2018 was a rough year for customers and companies hit by cyber breaches. Businesses from Under Armour to Facebook to Marriott were targeted by hackers, leaving the data of hundreds of millions of customers exposed. According to Cipher Brief experts, 2019 isn’t likely to be much better, and the Ponemon Institute estimates that the global average cost of a data breach rose 6.4% in 2018, to $3.86m.

Cipher Brief Expert and former Deputy Director of the NSA Rick Ledgett spent a career in government that included leading the NSA’s Media Leaks Task Force from June 2013 to January 2014, just as the NSA was dealing with a particularly damaging insider threat named Edward Snowden.

Ledgett spoke with The Cipher Brief about finding more effective ways to build in resiliency in 2019 and about what concerns him most from a national security perspective.

(The conversation was edited for length and clarity.)

The Cipher Brief: As we look back on 2018, there was a lot going on in cyber. What should we be taking note of as we head into 2019?

Ledgett: A couple of things. One is the continued evolution of the information warfare threat, information as a tool of states to try to affect the behavior of other states, and the extension of what happened in the 2016 elections through to the midterms. Not so much the hacking of the DNC, because that didn't happen this year as far as we know, but the use of social media and the use of fake news, if I can use that phrase, to inflame people's opinions and pull apart the social fabric of the United States and attack our democratic institutions. So, that was one thing I think was significant. I’m happy to see an increase in awareness and discussion about that, although it's a really hard problem and it certainly has not gotten the attention that it deserves. It needs to happen.

On the business side, I’m seeing an increased awareness of cybersecurity as a key corporate risk that needs to be managed. Companies are also having a little bit of difficulty in thinking about how to manage that risk. Some companies are very good, some are not so good. I'd put the average at below where it needs to be.

The Cipher Brief: So, you obviously came from the NSA and now, you are offering consulting services to some companies. What is the number one thing that executives were asking you over the past year that they wanted you to help them address?

Ledgett: ‘How do I manage the complicated set of activities that I need to do to think about the cybersecurity threat, and the cybersecurity risk?’ I pretty consistently steer people toward the NIST framework, the National Institute of Standards and Technology cybersecurity framework, which is designed for just that purpose and lets you take the conversation out of the CISO's technical jargon and puts it in something that's more suitable for executive teams and the board to consider. That's really something that's important for people to understand.

You have to have this conversation at some point, but that's not a board conversation. That's a conversation that needs to be had within the organization. What the board needs to understand is here's where we're facing risk, here are the things we're doing to mitigate that risk, here are the places where we still have risk.

What I see too much of is people who are pursuing a shiny new technical tool and missing out on basic blocking and tackling, really fundamentals of cybersecurity. Things like making sure your systems are patched on a timely basis, making sure that you're using multi-factor authentication to let people access your system, making sure your networks are segmented the right way, all those basic fundamental things that you need to do in order to have a hope of having a secure system. The number of breaches that we see as a result of an unpatched vulnerability is still in the high 90s.

The Cipher Brief: When you talk about the risk-based approach to cybersecurity, are the C-suiters getting it?

Ledgett: They understand risk. There's still a lot of fear of cyber as a weird technical thing and if you're not indoctrinated into the culture, then you'll never really understand it. So, really, I think it's incumbent on CISOs, CIOs to help translate that into language that boards understand. It's important for the CEO, the COO, and folks of that ilk, who bear that responsibility, to make sure that it gets the attention that it needs.

The Cipher Brief: Have you ever sat down with an unnamed person in a C-suite position where you were a little bit shocked at what they didn't realize about the risk to their business that cyber presented?

Ledgett: Yes, but more because of the difference in approach. Because of my background, I look at things from an attacker’s point of view. That gives you a different optic than if you think of things from a strictly defensive point of view. In fact, one of the reasons that the NSA and our partner in the UK, GCHQ, move our people around is that you're a stronger attacker if you understand defense and you're a stronger defender if you understand attack. So, when you look at a network with an attacker's mindset, you look for different things and you find different things. That causes you to think about securing your network in ways that you wouldn't otherwise think of.

The Cipher Brief: So, red teaming?

Ledgett: It’s different from red teaming. Red teaming is one subset of that approach, but another way is to look at supply chains or to search up things that you're looking at. What are vulnerabilities, not just in the network security structures, but are there process vulnerabilities? Are there people vulnerabilities? Half of all cyber events, by some measures, are insider threat sourced.

The Cipher Brief: Insider threat indicates intentional, but there's also the accidental.

Ledgett: There's both. There's a person who finds the thumb drive in the parking lot and says, "I wonder what this is," and takes it into work and plugs it in.

The Cipher Brief: What concerns you the most going into 2019? What are those emerging threats that we should be thinking about?

Ledgett: Destructive malware as a tool is something that we're seeing increasing use of. That's concerning. But especially, if you recall, last year there was the Triton malware that was found in an unnamed network in the Middle East, that basically disabled the safety systems on industrial processes so that things would explode and potentially put people's lives at risk. That's concerning when people are going after safety systems that are designed to shut down the system in the case of a system fault.

There are also a couple of nation-states I'm concerned about now; China is one. It's been widely reported that there's been an increase in Chinese theft of intellectual property, an increase in Chinese cyber activity since the trade war started, and that whatever constraints the Chinese felt before, those are now gone. I'm not advocating for or against the tariffs. I'm agnostic on that, but that may have been the thing that unleashed the cyber actors. There were always Chinese cyber activities going on, going back to 2000 or so. But there was a slowdown from one part of the Chinese infrastructure after the agreement between Presidents Xi and Obama in September 2015. That slowdown is gone. Some people said that agreement gave them an excuse to reorganize the way they did things and become more efficient and less noisy. You could make that argument. But there's no argument about the increase in activity over the last few months.

