What's the Security Tipping Point? with Mike Watson
Mike Watson, CISO for the Commonwealth of Virginia, joins the podcast this week and shares perspective on the challenges and opportunities for security teams at the state and local level. He recounts a 2009 ransomware incident and details just how sophisticated ransomware attackers have become in the ensuing years since.
He provides perspective on shared responsibility, security standards, and compliance baselines of “good,” walking the fine line of multi-factor authentication, security ubiquity, and why he has optimism for the security path ahead (HINT: It involves security as part of the process, not bolted on after the fact).
What's the Security Tipping Point? with Mike Watson
[02:50] A Huge Job
Rachael: Today, we have Mike Watson. He's the chief information security officer for The Commonwealth of Virginia. It's a role he's held since 2011.
The Commonwealth of Virginia has more than 100,000 employees, 60,000 workstations, and 3,500 servers. This is a huge job. I'm really looking forward to today's discussion.
Mike: Thank you very much for having me. I've had a conversation with a couple of my coworkers about how you know when something is broken versus an actual compromise. It's really not easy to tell. I've seen some really great demos about hospital equipment that's out there. The difference between it malfunctioning and actually being attacked, you can't tell the difference. It just looks like it's broken.
Eric: With the lights off on an elevator, that's a pretty good leading indicator. That you’d want to at least assess it further. It's like ransomware. "Nothing happened. We're good." You got lucky.
Rachael: Having been in this role since 2011, I can only imagine the trajectory you've seen in the cyber landscape. Particularly how it's addressed at the state level, I’d love your perspective on the last 10 years and what you've seen.
Mike: It's been a wild ride. We have this weird thing that happens in cybersecurity where we'll have periodic whirlwinds of activity that happens. To put it in context, my agency does cybersecurity right around the 2007 mark. I had been working at the auditor's office, which is a great way to learn the state. You go and visit every agency, you get a feel for how they work.
The First Cyber Attack
Mike: I've been at the position for about 18 months. Then we actually experienced our first cyber attack, our first ransomware attack. This is early ransomware, in 2009.
Eric: Most people don't know what ransomware was in 2009.
Mike: What it came across was, at the time, they were starting a lot of the prescription management programs. Making sure that people were registering when getting any of the opioids and things like that. That program was the thing that got compromised. Somebody put up our pharmacies all logged into this application. Someone put a giant message up on the board that said, "You've been hacked. If you want your information back, you have to pay us $10 million," or something crazy like that.
Eric: No Bitcoin at that point. Brown paper sack on third and market at noon under the park bench.
Mike: The trench coat and hat and everything.
Eric: I better not be tailed or there will be consequences.
Mike: It was fascinating though. The governor went on for 60 minutes talking about it. It was an interesting experience. Even one of those first kind of landmark things for us because we were coordinating with different agencies, federal, and state, trying to go through this process. Figuring out how bad this could have been or how bad it was for the state is even just an exercise.
No one had gone through something like this before. Fortunately for us, this was not the realm of today where everything's a well-oiled machine on the exploit side. We had backups, and we were able to recover. We’ve figured out what was going on. It wasn't the end of the world for us.
A Good Cyber Event
Mike: It was a gut check and a half as far as starting out in that role and only having a little bit of time underneath my belt. There's nothing that intrigues your interest in security more than a good cyber event. You get to look at pretty much everything. It's a really great exercise and just how prepared you are. I’ve seen this dawn of ransomware even back in the early days. I have been watching it progress ever since.
Eric: You've seen this over time, progressing both on the adversarial side and on the defensive side, how we're protecting our networks. In 2009, who were you talking to at the fed level? DHS exists. There's no CISA. Who do you call?
Mike: It was mostly the FBI. We did interface with a whole bunch of different other folks as part of the process as well. It was great. The FBI were great supporters at that point. We had an awesome local agent. They were working with us pretty much every day. They’re fascinated by this as well. It’s something relatively new to them. It was also a big case. You don't really get $10 million, I forget what the amount of money was, that large of a ransom request for something like that before.
It was one of the first times they saw something like this. Working with federal government partners was huge at that point. It did help conversation-wise, put us into a "What's this going to look like in the future? What are the types of protocols that we've got to worry about?" It's been interesting watching that kind of progress over time.
Mike: Obviously at this point, everybody's playbooks are pretty straightforward to be able to handle or at least know what we've got to do in a lot of these circumstances. Whether we have the resources to do it or not, it's a different question.
Eric: But you're saying at the federal and state level, the playbooks. I would argue that the local level may not even have playbooks in some cases.
Mike: Yes. But I will say that law enforcement is way more prepared to handle these things. They generally know who to reach out to. So, even at the local level, they don't have the resources and the preparedness in place most of the time. But if they need somebody to walk them through what needs to happen, we can find them a resource. You know how it is. Reading a book doesn't tell me how I'm actually going to execute something. That's really where the biggest problem is.
