Can public/private partnerships prevent a Cyber Pearl Harbor?

Dave Bittner: Hello everyone and welcome to CyberWire-X, a series of specials where we highlight important security topics affecting organizations around the world. I'm Dave Bittner. Today's episode is titled "Can public private partnerships prevent a cyber Pearl Harbor?" For many years public and private sector cybersecurity experts have warned of a large scale, massively impactful cyberattack on critical infrastructure. Whether you call it a cyber doomsday, a cyber extinction or, as former Defense Secretary Leon Panetta termed it, a cyber Pearl Harbor, this notion of a catastrophic cyber event understandably captures the imagination of both cybersecurity professionals and the general public. But, given the history of nation state cyberattacks and the current global political situation in which we find ourselves, is the notion of a cyber Pear Harbor still a useful analogy or is it breathless hype good for generating clicks and selling cyber defense services, but no longer reflective of the way real world cyber conflict is likely to play out?

Dave Bittner: In this episode of CyberWire-X, our guests will discuss the benefits of public private partnerships for cybersecurity, the roles of each and how the threat of a cyber Pearl Harbor informs the priorities of both. Joining us today are three experts with a spectrum of opinions on the topic. We begin the show with my conversation with Keith Mularski, Managing Director for Cybersecurity Consulting at EY. Later in the show we're joined by Robert M. Lee, CEO of industrial control system security company Dragos. And we'll conclude our discussion with Egon Rinderer, Global Vice President of Technology and Federal CTO at Tanium, the sponsors of this show.

Dave Bittner: A program note, each CyberWire-X special features two segments. In the first part of the show we'll hear from industry experts on the topic at hand and in the second part we'll hear from our show sponsor for their point of view. And speaking of sponsors, here's a word from our sponsor Tanium.

Dave Bittner: Today, we rely on endpoints for everything from remote work to mobile banking, telemedicine and online learning. That's why managing and securing these endpoints has never been more important. Tanium provides endpoint management and security built for the world's most demanding IT environments, providing real time visibility, comprehensive control and rapid response for endpoints across distributed operations. That's why all six branches of the US Armed Forces and half of the Fortune 100 trust Tanium to secure and manage their IT operations. Want to try it for yourself? Visit tanium.com/cyberwire to get a 14 day free trial of Tanium as a service. That's tanium.com/cyberwire. And we thank Tanium for sponsoring our show.

Dave Bittner: Keith Mularski is Managing Director for Cybersecurity Consulting at EY. Prior to joining EY, he served as Cyber Unit Chief with the FBI, where he was responsible for developing and facilitating global cyber operations, including the infiltration and strategic targeting of the most prominent international cyber crime actors and organizations and leveraging relationships with law enforcement and private sector partners.

Keith Mularski: Well, it actually kind of started with the FBI and the public private alliance in Pittsburgh, where, where I'm located and I was fortunate to kind of be on the ground floor of that and kind of, it just kind of started organically. You know, my, my first boss, his name was Dan Larkin, and he was the Cyber Su-- Supervisor at the FBI's Pittsburgh office. So, he said, "Let's-- Can we just kind of get things together and have a place where we could share information?" So, he started talking to some of the lawyers at the Department of Justice and they said, "Well, what you want to do is set up, you know, a non-profit, a 501(3)(C)," and then have this neutral space where people can kind of come and share.

Keith Mularski: He formed, at that time and it's still called, the National Cyber Forensic And Training Alliance. It was kind of based on the framework that they, they used down in West Virginia at the National White Collar Crime Center and also the Internet Fraud Complaint Center, just having that non-profit where people can share information.

Dave Bittner: So, I mean, in your experience when, when someone reaches out from an organization like the FBI, are most people welcoming to that? Is, is there skepticism or how do you, how do you go about building the trust?

