“Minnesota is adding tech jobs at the greatest rate of anywhere in the country,” declared Suzanne Spaulding, Under Secretary for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security, a keynote speaker at Cyber Security Summit 2016 in Minneapolis. The flip side of that coin with regard to cyber security, she noted, is that “vibrancy makes us an attractive target.”
During her speech, Ms. Spaulding recited a litany of bad actors driven to wreak havoc: nation-states, cyber criminals, terrorists and political groups each are spurred on by their own motives. Russia, China, Iran and North Korea are among the nation-states aggressively seeking to penetrate U.S. cyber defenses to steal assets and damage infrastructure.
She attributed to a Russian company recent cyber hacks of the Democratic National Committee that were designed to influence voter registration processes in two states. Attackers bent on manipulating results of American elections “misunderstand the strength of the American electorate.” Voting machines across the country vary by design, and they’re protected from tampering, she said. Voter faith in registration integrity is critical to prevent lack of confidence among American voters.
Profit motive drives cyber criminal states in Eastern Europe, the source of increasingly sophisticated ransomware attacks. Political hackers seek to disrupt infrastructure of their chosen enemies. Terrorists use the Internet to recruit and attack officials and other targets.
In 2016, there have been 100,000 incident reports so far. Information-sharing is going on with countries around the world. Owing to mushrooming growth in the number of devices that communicate with other devices, “the Internet of Things has dwarfed the regular Internet.” Ms. Spaulding said there may be 50 billion devices by 2020.
“How should I be thinking about the threat?” she asked. “Assess your risk. Start with consequences. Mission-essential functions must be included in your business resilience (plan).” Consider marketing and other critical elements.
“How could a cyberattack affect data confidentiality and reliability? Control system disruptions and access to your data?”
Another looming concern is the interplay between cyber functionality and physical devices – “what the computer facilitates.” Ms. Spaulding cited old-school knowledge and techniques as a remedy to some threats. For example, last December a cyberattack in Ukraine brought down the power grid. Some 250,000 Russian citizens were without power in the dead of winter. Technicians had to revert to old-school techniques, manually throwing on breakers, which returned the system to functionality in about six hours.
Ms. Spaulding’s DHS division, the National Protection and Programs Directorate, is charged with safeguarding 16 identified sectors that maintain our way of life. Its scope merges issues both physical and cyber, and it facilitates regional information sharing across the country.
“NPPD made the private sector a full partner in solving security challenges,” she said, adding that medium and small electrical companies are connected to the network, with incident response playing a central role.
Machine-to-machine information-sharing is coming into practice. As IoT dynamics expand the universe of devices, Spaulding’s team is recruiting companies to join an automated information-sharing network. When one machine in the system is pinged, an alert goes out immediately to all other machines in the network.
“Adversaries can try something once, and only once,” Ms. Spaulding said.
Partial solutions include understanding inter-dependencies, such as relationships with vendors, joining information-sharing bodies and collaborating with private sector companies.
Protected Critical Infrastructure Information (PCII), a Homeland Security program started in 2002, built “a trust relationship we have with private companies” to encourage information sharing, she said.
“We work to try to get the market to be a more effective driver of cyber security. We’re not looking for new additional regulations.”
Ms. Spaulding listed several examples:
- “Insurance can be a driver,” she said, noting that little actuarial data exists owing to companies’ reluctance to share information about cyberattacks. The goal is to establish a third-party repository with anonymous reporting data available to all.
- Investors should pay attention to the cyber security status of companies whose stock they may buy.
- Her division is looking to Underwriter’s Laboratory to guarantee product cyber security.
A recent clarification that more clearly defined the duties of federal agencies regarding cyber security may encourage citizens and other stakeholders to engage and seek help.
The Department of Homeland Security “has the lead for asset response, to stop the loss.”
The FBI’s role is to identify the perpetrators, and the intelligence community is trying to understand what happened, to predict and prevent future incidents.
“Security is a C-level issue, a risk management issue,” Ms. Spaulding noted. “IT is not policymakers, (they’re) not running the business.”
If you need help, trust your instincts, she added. And call any federal agency you may be comfortable with.
“At times, we (federal agencies) all go in together.”