How the recent surge in teleworking has effected cybersecurity with Randall (Randy) Sandone, CCISO, CIRI Executive Director a Department of Homeland Security Center of Excellence.

A Dramatically Expanded Threat Surface

Randy: Whether it's individuals, groups or even nation states. We know that nation states are in that game. What we're really seeing of particular concern here is a dramatically expanded threat surface where virtually every home where someone is working out of becomes a target. We're beginning to see more attacks in that space. We're seeing financial fraud scams that are exploiting people's fear.

Eric: Tied to COVID-19?

Randy: Exactly.

Eric: I'm sorry. I've just decided not to sit this one out. Go figure.

Randy: No, like I said, bad guys do bad things. We've given them a significant opportunity here because of the expanded threat surface. I don't know the fact, but I can well imagine. Unfortunately, an awful lot of people are working from home connecting to their offices and they're not using a VPN, virtual private network.

Randy: They're not using multifactor authentication. It came on rather suddenly. Now, I would argue that even in a normal course of your life, if you have a computer at home and you're connecting to the internet, you probably want to use a VPN. But it came so suddenly and all of a sudden, that was shelter in place.

Randy: Unfortunately, I could well imagine that a lot of companies simply weren't prepared for it. There's a lot of work that's underway with employees connecting to business-critical systems without the use of the appropriate cybersecurity technology. That's certainly a big concern. We're also, just like we are right now. There's a huge increase in the use of these teleconferencing and video conferencing programs.

Eric: So many intact surface has expanded pretty significantly, some may say massively.

Randy: Order of magnitude.

Multifactor Authentication Aids in Enhancing Cybersecurityword

Eric: We're seeing it with the US government simply and things like their VPNs are failing. The ability to work from home is challenged in many ways. But we're also seeing it with the integrators, we're seeing with commercial companies. The adversary has a much more opportunistic and lucrative target, if you will.

Eric: Accessible target maybe is the better way to put it.

Randy: Yes, that's a good way of putting it.

Eric: We're seeing the adversary ramp up and evolve and change their tactics. What do we do? What's the recommendation? Obviously, lock it down, but how do you do that when the world changed?

Eric: Overnight, we decided to go from, "I'm going to go into the office and see you," to, "I'm not going to see you anymore other than Zoom or WebEx."

Randy: It happened so suddenly. In some cases, you have people working at home and connecting to their business systems to get business done. But they're not using VPN or multifactor authentication. It may be too late in those circumstances to correct that.

Randy: Because typically your average employee doesn't know how to install and configure VPNs and multifactor authentication and so forth. As I indicated earlier, we have to keep in mind that the technical cybersecurity professionals, they're in shelter in place as well.

Arika: I was going to ask you about that, Randy. How does that exactly work? Do you think that that really inhibits the ability to monitor and to combat these types of issues if when they're not able to be in their traditional workspace?

Randy: It may or may not. I would assume that most of these folks, if they haven't been laid off, let's keep that.

Basic Cyber Hygiene in the Current Environment

Randy: There's been huge, huge layoffs. But I would imagine that these guys and gals are technical professionals. I would imagine their laptops or the computers at home are well equipped with appropriate tools to allow them to access their networks and access their systems and continue to do remotely what they did internally now.

Randy: There's going to be bandwidth constraints and things like that that could get in the way. But I certainly hope and think that for the most part, these folks are still able to access their systems. Again, if they haven't been laid off and shut off. It's a mess out there and I'm sure every company is reeling and doing the best they can.

Randy: Now for most of us, there's a few things that are basic cyber hygiene that we need to particularly focus on in the current environment. One, you should be using a VPN and multifactor authentication to get into your business systems.

Eric: We're even seeing, especially in the DOD, from what I've seen and talked to peers, the commercial world is much more resilient in this way. In this manner, Randy, where they're more used to working from home. They're more able to, they don't have classified networks, things like that, so they have better VPN capability, bandwidth and you name it.

Eric: The DOD is getting hammered right now from what we're seeing where they just don't have the bandwidth. Everything home runs back. I saw something recently. It might have been this weekend, where DHS is looking to loosen up TIC 3.0 guidelines to get organizations going faster. Everything doesn't homerun back to the agency because they just don't have the bandwidth.

Developing Solutions With Significant Impact

Eric: That's what's crushing them. Even when they have VPN, you get kicked off because you can't stay on. Because it's like flying on an airplane where everybody's using that tiny little straw to stream YouTube videos. It just doesn't work.

Randy: I can well imagine that. The DOD and the government in general is simply not used to the amount of telework that the private sector has become accustomed to.