Keith Mularski: Sure. And, and that's, that's a big thing because, you know, people don't-- they don't want to give their information to the government. You know, we always had a joke as, you know, we would come and say, "Hey, we're from the government and we're here to help," and people would laugh. You know, so, so, what we found that was really important was you kind of had to go in with a theme that was affecting people. So, the first project that we started there at the NCFTA was a project called Anti Spam and at that time spam was getting to be a, a real big problem with legitimate mailing. So, you know, the Direct Marketing Association was saying, "Hey, we can't do effective legitimate adverti-- you know, via email." So, we found out there was just a lot of white hat, you know, hackers out there, or just, just white hats in general, that just wanted to clean up the Internet.

Keith Mularski: So we brought everybody together under that one topic with anti spam, to kind of first start sharing that information and we found out that industry was collecting a lot of information, you know, on who the bad actors were out there and so, from the government, we were kind of able to look at it and say, "Hey, well, with spam there's, you know, wire fraud involved. There could be, you know, some phishing related to that. So, you know, there could be violations of, you know, 1030 and 1028, US Code Violations 1030 and 1028 and 1029." So we were, like, "Well, we can, we can make cases off of this," you know, from the intelligence that private industry was collecting. So we found out that it was really important when, when you set these up, to really kind of go in with a, really a, a project in something that you wanted to accomplish.

Dave Bittner: And, and what does each side get out of these sorts of arrangements? I mean, what's the-- what, what are the benefits for them?

Keith Mularski: Well, from the government, I think it's just fantastic because, you know, unlike any other crime that the government investigates, really industry has just as much, if not sometimes better, information on the threat actors than the government does. When you think about it, the, the bad guys for the most part, they're not attacking the government. You know, they're attacking private industry to try to steal, you know, secrets or, you know, for financial gain. So industry is really at that tip of the spear of seeing the new, you know, tactics and procedures being used by the threat actors and then adjusting to that. So, the government really, you know, although they have great collection on certain things, they don't see that as much. So, to have industry being able to provide that on certain threat groups is just, you know, outstanding from a government standpoint.

Keith Mularski: And then from an industry standpoint, one is knowing that their, their data is going to good use, that the government is going to go after these threat actors to either disrupt or arrest them, you know, just knowing that the data that they've collected is going towards a good cause is a lot of times a big thing for industry.

Dave Bittner: I, I want to touch on this notion of a cyber Pearl Harbor, which is sort of a, I don't know, it's a notion that's-- that I think resonates with a lot of people, this notion that we could have a, a cyber event similar to what we experienced with Pearl Harbor before World War II. First of all, I mean, do, do you think that that, that is a useful metaphor? Do you think that that sort of imagery works in, in the cyber realm?

Keith Mularski: I think so. And I think people have always, you know, talked about either a cyber Pearl Harbor or a cyber 9/11. That, you know, is their biggest, you know, fear out there and, and I think, you know, you have to share information, you know, effectively between private industry and, you know, the government, in order to make sure that you're really seeing what you think you're seeing out there, you know, that there are no stones left unturned and, you know, and everybody is-- really has the complete picture on what the threat is out there. Because these threats, as you know, they, they change daily and, and you need to be able to respond very quickly and for the cyber threat, no one agency can, can do it all. So it really takes, you know, a whole government and really, you know, a whole of industry approach to really identify what the threats are out there, making sure that you're sharing that information and that people know what those threats are, so they can craft defenses or pivot, you know, to make sure that you thwart any of these type of attacks.

Dave Bittner: Robert M. Lee is CEO at Dragos, a cybersecurity firm focused on protecting industrial control systems. Prior to forming Dragos, Rob served as a Cyber Warfare Operations Officer in the US Air Force.

Dave Bittner: The whole notion of a, of a cyber Pearl Harbor, a cyber 9/11, you know, I think those are the two that you hear talked about the most, is that-- the point at where we are right now, are, are those still useful metaphors?

Robert Lee: No. And I don't want to critique the inception of those metaphors when, I think it was, like, Richard Clarke and folks were using those terms. I think it was him. He might yell at me if it wasn't. But a smart guy. When he and folks were using those terms, I think they were speaking to a largely technical and cybersecurity illiterate audience, whether it be directly to the President or also to Senate members and similar that weren't as tuned into the story. And in a conversation to illicit the-- there could be this kind of impact through cyber, I don't actually critique that too much. I don't-- I never use those terms, I've never liked those terms but in communicating impact to a non-technical audience at the time, I, I think it would be difficult to truly critique that, without some major hindsight bias.

