Industry and government share tools and techniques in evolving challenge
BY: GERRY MONIGAN
Ken Peterson has been focusing on security of digital information for more than 30 years
Although it took the 2016 presidential election to fully bring cybersecurity into the consciousness of the average American, it is an issue that has been building exponentially for decades.
Ken Peterson, a longtime Solebury resident, has been on the case for more than 30 years. The company he founded, Churchill and Harriman, has become a major player in setting the standards for protection of digital information. Recently, he shared his thoughts on the industry.
Q. Who needs protection?
A. In this day and age, whether you are a privately held small business or a multibillion-dollar global multinational corporation, everyone needs to protect intellectual capital and digital assets.
Q. How is it done?
A. There are three elements: There are tools, there is talent, and there are techniques that one must bring to bear to successfully address this problem.
The most important, in my mind, are techniques, because unless you are employing the proper techniques, you can have the best and most current tools available, but you’re not going to get the maximum result.
Q. What are the tools?
A. They are ever evolving. There is encryption at the email level; there are what are called borderless security tools at the enterprise level, and the latest thinking is that protecting one’s borders, whether they be cyber borders or brick-and-mortar borders, is really not the best use of one’s assets, because, in all likelihood, the bad guys are probably already in your network.
So it then becomes a better use of one’s tools, talents, techniques and budget to address these issues at a network level and try to put a ‘box’ around the damage that the bad guys can do.
Q. It’s a given the bad guys are already in?
A. It is accepted as a given that they are already in most places.
Q. Where do they come from and what do they seek?
A. Geographically, the most proficient hackers are coming from countries such as Ukraine, Iran, North Korea and China.
Hackers can come from anywhere, whether it be based here in the United States or in the United Kingdom or the countries I mentioned, but they come in two different varieties. One is that they are conducting their affairs with the intent to gain financially. In other instances, they are acting either directly for, or on behalf of, a foreign government.
Q. What are the stakes?
A. When one considers the damage a hacker could propagate on the electric power grid or on an entire global financial system, the stakes are very high. With regard to the power grid, I’m also talking about nuclear plants and other installations where if things were to be taken offline, or even more seriously damaged – for example, contaminating a water system – it could cause wide-scale civil disobedience.
Q. Is it assured mutual destruction that keeps these things in check?
A. I think so, but you still need security. No one is depending on the fact that some unforeseen event is not going to spur on the people who are out for financial gain or acting on behalf of another nation’s interest. We can’t take for granted that something isn’t going to put them over the proverbial top and have them try to cause us harm.
We’d better be ready, and we’re not.
Q. Will we be?
A. One accepted paradigm that industry leaders bandy about is that the bad guys will always be a little bit ahead, and that’s because they have all the time in the world – and they need to be right only once. Whereas the defense has to cover all contingencies, foreseen and unforeseen, 24/7.
So one of the most dramatic and important changes is that there are now industry-level information-sharing apparatuses.
In the health-care system and the financial industry and other industries, organizations are sharing real-time threat intelligence with members of their own industries and outside their own industries in a very trusted forum, so that if one company is being attacked, it can alert everyone else that these attacks are going on, and here are the actions we are taking to limit the damage.
This is a powerful new change in the thinking around global information security.
Q. What does Churchill and Harriman provide?
A. Churchill & Harriman is privileged to work directly with a number of entities that are part of the solution with regard to these information-sharing and analysis centers, and I do feel a special responsibility in discharging our duties in that regard.
The efficacy of our work and the quality of our output; the completeness of our results; the accuracy of our data are all being shared sometimes across an entire industry.
Q. Is there synergy with the government?
A. There absolutely is. There is direct collaboration with agencies such as the Department of Homeland Security, the Department of Health and Human Services, and the National Council of Information Sharing and Analysis Centers (ISACs).
Q. When someone hires your firm, what are the steps you take?
A. The very first thing you need to do is conduct an assessment of your entire operation, and the output of that exercise will give you a list of items that need to be fixed. You then prioritize those items. It’s called a risk ranking and remediation exercise.
The first step is to understand the issue at hand and validate that what the customer believes is the issue truly is the issue.
Once that is flushed out, we conduct a risk assessment of the client’s information. We normally focus in a prioritized way on that customer’s intellectual property and information assets, and we seek to protect their most valuable assets.
Then we work down the chain on their next level of valued assets, and so on.
This includes, in many cases, working on the vendors who support our customers. In many of the reported breaches that have taken place in the past several years, the root cause turned out to be that a client’s vendor was breached, and through that, the client got breached. It’s really the old story that you are only as strong as your weak link.
So we really do, in an overall cybersecurity strategy, formally take into account the security of the relationship with the critical vendors or suppliers.
Q. Anything else?
A. One element that I want to offer to my neighbors is places they can go that have the very best information that will allow them to better protect themselves and their families and/or will allow them to learn more about elements of cybersecurity.
Here’s a list:
Safe and Secure Online https://safeandsecureonline.org
U.S. Department of Homeland Security https://www.dhs.gov
U.S. Computer Emergency Readiness Team (US-CERT) www.us-cert.gov
SANS Information Security Training Cyber Certifications www.sans.org