Eric: You were talking about the changes over time. What was it like?
Mike: It has evolved dramatically over time. It's a good kind of central point for the way security has evolved over time. We've always known. We always had these cyber hygiene things and we know exactly the areas that we need to focus on just to get things under control. We've just seen it get more evolved and concise and structured as time has gone on. Where we generally know the things that are going to work to keep a majority of the stuff out.
It’s the Same Thing at the Security Tipping Point
Mike: It's like houses and homes. We know, "Lock your doors, lock your windows. Make sure that you're not leaving anything super valuable out in the open." You're generally good. It's the same thing on the cyber side. We know what those types of things are that need to be done. We're generally good.
The problem is just like on the home side. We know that if somebody really wants to get in, they're going to. How we prepare and how we structure ourselves to respond to that is where a lot of the evolution has come over time. Making sure that we are ready for those large scale events and attacks either due to somebody leaving something unlocked or not doing cyber hygiene. Or that somebody who is really after us and wants to get in and do some harm.
Eric: I feel in some cases we haven't even put doors and windows in place to lock it in some cases.
Mike: Just like any other place, you run the gamut of what types of equipment you've got in place. Whether it's the steel reinforced door with lots of deadbolts on it or you've got the flimsy cardboard entered with the very loose lock.
Eric: Or a piece of plastic. Staple gun to the frame of the door because we're still under construction.
Mike: The screen door of the equivalent. I'm right there with you.
Rachael: I'm fascinated by this phenomenon. It ties into a quote. You were in this great Washington Post article. I was looking at state and local government ransomware attacks. Until there's a catalyst event like a Colonial Pipeline, for example, security isn't the number one thing.
[12:36] We Have to Wait for the Security Tipping Point
Rachael: It's almost like we have to wait for the bottom to drop out. When will that happen? But in order to get the right funding, at the state level, I know you're seeing this acutely. I'd be interested in how we get out of this routine of catalyst event. Then we put resources into it. Can we get ahead of that?
Mike: It's something we've been really trying to figure out how to deal with, especially as a security community over time. The media reinforcement has helped dramatically accelerate where it is that we are. We're seeing some pretty significant types of attacks. Everything from the crazy nation state stuff we saw with Stuxnet and nuclear secrets and nuclear-related style attacks. To the day where we're at with the Colonial Pipeline and critical infrastructure style attacks.
Where things are trying to disrupt the life of the average American, that to me is obviously pretty concerning. We're starting to get to this point where things are reasonably weaponized and can end up impacting our day to day. I'm not sure where that tipping point is that we get to where things are considered too much. We need to stop this now.
If you were to compare it to the pandemic that we're in now, something happened. We had a virus that ended up impacting a ton of people. It's shutting down businesses, it's causing loss of lives. We all, as an entire globe, work together to figure out a solution on how to address this. Obviously, we've got a little bit of different competition.
Nation States Leveraging Cyber
Mike: In this case, we've got some nation states who leverage some of these cyber things. There's not quite as central of a direction that we may have for cybersecurity as we did for something like a health-related pandemic. But we need to come up with whatever type of general response. Focus what we can to try to drive this to at least some level of closure. Or at least a restriction on how bad it can get.
We're at that point where it can get pretty bad. The Colonial Pipeline was a great example of something that impacted us pretty terribly. If we weren't in the middle of a pandemic, it would have been a large problem. We would’ve had the East Coast shut down and we wouldn't have been able to function. That is scary for the average citizen. We really lucked out that it wasn't as terrible as it could have been.
Eric: At what point do we as a society really decide to dig in and do something as opposed to allowing things to happen to us? I was just reading the article in the Washington Post on August 22nd. It talks about Baltimore county. Public schools in Fairfax County, are being attacked. I'm going to take it to the Commonwealth of Virginia.
It also mentioned Hampton Road Sanitation, Bristol Police Department in Virginia. There were some others mentioned there. I've been in this business for a good while now. We've been covering ransomware pretty extensively on the podcast. I didn't even hear about Hampton Roads Sanitation. And I didn't hear about Bristol Police.
Across the Security Tipping Point
Eric: There's so many things happening across the spectrum here. It's unlike 2009 where it was one of the first pieces of ransomware and we dug in. It is almost like commonplace and every day, which is a sad place to be.
Mike: We're running into the data breach problem. Going back to the first question about the evolution of what has happened over time in security. Data breaches used to be a huge deal. Now, we're at the point of, "Ah, I got breached again. All right. I'll just keep checking."
Eric: It's just like, "Oh, here's the new year's list. Let's look at how the bad actors have shifted their techniques." That's disappointing.
