sprint language is a truly refreshing message coming out of DHS.  If past is to serve as a reference, the Federal Government is normally not associated with rapid software development.

Delivering on that cadence has a potential of truly aligning defenders around the same mission.  We can now start imagining rapid movement from policy to action.  Whenever the Federal Government moves by example it has an incredible potential of leading by example.  The public as well as the commercial sector will follow suit.  As such targeting Ransomware is a reasonable first move.

Software producers and consumers need visibility, mandated quality checks and easy to understand trust scores.  Software must be examined for malicious intent and anomalous behaviors regardless of whether we have cooperation from software publishers.  Software equivalents of Dietary Notice Labels and FDA Side Effect disclosures are necessary.  Automating Software Assurance through binary analysis is the missing piece of Supply Chain trust assessment.

Ralph Pisani, President, Exabeam

My biggest takeaway from Secretary Myorkas’s announcement is that there must be a reckoning in the cybersecurity industry – and the sooner, the better . . . To me, the answer is not only the lack of knowledge about technology, but also about the lack of refined processes needed to find a breach.

It’s still a common misconception that insider threats are only disgruntled employees. The reality is that most cyberattacks start with trusted employee credentials that have been compromised. Especially in a post-pandemic economy, I hope that the 60-day sprints serve to show that identity is the new perimeter.

Credentials are keys to the kingdom, but if the industry doesn’t change, adversaries will storm the castle. My hope is that Secretary Mayorkas’ initiatives have a heavy focus on the importance of securing credentials and the cybersecurity industry takes that advice seriously and shifts their focus. It’s beyond time.

Chloé Messdaghi, Founder,  WeAreHackerz

An important immediate step to improving cybersecurity is having a more diverse talent pool with a wider set of backgrounds and experiences. Diversity, equity and inclusion (DEI) must be on the forefront of cybersecurity, and he’s very transparent about that, which is wonderful.

He missed a few points. He didn’t mention the need for added cybersecurity resources at the local level. Will local, county, and state governments receive the federal assistance they need to transition them to better cybersecurity?

He also failed to make it clear that ‘hackers’ does not equal ‘attackers.’ By failing to make that distinction, he’s throwing tens of thousands of independent cybersecurity researchers under the bus.  He also did not mention creating and enforcing vulnerability disclosure policies. The hacker community has been finding and reporting vulnerabilities for a very long time, and have been putting themselves at risk when helping the government and major organizations.

Edgard Capdevielle, CEO, Nozomi Networks.

Critical infrastructure security has never been more important. In the face of so many threats and attacks, like SolarWinds, Microsoft and the Florida water treatment facility hack, we must step up efforts to develop effective coordination and collaboration across government agencies and within the private sector so that all are working together, and not in a vacuum or at cross-purposes.

Public/private cooperation is critical too, and the efforts to drive this must be carefully designed so they are not too heavy-handed. New efforts must be effective without infringing on rights to privacy  or unintentionally making it harder, or even discouraging the private sector from working with the government. Partnership – and access to technology advancements that often come from smaller private vendors – is key.

John Dickson, Principal, Denim Group

It’s significant that the Secretary is weighing in this early into the Biden administration on the topic of cybersecurity, and not simply delegating that to the leadership at DHS CISA. That is a good sign. Appointing Deputy National Security Advisor for Cyber, Anne Neuberger, so early in the administration is another good sign.

From OPM to Shadow Brokers to Solar Winds, what will the upcoming Executive Order do differently than previous administrations? For example, concepts like collaboration and awareness have been central to DHS thinking for nearly two decades, but has that materially changed our trajectory in cyber? I’m not sure it has, at all.

In general, the Secretary said all the right things, checked all the boxes, but I felt the announcement was ‘light’ on actions and I didn’t see anything that jumped out at me that was innovative or potentially game changing.

Patryk Brozek, CEO, Fudo Security

Ransomware is a serious issue, but security is not just segmented to one attack vector. In our discussions with clients and CISOs we continue to hear that misuse of privileged access is their most serious security concern. Compromised credentials are still one of the leading causes of breaches, this was once again confirmed by Verizon’s DBIR 2020.