Eric: From a CIRI perspective, I know you do all the work with DHS, but have you changed any recommendations so far? Are you thinking about it as a result of this or you are already thinking about it?

Randy: No, we were already thinking about it. CIRI is not an advisory-type organization, we are a research organization. We're not called on to provide timely guidance on disruptions and things like that. We are called upon to look ahead to think through big problems. Look ahead to develop solutions that will have a significant impact.

Randy: The critical infrastructure in this country is massive. It's extremely complex. It's totally interdependent. We all recognize that it all relies on cyber. If we're to have an impact in the marketplace, which of course, this is our mandate. We have to do research on things that will have impacts for multiple companies and multiple industries. And across multiple critical infrastructure sectors.

Randy: We're not in an advisory capacity where we look at immediate attacks and the threat landscape as it currently exists and try to respond to that. We try to identify problems, address those challenges and develop and transition to the market solutions that will have this broad multi-industry multisector impact.

Enhancing Cybersecurityword by Rescaling Our Employees

Arika: Randy, just on that note, my friends and I have been talking about what does life look like from a socialization standpoint, a health standpoint. What does life look like on the other side from a cybersecurity standpoint?

Arika: Do you think that the government and companies will be thinking differently about the types of solutions that we need? Because even when this is all over, you will still see large parts of the workforce working from home that traditionally did not work from home.

Randy: I certainly hope so. I'm a glass half-full kind of guy. I hope we're learning a lot of lessons. I think there's going to be some opportunities as well. In particular, sadly, as I've just remarked, there's been some huge layoffs.

Randy: Whether we like it or not, we have to recognize that there are a number of businesses that simply will fail and will not recover. That's going to leave a lot of people in unemployment, looking for the next thing to do. Sometimes necessity being the motherhood of invention, that may present opportunities for employees to rescale.

Randy: Maybe some of those employees will want to rescale into cybersecurity domains. Now, we're on a bit of a kick to really accentuate the fact that the cybersecurity space is not just your system administrator. Your security technical geek people. Cybersecurity involves everyone, everyone in the company. We're really focused on the process and the people aspect of cybersecurity.

Randy: We're seeing a significant increase in reliance and I think it will continue on standards. We're seeing a reliance on, for instance, the NIST cybersecurity framework. The new Department of Defense standard, the CMMC, the Capability Maturity Model Certification.

Enable Businesses by Enhancing Cybersecurityword

Randy: We're seeing increased interest in the NIST NICE Framework, which is the National Initiative for Cybersecurity Education. This is a very well thought out human resources management tool specifically designed for cybersecurity personnel for cybersecurity human resource management.

Eric: Randy, you're seeing that right now during the COVID-19 pandemic outbreak?

Randy: Yes, absolutely.

Eric: People are still looking at that as opposed to, "Damn the torpedoes, I just need to get VPN tunnels up. I just need to get this capability. I need to roll out some work from home," whatever it may be.

Randy: I hope that's a lesson learned for the C-suites and the managers and owners out there. They really need to give their head a shake and stop looking at cybersecurity as a cost to be avoided.

Randy: It is a business enabler and it's going to be increasingly part of their competitive landscape or their competitive position. The DOD CMMC, for instance, they'd made it very clear this is going to be go or no go. There will be procurements and the contractors that want to bid on the procurement either meet the requirements or they don't. If they don't, they can't even bid on the contract.

Eric: They're out. I've thought during this time, are you going to work on that because that's your lifeline, your potential lifeline? Do you have enough time to do that or you're not even going to get there because COVID-19 hits you?

Eric: You're just trying to stay alive and you're making masks or something now that you weren't making before. You were making aircraft parts, now, you're making ventilators or masks or something. You're not even thinking CMMC because you're just trying to keep your operations alive.

Certification as a Cyber Risk Management Professional

Randy: That's probably true, but I'm trying to think beyond post-COVID.

Eric: As we look at the pandemic and the nature of cybersecurity education, do you think there are opportunities to bring new people to the workforce?

Eric: We talked about how many people are laid off. In the last couple of weeks, 10 million people or more have applied for first time unemployment. Who could benefit from nontraditional training and they're coming from a different industry?

Randy: As far as going with the notion of, "Maybe there will be opportunities and people will take advantage of opportunities to reskill." One of the things that we're looking at is developing a certification program for nontechnical people.

Randy: Not the systems administrator, the software gurus or what have you, but for your traditional non-technical people. A certification curriculum that would allow them to get a certification as a cyber risk management professional which would include things at core cybersecurity concepts.

