The overarching message to organisations from the federal government’s cyber security strategy is – “you’re on your own, we wish you the best luck.”
So says Roger Hockenberry, former CTO for the National Clandestine Service of the Central Intelligence Agency (CIA) – a role he took on following a stint as chief of cyber defense under the agency’s CIO, among other roles.
“This should be a clear signal to every company that they have to engage in cyber intelligence,” Hockenberry says. “It’s now going to be incumbent on them to do their own research, analyse threats, understand how it affects the business and how it could impact them in a material way.”
With more than twenty years of IT experience, Hockenberry is a proven technologist and business executive who has chosen to focus his skillset on helping enterprises prepare for cyber-attacks as the CEO and co-founder of Cognitio.
In the wake of the release of the government's cyber security strategy, Hockenberry is touring Australia to discuss the importance of cyber intelligence to companies that want to stay protected and competitive.
“Cyber intelligence is more than IT security. You now have to be aware of all these new impacts. Cyber is a market of its own, and that market is moving and evolving quickly,” he warns.
Joining him in Australia is one of three co-founders of Cognitio, managing partner Bob Flores. Flores himself served an impressive 31-year stint at the CIA, in various IT roles including the directorate of intelligence, directorate of support, and the National Clandestine Service, and eventually CTO.
Flores left the CIA to form an independent IT consulting firm, before founding Cognitio with Hockenberry and additional partners, tech titan Bob Gourley (former CTO for the Defense Intelligence Agency, and joint chief of cyber defense for the Pentagon), plus tech consulting, marketing, communications and research guru, David Highnote.
“We all had our own companies doing consulting and we were all working together on a very semi-regular basis so we decided that we had a great opportunity to bring the three companies together to create something with a larger impact,” says Hockenberry.
The name Cognitio was chosen as a shortened form of ‘cognition’, with the company tagline ‘how we think’. The team merges its varied, practical experience in consulting, technology and cyber intelligence and applies it to helping organisations make the right decisions and stay protected.
With its demonstrably strong expertise in this field, Cognitio has grown rapidly, and is now turning its gaze to Australian markets in need of updated cyber intelligence practices.
Developing a cyber security culture
Cyber security is a growing and evolving threat that will require complete focus, continual retraining and awareness programs, and new roles devoted to it.
The duo tell CIO that tackling cyber security will not be about any specific technology, or even a combination of specific technologies, but about developing a strong security culture with good talent.
“Cyber security is finally being seen as a business issue and no longer a technology or IT issue,” Hockenberry says.
“You must focus on cyber as a business risk, make sure that is communicated at the CEO level all the way down, and that you’re sincere about that commitment to that, with constant retraining, because if not, it won’t work.”
This was a key message of a talk Flores gave earlier this year as part of Connect Expo’s Next Big Thing Summit in Melbourne, in which he also shared a number of key resources with crucial security and risk data for enterprise.
“There’s a movement towards having a CISO, but I think every organisation is going to need a dedicated chief cyber risk officer, because it’s going to be delineated from the IT security role. Cyber goes far beyond IT security,” Flores says.
Creating a cyber security culture includes building company-wide awareness and training in security best practice, such as the behaviours and activities to be wary of, and what to do if you suspect there has been (or will be) an incident.
“Your employees know who to call if someone has a heart attack, so what about a cyber-attack?” asks Flores.
“Even if they just have a question about someone or something they saw. It’s very important that folks have a fundamental understanding of what’s important, how to report things, and what’s worth reporting,” Flores says.
“This is what we mean when we talk about the culture – people will just know: I report that to my regional IT manager and here’s his number on my desk.”
One of the key changes for a cyber-aware business will be the need to take a data-centric view of security, rather than treating cyber security as a purely technical issue.
“Traditionally, CIOs have been concentrating on how to protect their technical assets. With cyber, all enterprise architecture should be centred on data security. Really focus on how to secure that data, and how to allow access to the data,” says Hockenberry.
“Yes you have to protect your end devices, your networks and servers, and so on. But at the end of the day, you have to protect your data,” adds Flores. “No matter how much security you put on the perimeter, somebody is going to get through if they really want to.”
Once data-centric architecture and controls are put in place, then that system must be audited to see how sensitive data is sourced, collected and shared around the enterprise so data monitoring can be effective and informed.
“If you don’t do this then you’re not going to stop someone getting into your enterprise, whether it be an insider attack or from the outside,” says Hockenberry.
Flores recommends a tiered approach for different subsets of data, with one security plan for the most sensitive or valuable data and a separate system for less sensitive (but still mission-critical) data, so that hacking into one won’t mean hacking into both. Success also means not wasting energy locking down data of little value.
