Inside Job

Many experts say the “human element” in cybersecurity is responsible for 80 percent or more of the incidents that take place.

 

A news headline announces yet another breach of consumer data, one where the personal information (perhaps credit cards and customer transactions, identifying records, even credit scores) are scooped out of what was supposed to be a secure spot on the internet.

Someone has clearly messed up, but we’re not sure how and, worse, we’re not sure the corporation who was responsible for the safety of that now stolen data is prepared to make sure it doesn’t happen again.

More to the point, the company itself doesn’t seem to be sure.

And what about the security of information, stored in servers located who knows where, that drives systems and facilities like power plants or even airports?

In a world where bad people are seemingly running amok, how can we be sure that the data is secure and protected?

And can we be sure the information we count on to pursue our goals and dreams is protected?

We start with Maj. Gen. Mike Stone, currently the assistant adjutant general-installations for the Michigan National Guard. As the state’s Dual Status Commander for domestic response situations, Stone is responsible for Army armories and installations, strategic communications, strategic level cyber initiatives, and National Guard employment initiatives.

No place is truly safe
From Stone’s perspective, protecting electronic systems, whether they’re at the government level or anywhere else that’s connected to the internet, starts first with a basic assumption that no place is impenetrable from malicious hacking.

“You will waste a lot of time and energy dwelling on whether someone can get in to your systems,” he said. “Assume everything and every system can be compromised.”

From that point, the questions become related to what is the information being stored, who would want access to it, and is it worth the time and effort for them to acquire it.

What is clear when talking with people like Stone and others is that there is very much a community of experts involved in either directly protecting data online or establishing ways that others can do the same.

One of those is Rajiv Das, the chief security officer for the State of Michigan, who understands that the critical issue on his plate is a data breach, the penetration of online systems.

“We focus all of our preventive work and our security efforts around preventing those from happening,” said Das, who has been in his role for about two years, coming from the technology consulting sector.

With responsibility for the wide range of systems under the state umbrella—including Treasury, Lottery, Corrections, and Transportation—Das says one of the most important ways he and his staff can reduce the risk of a data breach occurring, is to improve what he calls the “cybersecurity posture.”

Das sees keeping the trust of the citizens of Michigan as one of his primary goals.

Prevention of a data breach is the second part of an ongoing strategy, one that includes adoption of layered security steps, as well as continuous monitoring of networks. Das and his team are also looking for so-called “phishing” emails, a technique often used as a fraudulent attempt to have the recipient give out sensitive information, including user names, passwords, and even credit card information.

“We analyze those attempts when we see them and take corrective action,” said Das.

 

Both military and civilian cybersecurity officials are seen working one of the multiple exercises that are conducted every year. The purpose of these ongoing exercises is to make sure authorities are able to plug any “holes” that could lead to breaches of data security before they occur.

 

Social engineering is much of the problem
Phishing and other forms of attempts to get information or even control related to information online are known as “social engineering” and Das and his group have a strategy designed to reduce the number of attempts that ultimately become successful.

“We do it with a structured training program that we roll out to about 55,000 state employees on a regular basis,” said Das.

His group also uses “phishing campaigns” to help educate employees around ways they can protect against the type of breach a malicious attempt would achieve.

The strategy is nothing new for Das and his group, who have been proactive on the issue for about four years and who in October will gather for an annual cybersecurity summit. This year’s event will be October 17 at the Amway Hotel in Grand Rapids.

Twelve days later, on October 29, Michigan will host the North American International Cyber Summit at Cobo Center.

These events seem to reflect a community perspective that’s widely held by those who see cybersecurity as something that gets better when more people participate in a consistent strategy to protect online information.

One of those is Joe Adams, vice president of research and cybersecurity at Merit Networks, the state’s research and educational network, and the oldest and largest in the country.

Started in 1966 through a collaboration between Michigan State, University of Michigan, and Wayne State, Merit had a foundational role in building out the internet, operating the network operations center before commercialization took place in the early 1990s.

Today, Merit, a nonprofit that is owned by Michigan’s 12 public universities, serves all K-12 school districts in the state, as well as its community colleges.

Adams, who joined Merit five years ago, had previously served as its interim CEO. He is the former chief information officer at the National Defense University and an associate professor at the United States Military Academy, having earned his doctorate in computer engineering from Virginia Tech.

Today, one of Adams’ principle contributions has been the building of the Michigan Cyber Range, a virtual training and exercise platform that leverages Merit’s 4,000 miles of fiber network that exists throughout Michigan, Ohio and Wisconsin.

With that, Adams said, a barrier to accessing cybersecurity education was broken.

Working together makes us all stronger
“We’ve been able to build community and we do that by providing the content necessary to qualify people for jobs in the field,” said Adams, talking about key initiatives such as workforce development through certification and training.

“We’re working hard to put these folks in a position where they’re qualified and can get interviews with employers,” he added.

Adams’ role goes beyond cybersecurity, however.