The Cipher Brief: It’s very interesting that you talk about destructive attacks launched by nation-states. There's always been this question of ‘what would the motivation be?’ Today, attribution seems to be happening a lot more than it did in the past, so you have a nation-state that's taking a bigger risk if they launch an attack that might be destructive, yes?

Ledgett: From a nation-state point of view, I think if you look at Russia and China, both have the capability to launch destructive attacks against U.S. infrastructure, critical infrastructure like the power sector or telecommunications, financial sector, but they're not going to do that for a couple of reasons. One, say the financial sector, that hurts them as much as it hurts us. That's not in any nation's interest.

Second is that we would almost certainly view that as an act of war and retaliate in a way that they would not want. If we're in the run-up to a kinetic conflict with one of those two nations, I fully expect to see cyberattacks in that run-up, if they're convinced that there's going to be a kinetic attack.

The Cipher Brief: A new component of warfare in the future?

Ledgett: Not really new, new like in the last 30 years.

The Cipher Brief: It's been used in Ukraine already, which is widely seen as a testing ground for what might be launched elsewhere. Is that accurate?

Ledgett: That's very accurate. Yes. Then for Iran, Iran views cyber as a proportionate response to acts by the U.S. and other actors, Israel, for example. So, they're unlikely to launch an attack on the critical infrastructure unless they feel their survival is threatened.

The Cipher Brief: But there was some concern after President Trump decided to withdraw from the JCPOA that there might be some retaliatory efforts via cyber.

Ledgett: I fully expect that there will be. I don't think those will be widespread attacks against critical infrastructure. I think those will be, again, proportional attacks. Some people believe that the attacks against Saudi Aramco in 2012 and 2016 were by the Iranians in response to Saudi increases of oil production because of the sanctions. So, that's the kind of thing that I would expect to see. An attack against a company, that's not really national critical infrastructure in the sense that I'm discussing.

The Cipher Brief: Almost like cyberterrorism, though, if you could strike fear or some sense of concern among consumers, for example, is that something that you worry about seeing more of in 2019, intentional hacks that could be launched more in the sense of using someone as an example or making a political point?

Ledgett: Certainly. I think that's likely. I don't think that would rise to, say, an attack on the financial markets. The financial markets are basically a faith-based system and they work, as long as people believe that they're going to work. A strong attack against them could have some pretty dire consequences. When I think about things I worry about, one of them is the use of an attack like that by people, non-nation-state actors like ISIS, resurgent Al Qaeda, other organizations, that don't have a vested interest in the status quo and the stability of the financial system. I worry about them getting access to high-grade tools in a way that would make them have a step function jump in capability.

The Cipher Brief: The barrier to entry when it comes to cyber is fairly low. A lot of the tools are out there if someone really wanted to get their hands on them and use them. Why hasn't there been more of an effort on behalf of terrorist organizations to utilize cyber as a weapon?

Ledgett: That was one of the things that kept me awake at night when I was in service.

The Cipher Brief: So, that's going to happen sooner or later. Let's be realistic, right?

Ledgett: Let's hope that our defenses are robust enough to fend them off. Although, hope's not really a good strategy.

The Cipher Brief: How important is the relationship between the government and the private sector, which is coming up with a lot of the capabilities that the government then uses to protect things like critical infrastructure?

Ledgett: It's crucial. There's a really important synergy that goes on there. Something like 85% of the networks in the country are not run by the government. They're private sector. So, by definition, you have a lot of stuff out there that the government doesn't have direct purview over. So, the government's job is to organize and to enable and to incentivize and to provide key information that the private sector can then use.

So, what does that mean? What that means is things like encouraging entities, critical infrastructure entities, to spend more money on protecting themselves. That means we have to incentivize them in some way, for example, letting public utilities raise their rates, providing tax incentives, whatever sorts of things you need to do. The U.S. has very little capability right now, under current law, to compel critical infrastructure providers to do things. They can suggest, they can enable, they can control, but they can't compel. So, I'm not a fan of the idea of heavily regulating that. But I do think that some kind of outcome-based regulation where the government says, "You need to get to a certain level of cybersecurity by point X in time and here's what we're going to do to help you get there."

The Cipher Brief: Let’s talk about supply chain. I understand how important that would be if you're running a business. How important is it if you're a consumer? We've seen the use of bots and other things that will use software that's in one of your devices at home, either your router or printer, whatever it is. How worried should all of us be, and how much should we place a premium on just educating ourselves on the basics?

Ledgett: Education is important, and folks need to understand at least a little bit about cybersecurity in the way that they understand a little bit how their car works when they drive it. If I turn the steering wheel this way, the car goes that way. When I step on the gas, when I step on the brake, when I flip the turn signals, that level of understanding from a cybersecurity point of view is important. So, I think for home users, the principal threat to them is criminal activity on a large scale. So, if there's a criminal bot out there that's gone to your home router and is stealing your banking credentials, if you do banking at home, then that's something you need to worry about. So, how do you prevent that? You reset your router periodically and make sure that it gets software updates.

Hear more from Ledgett in this week’s State Secrets podcast.

(Ed note: Ledgett is a co-chair of the soon-to-be-announced Cyber Initiatives Group, launching early next year. The CIG is a membership-based group of both public and private sector experts sharing best practices in order to protect their businesses from cyber theft and damaging breaches. Stay tuned for the public announcement on that group and how to become a part of it on thecipherbrief.com.)
