Preparation: don't be like Equifax, and don't think it can't happen to you.
Conference participants hear of the importance of planning and exercises. Larry Canner
By The CyberWire Staff
Sep 22, 2017

Several of the panels and keynotes offered specific advice to the executives in attendance. Some of that advice was close to direct consultation. Other advice, drawn from military experience, was offered in the form of analogy. US Cyber Command, like other military organizations, has benefited greatly from training against a capable, realistic red team. Such training tests plans and capabilities, and it dramatically increases readiness. A look at the recent Equifax breach suggests that nothing good can come from indifferently executed incident response plans. And not every response need be, in the narrow technical sense, a cyber response.

Strategic perspective from US Cyber Command.

Guy Walsh, Brigadier General (retired), US Air Force, and currently responsible for strategic initiatives at US Cyber Command, delivered the conference's opening keynote. He began with a quick observation about Equifax, saying that the incident should serve as a reminder that it can take time to patch and address known vulnerabilities.

He described the emergence of cyberspace as a fifth operational domain, joining land, sea, air, and space, and he described US Cyber Command as a warfighting organization recently elevated in status and sharply distinguished in its mission from the National Security Agency. 

Walsh reviewed some Air Force history, and claimed that the first insider hack of the USAF was done in 1963, by John Boyd, the leading thinker of the Fighter Mafia. Boyd is more familiar as the officer who formulated the concept of the OODA loop, the cycle of Observe, Orient, Decide, and Act that he outlined in his Discourse on Winning and Losing. Boyd argued that if one could execute that cycle faster than one's adversary, "get inside their OODA loop," one would have a decisive advantage in combat. Getting inside the OODA loop, Walsh argued, was as important in cyberspace as it was in air-to-air combat. 

After describing Buckshot Yankee, the response to a Russian intrusion into US Central Command networks by the agent.btz worm, Walsh outlined the strategic adversaries the US faces. They are, as many others have said, Russia, China, North Korea, Iran, and terrorists. In this threat environment Cyber Command operates National Mission Forces, Combat Mission Forces, Cyber Protection Forces, and, against ISIS, Joint Task Force Ares.

One trend and two observations Walsh made have implications for most enterprises, not just Cyber Command. The trend he sees is that big data and artificial intelligence will change the dynamic in cyberspace. His two observations with broader implications were, first, the point that retaliation against cyber attack need not be exclusively or primarily cyber retaliation. It may not need to be cyber retaliation at all. And second, when he described the three major Cyber Command exercises (Cyber Flag, Cyber Guard, and Cyber Knight) he said they took their inspiration from Red Flag, the Air Force's realistic training against a dissimilar adversary opposing force. Like Red Flag, these exercises have been vital in increasing readiness and capability.

So what about security in the cloud?

Michelle Cohen, of Miles & Stockbridge, brought an attorney's perspective to her discussion of cloud security and third-party vendors. "The cloud's wonderful," she said, but using it involves a balancing act between convenience and access to industry advances on the one hand and loss of user control of data on the other.

Moving to the cloud is attractive for so many reasons of convenience and economy that it's clearly the dominant trend in IT. The cloud, however, isn't risk free, and migrating there requires some serious security due diligence. Its multiple categories of risk include service delivery, company infrastructure, sensitive company information, and, of course, personal information. 

Cohen reviewed some of the same recent hacks other speakers adverted to, but she concentrated on the lessons to be learned from the Equifax breach. "Equifax is a PR disaster," she said. "We are forgiving as a people ('everyone gets hacked'), but we don't forgive stupidity or cover-ups." So she recommended approaching the cloud by assessing the players, and reaching an understanding about where possible liability arises. When you conduct your due diligence, you should do so with a view to writing its results into the contract, balancing best practices against business time and money concerns.

In due diligence, she recommended assembling a team that consists at least of the CISO/CIO, Security, Legal, HR, and affected business units. That team should drill down on privacy concerns, asking, "Can we do anything to our data before committing them to the cloud?" Think of the contract with a cloud vendor, Cohen advised, as being like a pre-nuptial agreement.

