IFSEC Global Influencer Talks All Things Cyber Security
From private to public sector to emerging tech to talent crisis and more
Attackers are becoming more sophisticated and so are threats, which is why technology can sometimes be a double-edged sword according to Chuck Brooks, Principal Market Growth Strategist for General Dynamics Mission Systems for Cyber Security, and the IFSEC Global #2 ranked Cyber Security Influencer for 2018. He joined Monday night’s episode #69 of Task Force 7 Radio, with host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies.
Brooks’ background consists of a mix of government, industry, media and academia roles. He started out in Chicago and headed to Washington D.C. to start his career in government and politics. Cyber security didn’t come up on his radar until 2004 in the Department of Homeland Security. They had created a cyber division then (that was not well-funded at first), which has now become one of DHS’ biggest missions. That quickly led to what Brooks now refers to himself as being a ‘cyber security junkie.’
Some of Brooks’ accolades consist of:
-Named by IFSEC as #2 Global Cyber Security Influencer
-Named by Thomson Reuters as a ‘Top 50 Social Influencer in Risk, Compliance.’
-Two-time Presidential Appointee
-Named top person to follow in tech by LinkedIn
-Cyber security marketer of the year
-MIT Technology Review Advisory panelist
-Cyber Start Up Observatory Hall of Fame, and more.
Brooks is also part of the adjunct faculty at Georgetown University, so far teaching courses such as risk management and cyber security, pulling from his background in both government and private sector work.
According to Brooks there are several differences between working in government and private sector organizations. “Government missions are different,” he said. They deal with more with programs and protecting networks, whereas in the private industry, they’re protecting profits.
Another significant difference in government is that you’re dealing with classified materials. But Brooks noted, “I think that they both can learn from each other.” For example, the private sector should look more into protecting data versus just purely protecting profit.
Rettas posed a question about a big push for militarization in private cyber security that eventually died off: "What do you think of that?"
“I think everybody needs to be judged on an individual basis and not the fact that they come from a certain agency or department,” said Rettas.
Brooks agreed, however noted that both sectors are beginning to unify. “Just like everything else, if you’re looking at militarization, cyber is a form of warfare and when you’re in the government you have to look at all aspects including the implications of actually being the attacker or a defender. But on the commercial side, it’s actually more about defense,” Brooks said.
See Related: When Politics And Cyber Security Collide
Rettas then brought up some of the organizations that Brooks is affiliated with including mentoring with the air force and Georgetown University. “Mentoring is really rewarding for me,” said Brooks, who further explained that he has already taught some courses as well in risk management, and more recently a cyber security online course about blockchain.
“The students are fantastic,” he said as a lot of them are already in the industry part-time, “so it’s a two way street.” Brooks is learning from his students as well.
Emerging Technologies And Threats
Rettas opened up the second segment bringing up how “attackers are becoming more sophisticated and so are threats.”
Brooks talked more about how emerging threats are affecting businesses, how companies are combating the threats around IoT, cloud, mobile, and, third parties, and how new technologies being deployed as mitigating controls are actually introducing new threats into the environment.
See Related: “Cyber Security Challenges, Focuses 2019”
Brooks noted that along with more technology access (such as machine learning and AI), that can help organizations, but at the same time can also make hackers’ job of finding vulnerabilities much easier. Further, it doesn’t just include individual hackers anymore, but also state sponsored nations and organized crime. “It’s a dangerous environment out there,” he added.
Brooks agreed with Rettas that IoT is dangerous because there are no standards. With no standards, there’s no security built into these devices. It makes it difficult to protect these devices, which in turn can affect the full supply chain “as you have connectivity through the supply chain.”
Mobile is particularly dangerous as we move to 5G. “More people are operating off of mobile, so unless you separate the system from personal and work, it’s easily cross-contaminated,” he explained. Again, comes down to question of cost to consumers using mobile – should they pay for extra security hardware/software?
Rettas asked ‘how high on the prioritization list is third-party risk?’ “Near the top,” said Brooks. Even the government is looking at that he said, because it goes back to that full connected supply chain. For attackers, they’ll always look for the weakest point of entry. When you have variety of parties linked to a network, they go for them. He added that usually spear phishing is an easy entry. “One person opens it up and that’s all it takes.”
