Interviews with three prominent SMEs in the world of cybersecurity: Rich Baich, Bill Crowell, and Anthony J. Ferrante.
As 2018 has arrived, I am honored to have a discussion with three of the most prominent SMEs in the world of cybersecurity: Rich Baich, Bill Crowell, and Anthony J. Ferrante. These experts come from different aspects of the cyber ecosystem and will offer perspectives as a top Fortune 50 CISO, a leading cyber venture investor, and a cyber practice leader at a top consultancy who was Chief of Staff of Cyber at the FBI. Their answers that follow offer advice on some of the market trends, key issues and innovative solutions that encompass the future of information security. It is worthwhile keeping their comments as a source reference for the board/C-suite and anyone charged with corporate asset protection.
Can you share a bit about your background and how you became involved in cybersecurity?
Bill Crowell: I began my professional life at the National Security Agency right out of college. During my career I was fortunate to serve in a number of positions that gave me the opportunity for deep insight into information technology, software engineering and cryptology (the science of making and breaking codes and ciphers). While many of my assignments were in the intelligence side of the NSA mission, along the way I became more and more involved in understanding internet technology (NSA began using internet protocols for its communications during the early 1970s) and using it to support mission communications. Protecting the mission communications required that I use the computer and information security products and in some cases develop new approaches to network security not available in the unclassified world.
During my career at NSA, I served in positions in Research and Development, Science and Technology, Signals Intelligence, Deputy Director of Operations, and the Deputy Director of the Agency, all of which required a deep understanding of cybersecurity. After leaving NSA, I moved to Silicon Valley and became the CEO of Cylink Corp., a public company that specialized in cybersecurity products, including encryption, authentication and key management. I was CEO of Cylink for 5 plus years until it merged with SafeNet Corp. I served as a consultant to SafeNet for 8 years and then joined the board in 2009. I have served on the boards of many cybersecurity companies including ArcSight, SafeNet, Fixmo, Centripetal, iSight Partners, Lookingglass, Toopher, Narus, and AirPatrol. I am now the cybersecurity lead partner at Alsop Louie Partners, a venture capital firm.
Rich Baich: Today, I’m Wells Fargo’s chief information security officer and lead the Enterprise Information Security organization, within Corporate Risk. The four teams in my organization include Enterprise Information Security Strategy and Oversight, Enterprise Access Management, Information Security Engineering and Services, and Cyber Defense and Monitoring. Prior to joining Wells Fargo in 2012, I was a principal at Deloitte & Touche, where I led the Global Cyber Threat and Vulnerability Management practice. Other security leadership roles include serving as the Naval Information Warfare officer for the NSA, and senior director for professional services at Network Services (now McAfee). After 9/11, I served as special assistant to the deputy director for the National Infrastructure Protection Center at the FBI. I recently retired from the U.S. military after more than 20 years of service in various roles.
I hold an MBA and a master’s degree in management from the University of Maryland and a bachelor’s degree from the United States Naval Academy. Additionally, I’m a graduate of the Joint Forces Staff College and the Naval War College and qualified as an Information Warfare Officer and have numerous security industry certifications. In 2005, I authored “Winning as a CISO,” a leadership sourcebook for security executives.
Anthony Ferrante: I joined FTI Consulting in April as a Senior Managing Director and Head of Cybersecurity in the firm’s Global Risk & Investigation Practice. I previously served as the Director for Cyber Incident Response at the U.S. National Security Council and the Chief of Staff of the Federal Bureau of Investigation’s Cyber Division. I coordinated the U.S. government’s response to unfolding cybersecurity crises, including Russia’s attempts to interfere in the 2016 Presidential election. I’ve provided incident preparedness and response planning to more than 1,000 private sector and governmental organizations, including 175 Fortune 500 Companies. Over the course of my career, I’ve seen cyber risk evolve from a niche focus of select intelligence agencies and information technology professionals to a serious international challenge shared by all – even those who don’t own a computer.
Based on your view of the world, what three cyber predictions can you make for 2018? (These could range from: the threat, the market, the myriad of vendors from the overcrowded InfoSec world, managed services versus products, the shifting appetite of cyber buyers, cyber budgets, corporate cyberculture shift, VC/PE investor and acquisition interest or something else.)
Bill Crowell: First, I believe that 2018 will bring a continuing stream of new cyber threats that cut deeply into the IT systems of companies of all sizes. Our business systems are so interconnected that attacks on small to medium-sized businesses can enable the penetration of large enterprises in virtually all of the critical sectors of business and vice versa. Advanced persistent threats can be embedded in these networks to provide continuing access to the networks and the information stored in them. Today, large enterprises spend millions of dollars on cybersecurity, but small to medium companies spend very little, not just because of the relatively large cost of cybersecurity systems, but also because of their inability to hire the necessary talent to operate these systems. To solve this problem the cybersecurity industry must become more affordable and more automated. Much of the focus of the cybersecurity industry during the remainder of this decade will be focused on bringing machine learning, artificial intelligence and big data analytics to their products. In addition, there will be more focus by the industry on integrating the various tools into consolidated platforms that require fewer people to operate and can be provided as a service requiring less capital investment by the customers.