Robert Lee: Nowadays we have much more literate cybersecurity staffers in Congress and the Senate. You have some of your senators and congressmen themselves that are fairly literate on the topic. You have more cybersecurity expertise in government than you've ever had before at the senior and executive levels. I don't think that it is as useful. And your public is hyper aware of the topic of cybersecurity where, you know, everything from election, you know, influence to hacking the Democratic National Convention to whatever, even sort of Mom and Pop have heard cybersecurity. Okay, bad people can do things to us over the Internet. There's some, at least, familiarity with it, but I think the sort of drawing on Pearl Harbor, 9/11, these kind of things, now more than ever, is overplayed and we've got to be careful on how we communicate the nuance to a wide audience of what we're actually referring to, such as the massive exfiltration of intellectual property of, of our next generation, related to everything from aerospace, you know, aircraft to intellectual property, manufacturing and chemical production.

Robert Lee: I mean, that theft is, is going to impact our country for the next 20 years, much larger than, than any single event. But expecting some massive single event actually deters people from thinking about what's happening today.

Dave Bittner: Hm. So, what do you suppose a, a useful message is? How do we, how do we dial in the appropriate level of concern, vigilance, however you want to describe it?

Robert Lee: Yeah. I think that number one, we really need to be careful when we use military terminology. I see so many folks who went, "We're at cyber war," and they've, they've fallen in love with that term. Some will argue it doesn't exist. Some will argue that we've seen every bit of proof of it. But when you start invoking military terms, this is at war, and we have, you know, conflict and here's this armed conflict taking place, you invoke a Department of Defense who is very well versed in war and you start getting a polarization of the field. You start seeing government want to bring to bear its powers as it relates to conflict. You get sort of missing the point, which is not to try to categorize this in any one thing.

Robert Lee: This isn't just crime. This just-- isn't just state activity. This isn't something that's easily parsed into any one field. It's a unique field of its own. And I think it's much more appropriate to explain to companies that there are risks that they have by operating companies, cybersecurity is one of those risks, and that if they'd like to mitigate that risk, they're going to have to take a variety of compensating controls to mitigate that risk and, in partnership with both private sector partners, as well as government partners, for when those roles and responsibilities overlap. We just need to speak cleanly and clearly about what the risks are and how we need to mitigate them and that's plenty for today's Board of Directors members, as an example, at the executive level of these companies.

Dave Bittner: Hm. But what about-- I mean, it seems to me, like, you know, the government is uniquely equipped to provide guidelines, you know, things like NIST publications, you know, the publication 800 series or things like that, you know, the FIPS, you know, those sorts of things that is in that government lane, that then the private sector-- to put the guard rails on the private sector. I'm thinking of the sort of push and pull between those two things.

Robert Lee: Absolutely. And so, are they uniquely equipped to know what should be in the standards? No. Most of the insights in cybersecurity are coming from the front line companies that are dealing with the attacks or their service companies that are helping them respond to them, doing intrusion analysis, getting intel, understanding adversary tradecraft etc. But should the government be the one calling for the quorum and saying, "Hey, let's all come together and quantify this and we'll put the guard rails up and we think this is actually appropriate?" Yes. I remember my guidance to CSA when it stood up, my guidance was you're going to get asked by Congress to do a lot of things. You're going to get told you're responsible for a lot of things and everyone is going to judge you at the end for doing 70% across the board peanut butter spread. What you should do is pick, like, two or three things you want to be successful at and go do it.

Robert Lee: So, to plainly state kind of a summarization of what you prompted with, the government has the ability to amplify, the government has the ability to help fund and influence and the government has the ability to regulate and the government has the ability to create partnerships and ecosystems. Those are great areas for it to focus on. The Department of Energy has done an exceptionally good job of creating an eco-ship of collaboration in the electric sector. The Department of Homeland Security, Department of Energy co-created with the electric companies the Electric Sector Coordinating Council. They meet multiple times a year with board objectives as it relates to national security, as well as private sector needs, between government and private sector, with all of their industry partners along there at a CEO level that sets strategy and has influence across the sector. Well done! Like, that's what winning looks like.

