RSAC: resilience and the imposition of consequences.
We spoke with Adam Isles, a Principal at the Chertoff Group, about some of the issues being raised at the conference. Isles has an extensive background in Government service: he served as Deputy Chief of Staff at the U.S. Department of Homeland Security; as Counsel to the Assistant Attorney General for the Criminal Division at the U.S. Department of Justice; and as Director of International Economic Affairs at the National Security Council.
Isles thought one unanswered question was how an organization can know it has an effective security program. Cyber security is by no means a new challenge, but in 2018 we still find ourselves in a position where major American companies can be victimized. Consider, he said, the consequences of the Equifax breach, where thousands of customers are suspending contracts. These are clearly revenue issues.
He noted that the US-CERT alert issued at the beginning of the week had put ISPs and device manufacturers on notice that they are expected to lean into the defense. The expression "staging target" had come up repeatedly in the earlier US-CERT warning about Russian activity.
Isles said he trusted US intelligence agencies to be careful about making a call on attribution. That caution is commendable. "There's a conflation of expertise and tactics, techniques, and procedures between state actors and organized crime" that can make attribution problematic. He thought it important to make sure that the Government had the expertise "that can serve as a guard rail." Such experts should have a continuing voice in attribution, which should rest on disciplined intelligence analysis rather than on the superficial resemblance of one actor's tooling to another's.
The Government's retaliatory toolbox.
He regarded Homeland Security Secretary Nielsen's talk at the conference as significant. The Department of Homeland Security is the Government's principal interface with critical infrastructure, and Secretary Nielsen was, in Isles's view, at the conference as a senior Administration official to deliver a warning.
There are many tools in the toolbox when it comes to action the Government could take in response to a cyberattack: sanctions, tariffs, criminal prosecution, and so on. He thought the effect of recent tariffs particularly worth watching. In any case, the US Government, in Secretary Nielsen's speech and elsewhere, has "laid down a marker that consequences will be imposed."
What Russia wants.
With respect to Russia, we're seeing, Isles said, "a constant state of testing." Part of Russia's goal is to undermine trust in its adversaries' institutions. Consider NotPetya, which spread initially through tax software: if you undermine trust in a basic business tool like tax software, you're undermining one of the basic building blocks that makes businesses run.
Resilience and preparation.
Enterprises should look to resilience. NIST has a new publication out which Isles thinks is likely to be important. We're recognizing the importance of assuming you'll have to operate under degraded conditions, and of preparing to do so. Disaster recovery, testing, exercises: all of these are important preparation for resilience. Asked about proposals to involve the National Guard in cyber incident preparation and response, Isles thought they would have their best effect if they enabled people with IT skills to receive focused training in Guard or Reserve units, so that they could take those skills and lessons back to their civilian jobs.