“There’s a whole class of data that’s not worth paying to protect. If I send you an email that says ‘hey let’s go to lunch’ - from a corporate standpoint nobody cares, and from a hacker standpoint, nobody cares,” says Flores.
Data security goes beyond just locking down sensitive information, though, the duo tell CIO Australia: there is a growing need to duplicate and back up data as part of a cyber security strategy, given the rising prevalence of ransomware attacks.
Preparing for advanced threats
Flores says ransomware is going to be huge in the next few years, especially as many targeted companies are disclosing the fact that they paid the ransom to the hackers – an action that doesn’t always deliver the results promised.
He cites an incident in Washington DC where MedStar Health suffered a ransomware attack. All the hospitals’ data was encrypted by the attackers, who promised to release it after a ransom payment.
Doctors and clinic staff couldn’t access important patient files and thus couldn’t offer treatment, so MedStar decided to pay the ransom to access data straight away, rather than risk patient health. The cyber attackers, demonstrating unusual integrity, then did as promised and unlocked the data after $40,000 was transferred via bitcoin, rendering them untraceable.
“Here we have a hospital probably with some big IT infrastructure, and I have to believe they had no incident response plan in place,” says Flores.
“As the FBI advises kidnap victims: don’t ever pay the ransom. And they may have said ‘no we would never pay these bad guys, it sets a bad precedent’, but when it happens to your business, or when your kid gets kidnapped, and I only ask for $10 and not $10 billion, you’d think ‘sure okay, let’s pay up’.
“We’re going to see this stuff continue, because if this result gets shared in the press, people will say well – it worked for them! Maybe we could do that. We’re just at the very infancy of that.”
To avoid being backed into a corner, Hockenberry and Flores say everything must be backed up, scrutinised and protected so that if the bad guys one day call to say, ‘you can’t access your data anymore’ you can say, ‘we got this’, delete everything, and load it back up.
“That’s much harder than it sounds, but it’s crucial,” Flores says.
“Prevention is something that you have to do - you really need to focus on discovery, containment, remediation and restoration of services,” adds Hockenberry.
“If you think you can prevent an attack, then you’re absolutely incorrect. The goal is to figure out how you can quickly identify something and restore trust with both my internal people and my customers to keep my business moving.”
More funding, less mandated reporting
Regarding the federal government’s Cyber Security Strategy released in April, the duo say every initiative is “absolutely correct”, yet there remains one glaring omission – the funding.
“Just $230 million is not going to go very far. It may be all the budget can bear right now, but I really hope the government understands that this sort of thing costs billions and billions of dollars,” says Flores.
This reflects the tone of a recent discussion paper by the Australian Centre for Cyber Security (ACCS) that found the government’s cyber strategy was “lagging” behind many of our international peers in combating advanced technology threats by as much as 10-20 years, particularly in financial commitment.
“The government has to determine the same thing that a risk officer has to determine - what are my most important assets? Where am I going to spend the most to protect that?” says Flores.
“You can’t have a constant effort against everything because there’s not enough money or resources in the world to do that. Decide what’s important and really concentrate on that, that’s going to be different with each government agency just like it is with each business.”
Hockenberry says one area of the strategy that concerns him is the mandated public reporting of cyber incidents which, though good for the consumer, could be used as a blueprint by other cyber criminals in future, as well as stifling the progress of many smaller firms.
“Once an incident is reported, every company is going to have to take steps to ensure they don’t have those same gaps – that’s not necessarily a bad thing, but how many resources does a small company have to constantly be chasing that patch? You can spend all your time doing that patching instead of getting ahead,” he says.
“Smaller companies are always going to struggle. When you’re a large company, typically you have the resources to put against cyber, but for a small business of 50-100 people, you don’t really have the sophisticated IT resources.”
Everyone is a target
Smaller firms will need to hold their own in the cyber arena despite lacking the resources of larger enterprises, as they’re just as likely to be targeted.
“There’s this misconception that cyber is only a problem for large companies and banks – it’s actually every industry that’s targeted, and businesses of all sizes,” says Hockenberry. “If a bank is really well defended and I can’t get in, I’d start to look for targets of opportunity that are smaller but can still yield me some result.”
But it’s not just smaller firms that are at great risk, with many of their larger counterparts held back by outdated processes and a false sense of security.
“In our meetings with Australian businesses, we see a lot of them falling back on things they’ve always relied on, which is usually some kind of compliance framework, IT security controls and financial controls, and so on. Those companies are at great risk because compliance does not equal security, especially from a cyber perspective,” says Hockenberry.
“If they’re not updating all those controls, and taking into account cyber intelligence, they’re going to check a lot of boxes but still be very exposed.”