“A lot of my job includes taking someone who has an interest in IT and teaching them how to do that securely.”

The former military part of Adams (he retired with the rank of colonel) is a strong believer in a “crawl, walk, run” mentality of getting better at what you do.

“In the crawl phase, we introduce the tools and techniques,” he said. “In walk, it’s about working with groups and relying on other people’s skillsets. And in run, that’s where we’re into the softer skills, where you start seeing the flashy cyber exercises.”

Adams says having a better understanding of what people are actually exposing themselves to when it comes to cybersecurity issues might be a good first step.

“We’ve stuffed our lives into the ether and that’s a broad attack surface where we’ve exposed ourselves to hackers,” he says. “But we’re also exposed to natural disasters and just plain bad planning.”

One of the areas that has Adams’ attention is electronic voting and specifically the vulnerability made possible by the fact that a significant number of counties in Michigan—about 15 percent, representing about 10,000 voters—have no backup, obviously a concern in light of news reports (and speculation) around hacking by so-called “state actors.”

“You wouldn’t have to change those results by much to affect an election,” said Adams.

At another level—how governments are equipped to respond to data vulnerable from natural disasters—Merit stepped up during Hurricane Sandy, which hit the East Coast in 2012.

Faced with a potential loss of ALL its data, the state of New Jersey reached out to Merit, which had just four hours to successfully back up the entire repository of data, becoming its disaster recovery center.

“We have a relationship there,” said Adams. “They picked up the phone and said ‘help’ and we were happy to do so.”

Cooperation is key
Maj. Gen. Mike Stone relies on the kind of interagency cooperation he gets from members of the Michigan Civilian Cyber Corps, more than 50 vetted experts who train with the Michigan National Guard and police, participating in tabletop exercises that are made possible in no small part by Merit.

The cost of putting on the kind of exercise that took place last fall at Cobo Center and involving 10 states, and eight foreign countries, is almost unbelievably low—about $30,000.

Stone was also asked to participate in an exercise for the City of Houston, the scenario being a deliberate cyberattack, concurrent with a hurricane hitting the city and closing the Port of Houston, which translates into millions of dollars a day in lost revenue.

On the civilian side of the cybersecurity issue are people like David King, CEO of Red Level Networks, which is based in Novi, Mich.

“Because we’re human, without the training to know and understand what to do, we tend to open things online that we shouldn’t,” he said, making the point that 80 percent of security breaches are somehow related to the human element.

With phishing being the primary method for online attacks, monitoring the responses of employees to those attacks and putting user training in place to reduce the impact is a strategic move.

“We focus on the quick identification of a breach,” said King, who makes the point that it takes an average of 270 days before a breach is actually detected.

For King’s company, the overwhelming need for robust security practices has resulted in the transformation of Red Level Networks into a managed security service provider, with IT services becoming part of that offering.

“It’s a change in not only our industry, but in business as well,” said King.

There’s also the legal implications of cybersecurity to be considered, which is why folks like Jeffrey May and Claudia Rast are kept so busy.

May is an associate attorney with Kerr Russell, a firm with offices in Detroit, Troy and China. His graduate degree in Information Technology, coupled with his law degree, helps him deal with clients concerned with data breaches and the protection of their customers’ data.

“We also work with them on questions about who they have to report to, and when, if a data breach occurs,” he adds, noting that the procedures and responses are on a case-by-case basis.

Understanding the statutory requirements flows through to areas like the new General Data Protection Regulation, a legal framework whereby the European Union has set guidelines for the collection and processing of personal information of individuals.

“That’s a big one right now and it’s driving security discussions, with companies having to be clear about the data they’re collecting, using and storing and how they respond to customer queries,” said May.

How blockchain could make a difference
Claudia Rast, an attorney with Butzel Long’s Ann Arbor office, has put her background in forensics, IT environments and security to good use for clients with concerns around cybersecurity.

“Theft is one thing, but we’re also moving into an era where it’s the corruption and manipulation of data that is
having a significant impact,” said Rast.

Think about the effect of an intrusion into company networks, where the terms of a deal are adjusted or the balance of negotiations is altered, and it doesn’t take long for the sweat to break out.

It is one reason why blockchain (the underlying technology for cryptocurrencies) could be something of a savior when it comes to keeping an impenetrable lock on contracts (often called “smart contracts”), largely because of the
nature of how blockchain transactions are sealed.

The methodology—known as a hash, that comes before and after a digital record of a transaction—may not be perfect for all data, but it is at least a bright light for some forms of data records that might otherwise be subject to hacking.

“Frankly, you want parties that you may not trust to be part of a blockchain,” said Rast. “It makes them step up to the ‘authentic’ world.”

So should we be worried?
Experts like Joe Adams of Merit might suggest turning worry into a highly tuned sensitivity would be a better course of action.

The good news is that a growing community of cybersecurity warriors is committed—working collaboratively and without ceasing—to keeping an eye on things and training the rest of us to take better care of how we treat our own data and that of others.