Dave Bittner: Egon Rinderer is Global Vice President of Technology and Federal CTO at Tanium, our show sponsors, an endpoint security and systems management company.

Egon Rinderer: I mean, I think it's a blend of probably a little bit of reality and a little bit of media influence and a, a whole lot of experience, frankly. You know, we have-- we've learned over the years that this is definitely a, a game of leapfrog and it seems that as each year ticks by, we see the threat get substantially more serious and the investment that it takes to keep up with it, if you will, become greater. But I think the, the net result of that is that we don't feel safer over time. And so it's in the back of people's minds, we're sort of cognizant of the fact that there's going to be or, or at least there's a pretty high likelihood of some sort of major event. You know, again, that, you know, whether it will cataclysmic or whether it's a, a true Pearl Harbor scale attack, we don't know. But that's just it. We don't know. And in the absence of, of assuredness, I think it gives our minds the opportunity to kind of assume the worst and I think this is one of those areas, like, I, I never would want to be one of those people that aggrandizes the potential severity of something.

Egon Rinderer: But we also have to be honest with ourselves and understand that this is the new battle space. This is where wars are fought and it is, frankly, the, the path of easiest entry in terms of a, a large scale and very serious attack. And so we have to treat it as such.

Dave Bittner: You know, not, not to be all doom and gloom, but why don't we go through some of the potential scenarios that caught your eye. I mean, can we, can we kind of go through the spectrum from, you know, things that, I suppose, could be categorized as, as, you know, not much more than a nuisance to, as you say, you know, perhaps something more cataclysmic.

Egon Rinderer: Well, I think we deal with the nuisance things every day. I can't speak for anybody else, but I can tell you I have a pretty hefty collection of free credit monitoring services at this point from just the sheer number of breaches out there where my private information has gotten owned by somebody. And so, you know, as recompense for that, they, they dole out a little freebie here and there. It's a shame, frankly, like, it, it really does bother me that that falls in the category of nuisance, but it does. It doesn't have any substantive impact on my day-to-day life. And then you take that up a level and you start thinking about, you know, you, you put yourself in the shoes of the adversary, right? You want to inflict harm on a society. What are the things you do, right? And you start sort of escalating that and you start looking at, okay, how do I impact somebody's day-to-day life? Well, I can shut down normal services, right? So, maybe take down a, a non-critical infrastructure site.

Egon Rinderer: Shopping. You know, the ability payment card systems, that kind of thing. That puts a tremendous amount of pressure on businesses. You know, you think about the amount of revenue lost every minute that a large payment card system is down, something along those lines, and you start to think about it from the standpoint of financial warfare. You know, there's certainly precedents for that, historically. You know, going after a, a financial system it's just easier now. And then you take it up another step and you start looking at, okay, well, what about national critical infrastructure? Coincidentally, that's probably some of the poorest protected systems that we have out there, because of the, the density of legacy systems involved and the-- you know, a lot of those legacy systems at the time that they were fielded, there simply wasn't the kind of threat that there is today and, therefore, there weren't the security measures and in many cases the security measures that are needed just simply aren't possible.

Egon Rinderer: And then you take it up yet another level and you look on a nation state scale and you look at attacks against our government, against our DOD, against our ability to conduct mission and that's where it starts to get, frankly, pretty thought provoking, right? That's where-- and we really do, as a community, we need to spend some time on that in understanding what the real threat is and how we truly protect against that. And, hopefully, that's, that's why we're talking today.

Dave Bittner: Yeah, you know, I, I think that, that notion of uncertainty is, is really an important one. I think about how, you know, we recently just made it-- made our way through the elections and a lot of people, people leading up to it were saying that, you know, adversaries wouldn't necessarily have to change a lot of votes or take down the whole voting system, that, you know, if they were targeted and hit one or two areas, that, that could erode our confidence in the system and that could be enough to achieve what they were after. And I wonder if that's not true with other types of critical infrastructure? You know, if you, if you turn the lights off somewhere, well, does that have everyone looking over their shoulder wondering, "Hey, are we next?"

