March 16, 2021 | 37 minute read
Now that President Biden has proposed the allocation of $10 Billion for cyber security and IT modernization, what specifically should the federal government focus on to restore confidence in our national cyber security defense posture?
Cybereason held a roundtable event with leading security industry CEOs to discuss increased security funding in the recently passed American Rescue Package legislation in the wake of two recent devastating attacks:
Nation-state threat actors are conducting offensive operations against the United States with relative impunity - whether for espionage or through the spread of misinformation to influence elections. The panel examines what steps the US needs to take to deter bad actors like Russia and China, and what effective deterrence would even look like in a larger geo-political context. Do we need to play better offense?
The panel also examines emerging threats focused on COVID-19 vaccine research and production, attacks against healthcare facilities and other critical infrastructure. What kinds of threats can we expect to see more of in 2021?
But it’s not all doom-and-gloom, as the panel also looks at what’s going well in cybersecurity with regard to better enabling defenders and some of the more promising developments in the cat-and-mouse game of security.
Lior Div, CEO of Cybereason: Lior is an expert in malicious operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Early in his career, his team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He was in charge of carrying out some of the largest cyber offensive campaigns in history against nations and cybercrime groups. He also received one of Israel’s highest awards at that time, the Medal of Honor. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary.
Theresa Payton, CEO of Fortalice: Theresa Payton is one of America’s most respected authorities on Internet security, net crime, fraud mitigation and technology implementation. As White House Chief Information Officer (CIO) from 2006 to 2008, she administered the information technology enterprise for the president and 3,000 staff members. Prior to her time at the White House, Payton was a Senior Technology Executive in banking.
Corey Thomas, CEO of Rapid7: Corey Thomas is the CEO of Rapid7, as well as Chairman of its board of directors. In 2018, he was elected to the Cyber Threat Alliance (CTA) board of directors and the Massachusetts Cybersecurity Strategy Council. He also serves on the board of directors for LPL Financial, as well as Blue Cross Blue Shield of Massachusetts, sitting on its audit and health care quality and affordability committees. He previously served on the U.S. Commerce Department's Digital Economy Board of Advisors.
Michael Daniel, CTA President: Michael leads the CTA team and oversees the organization’s operations. Prior to joining the CTA in February 2017, Michael served from June 2012 to January 2017 as Special Assistant to President Obama and Cybersecurity Coordinator on the National Security Council Staff. In this role, Daniel led the development of national cybersecurity strategy and policy, and ensured that the US government effectively partnered with the private sector, non-governmental organizations, and other nations.
David Spark, Managing Editor & Co-Host of the CISO Series (Moderator): David Spark is the creator, author, and producer of the CISO Series. He’s a veteran tech journalist and founder of Spark Media Solutions, and for more than 23 years, Spark’s work has appeared in numerous media outlets including eWEEK, Wired News, Forbes, PCWorld, ABC Radio, John C. Dvorak’s “Cranky Geeks,” KQED’s “This Week in Northern California,” and TechTV (formerly ZDTV).
Christine Ellsworth 00:43
Okay, we'll just give it one more minute and then we'll pick it up. All right, I think we can get started. Hello and welcome. Thank you everyone so much for joining today's virtual panel hosted by Cybereason. I'm Christine Ellsworth from Highwire PR. I'll be your host today. We have an amazing program in store for you today. We're going to be looking at the topic of restoring national cyber security, taking a deeper look at Biden's first 100 days in office. Before I turn it over to our moderator, just wanted to level set on a few logistics for today. We're going to have 40 minutes of a presentation followed by 20 minutes of Q&A. If you have questions that come up throughout the course of the discussion, please hold on to them. Or you can drop them in the chat window, the little Zoom chat window, and we'll get back to those when we start the Q&A session. With that, it is my pleasure to turn it over to our moderator. David Spark is the producer and co-host of the CISO Series podcast. Over to you, David.
David Spark 02:23
Thank you very much, Christine. Hello, everyone. I'm David Spark. I'm the host of the CISO Series; we produce a whole mess of podcasts and shows on cybersecurity. And I'm also introduced every week on the panel, I got four really great panelists who have a lot of savvy in this area of government security. First, Lior Div, who is the CEO over at Cybereason. And he is a former commander in the Israeli Unit 8200. Also Theresa Payton, who is the CEO of Fortalice and former White House CIO. And we also have Corey Thomas, who is the CEO of Rapid7 and a board member of the Cyber Threat Alliance. And lastly, Michael Daniel, who is the president and CEO of the Cyber Threat Alliance, and Obama's former cyber czar. Alright, let's just get right into it right away. As Christy mentioned, there will be time for questions later. But we have crafted this to try to bring you sort of the best sort of topical information that you would want on this very topic, which is essentially government security and Biden's first 100 days, which we're halfway through right now. So let's talk about the $10 billion that has been allocated for cyber security. And actually that was just up from 9 billion just recently. So this is a concern, as everyone is well aware of. It is under the American Rescue Package. So I'm gonna ask this question first to you, Lior. We don't necessarily have insight into what the systems are. But how would you go about beginning to figure out how to allocate this money to potentially beef up and start to, you know, I guess, begin the restoration of America's cybersecurity defenses?