Randy: They need to be trained in that but not to the technical detail that a tech would but also governance and policy issues. We intend to emphasize standards. Because the NIST standards and the new DOD CMMC standards, they're really pretty complex and expensive.

Randy: They're good and I think increasingly be required. You're going to need people that are well versed in that. Understand how the different standards interplay and so on and so forth. Because of the nature of who we are, we will also, as a part of that curriculum, focus on the notion of resilience.

Randy: As opposed to this notion of we're just going to stop them at the gate. You're not going to stop them at the gate.

Striking a More Holistic Balance

Randy: Maybe you'll stop most of them at the gate. But what happens if the gate goes crashing down because of some kind of natural disaster or a pandemic.

Eric: You know some will get through.

Randy: I think I said this last time. I've been at cybersecurity now for a little over 30 years. For those 30 years, we have been continually throwing products at the problem as if we've never seen a problem that couldn't be addressed by more technology. But the human dimension, the process dimension is critically important and we need to strike a more holistic balance.

Randy: We're certainly seeing that today with the pandemic. Again, we look to the future. That's what we're supposed to be doing. We're addressing the immediate problems within our own team. Obviously, we're all in shelter in place as well, so we're teleconferencing and collaborating online and doing all those things.

Randy: But for our mission from DHS, we're looking past COVID-19. Where we think some of these themes that we have been researching and things that we have been promoting will take on even greater urgency. Hopefully, we'll actually get some purchase with it.

Eric: You may have a shot here. I think COVID-19 just shook the world up. As we come out of it, it was a very rude awakening to the art of the possible from a cybersecurity perspective, from a medical perspective, for many. But I think people may look at this depending on how the adversaries attack us and the impact. Different chains.

Randy: I think you're absolutely right. Let's hope we take positive lessons away from it. I'm particularly concerned as I indicated that we don't want to go back to business as usual.

Taking the Necessary Measures in Enhancing Cybersecurityword

Randy: Where, "Okay, all right. Everybody's back." I saw something that just blew my mind. An FBI released alert, recommending people not use rented laptops.

Randy: How in the world? I can imagine that you have a bunch of employees that maybe are using towers or desktop computers. And now they got to work from home. "We got to give them laptops and here we go." You're renting a laptop.

Randy: You're bringing a laptop in that you have no idea what's installed on there. Things like that. Hopefully, we don't go back to business as usual and return in our laptops. We don't arm everyone with laptops with VPN and multifactor authentication.

Randy:  Then God forbid, it happens again and we're right back in this space. I hope the lesson that we take away from this is we really have to look at resilience in the broad sense of what resilience is about. And we take the measures necessary to enhance the resilience of all of our businesses and our government and all of our critical infrastructure.

Arika: Randy, I really appreciate your outlook. The focus on being resilient and just taking everything that's happening as an opportunity to learn from and not to repeat in the future. That will only make us stronger as a nation and as a world. Thank you so much for your insight today. I think you've given us lots of good advice, but also a lot to think about.

About Our Guest

 

Randall J. Sanmvbcc done, a Certified Chief Information Security Officer, is the Executive Director of the Critical Infrastructure Resilience Institute (CIRI) which is a Department of Homeland Security, Center of Excellence. In this position Mr. Sandone is responsible for the operational, administrative and financial management of the Institute.

Since joining CIRI he has guided research, technology transition, education and workforce development resulting in a portfolio of impactful cybersecurity solutions for both the public and private sector.

Mr. Sandone has a comprehensive career leading research and technology projects in environments ranging from start-ups to Fortune 100 companies. His strengths lie in strategy development, business development and project management with a strong emphasis on cybersecurity.

He has managed the development, testing and certification of numerous cybersecurity products used by customers ranging from the U.S. Department of Defense, the Intelligence Community and other Federal agencies to private sector companies worldwide.

In his current role, and in other executive leadership positions, he was responsible for technology transition and licensing, commercialization, product development and financial management.

Mr. Sandone is a former member of the University of Illinois College of Engineering Advisory Board and a member of the Strategic Advisory Board of the Maritime and Port Security Information Sharing and Analysis Organization.  He was a finalist for Ernst & Young’s “Entrepreneur of the Year for Illinois and Northern Indiana” and a finalist for KPMG’s “Illinois Technology Award.”

Mr. Sandone began his professional career in the U.S. Army as an Airborne-Ranger Infantry Officer with the 82nd Airborne Division and in the Air Cavalry as a helicopter gunship pilot. He is a frequent speaker at security conferences througho