Egon Rinderer: That's right, that's right. You-- I think you've absolutely hit the nail on the head. You, you don't boil the ocean, you erode confidence. Exactly as you said it. And whether it's in our system of government or whether it's in our power distribution system, you, you look at the-- what will be. I don't think it is today, because not enough people are aware of it. But you think about for a moment the erosion of confidence and the erosion of trust that something like deepfakes can, can have on a society, the erosion of confidence and trust in the news media, that rampant misinformation campaigns on social media can have. It's-- Like, I, I really do believe we desperately, desperately underestimate the impact that that has on society. We're so focused on the outright and the overt attacks, that I think we tend to miss the more nuanced attacks like that.

Dave Bittner: Yeah. I, I tend to agree. I mean, I, I think of us as being kind of a-- in general being sort of a reactive species, you know? Things, things have to get really bad before we're able-- before we're willing to make changes when it comes to the big things. And I think that flows down to a lot of things, like what we're discussing today. Well, I mean, what are some of the potential solutions to this? How, how are folks coming together to say we can do a better job?

Egon Rinderer: Well, so here I'll just-- I'll tell you what I see, what observation. It would be really nice if I could say, "Gosh, it's, it's great how private sector and, and government have come together, are working in lockstep to solve this problem." But we're not-- like, the fact of the matter is we're not there yet. We are seeing progress, I think. We're certainly seeing progress in the private sector among organizations coming together within the private sector and working together. The World Economic Forum just recently released a, a nice document about how, like, not only within private sector, but private public too, can come together and work on these things. People are at least thinking about it and they're at least trying to make strides to do that.

Egon Rinderer: At the same time though, you get back to that issue of trust that we talked about and that erosion of trust and when you do-- when you broach the topic of bringing public, private together, like, the first thing people have to, to talk about is, well, in order to do this, we're going to have to share information. We're going to have to share data and the data that we collect is sensitive and then all of sudden you get into the problem of there's this innate mistrust, or distrust rather, between the private sector and public sector. You know, it's almost adversarial at times. And if you think about it, it makes sense. It goes back to human nature and the, the government's job is to put mandates on businesses and businesses sometimes don't like those mandates because they cost money and, right, there's this sort of natural tension that occurs.

Egon Rinderer: And then you have other issues where, you know, the government has had some, some black eyes over the years with regard to their handling of personal information on people and certainly the public sector. The private sector is not innocent of that either. But that idea of marrying the two up, it makes people very uncomfortable, I think. What we can do at a more macroscopic level though within the business world, and certainly within the vendor community, and this is something that I think we, we as the vendor community have to take very seriously, we're more than happy generally to, to continue churning out those compensating controls, right?

Egon Rinderer: "Yeah, that's-- you know, I totally understand your plight, Mr. Customer. You, you do a poor job of the basic block that you're tackling, but I have this new thing and it directly addresses that new threat that came out six months ago. And so, you know, give me your money and I'll give you this shiny thing." And it's an addiction. That is a disease within the private sector. Constantly chasing, you know, whatever the, the new niche product is for the new niche threat. All the while letting those baseline, you know, the basic hygiene, the blocking and tackling, the, the baseline controls, if you will, go untended and focusing our spend and our effort, our time and our energy on how to compensate for the fact that we do a poor job of those basic things.

Dave Bittner: Yeah. You know, I, I think about-- you know, when we talk about hygiene and it, it makes me think about public health efforts as a, as a comparison. You know, when you, you talk about something like, you know, eradicating smallpox or eradicating polio, you know, which is-- we're very close to eradicating polio. But it's hard. And when you, when you go down one of those paths, it's easy for people to say, "Well, that's-- I mean, that's too big a thing to take on. How, how are you poss-- That's going to take decades to fix that." But on the other side of it, you know, the world has no more smallpox. The world has no more polio. And I wonder, you know, is this, is this a similar sort of thing where it's going to take one of those long term efforts where people have to get together and say, you know, "Yes, this is a, this is a big job, but it's important and this-- the, the work on this job may outlast any of our individual careers, but it's still worth doing."