Lior Div 04:13
Yeah, absolutely. And very nice to meet everybody. And it's a pleasure to host and to be hosted here. I think that the first thing that I will think of is a little bit about the mindset and less about the money. I think that if you think about it right now, we are basically worried anymore. Okay. This is a very, very different world than we used to see in the past. Nobody is dying, or most of the time, people are not dying. There is no smoke, there are no soldiers in the street. But right now, if you look at the situation, specifically in the past few weeks, that's happening with Russia and with China, that keep attacking us in our nation, almost on a daily basis. And I think that in the past few weeks, we saw an update of this type of attack. So, in a way, I think that we have to change our mindset to understand that what we're talking about here, government against government, nations against nation, this is kind of very remind me the Cold War. In the past, you tried to be stronger than the other one tried to be even stronger. This is a fight on information.
David Spark 05:26
Let me just ask a follow up, though. But you're talking about mindset. What do I need to understand what these nation states want out of us, like me as the average person or me as a government employee, like, what should I be concerned they want from us through these types of cyber attacks.
Lior Div 05:44
So if in the past, it was about espionage and sending spies, I think that today, you can go to the espionage realm, but in a much more aggressive way, that attribution is not linked directly to you. And you can gather information, and you can manipulate information as much as you want. In general, I would say two things. One is espionage. And the other one is to control kind of what people think. And we can go back all the way back to 2016, when we had the election, when the Russians tried to influence it heavily, and even in the last election, so
David Spark 06:24
Let me throw this one to Theresa. I know that you have seen a lot of this sort of behavior firsthand. What you know, going back to where should we beef up our defenses? What are we doing poorly right now that like this is the first thing we need to address?
Theresa Payton 06:44
Well, I think the challenge is, you know, first of all, I mean, my thoughts and prayers go out to all the CIOs and CSOs out there, because we have asked them to do some Herculean work during the pandemic. So you typically have many organizations where everybody wasn't work-from-home, they work sort of in the brick and mortar, if you will, and working from home for many large organizations was kind of like something you did a partial amount of the time, not everybody at the same time, right. And so if you think about the disruption that's been created within government organizations, nonprofits, commercial enterprises, they've had a really rough year, and cyber criminals know that. So the nation states, cyber criminal syndicates, and the lone wolves, they all know that. So what's going on right now is organizations are reimagining a world where, as much as possible, we're encouraged to be contactless versus in contact with. And so that means more and more transformation efforts are being accelerated. So while those are being accelerated, the CIOs and CSOs have got to figure out from an enterprise architecture, as they're plugging in these new capabilities, how do you cordon them off. And there's some basic things that are being overlooked right now. So for example, super access admin accounts, those should be rare. And those passwords should be rotated. And those accounts have got to be monitored with behavioral-based monitoring. Segmentation of everything. So the more you can segment everything down to the most granular level, when that data incident happens, which it will, you have the ability to go shields up and flip kill switches so that you can actually mitigate the incident and still have resiliency in the organization.
And then sort of kind of lastly, where we're really failing, David, is I can't believe, for all my time in this industry, that we still come down to, like, weak and recycled passwords, and telling the user don't click on links, don't open attachments, when, good golly, that's actually their job. I mean, can you imagine telling your boss, I'm not going to answer my emails today, because there could be a ticking time bomb in there. So David, why, after all this time, and all that money that has been spent, why does the burden rest squarely on the shoulders of the consumer and of the user in the organization? So security, we need to step up in our design, and make sure that security is just inherently there as a safety net, in all of our thinking and the approach that we have in that, and that's where sort of that intersection of business capability and sort of enhancing resiliency and reliability, that's where security has to be there at that intersection.
David Spark 09:41
You know, before with regard to you can't let the company fall down just because one person clicked the link. And we've just good old fashioned defense in depth planning. I'm sorry, I cut somebody off who is jumping in there. Yeah. So Michael, you jump in. I'm sorry. Go ahead.
Michael Daniel 10:00
Just wanted to build on something that Theresa was saying, which is, you know, you were asking about you were asking about why some of these problems still exist. And I actually think that's a really, that's a really intriguing question to ask, right? Because it says that we've got something fundamentally wrong. Because it's not like, it's not like you ask companies, do you want to be hacked? Like, they're not going to say yes. Like, you know, nobody's going to say, I want to do cybersecurity stupidly. So the question is, why, why is it that we know what we need to do, and we're not doing it. And I really think there are sort of three things that feed into that. One is that we don't understand the economics, right? That some of this stuff is hard. And it takes time, and it takes money, and it takes resources. And that's taking my time, money and resources from other things. And so when a business is trying to prioritize what it gets done in the 24 hours a day that there are, a lot of cybersecurity doesn't often make it because it's not core to the business. Which leads to the other point, which is that we, we may have the placement of cybersecurity wrong and the whole ecosystem that we keep putting it on all the way down on the end user. And we don't do that in most other we don't do that in most other places. Like if you think about automotive technology, like yes, but the user we've said, Yeah, we're gonna have putting on the seatbelt. We're gonna make you responsible for that. But we don't have a car say, Excuse me, you're about to have an accident. Would you like me to deploy the airbags? Yes, no. Like, it just does it right. So and then I would say the third thing is that we have a our mindset is still very much of the physical world. And the internet is a nodal network. So a discontinuous network that operates at light speed. And that's a very different the physics and math of that are completely different than the than the physical world.
And I'll throw one more thing on for the federal government that I'm sure Theresa lived when, when she was there as well, which is that it is difficult to overstate the amount of tech debt that the federal government has. The entire budgeting system of the federal government is designed to ensure that agencies continue asking for operating money to keep old systems going, rather than asking for new money to buy new systems, because it's almost impossible to get the new money. Whereas Congress will always appropriate you the money to keep the old systems going. And so the result is that the federal government has an unmatched tech debt compared to any private sector organization.
