The fallout from the recent Equifax breach, which saw 143 million records stolen by hackers, has been swift and severe. The chief information officer (CIO), the chief security officer, and the chief executive officer (CEO) all “retired” in the days following the public disclosure of the breach at the major credit rating agency.
Congress then grilled the former CEO, Richard F. Smith, about the breach, which he said was due to a lone employee failing to deploy a patch for a software vulnerability. No one asked Smith why the security of so many records, which included social security numbers, driver’s license numbers, and other sensitive information, depended on one person.
“How does this happen when so much is at stake?” asked Rep. Greg Walden (R-Ore.) during the hearing with Smith. “I don’t think we can pass a law that, excuse me for saying this, fixes stupid. I can’t fix stupid,” the New York Times reported.
Clarke weighs in on Equifax breach
Richard A. Clarke, chairman and chief executive officer of Good Harbor Security Risk Management and former cybersecurity czar under President George W. Bush, offered his assessment of what could be learned in terms of enterprise security from the recent Equifax breach.
Speaking at the annual conference of the Advanced Cyber Security Center (ACSC) held Nov. 2 at the Federal Reserve Bank of Boston, Clarke said that a primary lesson learned from the breach is that companies can be secure if they make security a priority and invest the necessary resources in security infrastructure. In both cases, Equifax failed.
“It is possible to secure large enterprises. Just because a lot of them haven’t done it, doesn’t mean it can’t be done. It doesn’t mean people aren’t doing it today,” he said.
Hackers are able to get into the networks of large enterprises that prioritize security, but they are identified rapidly once they are in. When these hackers try to steal data, they can’t because there is good micro-segmentation on the network. Data is encrypted, and it is paired with strong privilege access management, Clarke observed.
Equifax got 'governance all wrong'
Second, Equifax got “governance all wrong.” Good cyber risk governance involves having an “empowered” chief information security officer (CISO) who is not suppressed by the reporting chain.
If the CISO reports to the CIO, that is a “mistake” because they have different “interests,” Clarke said. Instead, the CISO should report to the general counsel, the chief risk officer, or the chief operating officer. “You cannot succeed in an organization as a CISO unless you have a supporting governance structure,” he added.
Third, the Equifax breach demonstrates that American businesses have not priced security appropriately. “The list of things you need today to secure a network is very long,” Clarke said. Many companies don’t know what percentage of their IT budget they spend on security. He recommended that companies spend around 10 percent of their IT budget on security.
Fourth, there is a need for more skilled cybersecurity professionals and for national certification of those professionals. He said the average company has 22 IT security products, and there is a huge need to integrate and maintain them, which requires skilled cybersecurity professionals. Equifax had to admit that its chief security officer had a master’s degree in music.
Fifth, there is a need to “futurize” enterprises. The pattern over the last 20 years has been that a new technology is developed, rushed to market, and then secured only later as an afterthought. That was true with the cloud and mobile technology and now it is true with containers and Internet of Things, Clarke opined.
Security: Missing IoT component
“Almost nothing in IoT has security built-in. So we are going to hook up Coke machines, cars, railroads, and airplanes, and all sorts of SCADA [supervisory control and data acquisition], control systems, and manufacturing, and very few of those things have security built-in. In fact, many of them are engineered in such a way that it is impossible to secure them,” he said.
Sixth, most organizations and institutions are relying for identification on data that is available to anyone that wants it. “I can find out the social security number and date of birth of anyone in this room in few minutes…We are using identification methods that don’t work. We know they don’t work, and yet we continue to use them in our organizations,” he said.
There are companies today that will provide new ways of providing access control and privileged access management. At the same time, we can never have a national ID card, but we can have federated IDs across organizations, Clarke said.
Seventh, there are few consequences for companies that are hacked. While the CEO at Equifax was forcibly retired (that is, fired), not all CEOs of companies that are hacked get fired, Clarke noted. For some companies, it is a cost of doing business.
Clarke recommended that companies be fined per record lost, following the example of the oil tanker industry. He explained that the federal government wrote a regulation that fined companies operating oil tankers a certain amount per gallon of oil leaked into the ocean. The oil companies realized that a major spill would cripple them financially, so they retired all single-hull tankers and replaced them with double-hull tankers. That resulted in many fewer oil spills.
“Data is the new oil… Data is what is being spilled in these cyber attacks,” Clarke said. He recommended that companies be fined $100 per record. So the fine for the Equifax breach of 143 million records lost would be $14.3 billion. “That might get somebody’s attention…Until and unless there are serious consequences for failure, there will still be the dumb companies that don’t do enough,” he concluded.
AI and cybersecurity
A panel discussion at the ACSC conference tackled the issue of how artificial intelligence (AI) and machine learning can help with cybersecurity.
Carla Brodley, the dean of the College of Computer and Information Science at Northeastern University, told the audience that AI requires that companies have enough data and the right data. “If you have those two things satisfied and you have people who understand machine learning and cybersecurity and how to put the two together, then it can be very helpful,” she said.
AI and machine learning prioritize security alerts and identify the highest risks, said Jen Andre, senior director for orchestration and automation at security firm Rapid7. She admitted that it is hard to get companies to share their cybersecurity data to enable researchers and subject matter experts to build AI models.
Andre said that technology moves faster than our ability to secure it. There is a problem of complexity as the CIO and CISO try to secure all of the new technologies being introduced into the enterprise. Understanding what risks these technologies introduce is a big problem, she said.
“It’s not just cloud, or mobile, or SaaS [software as a service]—it is all of these things together. That creates a huge problem for the security organization to try and protect because you have your data in all of these places and you have to prioritize. You have to think about where the risks are to the business given where the data lives,” she cautioned.
“Teams are going to struggle with managing all of this complexity introduced by these technology changes and balancing that with the needs of the business to make sure they are making the right technology investments to be competitive,” she added.
Lack of interest in security
Richard Solely, CEO of Object Management Group, disagreed with Andre’s assertion that technologies come out faster than the ability to secure them. “I don’t think they come out faster than our ability to secure them, they come out faster than our interest in securing them,” he said.
Cort Johnson, a partner at Reverb Advisors, told the audience that AI should stand for augmented intelligence, not artificial intelligence, when it comes to cybersecurity. Humans need be involved in the process from the beginning. “You need someone to analyze the results of AI. It’s super important,” he said.
Johnson said that “security is a data problem. We can address some of the security flaws based on how good the data is that we are collecting.” The success of using AI to solve security problems will depend on the quality of the data being collected and the skill of the people handling that data, he added.
While AI can help IT security pros focus on high-risk threats, it can’t fix the problem that led to the Equifax breach: poorly trained IT security staff and poorly designed security governance. Fixing that requires companies implement security best practices. As Rep. Walden said, “I can’t fix stupid.”
Photo credit: Freerange