Podcast: Which is a Greater Cybersecurity Threat: Rogue Hackers or Nation States?
DATA SECURITY PODCAST
In a recent podcast interview with Hillarie McClure, Multimedia Director of Cybercrime Magazine, and Michael A. Echols, CEO of MAX Cybersecurity and senior cybersecurity executive/critical infrastructure protection strategist, discuss the latest views on data security, and the importance of system integrity monitoring and best practices for businesses regarding file integrity monitoring. The podcast can be listened to in it's entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Joining us today is Mike Echols, a former DHS cyber director, point person for the development and rollout of the information sharing and analysis organization concept under the Obama administration, and author of the recently published book "Secure Cyber Life, The Government Is Not Coming To Save You". Mike was a designated federal official for the President's NSTAC and also chaired the Communication Sector International Network Security Information Exchange. Welcome, Mike. It's great to have you with us today.
A: Thank you so much.
Q: So Mike, let's talk about how public private partnership is a winning formula for national resilience, starting with asking you: How powerful our road hackers and the threat that they pose versus attacks from nation states?
A: So over time, we developed signatures and we start to understand through various methods that the federal government has for tracking the pinging of different servers across the world. We understand who's doing what to us, to some extent, or at least what region, it's coming from. With the rogue hacker, almost like an independent attacker, we don't quite have that insight. They may not be as powerful but It only takes one hack to work to do damage or disruption. And so what is occurring, is the skillsets of independent hackers, rogue hackers, are growing based on the ability they have to share information with each other, and the ability they have to just go online and learn new techniques. And this makes them as powerful as state-backed hacks.
Q: How will the adoption of controls and best practices speed cyber maturity?
A: So one of the things that we've learned over a period of time - and this is through a lot of people working to mature cyber security - is that number one: We live in America. So the government does not tell individual organizations, what to do. All they can do in most cases is make a suggestion or provide best practices. What we've also learned is that when those best practices are implemented, you tend to lower the number of breaches significantly.
And so by implementing those best practices and controls, we now are helping to remove some of the uncertainty because risk is uncertainty. And so we're helping to remove some of the uncertainty by the use of those best practices, we're making a whole nation stronger, because we're all connected.
Q: So is there a methodology that the government can use to speed up adoption of those best practices?
A: Sure. Originally, the federal government tried giving out grants. And there will always be another exploit or another hack or some other process. So they quickly learned that we need to develop processes and better train people. And currently, they are developing risk assessments and processes like the NIST cybersecurity framework that any organization can download and use and receive technical assistance with. As we move forward, it is now time to move this process to where at the local level — not top down, but bottom up — at the state local municipal level, we are now training and providing tools and training to match the effort that the federal government is putting in. Clearly, through the growth of the hacking has occurred, the processes of doing a top down is not going to make networks secure throughout the nation. So the effort of training bottom up is the process that needs to be implemented.
Q: Okay, so how can stronger community-based programs make people care more and help better prepare businesses?
A: Well, they have to become a part of the process. Essentially, we have to create a culture of cybersecurity. There has to be an expectation of cybersecurity. Thus, if I am a business and I'm working with other businesses in my community. I should have an expectation that they are performing certain levels of cyber hygiene. No different than public health, right? No different than we have an expectation that food workers are going to wash their hands. We have an expectation that in a pandemic, people are going to take certain actions. That type of community-based approach has to be implemented and It has to be modeled. It's not just going to happen. And so this is where when the community comes together and they begin to share these practices — and these expectations are launched — this creates also a place for the federal government to tap into.
Q: So Mike, how do we lower the costs of providing appropriate cyber security and defenses?
A: There are a lot of people doing great work in cybersecurity. In a lot of cases, there is not an opportunity for them to join in the process of maturing cybersecurity. So one of the options is to find those people who are doing that great work and communities — no different than a community activist — and to incentivize and to support that. Additionally, we need to find those processes that work. And we need to standardize those processes, potentially even creating requirements. People don't like to hear the words requirements, because it sounds too close to regulation. But we need to create those requirements for what people should do.
Now, when I talk about creating those requirements, I like to remind people that we have standards even with our electrical system. If I am using my hair dryer at my house, and I need to go to your house and finish drying my hair, I already know that I can plug my hair dryer at your house and it will work. Right? That's a standard. With cybersecurity, we have to come to an understanding between government, industry, local community about an expectation that creates standards.
Q: Absolutely. Well, Mike, thank you so much for joining us today.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".