Lior Div 12:47
I will suggest that it's not just about the technology, it's about the fact that it's not an IT problem anymore. This is an intelligence problem. You need a different mindset, you didn't need a different capability in order to deal with it. And if you keep thinking that it's the end user, and it's the IT person that's gonna solve it, it's never gonna be solved.
David Spark 13:11
Absolutely. Let me throw a question to you, Corey. You know, one of the things that I hear in the private sector with regard to security is, you know, make it so difficult for the attacker, that it's not worth attacking them. But when you're dealing with nation-state attacks, which seemingly have unlimited budget, and that it's not necessarily a financial gain, what they're going after, and again, sometimes not clear what they're going after. How do you create a defense against that? Like, what is the thinking, to Lior's point, that you have to have at that point?
Corey Thomas 13:43
Yes, I would just point out two things. So keep in mind is that part of the reason that there's an unlimited budget, so to speak, is it's just not intelligence, is that if you think about the means that nations compete against each other, you know, it shifted from land to the needs of production. And now we compete on data. And we actually compete on IP and technology. So there's very real world consequences. And so if you think about the value of the technology ecosystem, as we actually go forward in the value of data, it changes how we actually think about how much money we should actually spend and how much effort we should actually spend on modernizing. So that's the first thing. The second thing to your question is, just because something is unlimited, doesn't mean that there's value in making it more difficult. Let me spend money is that if it takes me if I have, quote unquote, unlimited man hours to actually spend for you, well, unlimited is still something now it just may feel insurmountable, but it's still something. So if I have 10,000 man hours X has been for you. There's a very, very big difference in the man hours, produces, you know, produces sort of like 1000 compromises versus 200 compromises. So I think one of the mistakes we make is just because we just because it doesn't go away doesn't mean there's not a big value in making it better. And I think there's things that everyone is everyone has actually talked about in the panel, that can actually make a material difference, even though there will still be compromises. The analogy that I use of boards, and we'll talk to them that aren't technology sophisticated, is that if you think about cities, if you think about the best city in the worst city, the most crime ridden city in the paradise, they both have crime, they both have death, they both have murder, they have all types of things. But there's a really, really big difference in how often that happens, I'll quickly identify how you respond. 
So I would just say we can't fall into the trap that there's no difference just as bad things to do.
Lior Div 15:46
I have to hurt somebody's career. Look, I spend more than 20 years of my life of being on the other side, meaning being a nation state hackers for the West, for the good side for this is what I do. Okay, I can tell you from the inside, that you don't have unlimited budget, you can run the project, same way that you run any software company, you have timeline, you have bosses, you have guns that you have to report progress, at the end of the day, if you managed to develop or find a zero day and use it and exploited. And if somebody block it, it's throw you back, like six months to rebuild the fee, and rehash and reuse the things that you already developed. So I think that I don't view nation state hacking is a big thing that we cannot deal with. I think that that was an excuse for for many, many years for many companies of saying, Oh, this is nation state, we cannot do anything about it. I think that by now we have a technology, we're 10 years into that after this event, I think that there is enough innovation that we drove collectively, in order to fight against them. And I have a list of examples. And one of the example that I can give you is the salary that that that basically, when hackers, the first thing that the Russians did, he picked up the machine, they stopped the effect they ignore, continue hacking. Okay, so I'm saying, okay, we're a relatively small company, 700 people that we manage to convince the Russian not to attack if we're there. That's it. So I think that there is many things that we can explain, cuz
David Spark 17:29
I'm confused by that. Explain how you discovered the fact that they saw that you were on and that they sort of were spooked, like seeing the ADT sign in front of somebody's house.
Lior Div 17:41
Yeah, absolutely. So we basically reverse engineer the code that they injected into the right software. And in that code, you can see a check if this driver exists, and the hash that describe the driver, this is the Cybereason driver, basically, they stop the operation of this DLL and has stopped the attack. Okay, so it's a very kind of technical way, we discovered it. But I'm saying if we can do it properly, there is many, many others that can help in this fight.
David Spark 18:13
So and you bring up a good point. And by the way, you just teased up our next topic, which is solar, micro, micro Microsoft Exchange here as well. The you know, you bring up the point that I keep hearing again and again from cybersecurity leaders, just make it not worth their effort for, as you said, send them back six months in their effort to make the whole process more difficult because my feeling if they are in a cyber war, it's not like that's gonna stop. But you can make the process more difficult for them, when it's out what you're going with there, Lior.
Lior Div 18:46
Yeah, absolutely. Think about it as a continuous incident response.
Tom Foremski 18:51
Lior Div 18:52
they're attacking, you're preventing or throw them back. Every time that we found some way to finagle ourselves to say, Hey, this is what they're doing. This is how they're doing. You can read it in our blog. And when you expose something like this, that usually if they're not from China, they're not going to reuse the same thing. China is a different story. They keep using the same thing. They don't care.