Rettas followed up on insider threats asking if it “gets the attention it deserves?” No, said Brooks citing insider threats as the number two reason for breaches. The problem is, it’s very difficult to detect. Employees have admin privileges and leave the company – they can always come back to it for example.
Brooks went on to talk about some of the biggest challenges in cyber security including the lack of talent resources, “just because so many companies out there just don’t have the ability to find or hire people.” And, it’s not just companies, it’s the government too, he shared. Until the issue is rectified, it’s going to remain a problem. Some companies are trying to fix the shortage through automation and other technologies but the fact is, computers are still hacked every 39 seconds and millions of dollars and records are stolen every minute — so for now, it’s not working … and it’s only going to get worse.
And in regards to the controversial talent crisis, “I think in the US alone, there’s a 300,000-person shortage.” The new generation doesn’t want to go into cyber security. “I think there’s a lot of effort being made from companies and academia, but it’s a catch up game,” Brooks said. Plus, the best people are poached.
Brooks noted that he’s looking at some of the more futuristic technologies for now such as cognitive technology and AI which he said are “down the line, but look promising.” Brooks also believes that eventually everything will be automated.
“We do machine learning, but not real AI yet,” said Brooks, who explained the other piece of technology he is looking at is quantum/super computing. “It’s getting closer. That could be a game-changer (solving the personnel crisis). Those are most exciting for me and every day there’s a new development to watch,” he said.
However, along with new technology comes new risks. First, people need to understand what the new technology does. Not only can new technology be used against you, vulnerabilities are typically exploited by attackers. In cyber security, you have to look at people, process and technology: Brooks reinforced, “The right people have to look at the tech and where they’re best integrated. If they’re not integrated properly, there’s more risk.”
The State Of Information Warfare
Rettas asked Brooks if there is a cyber war in the US with china and Russia right now.
“It depends on how you define it. If it’s pursuing weaknesses and detecting attacks – yes, that’s been going on for a decade or more,” said Brooks, who also noted that it’s typical of diplomacy and military actions.
According to Rettas, it may be more accurate to describe it as a cold cyber war. “That’s a good way of saying it,” agreed Brooks. However, Rettas brought up the notion that while the US is confident in its offensive capabilities, it is very vulnerable because every “facet of our society is connected to the internet. What’s it going to take for everyone to wake up to this and do something before the catastrophic event happens? Do you think the American people realize the repercussions of what a full scale cyber security attack would look like?” Rettas asked.
“I think it’s going to take something major, unfortunately. We tend to forget things very quickly (we think, it’s just another breach),” answered Brooks. “A lot of this stuff has been simulated, but Americans are walled off and continue with business as usual. No – we’re dependent on electronic devices, but we don’t pay attention to what could really change our lives and in what instance.”
And Brooks noted that it’s not just cyber, it’s physical too. So, what can the average American citizen do about it?
Brooks said, “You want to have ways to communicate to your family and loved ones if something does happen.” For example, Brooks explained an earthquake that happened in Virginia where no one knew what was going on, so phones were overloaded. Nothing was working except text. There are other ways to communicate, but he advises everyone to reinforce having enough batteries, food, and a plan if something does happen. He cautioned that after 9/11 happened the American people started to think about preparing for events like that, but “we have to do that for cyber too.”
“Preparation, business resiliency, continuity,” said Rettas, before he asked “How important is intelligence for cyber security programs to be successful?”
Brooks believes that it is a critical element, explaining that a very slow change is that there are more secret service in cyber security who know how to manage risk and look for vulnerabilities. They are being put in the C-suite, so “it’s not business as usual, but how to be resilient and survive.”
Brooks closed out the segment by offering career management advice for those looking to navigate the sophisticated and complex cyber security space.
“First, look what’s out there,” he said. There are a lot of certifications depending what you want to do. It also depends on how strong you want to learn the subject matter at hand. You can be certified without a graduate certification, although Brooks recommends that too. You need to have a background in policy and how things operate with IT and network security.
“Listen to shows like this where you can connect to people. Stay involved in social media. So many people participate in LinkedIn groups in sharing information, data and threat experiences. Sometimes the best way to go for a breach is right to social media. It’s just amazing the amount of resources we have online,” Brooks advised. “The information security community is not a competitive community, it’s more of a collegiate community and collaborative community.”
The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.
To listen to this and past episodes, click here.