CISO Calls For Sweeping Policy Changes To Address Cyber Concerns
Russian sanctions and a cyber security “moonshot” initiative were topics of discussion on the March 26 episode of “Task Force 7 Radio,” with host George Rettas and Turner Chief Information Security Officer (CISO) Peter Chronis.
In the show’s opening segment, Rettas referenced a March 15 WIRED Magazine article from Andy Greenberg on sanctions leveled at the Russian government by the Donald Trump administration.
Rettas said the sanctions came as many in the U.S. were “clamoring” for action against the Russians – long believed to have meddled in the 2016 presidential election. Rettas said Russian hackers are “emboldened to interfere in the internal matters of their adversaries.”
“Every American would agree,” Rettas said, “that interference, especially in elections, is completely unacceptable. We must do everything we can to ensure that it doesn’t happen again.”
See Related: Is Cryptocurrency Cyber Security's Next Big Threat?
The sanctions come from the U.S. Department of Treasury and are aimed at 19 individuals – public officials, private citizens and five Russian organizations. Rettas believes these named individuals are “acting to promote a tumultuous environment in the U.S., to escalate the culture war here.”
Rettas also cited a Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) joint statement suggesting that Russian cyber actors have been targeting critical infrastructure systems since at least March 2016.
In addressing cyber security professionals, the “TF7 Radio” host said, “What you do every day is imperative to the national security of the U.S. … It’s essential to (our) long-term security and survival.”
In the show’s remaining segments, Rettas was joined by Chronis, who has 15 years of experience using technology to manage risk. He’s developed cyber security technology that has prevented cyber threats, and has been a CISO in several public and Fortune 500 companies. He’s also the author of a recent book on cyber security called “The Cyber Conundrum.” The book suggests that our current capabilities are failing to address larger cyber issues.
Chronis said that the thesis of his book is that we require a “comprehensive and dramatic strategy to address cyber security challenges.” He calls it a “moonshot initiative,” much like the Space Race or the push to eradicate polio. Essentially, the moonshot calls for an abundance of extra effort.
Because the resulting strategy must be centralized, Chronis said that the “moonshot” must entail “unique sets of criteria,” from “centralized leadership” to a “vanguard movement that pushes and promotes a ground swell that is harnessed to get things done.”
“To solve this problem, it can’t be incremental,” Chronis said. “It needs to be comprehensive. And you can’t have a comprehensive solution in this scenario without a ‘moonshot.’”
The “TF7 Radio” guest called the current cyber security strategy between the public and private sectors “disjointed.” He suggests a policy that aligns the two.
“Speed to market over security is the norm today,” Chronis said. “We can’t address those types of challenges without a fundamental national strategy.”
Legislators Ready For Cyber?
On assessing the federal government’s ability to put forth a workable cyber plan, Chronis said, “I’ve spent a tremendous amount of time as a member of the National Technology Security Coalition in Washington, talking to members of Congress, members of the federal government. I see a lot of hesitation on the part of legislators in particular to venture into this space.”
He continued: “If we don’t have policy makers that are all in, we won’t end up having comprehensive solutions.”
Chronis said more must be done to bring the sectors together. “We need more technology thought leaders in the federal government, influencing and helping to influence the legislative agenda, the priorities of Congress. I think that’ll help,” he added.
Despite the push for more governmental cooperation, Chronis still said that, overall, “human beings haven’t figured out how to write software that’s free of security vulnerabilities, free of performance vulnerabilities.”
He added, “Part of the moonshot is to address that in a more comprehensive way… (That means) really baking security into the speed-to-market paradigm that we have right now.”
In making security a higher priority, Chronis even discussed the evolution of the Underwriters Laboratories – which helped to establish a safety framework for electricity in the late 1800s and early 1900s. He said electronics must be the same way, and those with the “UL” mark today indicate progress on that front.
Chronis also suggested thorough software testing before products make it to the marketplace, as well as establishing policies that create incentives for better security – with a preference to software and services that are tested and meet a minimum security standard. The Turner CISO said “that’s the world we need to be moving toward.”
Are humans a part of the cyber security problem? According to Chronis, they’re “certainly an element of it.” He used anecdotal evidence on the widespread adoption of smartphones without true security training (because the devices are so intuitive) as well as lengthy guides for these devices that can go unseen just because the security behind apps, devices, the IoT sphere, etc., are quite complex.
Chronis said security must be made easier for the consumer, which would help alleviate concerns across the board.
Privacy vs. Security
“If you take a look at the digital ecosystem today,” Chronis said, “there is a debate going on between privacy advocates and security advocates. Unfortunately, I don’t think they’re aligned.”
The “TF7 Radio” guest said that it’s especially apparent in the iPhone encryption case. Privacy advocates say: We can’t create technology capabilities that are abusive by design. Chronis said that means to protect citizens, foolproof solutions must be created that don’t allow people to reverse engineer their way into devices/data. Yet, government advocates say that if a real crime is committed, and lives are at stake, there is a pressing need to access the iPhone (or other device) to crack the case.
Chronis said that there does not appear to be a convergence of the two ideologies. “There has to be a balance for us to operate a company securely,” he suggested.
Rettas and Chronis spent the remaining minutes of the show discussing the security presence in media.
Chronis said that Sony wasn’t the first “smoking-hole” attack meant to destroy and interrupt the operations of a company, but it was the most high-profile. His hypothetical: “Imagine a world with geopolitical conflicts with an adversary, where they can take out legitimate news sources. Then all that’s left is fake news disseminating… Inside the eco chamber, the only thing available is propaganda – leading to mass confusion and a tremendous disruption…"
In closing, Chronis again called for tighter and more consistent information sharing to address a multitude of cyber issues.
The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.
To listen to this and past episodes of "Task Force 7 Radio," click here.
Find Chronis on LinkedIn, here.
Be Sure To Check Out: Overwhelming Majority Of Businesses Have No Cyber Incident Response Plan