Cyber intruders have become a fact of life, and not just for the consumer whose identity is stolen. U.S. partners, public companies and utilities, private industries, government agencies and small businesses in a company’s supply chain all are potential cyber targets.
The University of Texas San Antonio hosted the first ever North American Cybersecurity Summit at the suggestion of the Canadian Consulate and included the participation of Sara Wilshaw, consul general of Canada, and Marcos Arturo Rosales Garcia, chief commissioner of the Mexican Federal Police. Congressman Will Hurd also presented, alongside Wilshaw and Rosales, perspectives on the North American partnership in place to address the cyber security threat.
“The relationship between Canada, the U.S. and Mexico has grown in cooperation because cyber security is important to all three nations,” said J. Tullos Wells, honorary consul to Canada, in his opening remarks.
“In putting together this first North American cybersecurity summit, UTSA is paying attention to what our society needs,” added Dr. John Frederick, UTSA Provost.
Congressman Hurd talked about the impact of the Juniper breach on national security and businesses. Unauthorized “backdoor” code was discovered on computer network equipment and routers Juniper Networks sells to big companies and U.S. government clients. That backdoor code could have given hackers access to the encrypted communications of U.S. government agencies and private companies for the past three years.
“I think we need to balance protecting civil liberties and critical infrastructure and defend against cyber adversaries,” said Hurd. “The federal government should do everything it can to share what it knows with private industry to enable businesses to protect themselves.”
The Obama administration is working on an encryption policy, but it is unclear whether it will call for stronger encryption or ask businesses to consider including backdoor code to facilitate law enforcement investigation should it be necessary.
“The major national security issue for 2016 will be encryption,” Hurd said. “It is important to the national security of all three countries as well as to the commerce in those three countries.”
The next two speakers addressed cyber security information sharing and collaboration efforts from the Canadian and Mexican perspectives.
Wilshaw spoke on the U.S.-Canadian Joint Cybersecurity Action Plan, a coordinated approach between the U.S. Department of Homeland Security and Public Safety Canada to enhance the resiliency of mutual cyber infrastructure. The information sharing at the operational and strategic levels spans across public and private sectors.
“Cyber security threats have the potential to impact every single aspect of the North American relationship,” stressed Sara Wilshaw. “Cyber threats know no borders.”
Chief Commissioner Rosales García talked about how the U.S.-Mexico National Center for Cyber Incidents Response fits into Mexico’s overall national strategy, which includes cyber security for the first time. Not only does Mexico coordinate cyber incident response with the U.S. on relevant cyber attacks, CERT-MX also shares information with the private sector, institutionalizing information-sharing between the public and private sector in Mexico.
Two moderated discussion panels completed the UTSA summit. Participants in the first panel talked about the cybersecurity challenges facing critical infrastructure. The need for information sharing across the public-private spectrum, as well as across the borders the U.S. shares with Canada and Mexico, was a recurrent theme.
“The (Canadian) electric grid developed in tightly connected regional networks over time, as the population centers grew,” said Francis Bradley, chief operating officer for the Canadian Electricity Association. “So a power grid outage in Boston affects Toronto, while Vancouver’s grid is connected to the one in the Seattle-Portland market.”
The cybersecurity threat is also evolving rapidly, as evidenced by the BlackEnergy malware behind the December 2015 power outage in Ukraine. Interdependencies like the U.S.-Canadian power grid reveal the need to share information so all sectors can prepare for more resilient infrastructure.
“Kilowatts don’t carry a passport,” said Bradley.
Another way the cyber threat has changed is the use of indirect attacks where hackers use compromised data, such as login credentials from individuals or smaller companies within a supply chain. This was the approach used to access customer data in the 2014 Target breach. Because hackers look for the weakest link in cyber defenses, operations technology (OT) must be integrated with the information technology (IT) platform in any public entity or private company.
“We must have an enterprise level view of integration between IT and OT,” Greg Sarich, chief information officer for CPS Energy explained. “Cyber security is a critical business issue. It is not a small investment, but it has to become a priority.”
“The next stage is to automate intel sharing so that response is immediate,” Mark Hernandez of the Zachry Group said. “Companies need outside resources and perspectives to develop a comprehensive response plan because an attack will not be just a one-time event. We’re still too slow to respond.”
The statistics on how slow the cyber attack response time can be were sobering. Dan Scali’s Mandiant company works with businesses responding to cyber attacks. His company’s data revealed only 30% of companies detected the cyber intrusion in-house.
The other 70% of companies first found out about the cyber attack from an outside information source, such as the FBI. The average time to detect a cyber intrusion was 205 days. The longest time to make the discovery was eight years.
Will Garrett, director of CyberSecurity San Antonio for the San Antonio Chamber of Commerce, moderated the last panel exploring ways to enhance North American competitiveness through collaboration within the commercial sector.
“What you saw in the OPM breach was a failure to identify the most critical assets in the agency and then failing to take the steps to safeguard all that data,” Dr. David Read of CGI emphasized. “If you own an industry, then your critical assets are those industrial control systems that will lose you money if they stop working. Preventing access to industrial control systems will be a good place to start.”
Ransomware was also discussed as an emerging cyber threat, as well as simpler ways to fool people into clicking onto a malicious link.
“Technology can’t protect your company if employees allow themselves to be ‘pwned,’ or fooled by a hacker,” Tom Pruszkowski from Mandiant explained. “Education will be key to helping small business and larger companies alike to protect themselves from ‘human engineered’ methods.”
Dr. Greg White closed the summit by telling the audience about the 2015 Department of Homeland Security grant awarded to UTSA to create the Information Sharing and Analysis Organizations Standards Organization. The University will create standards to assist cybersecurity information sharing and analysis organizations that will support collaboration within the private sector and between the private sector and government.
The University will also work with existing information sharing organizations, owners and operators of critical infrastructure, federal agencies, and other public and private sector stakeholders to identify a common set of voluntary standards or guidelines for the creation and functioning of cyber security ISAOs.
UTSA will next host an all-day conference March 17 on cyber security insider threats. For more information, contact Jim Henderson, at (888) 363-7241 or firstname.lastname@example.org.
*Top image: Congressman Will Hurd talks with attendees during the 2016 North American Cybersecurity Summit. Photo by Scott Ball.