CHARLOTTE – Every day, cyber attacks of some kind make headlines around the world. And they are only getting worse, so businesses as well as individuals must step up their efforts to fight back, warns a Charlotte tech executive who is a former White House chief information officer.

For example: News broke last week that China infiltrated U.S. companies including Amazon and Apple by compromising technology supply chains through a tiny microchip containing malware covertly installed on Supermicro motherboards. Almost 30 companies, including a major bank, government contractors, and Apple and Amazon, are supposedly affected by the malware contained within the microchip, which was found to have been inserted during the manufacturing process by what investigators and officials say were operatives of the People’s Liberation Army.

Despite Amazon, Apple, and Supermicro emailing statements disputing the reporting in the original story, Bloomberg’s reporting confirmed six current and former national security officials with prior knowledge of the discovery of the chips and the impact on each company.

“The supply chain is complex and security process often falters when there is complexity,” said Theresa Payton, a former White House CIO under President George W. Bush and current CEO of Charlotte-based Fortalice Solutions. “Audits and security frameworks can be helpful in finding threats and vulnerabilities but often these frameworks cannot foresee advanced threats from nation-states.”

If the reporting is accurate, said Payton, “this is a huge miss in the supply chain and there need to be hearings on the Hill and in other countries on this issue.”

What have we learned about cyber threats?

Risk management along the information technology supply chain has been among the top national security priorities since the tail end of the George W. Bush administration, said Payton. This is not a new risk, and cyber threats to national security and to corporate intellectual property are, sadly, now a regular concern. The cybersecurity industry is growing, both internally at organizations that are now investing resources into their own security teams and through the proliferation of security consultants and contractors, like Fortalice Solutions, that help government and business entities manage risk.

“People often forget about ‘the hardware’ as a potential threat vector,” said Payton.

Though hardware hacks are quite challenging to complete successfully, they are possible.  But because security teams prioritize defending against easier cyber threats, they often don’t focus on the hardware side.

The biggest risk to companies – and individuals – is always defined by the data that is most important to you or to the business, said Payton.  For individuals, this might be privacy or identity. For businesses, this could be customer data, intellectual property, and the company’s money in the bank.

“The reality is that business executives can’t outspend the [cybersecurity] issue,” said Payton, “and they must be prepared.”  Cybersecurity no longer exists in a vacuum, said Payton, and it must be elevated to the conversations held in the boardroom and with senior leadership as well as entire divisions, departments, and organizations.

“Cybersecurity is a team sport,” said Payton. “We’re all responsible.”

Mecklenburg County is an example

The threat is real. Anyone with a laptop and internet access can purchase a ransomware kit on the dark web for as little as $20. A ransomware attack nearly crippled Mecklenburg County during the time the county was deciding how to handle its data being held. The county was attacked successfully despite a strong system designed to prevent a cyber attack.

“Ransomware is the new normal,” said Payton.  “It’s one of the largest under-reported crimes happening around the globe.”  Access to malware and other malicious tools has expanded, as has the knowledge and understanding of how to use them.

Luckily, Mecklenburg County had strong leadership and a talented technology and security team that was structured to be able to respond to threats quickly, she added.

“They had practiced a digital disaster ransomware event and they had the cyber playbook on hand to help them recover,” said Payton. “It was not easy but they did a great job being transparent, communicating, executing against the playbook, and ultimately coming out of a bad situation with a reinforced security posture.”

Even the most sophisticated systems can be vulnerable, and cybercrime is increasing.  A report from Cybersecurity Ventures estimated the global impact of cybercrime as $6 trillion by 2021.

“Criminal syndicates are branching out into cyber because of its relatively low risk and high reward,” said Payton, and they’re targeting all kinds of businesses and individuals.  It’s not just nation-states that pose a risk to businesses, governments, elections, or individuals. Even though most people don’t believe they’re a target, every individual and company could potentially have something that cybercriminals may want.

The Internet of Things also opens new pathways for attackers to hack systems and steal privacy or identity data.  The topic is at the forefront of this week’s Southeast Region Cyber Security & Technology Symposium in Chapel Hill, led by the North Carolina Military Business Center (NCMBC).

“IoT is really taking the world by storm; there will be billions of devices attached to it in future,” said NCMBC Director Dennis Lewis. “This is a great breakthrough and it’s becoming an inherent part of our lives, but it’s also presenting more cybersecurity challenges.”

Safeguard strategies for individuals and businesses

“We may see a day in the next several years where the convergence of machine learning, behavior-based analytics, and artificial intelligence will instantly detect insider threat activities or wake up the moment malware is on a device,” said Payton.  “We’re not there yet.”

Of course, cybercriminals are also building and deploying AI and machine learning to implement workarounds for today’s popular security products and solutions, said Payton, so the back-and-forth of the cybersecurity arms race will continue.

“We cannot simply hide behind security products,” said Payton. “We need to deploy creative strategies that segment data, hide data, encrypt data, and render data useless in the event it is stolen.”

At the White House, Payton implemented a set of core strategies that set the foundation of cybersecurity.  (She now uses the same foundation in the private sector, working with the clients of Fortalice Solutions.) They include:

  • Admit all security measures are defeatable—Store your data differently like you would store your jewelry when you go on vacation.  Protect your data by storing it in places that would be more protected from criminals than standard places.
  • Understand adversarial targeting—Do you know the answer to key questions such as “who would want to steal my data” or “who would want to make my life miserable?”  Companies, like individuals, need to think about who would benefit from gaining access to their data.
  • Be on offense—Don’t wait for an attack to happen to implement a plan. Have a plan in place, and practice the scenarios that result from a cyber attack. Companies can simulate a cyber attack using their own security teams or by working with a security provider.

“It’s up to the user to trust, but verify,” said Payton, so blindly installing security products without implementing a strategy and plan to mitigate risk and respond should an attack occur is not an ideal use of resources.

Blockchain is an exciting new development, said Payton, but is not a silver bullet.  “Hackers are going to hack no matter what,” said Payton, “however, the adoption of blockchain to protect transactions and data both in transit and at rest will help provide better confidentiality of the data as well as the integrity of the data.”

There is real promise that emerging technologies will help us advance our security posture, said Payton, but a critical step in understanding cyber threats is accepting that technology, by design, is open and interoperable, which leaves technology open to hacking.