David Spark 19:18
Well, go ahead. You know, I
Corey Thomas 19:21
just think it is important to highlight, I think everyone should use advanced technologies like yours. But Michael said something really interesting, I think that's incredibly important, is that when you actually have a ecosystem, that's massively out of date, you just have a much larger attack surface than is necessary for a good defense. And so and the reason I want to what you mentioned earlier about the mapping and assembling hours going when it does
David Spark 19:51
take money, it does take
Corey Thomas 19:51
attention, it does take conversation and resources to actually get the basics right. And the thing is that we talk a lot lots about advanced stuff, which I completely agree with. But there's lots of basics that require time, energy and effort and also better designs as to what's the point earlier. And we're not doing that. So I do want to call that out. And I'd also say that I don't believe and I haven't met the very last bill, that that can create dollars that end up being $10 billion after the final Senate resolution. And the last meeting that I had, it actually ended up being substantially less. So we're still deferring some of the fundamental work that has to be done. And I think lots of times, we actually talk from a defeatist perspective in the technology industry, but there are no basics and fundamentals that we can and shouldn't be doing that cost, enter time consuming, and those that do require harmonization. But that make a huge difference, especially in conjunction with some of the advanced technologies that we're always striving
David Spark 20:48
to reach. I want to throw this to you now, with like, looking at the SolarWinds, taking a look at Microsoft as well, here. These are direct attacks against supply chain, but it's so spread out, do we understand the motivations behind this? Is this just to cause horrific disruption? Or essentially, the way I'm seeing it, like a, like a never ending pipeline for whatever it is that they want, which could be nation state, which could be financially motivated, not clear?
Theresa Payton 21:18
I mean, I love the question there. And also kind of what my fellow panelists have been sharing, which is, so there's a there's a short game and a long game, right. So in the short game, you have nation states and cyber criminal syndicates, where it's intellectual property, smash and grab, causing just general mayhem, flexing muscles and letting people know that you're there, potentially moving cryptocurrency markets, values, potentially moving stock market values. So there's like short term, then there's the long game, which part of SolarWinds, part of that is a long game. So that is economic espionage, political espionage, potential future blackmail, they have comps, between different units. And so stepping back, because in talking about this, it always occurs to me that it may make business executives just want to crawl under their desk, and government executives just crawl under their desk. And there is, there is something we can all do about this. And so like from the standpoint of really, truly understanding your ecosystem. So one of the things that I tell federal executives and business executives is, even if you didn't use SolarWinds, and even if the latest tech with Microsoft Exchange servers, there's a bigger ecosystem that are your third party suppliers. And so you are swept up in that challenge. And these will not be the last smash and grabs and long term hacks that happen. And this is where you have to just assume, you know, robberies occur. So what are the things that you do to mitigate damages? Right. So, you know, when I think about I came from the financial services industry before I went to the White House, and so we think, long and hard in our brick and mortar, if there's going to, we know, robberies will happen. So we mitigate damages, everybody is trained in what to do when the robbery is happening. We mitigate damages by not having all of the bank's assets in one particular branch.
We have cameras so that when something does happen, we can seek legal recourse of people safety and say, you know, at play there, I'd also like to David just kind of throw out maybe some opportunities for thinking big and different about this issue and reimagining how we think about things. So we often spend time with budgets, talking about protecting and defending what we have. Would we be better served in the long run to say, you know what, there's some basic protecting and defending of what we have. But what if we build something new and move there? Here's the decision you have to make, like, do I live in a historic home? So it's like the decision you make around? Do you continue to restore the historic home and do the things to sort of honor and preserve the historic home? Or do you build something brand new for what you're trying to get done? and I, we don't often think about budget spend in the business world and certainly not in the federal government space around. You know, what if we just just for a moment said, over a three year span, what would it take to build from scratch something new with the newest and greatest technology advancements in cybersecurity leveraging artificial intelligence leveraging tokenization of user access and authorization tokenization of data requests? What if we did that? What would that actually cost? And what would be the long term operating costs for supporting something like that, versus continuing to try and protect and defend legacy systems weren't built for today's realities of cyber criminal tactics and techniques.
David Spark 24:55
I love the point that you brought up in the beginning there, Theresa, where you talked about the fact that even if you're not using Microsoft Exchange and SolarWinds, this is affecting you. And we just did a, and I can I'll send this to Christine, she can send it out. We just mentioned that we quoted some report, and I can't remember, but the people surveyed said, within the past year, 80% of them had a third party vendor that had been breached. So it's, we're constantly being affected on time. I want to close this out with you, Michael, with this question. And that has to do with in the market, the responses to move back to be, you know, if you want, if you want to be successful, you got to move fast. And sometimes security, like is lag behind and what the government and regulations do to make people not move too fast is to throw out compliance requirements and have regulations attach up. But as has been said, over and over again, compliance does not equal security. Do should they be addressing cyber security more to make everyone's behavior better, so we can have a more secure, holistic environment, like what we needed to recently pointed out?
Michael Daniel 26:15
I actually think that the government should play a strong role in this, but it's got to play the right role. And it's got to, and you're absolutely right, David, like it can't be from a compliance standpoint of we're going to tell you the technology, you know, we want to see that you have the snort five, or six, you know, 6500 in your network, and that can be a check, and then, you know, because that that's clearly not going to work. And so instead, there's really needs to be a collaboration between the government and industry to talk about what are those? What are those outcomes that we can see that you can demonstrate that you've actually paid attention to and have invested in cybersecurity and in the right way. And, you know, I think to get to some of the points that Dr. was making, I actually think that one of the really key metrics that we don't look at enough is what's the mean time between incidents? Like, and we should be driving that, you know, we should be driving that apart, right? You want that that mean, time to be getting bigger? What's your mean time to discovering an incident when it occurs? Right, and you want to get it getting that smaller, so that you discover them more more quickly. So we start thinking in those terms and saying, Okay, if you can demonstrate that you've got the capability to do that. Then, you know, then you've met the you've met the standard, right? In other words, so it's not about compliance. It's about looking more at the outcome and the output that you that you want. The last thing you know, I'll just say on that score is and I think this is actually doable, but we've got a we've got to invest the time and effort to actually come up with what we want those metrics to be. And we haven't really figured that out.
