Measures that help prevent unauthorized access to confidential data have been around since the dawn of IT. But sweeping cyber policy designed to protect highly distributed commerce systems and critical infrastructure has only been formulated during the past decade, observed Davis Hake, a defense expert and Adjunct Professor of Cyber Risk Management at the University of California, Berkeley.
Hake, who once served as a cybersecurity policy expert in the U.S. Department of Homeland Security, has spent his career immersed in the war on cybercrime. Bullish about a secure digital future despite the high-ticket ransomware attacks flooding the headlines, Hake operates at the forefront of the latest advances. Among them, he said, is government action to create digital defense maneuvers that parallel how the government has long worked with the private sector to protect cities and citizens against physical attacks.
Building a ‘Digital Military’
“Until the Obama administration, many of these cyber policies didn't exist,” at least not on par with nuclear force doctrine or counter-terrorism efforts that have been shaped by many, many years of consideration, Hake said.
“Now, there’s a digital domain out there that’s completely distributed and not fully controlled by any one entity. That domain is as important for commerce and personal lives as it is for running our water and energy systems. As such, it’s become a modern-day battleground” that needs the same types of strategic, comprehensive defenses the military uses.
The notion of creating a public-private “digital defense” partnership for the country has its underpinnings in the Department of Homeland Security, set up after the 9/11 attacks in the U.S. during the Bush administration, said Hake. Part of the agency’s charter, he said, was to push intelligence out to private sector companies, which could use it to protect themselves. “And so we began to work on how to also build this model in cybersecurity.”
The Obama administration, during which Hake served as White House Director of Federal IT Security in 2014, saw the agency make initial headway in organizing cyber defenses and building the required talent within the government, he said. “A lot of this talent existed in the military, but not initially in the federal civilian space,” he explained. That has changed dramatically today after over a decade of building out the workforce.
With so much of the world’s digital commerce and critical infrastructure now interconnected, mounting a unified effort is critical, said Hake. He pointed to the Biden administration’s recent executive cybersecurity order, released in May, which in part calls for the private sector to “partner with the federal government to foster a more secure cyberspace.”
Similarly, last year, the U.S. Federal Bureau of Investigation announced a strategy that positions the FBI as an “indispensable partner” to federal counterparts, foreign partners, and private-sector companies to “help...defend networks, attribute malicious activity, impose sanctions for bad behavior, and take the fight to our adversaries overseas.”
Hake has his fingers in all of it. After earning his undergraduate degree in International Relations and Economics and a Master’s in Strategic Security Studies at the National Defense University, he got his cyber sea legs on Capitol Hill, where he began working for U.S. Congressman James Langevin (D-R.I.). Langevin today chairs the Cyber, Innovative Technologies, and Information Systems Subcommittee of the House Armed Services Committee.
“One of the things Langevin was hyper-focused on was cyber threats to critical infrastructure,” said Hake. “He [closely followed] tests that were going on at Idaho National Laboratory,” which in 2007 showed how a cyberattack could destroy physical components of the electric grid, Hake said.
That experiment demonstrated what’s now known as the Aurora Vulnerability, using a computer program to rapidly open and close a diesel generator's circuit breakers out of phase from the rest of the grid, causing it to explode. A video of the experiment became public through the media, bringing the potential severity of a data hack into mainstream consciousness.
“It was the first time the public saw that threats to our digital systems don't constitute only data breaches or worms that might lock down your computer,” said Hake. “They could mean the power going off along the whole Eastern seaboard.”
Insurance Models to Curtail Digital Losses
Hake continues to battle cybercrime across the private, education, and government sectors. For example, as co-founder of Resilience Insurance in San Francisco, he’s helping modernize the insurance industry to help avoid or minimize digital losses. In addition to insuring companies against ransomware and other breaches, the company also offers cyber education, protection, and recovery solutions to help fend off attacks and reduce the business impact of a breach.
Hake says interest in new insurance models has snowballed since many cloud data migrations were fast-tracked by COVID-fueled work-at-home setups.
These organizations have faced security challenges “not because of cloud technology, per se, but because they’ve quickly disrupted old ways of doing things. Their companies’ cloud projects were accelerated by as much as five years” thanks to COVID, Hake said. Those companies are “finding themselves in a hybrid environment” that they haven’t spent years learning to protect yet, he explained.
