Cybersecurity in the Wake of Ukraine
On this episode of The View With Vizard, Mike Vizard talks with Conquest Cyber President & Chairman Jeffrey Engle as he explains what will be required to defend companies against attacks from nation-states in the wake of the invasion of Ukraine. The video is below followed by a transcript of the conversation.
Mike Vizard: Hey, guys. Thanks for the throw. We’re here with Jeff Engle who is president and chairman of Conquest Cyber. They are a provider of a cyber security as a service platform and we’ll get into what that means and all the details thereof. But Jeff, welcome to the show.
Jeffrey Engle: Thanks for having me.
Vizard: We hear a lot about the Ukraine these days, and so my first question to you is what should companies really be thinking about here when it comes to cyber security these days? ‘Cause we’re all anticipating some major attacks. They have not, at least as far as we know, happened yet, but maybe they will. So what’s going on?
Engle: So we’re definitely seeing an uptick in activity across all of the critical infrastructure sectors that the Department of Homeland Security has identified. Organizations should be thinking that they’re either likely already being targeted, may already have been breached and just not be aware of it, or they’re on someone’s list overseas or even in the United States to be exploited eventually. So they should be thinking about the fact that they’re a part of this conflict, whether they’re fully aware of it or not, and they need to start prioritizing what their most important assets are so they can properly protect those.
Vizard: Do you think that there are areas that people are just not paying attention to or have not? We’ve been dealing with cyber security issues forever and a day and every time there’s an incident, we always say, “This is the wakeup call.” And then a lot of people just roll over and go back to sleep, anyway. So my question to you is what makes this scenario any different than previous scenarios?
Engle: Well, this is the real normalization of cyber as a domain of warfare, so I think that’s the critical element of this that there needs to be broad recognition. But there is a really significant risk of the 400,000-plus organizations within the US taking this as a wakeup call to start doing something, but as soon as this conflict ends, going back to business as usual. And there are a number of areas that are just not getting the attention that they need.
Really the connection between risk and operations, the appropriate patching of critical assets, the planning and practicing for response and recovery. None of those areas are really given the level of business attention that is needed in order to build resiliency against scenarios like this in the future. And it really has made the organizations and the critical infrastructure sectors that are non-governmentally controlled the soft underbelly that’s now becoming part of the geopolitical conflicts.
The example here is the Colonial Pipeline. That was essentially a shot across the bow that if you were to engage in more active kinetic activity in response to Russia’s invasion of Ukraine, you would likely see greater and more significant attacks against oil and gas infrastructure in the US by the more robust capability that the Russian government and their proxies bring to bear.
So we are part of this conflict, whether you’re a commercial services provider around oil and gas, healthcare, financial services, a state and local government entity, or are operating at the federal level, we’re really all in this together and any weak link in that ecosystem could be the reason that an exploitation occurs that fundamentally changes the way of life for everyday Americans.
Vizard: A lot of folks I talk to don’t believe they have the capability to defend themselves against a nation state or their proxy. The assumption is that those guys have skills that are beyond the capabilities of the average organization, whereas it may be able to defend itself against your average script kiddie or some fraud kind of mechanism, but that this is just too big a challenge. Is that a real assessment or is there things that can be done at this level?
Engle: Well, I think there’s a number of fallacious arguments associated with that statement. One, I think on the backside of it, the script kiddies, what we just saw with the Lapsus$ group and the activities that they did, those are literally the definition of script kiddies. And they were able to take down and breach Okta, and Nvidia, and a number of other significant organizations that are dumping tens of millions of dollars, if not more, into their cyber security program, and probably have a more robust cyber posture than most government entities.
So when you look at that, I think the dividing line between the capacity of a script kiddie and a nation state has really started to blur. At the same time, organizations can definitively defend themselves against kind of the spray type of attack. So when you’re one of 400,000 critical infrastructure sector organizations, you just have to be a little bit harder to gain access to in order for them to say, “I’m gonna move past you,” unless you’re intentionally being targeted by that nation state.
In those cases where you’re intentionally being targeted by the nation state, it probably has something to do with your organizational activity, your profile, and that’s where you definitively have to make greater investments in building a stronger cyber posture. But if a 17-year-old in London or in Oxford can break into the most sophisticated cyber security companies and governments, then we would think that our security programs would have a heightened ability to defend against the equivalence on the other side of the chess board.
Vizard: Do you think a lot of the damage that might be inflicted is more of a collateral nature? ‘Cause some of these attacks get launched at one entity and then they wind up just spreading out because they don’t really have that much control over where the malware winds up, at the end of the day. And the next thing you know, you could be halfway around the world and have nothing to do with this conflict and suddenly be hit by something.
Engle: I think there’s definitely a possibility of that and I think there are capabilities that are being tested and developed in this cyber conflict that will ultimately get repurposed for use outside of it. So I think the attack surface has fundamentally changed over the past decade from both a defender and an attacker standpoint. And I think we’ve seen an acceleration based off how this conflict has evolved both with the nation state cyber activity and against critical infrastructure leading up to it and then the counter attacks, as well as the use of proxies across the board.