Lior Div 27:56
And once you do it to keep pushing it them up. Yes. Because the hackers keep evolving. And we have to evolve with them, cannot stay behind.
Michael Daniel 28:05
David Spark 28:06
All right, let's go. We have just couple more things. And I want to leave time for questions. So let's try to get the last bits in the next 10 minutes. When we talk about emerging threats, okay, so there is the COVID vaccine or protecting the essentially the pipeline of vaccine. There's healthcare facilities, water treatment, plants, automobiles, the DMV, all bad actors have been attacking all these sectors. I mean, we don't know what could be next in our lives and cause it's possibly costing lives with their actions in this has been sort of the chronic fear in the back of our head. So are, are there threats, Lior? I'm going to throw this to you right now. Because obviously you have you seen this kind of behavior when you were with the 8200? Or I'm assuming? What are the kinds of threats that you're foreseeing you're preparing for, or that scare you the most right now?
Lior Div 29:00
I think that I can divide it into almost two groups. There is group number one that we talked about, this is the SolarWinds, like the attack from Microsoft. And this is usually it's about espionage. It's about gaining access. And basically the ones that control the information will control the world. So everybody understands that. So there is one kind of frame of attacks. There is another one that usually it's not talked about. And this is a new dimension of influence. Then I said it a little bit at the beginning, when Russia wants to decide who's going to be the president in the US. They're starting to influence the social network heavily. And they're starting to use heavily fake news in order to control the narrative. For example, we have a few examples right now that that from Russia came from a lot of influence, not using the Pfizer vaccine, why they decided to influence that thing I don't know. But it's like we know for sure that it's influenced enough people that decided not to take this vaccine. Is it weakened us as a society? Probably, yes. So they're playing kind of different games, I'm not sure that we are understanding the western more that we have to pay attention to.
David Spark 30:19
And let me ask Corey, the very same question where, you know, and you probably have a lot of visibility into with your work as well. Where are you seeing the greatest threats at this point?
Corey Thomas 30:31
And so when I look at threats of change that much, I would say, the fear side of the equation, I think we are nailed it one additional one, that in some ways, it's the follow on of the SolarWinds, which is I worry a lot about the control aspects of it. And not just the espionage, not just the economic because again, even for nation states, and cyber criminals, the economic aspect is huge. I worry increasingly about the control aspects. And what does, I remember sitting down with folks in the city of Atlanta when they were sort of like waffles and steel. And the implications of that, and thinking about sort of like, our supply chains out logistics. So we have, we've seen instances, that should actually raise concerns, but we haven't seen it, do the damage, that's potential. So that's where my personal worry is on one side of the equation. The other side of the equation, I would just say it's worthwhile, I'm saying, keeping in mind is that we talk about ransomware a lot, is I spent more time in the last six months with community hospitals that have actually been hit,
Lior Div 31:41
you just see the
Corey Thomas 31:44
just the disastrous impacts of those things and what they have on communities, and it actually has real consequences. We sometimes say it's just sort of like economic. But there's real consequences happening today.
David Spark 31:57
These things are manageable in some ways, but it definitely hit our no and very good point. And we're gonna, and especially healthcare, when essentially, bit we talked about what bytes hit, you know, selves and physical atoms to, you know, bytes to sell to atoms to cells, essentially, the progression, and that's when things get very, very scary. Let's, we're gonna end this on a bit of try to end this on a positive note before the questions which may bring us around again. But here, I want to know, and I actually asked this question of the community too, I want to know what's working well, in cybersecurity, what are we doing both in the government sector and the private sector that you feel is doing well, and I want everybody coming from this? And then second, you know, attached to that, like, how can we promote with doing things well, so that every time a story comes out in cybersecurity, it isn't the who screwed up story. Or, you know, that we can say, hey, they're doing well, like, how can we promote the positive angles of how we're doing? Well, like, you know, police forces promote positive angles too, although they get negative as well. But we want that in this kind of the same way in the cybersecurity space. So let me start with you, Michael.
Michael Daniel 33:12
I mean, I think there's a couple of things that you can actually point to, not the least of which and I think we should not undervalue the fact that we don't have to go around trying to convince people that cybersecurity is a worthwhile national security problem, and that it belongs in the boardroom. I mean, even as recently, as you know, 2012 when I came on board as the White House cybersecurity coordinator, I was still having to convince people in the West Wing and across the government that cybersecurity was a topic that belonged in the Sit Room, in the White House Situation Room. It's unimaginable today. I mean, I know Corey has talked about this in CTA meetings where it used to be, it was an uphill slog to get boards to pay attention to cybersecurity, we would not have that problem anymore. And that's actually a huge, a huge step forward. I would say the other piece is that, and you see the beginnings of how the industry through working through different intermediary groups and things like CTA, you know, the industry came together to form CTA and, you know, work it is a membership association and use that to actually work as an intermediary with governments and others, you can begin to see the outlines of these new types of organizations emerging to deal with these new types of problems. And I think that that's a very positive step for that, as well.
David Spark 34:32
All right, and Theresa, what say you in terms of what we're doing positive, how we can tell a positive story about cybersecurity?