Should there be litigation, "the best offense is a strong defense." And, as bad as the Equifax breach is, Cohen didn't think much would actually happen to regulate data brokers at the Federal level, and she thinks that goes for cloud vendors as well. But the states are getting aggressive in this area, and state regulation will bear watching.

Dealing with issues of data privacy.

Data privacy was the topic of the conference's panel discussion. The panelists were Robert Wood (Nuna), Howard Feldman (Whiteford, Taylor, Preston), Bryan Patrick (Network Alliance), and John Shuey (Johns Hopkins Institutions and ISACA). They began with moderator Anton Dahbura's question: why do we need regulation in this area at all? Aren't market forces sufficient?

The short answer is "no," for many reasons, some practical, others practically anthropological. Shuey saw regulation as necessary for accountability. Patrick saw it as necessary in the absence of some standards-setting body.

Feldman described the "proverbial regulatory pendulum," which he regarded as an enduring feature of the way we balance risk and opportunity. Sometimes the pendulum swings toward deregulation, sometimes toward regulation. This is a reactive process: the Equifax breach is swinging us toward increased regulation. In the US, Congress and the states have taken different, complementary directions in data privacy regulation. Congress enacted HIPAA and laws governing financial services. The states fill the gaps with data security laws and data breach notification laws that cover just about all sectors that handle personal information.

Feldman also noted the importance of contracts in ways that complemented Cohen's observations in her talk. You may be entering into contracts you're barely aware of, Feldman said. "Your privacy policy on your website is a contract." And data are dangerous. He advised looking closely at the data you hold. There must always be a good business reason for keeping data. Carefully chosen insurance coverage can help here, too, with insurance not only for data security, but for first-party losses like those ransomware exacts.

The panel agreed on these larger points. You cannot pass your data risk on to a vendor. If the data are yours, you're responsible for their protection. When you design your security program, don't make it self-defeating. In any organization, when security gets in the way of people who are generating value, those people will work around security. The best way to mitigate financial loss is to prepare for it. Run tabletop exercises against various scenarios. And, in a point COMPASS's Bob Olsen would take up at the end of the day, the panel thought that security professionals needed to get out of their own way when they talk about risk. They need to get better at telling stories, and at making it personal for their executives.

Tools for protecting intellectual property.

Michael Jacobs (Crowell & Moring) delivered a presentation on rights in a digital age that focused on intellectual property. He said there was a traditional IP toolbox that held copyright, trademark, trade secret, and patent. Of these he thought copyright and trade secret the most interesting.

Basic copyright principles protect "original works of authorship fixed in any tangible medium of expression." Jacobs noted that the category of "literary works" also includes computer code. Copyright does not protect concepts, ideas, algorithms, or processes. It doesn't protect patentable subject matter. It generally does not protect compilations of facts, and it affords only very limited protection for trade secrets.

Remedies for copyright infringement include injunctions, impounding and destruction of infringing articles, and actual or statutory damages. The Digital Millennium Copyright Act (DMCA) focuses not on what was taken, but rather on how it was taken. It imposes both civil and criminal penalties.

The trade secret is an equally important tool. A trade secret is information that derives independent economic value from not being known to others, and it must be subject to reasonable efforts to keep it secret. The Uniform Trade Secrets Act has been adopted in forty-eight US states, the District of Columbia, Puerto Rico, and the US Virgin Islands. There are also Federal remedies for trade secret misappropriation.

Jacobs concluded with an overview of best practices concerning IP protection. First, establish adequate security with respect to third parties. (Most IP theft is committed by employees and business partners.) Second, include copyright and confidentiality notices on electronic materials. (This will limit claims of innocent infringement.) Third, routinely use contract provisions that include choice of venue, injunction provisions, alternative dispute resolution, and DTSA compliance. Finally, keep a log of your intellectual property assets (especially important for trade secrets).