On 18 May, teissTalk host Jenny Radcliffe was joined by a panel of four cybersecurity experts in a wide-ranging discussion that covered government actions, ransomware attacks and the future of the CISO.
Will Joe Biden’s new cybersecurity executive order change the IT landscape?
The executive order, even if its impact is mostly limited to federal institutions and their contractors, is a milestone in cybersecurity legislation. Thanks to major ransomware attacks against key US infrastructure and the Vice President’s advocacy of reasonable security and compliance with CIS (Center for Internet Security) controls, going back to her days as Attorney General in California, the Biden administration is expected to put the fight against cyber-attacks at the top of its legislative and law-enforcement agenda.
The fact that the executive order talks about IoT security standards also suggests that we’re witnessing a watershed moment. Although the executive order’s main objective is to make federal institutions and their supply chains more transparent, it’s very unlikely to leave the rest of the private sector intact in the long run.
Mandatory disclosure of data breaches and hacks has already existed in critical industries such as pharmaceuticals and healthcare. Now, as a result of the executive order, an even wider circle of institutions and private enterprises will need to comply.
Internet providers can also play a more prominent role in fighting cybercrime in the future by blocking internet traffic coming from rogue states and known threat actors.
Governments, automation and people: the three pillars of cyber-defence
Ransomware attacks were originally driven by financial gain. However, as the number of incidents disrupting critical infrastructure and threatening human lives is growing fast, it increasingly needs to be seen as a form of cyberterrorism. As the perpetrators of cybercrime are often financed or even commissioned by nation states, governments of western democracies have recently taken a firmer stance on putting up a fight against them.
The UK’s Integrated Defence Review, published in March, “reserves the right” to use nuclear weapons against “emerging technologies that could have a comparable impact” to chemical, biological or other nuclear weapons, although it’s not completely clear whether this was meant to cover cyber-attacks.
Meanwhile, in a statement, the US administration didn’t rule out authorising a kinetic response, or, in other words, active warfare in the event of a large-scale cyber-attack by a nation state.
Attribution, however, is much trickier in the case of cyber-attacks than in traditional warfare; therefore, to avoid escalation and a potential cyber war, retaliation must be only the very last resort.
The current situation, where private businesses need to defend themselves against nation-state threat actors without the support of the state, is unprecedented. Therefore, what the business sector needs in order to tackle cyber threats better is a more active cyber-defence posture adopted by their governments.
There have already been examples in the past of governments providing protection for private enterprises to ensure the uninterrupted flow of global trade on the Mediterranean or the Atlantic. Businesses need a similar kind of support now in cyberspace.
Although for small and medium-sized businesses the scope for cyber defence is much more limited for lack of human and financial resources, automation and the use of secure software and multi-factor authentication can go a long way.
As about 85 per cent of all breaches start with an employee clicking on an attachment or link that they shouldn’t, taking the human element out of the cyber threat equation is key. With the number of breaches in the cloud exceeding those on premises for the first time ever, cloud security is another area that needs to move to the forefront of the fight against cybercrime.
What will the CISO of the future be like?
The role of the CISO has changed a lot over time. Originally the CISO was seen as a compliance and risk guru. Forrester has identified five further types of CISO (transformational, post-breach, tactical/operational, steady state and customer-facing evangelist), which will probably whittle down to no more than two or three as the role matures.
Demonstrating some self-deprecating humour, CISOs sometimes refer to themselves as the Crisis-Induced Sacrificial Officer, which points to the irony that people fulfilling this role are often held responsible for incidents that are beyond their control.
In the future, CISOs will probably have more leverage and will increasingly report directly to the board. For this relatively new role to become more established, CISOs need to see and evaluate their own performance through the eyes of CEOs, asking themselves how many customers their efforts helped the business to attract and retain.