Theresa Payton 34:40
Yeah, I mean, everything Michael said I completely agree with and I would say a couple of things just from an industry profession. The industry profession used to be much more exclusive. It was very focused on certain pedigrees, certifications and backgrounds and if you didn't have that, you weren't in the club, so to speak, and the industry has really expanded to be incredibly open, and we're getting much better problem solving sets as a result and much better offensive capabilities as a result. So that runs the gamut from you don't have to have a college degree to, uh, you know, everybody is welcome, that is a, you know, just sort of the tenacious problem solver. So, that's really a positive thing is to see the diversity and the variety of different skill sets that have entered into the profession. I would also say that we have matured in our thinking as a profession around where we can add business value and mission set value. So very much it used to be the security team was the team that was telling everybody No, and they were like the last little speed bump, everybody had to try and speed over, hopefully, to get to production. And I say that as a reformed CIO. And so which I'll refer to myself, right and no, no, I got to get to production. So what can I get away? You know, what can I do? What's the bare minimum I can do. And so that has changed because our relationships to the mission set have changed. And we realized that it's not our job, right? The job is enablement. And actually not being just a compliance checklist, but actually creating trust and confidence in digital transactions like that we've really changed the mindset there. And then I would also say that as it relates to, because it's really people at the end of the day, so yeah, we're big tech systems are protecting data. We're protecting critical infrastructure. But why? Because it impacts people's lives.
And so the other thing that I've seen is sort of at that nexus point of physical security, intelligence operations, and cyber security. Not only are we doing more for the greater good around critical infrastructure, protecting businesses, and protecting government organizations, but we're also finding the skill sets to help the weakest among us. So ending human trafficking, ending child exploitation, helping solve fraud trends. So I started off on the front side of things, right. So how we're able to kind of take our profession, and actually make it do more for a wider range of needs in the world. And so I think those are a lot of the things that are going right.
David Spark 37:31
All right. Let me, I want a last answer from Lior and Corey on this, then want to get to the questions. So let me throw this to you. Thank you being the both of you are CEOs of your organizations. Maybe you do this already. Maybe you're already sort of telling positive stories to your own staff, to your clients, to the world. What is the thing that we're all doing right? I'll start with you, Lior.
Lior Div 37:57
Yeah, I think that the first, I don't, I agree with everybody that we don't need to convince anybody that the reason major cyber security call, and we need to do something. But I was very pleased with the reaction of the government for the last sole. Instead of finding somebody to blame or pointing the finger, they asked for people to testify, sorry, in front of them, and asking them, what can we do more, what we can learn. So I think that the fact that the government decided not to punish anybody, is actually to try to make it almost comfortable for people to talk about it and put it out there, with the understanding that we have to fight against it together as an industry, as a government, with universities, with everybody. And I think that that was a very, very positive sign from my point of view, because basically, I'm on a quest right now, to push everybody in closing, push everybody on losing ourselves to do more, because I think people will do more together, we can be any tool start pointing fingers, it's not gonna happen.
David Spark 39:06
Corey, you got the last word on this, and then we'll go to questions.
Corey Thomas 39:10
Get two quick things. One, I think the government is improving its capacity to make policy. And I would say, you know, policy was a barrier before in lots of ways. And people are steadily getting smarter and smarter because you're actually getting more time. Next up. So I look at something like the vulnerability disclosure policies, which have come a long way in improving transparency. We're making progress there. And if we continue to trend actually make that to the point though, made earlier we'll have the government playing the right role, especially when it comes to policy. The second thing that I would actually point out is digital transformation is an opportunity to be a bit, it's off to a good start. And the reason I say that is that I'm impressed with when people are starting new projects, about how they're thinking about security as the front end of the system. And again, it's universal, but it's definitely a distinct difference from what it was when people started the project, even five years ago, and I think that's a positive thing.
David Spark 40:07
Yeah. I mean, just the fact that well, the whole shift left mentality that is now sort of becoming more and more standard, rather than because they realized the detriment of not doing what you just said. Alright. We got questions that have just rolled in, but please either raise your hand if you want to actually ask the question, or you can just type it in outside. But we'd love to hear from you. Either way. The first one from Tom Foremski. Hello, Tom, could they hear from you and see you or I could just see your name? Here's his question. I'm gonna throw this one to you, Lior. What should we do about foreign vendors, such as the Chinese who are known to spy on US companies? But also, what about Israeli vendors when Israel has been known to spy on US companies? And the government? What's a? Yeah,
Lior Div 40:55
So I think that to keep thinking that we can keep things out. Okay. This is something that maybe it worked as Michael, say, in the physical world, you can create a wall and the good is inside and the bad is outside. But this is almost irrelevant anymore. Okay. I know that we really want to try to do that. But it's irrelevant. I think that the Chinese and the Russian managed to prove that they can spy, even if they are inside the system, or even if they're not inside the system. So just in the last weekend, the Chinese showed us how they have access to every cent server that Microsoft developed. So now we're not going to use Microsoft. So I think that we have to adopt this mindset of understanding that the days that we can create a line and say, This is good, this is bad, I'm only going to use that thing. Those days are gone, we have to assume that everything is going to go we have to assume that very sophisticated attacker will be able to pass no matter what you're going to put in front of them. And you have to give away we
Tom Foremski 42:00
still have we still live in the world. Yesterday, was tenses. Nations about countries, and this is what we're doing in terms of like with Huawei, for example. And so on. So yes, in actual practice, that your source files don't exist. However, they do exist in the minds of our governments and politicians. And the actions have been so
David Spark 42:28
Corey, you want to speak up on that? Let me just add, if it's cool for you to Tom, to add to your question, what we think is as ethical and what we think we should do, speaking for the US government is not necessarily translated to every country in the world, like everyone had kind of has their own policies of privacy and things like European privacy issues, or are more secure than ours are more stringent permission to query Go ahead. Yeah.