The future will see more attacks, and by various means including: hacking, brute forcing, credential stuffing, or privileged misuse. In other words, we must be careful not to assign one attack vector as more important than another.

The next few months will show us how the administration and the DHS’ plans will affect the public-private partnership across the economy. Plans to bolster CISA and mustering more cybersecurity talent is also a decisive step. There is also a need to utilize solutions that monitor critical control systems and critical access; this will be vital moving forward.

Rajiv Pimplaskar, Vice President, Veridium

Ransomware is a huge problem for governments and companies alike, and it’s great to see DHS implementing an agile mindset in response to such threats.

Ransomware attacks have increased by more than 72 percent in the past year!  This increase actually correlates to an increase in compromised credentials from infected personal computers and devices.  Many home computers have, in fact, been infected for years, but what has changed recently is that they are now carrying ‘more interesting’ corporate data with the COVID19 pandemic and the abrupt shift to remote work.

There is an urgent need for stronger digital identity for employees and consumers.  However, this cannot happen at the expense of adding friction, as users are already stressed from the increased overhead of traditional Multi Factor Authentication (MFA) solutions.

Bill O’Neill, VP of Public Sector, Centrify

Hopefully, this should spark further dialogue toward a national standard that protects consumer privacy and gives individuals control over how their data is used. We advocate for organizations to adopt a least privilege approach to reduce unnecessary and potentially damaging lateral movement inside of networks, in addition to using solutions that enable secure remote access to data centers and cloud-based infrastructure.

With these key issues in play, it’s great to see momentum gathering in Washington through Myorkas’ sprints that provide major regulatory change to better protect government organizations and constituents alike. Another example, if passed, is the Improving Digital Identity Act of 2020, which will direct the National Institute of Standards and Technology (NIST) to create new standards for digital identity verification services across government agencies.

Jonathan Couch, SVP of Strategy, ThreatQuotient

The sprint areas are in line with where I think we, nationally and globally, need to focus our efforts. Ransomware and Industrial Control Systems are two areas that have caused severe issues in the past and will continue to be a major focus of threat actors in 2021 and beyond.

While I was very pleased to hear about the focus on these areas, I was also left very underwhelmed with the actual plan of action. It left me with many questions and wondering if this initiative will actually do some good . . . What are the goals associated with each sprint? How will state and local governments and commercial industry benefit?

There was a lot of talk about diversity and inclusion in the workforce, which is great for workforce development, but what will these groups be doing to address ransomware, ICS, transportation, and election security?

Eddy Bobritsky, CEO, Minerva Labs

We are happy to see that the problem of ransomware attacks is being taken seriously by the government. As Mayrokas stated, threat actors ruthlessly target all kinds of organizations for ransomware attacks, and we have seen an increase of such attacks during the pandemic.

Most cybersecurity solutions rely on detection and response, while the most risky attacks are evasive and can’t be detected. That’s why it is important to take these threats seriously and aim for prevention, before the malware can penetrate the organization’s environment.

The threat actors are becoming smarter and faster, and the world can’t keep relying on detection and response. It only takes one successful penetration attempt to result in a lot of damage to an organization. We need to prevent and protect first, and detect and analyze later.

Adam Gordon, Edutainer at ITProTV

Risk and change are inextricably linked, but we often view them as elements that have no connections or logical association with each other. The innovative element that Secretary Mayorkas has built into his vision is the creation of a simple cause-and-effect driven bond. The most crucial element of all is awareness. Awareness is an enabler of directed, purposeful action to drive problem solving and transformation.

Secretary Mayorkas identified the exact catalyst to unlock the potential he has articulated in his remarks, “For too long, cybersecurity has been seen as a technical challenge couched in bureaucratic terms. But cybersecurity is not about protecting an abstract cyberspace. Cybersecurity is about protecting the American people and the services and infrastructure on which we rely.”

If the Biden administration, Secretary Mayorkas and the DHS can individually and collectively keep their eye on the ball, then the opportunity to enable stronger cyber resiliency through smart goals makes sense.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

 

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/roundtable-mayorkas-60-day-cybersecurity-sprints-win-support-also-a-prove-it-to-me-response/