Hake said Resilience clients make their own decisions about whether they pay ransom demands in cases of ransomware attacks. Whether or not to acquiesce to cyber-blackmailers is a controversial issue. Some private-sector organizations have adopted no-pay policies, and some U.S. states are pushing for legislation to ban payments at local and state levels. The thinking is that making the payments provides criminals with an incentive to hold data hostage for monetary payoffs likely to only grow larger. However, Hake pointed out, organizations like hospitals and energy companies provide life-essential services and can’t endure prolonged data outages without risking the loss of life and public safety.
“And so we work with every one of our clients to ensure that they have secure backups, that they're running endpoint protection, that they've deployed multifactor authentication, and that they've secured their administrative accounts,” said Hake. “This is all basic cyber hygiene that can be very effective at providing options for recovery, even if the attackers do get in.”
Prevention and Recovery Both Paramount
While an ounce of prevention is worth a pound of cure in many situations, Hake said organizations would do well to acknowledge that their digital infrastructures are going to be compromised and put incident recovery protocols in place.
“There needs to be more focus on what you do ‘right of boom,’” military parlance for how to quickly pick up the pieces following an attack and avoid catastrophic repercussions, he said. “To date, most emphasis has been ‘left of boom,’ on prevention.”
Prevention is important, but there is more that needs to be done.
“Every company, even Bob’s Pizza, now has a digital footprint. Operating safely should be a core business priority and no longer viewed simply as a cost center,” he said. “Today, cyber risk should be a board-level focus.”
He pointed to the SolarWinds 2020 compromise as a lesson that some compromise is simply unavoidable. In that situation, perpetrators inserted malware into a software patch of the company’s network monitoring software, kicking off a supply-chain reaction that affected tens of thousands of companies.
“It’s a best practice to regularly patch software, but in this case, the patch was the attack vector,” said Hake.
“So you have to be ready to respond. Your business has to be set up in a way that is flexible enough and you’re prepared enough that if a large attack does happen, it’s not catastrophic.”
Private and Public Sectors Team Up
Hake and Resilience are doing their part.
“We asked the administration to come forward with strategies that put pressure on countries that might look the other way when some of their citizens commit digital attacks,” Hake said. “It’s been reported that the administration has had these discussions with these countries.”
Resilience is also working with other companies, such as Microsoft and CrowdStrike, as well as the U.S. federal government to share information and “squeeze attackers down” to make ransomware and other attacks far less profitable.
Hake pointed out that the U.S. federal government can’t order private sector companies to take protective actions, except in very rare instances.
“We saw this with the [U.S.] Defense Production Act discussion around the COVID vaccine,” he said, referencing a law enacted in 1950 that gives the president power to "promote the national defense," such as protecting its citizens against the coronavirus.
“That’s how our country was set up. So from the beginning, working on cyber policy, we've always acknowledged that the private sector has a huge role to play in defending our national critical infrastructure. And this is why we were so interested…in raising cybersecurity standards across the board.”
What the Cloud Future Holds
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) acknowledges on its home page that: “The threats we face – digital and physical, man-made, technological, and natural – are more complex, and the threat actors more diverse, than at any point in our history.”
Yet Hake remains optimistic.
One reason is that the high-profile attacks have raised public awareness and driven governments and private sector companies to act, with executive orders and bigger tech budgets, he said. He’s also teaching the next generation of IT professionals the ins and outs of digital hygiene as cloud environments start to dominate.
“[The cloud is] very secure,” Hake said. “The insurance industry has looked at what the threat would be from an aggregated cloud event that hit multiple customers. One thing that reassures us is that there is a multicloud environment out there; not everyone is using a single provider. That creates a security ecosystem that keeps you more resilient.”
He cautioned, however, that it’s essential to keep track of cloud assets and manage them properly. Among the most common breaches, he said, are misconfigured cloud storage resources and systems left exposed with default credentials. This happens most often, he said, when programmers create new applications on cloud development platforms and then forget to decommission those resources when they’re done.
Hake underscores once again the role of beefing up incident recovery best practices to build a bright future. “A lot of research we’re seeing is going into determining best practices for being able to take a punch but come back quickly with minimal disruption.”
Joanie Wexler is a contributing writer and editor with more than 25 years of experience covering the business implications of IT and computer networking technologies.
© 2021 Nutanix, Inc. All rights reserved.