Egon Rinderer: Yeah. I could not agree more. And, and so here's the problem with that, I think, is that we in the case of the former, like, put this in context. It's not been that long ago that we were dealing with polio and that we were dealing with smallpox in the grand scheme of things. It was an existential threat to everyday people and it was a clear and present form of suffering that they observed in society and I think, with what we're dealing with now, you know, it, it's easy to trivialize it, because it, it's it's ones and zeros. It's intangible. And until it hits people directly, and then still-- until it affects people on a, I think, a more common basis, I don't believe that we'll have, as, as a society I don't believe we'll have the, the stomach for doing what it takes to actually resolve it the way that we did with something like, you know, polio and smallpox.

Egon Rinderer: Is that what it's going to take? Yeah, 100%. Until you have that level of buy-in on, on a community level within our society, I think it will-- the adversary will continue to successfully perpetuate it. There are other parts in this, where-- so step away from like, yes, it's a pain to do these things and, and we don't really want to focus our time and energy and money there. There's a more sort of a, a, I think, a deeper problem with the social aspect of this. When you get into social propaganda, social, social manipulation, things like that, I don't know frankly how you fight that, because that's playing on the very thing that keeps people from, from being able to stop and be, be objective about decision making and say, "Okay, this is dangerous. This is dangerous to us as a society." And that's a piece of this that's really difficult to solve.

Dave Bittner: Yeah, yeah. Well, I, I wanted to wrap up and sort of end things on, on a positive note if we can. I mean, what, what are your thoughts on ways that folks who want to be a part of the solution, what, what are some of the things that they can do, the people who are in the public sector, the people who are in the private sector, how can they be working towards this better future together?

Egon Rinderer: Well, I, I think we truly do all have a common goal and that's where it starts is getting a shared vision of what that goal is. And that, frankly, that was sort of the-- one of the points that the documentation that came out of the Global Economic, Economic Forum pointed out was, look, we've got to have this shared narrative and a collective understanding of, like, what are we trying to do here. And then we've got to do things and very intentionally do things to build trust between all the parties involved. There has to be mandated guidelines. They have to be followed. Nobody is exempt from them, right? You don't get to pick and choose where you're compliant with these things. If you're going to participate, then you're going to comply with these rules so that that trust doesn't get broken. Without that basis of trust we don't have a foundation to build on.

Egon Rinderer: Once that's in place, then I think we need to take a very hard look at the way that we're doing things today, because we've gotten a bit off track. We've, we've gone and chased far too many shiny things and we've neglected again those, those baselines, if you will. There's certainly some modernization that's going to have to take place. That's going to take money. Nobody wants to spend that money, right? The-- Everybody wants to keep shareholders happy and I think we're, we're going to have to take though a really hard look at some of the legacy, not only the capabilities, but the legacy processes that we have and go through a really hard and fast modernization of a lot of our critical infrastructure and the protections around that. This is not a new idea, right? People have been talking about digital transformation for well over a decade. It's to the point now where, where folks roll their eyes if you bring it up. It's not a cliché. It's no more-- Like, it, it's still as applicable today as it was ten or 15 years go when people started talking about it in earnest and we've done very little about it.

Egon Rinderer: So I think, you know, we need to go back and revisit those things and understand where those hard changes are going to have to be made, and be willing to have conversations. And this is probably one of the most important things we need to get back to in society. We need to be able to have con-- conversations that are contentious without getting emotional and just talk through the facts and be willing to say this thing we've been doing for a very long time, that we have a lot of people doing, is not a good idea. And just be willing to reassess this thing.

Dave Bittner: Our thanks to Keith Mularski from EY and Robert M. Lee from Dragos for sharing their expertise and for Tanium's Egon Rinderer for providing his insights and for sponsoring this program.

Dave Bittner: CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the Startup Studios of DataTribe, where they're co-building the next generation of cybersecurity startups and technologies. Our coordinating producer is Jennifer Eiben, our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.