Corey Thomas 42:54
You started off on it is, yes, it's true, that people that are opposed and allies spy, and we do it too, by the way. I think though, what the opportunity you have is, I do think that we should actually look at what software we allow in but use that as one of the tools to actually improve international courts and international agreements, because I didn't want in the areas that we're actually falling down is that we
Lior Div 43:21
Corey Thomas 43:22
we are enabling a link in the ecosystem from a lack of leadership, where every country is bespoke approaching their own standards for cybersecurity around the world. And I do think there is an opportunity for leadership specifically from the US more of it than what we've seen in the last several years about how we actually approach those international standards. And part of that, then, is the ability to say that countries that actually have a basic set of standards that we agree on, allow each other to trade. That's an old school trade, some like model of engagement, and I think it can certainly leverage here.
Michael Daniel 43:58
And I'll just, I mean, I'll just add to that, you know, countries also evolved in their thinking over time, I find it quite fascinating that, you know, the Chinese have actually shown much more willingness to engage on questions of intellectual property theft over the last few years. And why is that? Because it is actually starting to come out that Vietnam and Malaysia and Indonesia are spying on China and stealing their intellectual property, because all of a sudden, China has intellectual property that people want to deal with. And suddenly, they're much more interested in protecting that intellectual property. You can leverage that, we can leverage that as the US in our negotiations with them because they now have an interest to stake in that system, and I think when you think about the international space, you can never separate the cyber issues from the broader geopolitical issues. We don't have a cyber problem with Russia. We've got a Russia issue, right? We don't have a cyber problem with China. We've got a China issue. And you have to put it back into those broader geopolitical contexts in order to actually deal with it, in order to deal with it persuasively.
David Spark 45:11
Alright, I'm just gonna make a recode. Theresa, let you answer, I just want to make a call out to all the journalists that are online right now, please raise your hand or type a question in if you've got a question. And I know Tom has another one loaded. Theresa, what was your answer? Yeah,
Theresa Payton 45:25
I mean, just in complete agreement with my fellow panelists here. And I just add a couple things. Tom, I would love to see the Biden administration do and based on the people he's been choosing, so far, I do think he is setting sort of the chessboard to do this is to go after those international courts, as Corey mentioned, and but in such a way that we go with our allies. And we actually have a conversation around what constitutes a cybercrime against private sector enterprises, against individuals like the stealing of identities to commit identity theft, or to package it and sell it for identity theft, cryptocurrency mining on other people's infrastructure. So really, truly starting to define sort of the what defines a cybercrime, what defines cyber espionage against governments and actually coming up with those reports, just like we have in the kinetic sense, right. So everybody knows, you know, you spy on your enemies, and you just keep track of your good friends, right. And so we should come up with those accords in the cyber realm, they should be updated on a regular basis as technology and capabilities change. And also, we need to change the conversation because you notice, Tom, that when a breach comes out, and attribution is very thoughtfully done, either by the FBI or the military, or a private sector cybersecurity company. You notice if we point the finger at the nation states, what's the first thing they do? They deny it? And they said, We don't condone it? Well, as part of these accords, we need to say, it's not enough to say don't condone it, you must condemn it. And there must be a legal proceeding that happens when we find these things. And if not, then that's where we go back to what's the right thing to do here. As Michael said, you know, it's a relationship problem, not a cyber problem. And so what's the right course of action?
David Spark 47:28
It's a good point, like when we see China hacked, and they literally identified the building where the hacks are coming from. And it's not a condone, it's not like, Oh, well, then we'll get on it. Not that focused on it. We actually funded that building. I mean, see how this happened. Let me go to the to Tom, second question here. The nation states are focused only on attack. And then those advanced malware developments leak into the world and are used by criminals such as in the rising ransomware driven by ad enables billions of dollars incredible. Thanks to the malware developed by our own government, hackers, chickens come home to roost, the criminals don't need to do any of their own r&d. They get it for free from the government. Let me add to your question, Tom, it's not just that, as we know, we've seen ransomware as a service, so you can just pay for it. And anybody with low morals can pay for this. So Tom's question is, how do we get out of this conundrum of third, Juilliard first.
Lior Div 48:31
So first of all, we have to understand that people will, it's like there is a new dimension right now. And there is a great way to make money by doing the ransom. And by the way, a ransomware report from a single ransomware to a double extortion, that they're not just encrypting your files, but they are sifting through the files, finding the interesting stuff, and saying, if you're not going to pay us, we're going to release to the world so that we have to understand that there is a whole economy around ransomware and criminal understood that this is a great way to make money. Okay. So once the economic incentive is in the process, what we should expect is that thing will keep evolve, as they want to make more money. So it's
Tom Foremski 49:12
technology was developed by nation states to attack each other. And now it's being used by criminals to make a lot of money again, this is one of us. sifting through that data that might take a lot of people. I mean, we face a big operation, but fundamentally is made possible by hackers. You know, it's being used back against us.
David Spark 49:43
isn't the only source time I mean, we hear many sources. Yeah.