Another threat that will become massive in 2018 is the growing use of social engineering to gain access to targeted networks. Phishing, spear phishing, Call Center spoofs, Help Desk spoofs and Storage Media compromise are mainstream attacks that will continue, but there will be a number of new ways to fool the computer users in the future. One of the reasons that these social engineering attacks are so successful today is that they largely occur “out of band” to the enterprise IT systems that are ultimately attacked and so they cannot directly observe the behavior, only the effect or impact of the attack later. Particularly insidious is the rise of drive-by attacks that fool people into compromising actions. These include contaminated hyperlinks on otherwise legitimate websites that take you to “legitimate looking” websites that harvest data about you or your credentials (I have been vectored to drive-by websites by hyperlinks on Amazon, who generally practices very good hygiene).
Another technique that is growing is the use of ransomware that is engaged by the use of compromised hyperlinks or “look-alike” hyperlinks. Engaging users with various social engineering attacks is getting easier by the day as the amount of personal information available on the web grows, dark-web sale of PII from large-scale breaches expands, and as legitimate artwork and other “legitimizing digital content” becomes more widely available to mimic the brands of major enterprises. Also, criminals are registering new domain names in the order of thousands a day, making it easier for them to set up bogus websites and look-alike domain names. Knowing what is “real” on the internet is becoming increasingly more difficult. There are very few cybersecurity tools, other than education and periodic test emails that can help mitigate these types of attacks.
The third area of concern for 2018 is the growing shortage of skilled cybersecurity specialists. Last year, the Labor Department released a report that there were over 200,000 vacant cybersecurity jobs in the U.S. The rate of growth of vacancies in the cybersecurity field is 37 percent per year. This amounts to a crisis in the IT-enabled businesses. With fewer jobs being filled, there will be more successful cyber attacks because the protection systems for the enterprise will not have enough trained people to operate them. This is already having an impact on the cybersecurity industry, where the sales cycles are getting longer because the customers will not buy new products when they do not or will not have the people to operate the systems.
Also, turnover in key jobs, particularly CISOs and cyber-aware CIOs, is becoming alarming, as that turnover is itself becoming a threat to successful deployment and operation of effective cyber defenses in the enterprise. According to the Ponemon Institute, CISO turnover is now at 2.1 years and getting worse. Keeping up with the threats, finding effective cybersecurity products that can mitigate those threats and then building and training an effective workforce to find and remediate the threats is the CISO job, and if the turnover remains at 2.1 years and lower then that job will not be done effectively.
What is needed now is a large scale effort to grow the cybersecurity workforce very rapidly. That will require major investments in advanced education at universities and the growth of specialized training methods, systems, and techniques for the cybersecurity industry. There will be a tremendous growth in this area in 2018 as evidenced by a growing number of cyber centers at universities, the emergence of cyber training academies in major cities around the U.S., and growing investments in training systems for large enterprises, government, and the financial community.
Finally, I would observe that the U.S. government has not developed effective policies in the area of cybersecurity. There is a need for more effective laws, international cooperation, support for better and more rapid education, and more investment in research and development of cyber defense tools. This requires leadership in the Executive Branch and the Congress that has been lacking.
Rich Baich: First, a renewed focus on IT & application hygiene/modernized IT Infrastructure which will harden and reduce the attack surface but also provide greater visibility enabling more big data value through cyber correlation engines.
Second, greater use of cyber ranges to evaluate new technologies and improve cyber defense operations. Organizations will enhance their cyber effectiveness through the various lessons learned that will be a result of moving from paper exercises to the reality of virtualized attacks which require the actual deployment of defense technologies and tradecraft.
Third, in 2018, a vendor’s security posture will become fully integrated into companies’ purchasing decisions. Companies will work to better integrate their own security operations with their key vendors, ensuring that vendors are held equally accountable for security incidents that occur throughout the life of the relationship. 2018 will also see a greater awareness of and concern with so-called “4th party vendors”—the suppliers of your suppliers.
Anthony Ferrante: First and foremost, I expect to see a dramatic surge in IoT issues, fueled by the proliferation of connected devices in the workplace and in our homes. IoT devices, like autonomous vehicles and other “smart” technology, often lack security features, making them incredibly susceptible to malicious cyber actors. In the past year, we’ve seen household items, including online cameras, DVRs, and home automation systems, overtaken and deployed to perpetrate distributed denial-of-service (“DDoS”) attacks against mainstream websites, including Twitter and Spotify. As we become increasingly connected and dependent on IoT devices, technology hijacking is only going to increase in prevalence and severity in 2018.
My second prediction is that we will continue to see the weaponization of cyberspace. Specifically, I think we will see cyber attacks against key platforms as a form of mounting cyberwarfare and the misappropriation of stolen information to create havoc or further an agenda. Cyberspace is a sophisticated platform – a potential battlefield – where state-sponsored actors can steal money, steal data, disclose sensitive data, and cause complete chaos. Cybersecurity researchers are increasingly reporting on state-sponsored activity involving the use of ransomware and other more destructive malware.
For example, Dragonfly, a group believed to be nation-state-run, successfully infiltrated networks that control elements of the U.S. power infrastructure. This kind of attack could cause significant devastation. And politically-motivated actors are gaining momentum and targeting private industries, making it imperative for vulnerable businesses to bolster their defenses not only to avoid victimization but to ensure they aren’t made pawns in sociopolitical warfare.
Lastly, as demonstrated in the past year, emerging privacy concerns will continue to drive new requirements in 2018. New laws designed to enhance cybersecurity are being implemented across the globe. Europe’s General Data Protection Regulation (“GDPR”) and China’s Cybersecurity Law are just two examples. According to the GDPR, companies must adhere to established cybersecurity practices and report a breach within 72 hours of its discovery. Any organization that houses sensitive data needs to prepare for similar, increasingly strict cyber legislation in the coming months.