Many of the tools that are being developed, that are being actively used, being tested, and the techniques that are being proven out, really we need to do a deep and constant forensic analysis on how those are playing out and use that to build into our cyber defenses. Because to your point, where it starts may be very targeted and where it ends up really is based on the connectivity of the Internet that goes everywhere.
Vizard: Mm-hmm. Do you think the average organization has the ability to defend itself? A lot of times, I’ve talked to folks in the past and they’re kind of, “Well, cyber security is too important to give it to somebody else to manage.” And yet, they don’t have the resources internally to do it themselves. So are we reaching some sort of inflection point where security really needs to be consumed as a service because I just can’t fight the fight, anymore?
Engle: Yeah, I think there’s critical elements of collective defense that has to be broadly understood. If you’re monitoring your network, then you only know when you got specifically attacked. When you’re working with a trusted partner ecosystem, then you’re gonna have visibility into when any of those organizations might have been attacked, and then you can take the collective resources of that centralized hub and apply the defenses across the entire ecosystem. So that’s one aspect of it I think that if you have trusted partners, then they can add value to you.
At the same time, no organization is actually doing their cyber security internally. They can believe they have their own 24/7 security operation center. They can deploy all of the tools themselves. But ultimately, there are access points into those technologies, into their supply chain, that enable access from outside that they just can’t monitor. So supply chain, and third party, and service provider, and subsidiary risk, and those organizations and technologies as access points into the environment are going to exist regardless of whether or not you feel as a CISO that you’ve got centralized control over your security program.
And if you take that route, you’re always going to have an issue with visibility into what is coming. Even through purchase of the best threat intelligence feeds, there’s nothing like being able to see an attack on one point of an ecosystem, being able to respond to that attack, and then apply the protective measures across that entire ecosystem.
Vizard: Do you think that the playing field is going to get leveler in the future? And I’m asking the question because we hear a lot about AI and we hear a lot about automation, and maybe that will be our salvation going forward, or is this just gonna be an arms race forever and a day?
Engle: I think it’s gonna be an arms race forever and a day. I mean, as we developed a capacity during World War II for mass destruction, our counterparts then developed that capacity and we ended up back in a stalemate. I think there’s always going to be an effort to seek an advantage which ultimately drives the establishment of some equilibrium in the system. So the incremental capacity advantage that an organization, or a government, or an entity might enjoy is always gonna be something that’s fought for in a spy versus spy type of world that we live in in cyberspace.
Vizard: So what’s your best advice to folks? What should they be thinking about today and what should they be driving for? I mean, ’cause it can be daunting, and sometimes you just throw up your hands and most business executives are, “Well, it’s dangerous crossing the street, so cybersecurity is just as dangerous, so it’s a business risk and we’ll just assume that if we get hit, we’ll hopefully have insurance.”
Engle: Yeah. I think everyone needs to start shifting their mindset to resiliency. Yes, there is risk associated with being connected to the Internet. There’s also business advantage to it. The use of technology reduces the number of employees that you need. There’s numerous advantages to accepting a level of cyber risk, but that doesn’t negate the moral and fiduciary obligation, particularly in organizations that are across critical infrastructure from preventing everything that’s reasonably predicted within their business constraints and having mechanisms in place to be able to adapt to everything else.
You would think if you build a building in South Florida and you don’t have hurricane glass on that building, you’re probably going to be held liable in the event that you have that type of damage and you won’t get insured. That’s just really what we’re seeing in cyberspace now. If you don’t have minimum controls in place, cyber insurers aren’t willing to take the risk.
So as we move forward, I think we’re gonna see more equivalency to building codes being established around cyber and I think that’s a healthy thing. It needs to be built into the calculus in business. You can’t just do nothing. You can’t transfer all of the risk because your business and your shareholders, all of those entities that that supports, you have to at least do your due diligence and then take appropriate action. And that doesn’t mean sticking your head in the sand or thinking if it’s a nation state, we can’t do anything.
There is a lot that can be done to prevent scenarios from happening, be able to detect them early, and then being able to respond in a way that protects both your business, and your shareholder value. And ultimately, if you need insurance, at that point, they’re more likely to pay you if you’ve at least done your basic due diligence.
Vizard: And as part of the resilience, it’s all about the recovery process, too, because I think you should expect to get hit at some level. It’s gonna happen. The question is how quickly can you respond, contain it, and then get the business back up to where it should be, and hopefully minimize the disruption, right?
Engle: Absolutely. To your point, cyber is not an IT issue, anymore. It is just a part of business. You wouldn’t expect a CEO to only look at his financials once every year in a board meeting where he didn’t prepare and understand the in-depth nature of those, making sure that he’s hitting targets. I think we’re going to start to see more cyber risk, and posture management, and resiliency take an equivalent status to some of the financial aspects of business.
Because recovery isn’t just activating your backups and cutting over. Recovery is cross-reputational, strategic operational, financial, and external elements of business risk that ultimately, if done well, it can be a catalyst for growth. And if not given the appropriate due diligence ahead of time, it will be the reason that businesses no longer exist.
Vizard: I agree. Hey, Jeff, thanks for being on the show and sharing your knowledge and insight.
Engle: No, my pleasure. Thanks for having me.
Vizard: All right, back to you guys in the studio.