Lior Div 49:47
And I think that this is, it's true. If we're talking about government, 20 years ago, government understood that they can leverage those technology in order to do espionage and develop it so they were ahead the past like 20 years. But I think that right now, there is a whole ecosystem in China, you can learn in the university, how to develop a malware, you don't need to go to the government over there. So it's like, I think that we have to understand that these dimensions, it's not something that it's going to go away. It's the genie's out of the box, and it's running. So and we have to do something about it. Yeah,
Corey Thomas 50:24
I do. I do think to Tom's point, though, is that we can insured, and I think we are doing right now a better job of protecting our own sources and technologies there. I that's one of the underlying questions. So I would say yes, you know, every country has probably, I'm not gonna argue, political philosophy, but every country is gonna do espionage and fields as part of their charter to actually gather intelligence. But that doesn't mean that you actually have to make that intelligence not secure or broadly available. And I would say that if people are aware of that, and have learned the lesson, that doesn't mean it won't happen again. But I think there's probably even stronger measures being taken. But I do agree with your point is that that's still the minority of the stuff that's actually out there compromising people, so I wouldn't over focus on it either.
David Spark 51:15
Alright, I know we have two questions right now, Jennifer. So Ronnie, do you want to speak up and ask your question? myself
there. Hi, everyone.
Jennifer Zarate 51:26
Thanks again, for having me on today. But I'd love to bring the channel into the conversation. You know, what are you doing differently with channel partners? Or what conversations are you having? You know, as we talk about the need to double down on the nation cybersecurity events,
Lior Div 51:41
I can say one thing, I switch my whole business and corporate role, we can talk about
Tom Foremski 51:45
Lior Div 51:46
well. But my whole business 100% of everything that I'm doing, I've been with chunks. We have a value in the company when as one, we believe that together, we can change. Many things are not alone. And that's the reason that we switch the business model. And we're going after those channels with them to distribute, of course, it's it's beneficial financially. But more importantly, it's enable us to really push, for example, the ransomware solutions that we do have those hospitals, although of those people that need it out there.
David Spark 52:20
Corey Thomas 52:22
So we've had a significant expansion, and we're scaling that expansion and, and the bottom line is that only the very largest companies can actually maintain the workforce. People need help of companies like Theresa's who actually have skills and expertise. They need expertise, and they need the capacity. And so what we have done is we've actually really shifted our focus, though, to actually doubling down and increasing our investment in organizations that are less about distribution. Because you know, we believe we can do distribution well, and much more about customer helping customers and organizations get value, and manage your cyber security and get a good response. And so we're shifting like our economics and our incentives to say like, it's not just about did you sell it to them? The same way that we hold our company accountable? And then they, where they deploy, where they deploy? Well, are they meeting their success? criterias what's the meet, you know, my talk my mean time to response. And so we're in the process of shifting our whole ecosystem that says it's not just about companies and vendors like mine, and channel partners, we're so long focused on distribution, and not enough focus on like, what we actually helping our customers manage their cybersecurity effectively. And that's probably the biggest change. We're shifting all of our dollars about the effectiveness of management, cybersecurity.
David Spark 53:40
I have a question that came in from Lita, and she has the Biden administration is signaling that antitrust is going to be a focus. Do you think the antitrust focus may have an impact on the security industry? What's up? Michael?
Michael Daniel 53:57
Yeah, I can take this one. In running CTA, I have ended up learning more about US and European antitrust law than I ever wanted to know. I can just tell you that right up.
David Spark 54:09
So tell us what you do know.
Michael Daniel 54:11
Yes. I think that the I think that that is a concern. Yes. But I also think that the government has already clearly, you know, set out very clear boundaries, and has said if you are sharing, for example, information related to what the bad guys are doing, that's not a violation of antitrust statutes. If you are sharing information about how you're going to disrupt what the bad guys are doing, that's not a violation of antitrust statutes. And so I think as long as the cybersecurity industry is clear about that, what you're not going to share is pricing. product information. You have all this stuff. They wouldn't want to share it anyway. Because it's about, you know, the competitive nature, then I don't think that antitrust concerns are going to end up being a huge problem for the collaboration in the industry that we need to do. We just do need to be mindful of it and make sure that we have those guardrails in place. All right.
Theresa Payton 55:19
Yeah, Michael, that was really spot on. And thank you for that. Because that I just, I took away a few nuggets for myself on that. And if I could just pivot a little bit on that question, because when you think about the antitrust that's also being discussed for big tech and social media. My concern there is, some of the governance requirements that may come out of any type of antitrust or legislation will create a situation very onerous for any kind of startups to beat. So they're either going to be out of compliance, or they're gonna die under the burden of compliance with any type of antitrust that comes out. Additionally, as the tech and social media respond, necessarily to antitrust to look at what's in their best interest for the shareholders, the board and the users. That's going to be money they're not spending on cybersecurity. So I do have some concerns around we're antitrust alien that may not have been in your question, but I just thought Michael's answer was so perfect. I've nothing to add to what Michael said. But just a little pivot, I do have some concerns that antitrust movement, although it's welcome conversation, and it's something that needs to be discussed, which is great about America is that we can discuss this and then make a decision about what's right. I do have some concerns. It's a distraction.
David Spark 56:43
The point. All right, we are at the end of the hour. And I want to thank my guests, and all the journalists who came and joined us today. Thank you so much. If you have any follow up you'd like to do I would start with Christine. I think she can quote coordinate all of this. But let me just quickly thank my panel here. Lior Div, CEO of Cybereason. Theresa Payton, CEO over at Fortalice. Corey Thomas, CEO of Rapid7. And finally, Michael Daniel, the CEO over at the Cyber Threat Alliance. Thank you, everybody for participating. I hope it was valuable for you. I got a lot of it. And by the way, great, great insight across the board. Thank you.
Christine Ellsworth 57:19
Thank you so much, everyone. Appreciate taking the time for us today. Have a good one. Bye.
The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.