Mike: I get it to a certain extent. We ended up in this scenario effectively. When you look at it from a pure security vision, we came up with mitigating controls. We came up with this way to manage our credit. The credit card company stepped up their game to make sure that it wasn't as big of a problem.
The credit monitoring companies did a lot of changes to make sure it's not as bad of a problem. It's still a problem, but it's not as bad as it used to be. If your information is breached, there's education and information about what to do in those circumstances to keep it from becoming a large issue.
The ransomware component is where we were with the data breaches a few years ago. They're starting to happen consistently, and they're not necessarily making the news anymore. They're not as big of a deal. "Oh, yes. Another company got compromised. These people are down for ransomware. Just wait a few days and they'll eventually come back up." Work around it.
The Key Difference
Mike: It's concerning to me that the key difference here is that this is the first time it's impacting the physical world. The things that we worry about are somebody impacting our roadways or our gas supply or our water systems.
Eric: Or sanitation, you name it.
Rachael: Supply chain too. I don't know in Virginia, but there's this thing now, we call them tractor hackers. They’re targeting these farmers. You don't realize all of their things are now internet-enabled. John Deere has these crazy technologically advanced, that starts to get scary. That's the real supply chain impact. It is a place where, who would have thought to go that route, but they are.
Mike: We already know that we've got driverless cars on the way and smart city components. In my area, I've got both smart water meters and smart electric meters. We know that we're moving towards more of these types of highway beacons and things for our driverless cars. There's a lot of stuff that's going to be capable of interfacing with the physical world more than what it is now.
Simple things like traffic lights. A lot of our physical devices take a long time to update. At some point, our traffic lights will be more on that complete wireless IoT structure thing. All of a sudden, you've got the capability to interface or have it interfacing with some of these devices.
Whether that's through the cars or maliciously through a third party, those are all major concerns. The fact that we are setting ourselves up for the ability to interface physically in the environment without the right types of technical protections in place is scary. We've got to, as a community, prepare ourselves.
[19:38] Mitigation Techniques
Mike: Accelerate some of our mitigation techniques and approaches to prevent that from being a problem. We're obviously very concerned about it at the state level. We know that it's a shared responsibility. Our localities, they own some of this stuff. They own water systems and a whole bunch of critical infrastructure components. They’re not in a great position to be able to protect them a lot of times. They don't have the resources necessary to make it work.
If we don't do something soon, we will be in those scenarios where our physical critical infrastructure is being breached more than it currently is in the future.
Eric: I've got to imagine that's very frustrating and difficult at the same time for you. If we had an attack of some sort at the local level that impacted water, let's just pretend water. Wasn't it Oldsmar dam in Florida where they were going to dump a ton of lye into the water and pollute the water supply?
One of the first people getting called is the governor of the Commonwealth. I'm betting you get called pretty quickly after that. "Michael, what happened? Tell me what's going on. What are we doing about it?" You're like, "Hold on, what is that?" That's got to be a difficult feeling.
Mike: It's interesting being a public sector figure and stuff. What it really comes down to is not only are you trying to protect, in my case, the state. We're also acting as a level of expertise to be able to advise in scenarios like that one.
Part of what we try to do is to make sure that we're always out there stumping for preparedness. Making sure folks are aware, but recognizing that the government struggles planning for the long term.
In the Position of Security Tipping Point
Mike: We are in the position of being ready for the inevitable compromise that will happen. What do we need to do? How do we need to react? We've at least thought through some of these items. Ultimately, there isn't really a great scenario that we're going to come out with when something like that happens.
Inevitably, you've got the problem that Flint runs into you. Where does the government step in to help manage the quality of the water if that lye scenario had ended up coming to fruition? I believe that was the right case. The only reason that they caught it was the guy was sitting there. That guy was sitting at the station and saw the little dial change.
Eric: That or a mouse cursor moved or something. It was random luck, we can all agree to that.
Mike: It was just dumb luck that that ended up being a thing. You're never going to turn down something that ends up being lucky, but I'm with you. It’s really scary that that's what we ended up with. If somebody wasn't watching that, I'm sure some alarms would have eventually tripped. But how much damage was going to be done first?
We're not prepared as a country to understand where the blurred lines are for a response like that for coming in. Does the governor send in someone like the National Guard to help? Do the feds come in to help? Who is going to step in, in that scenario, to address those issues if the private company isn't able to make it function correctly?
A New Security Tipping Point
Mike: I'm never a proponent. I like letting folks handle their own components and let them work it out. Be there to help and advice and say, "This is what you need to do". But realistically sometimes, just like if it's going to be a locality or someplace that's under-resourced. I'm not trying to knock Colonial Pipeline too much, but they posted within two days of the compromise for a new security position. They didn't have anything before.
Eric: No, that was actually posted before. It was a couple of weeks prior, but it wasn't for a CISO. I got the impression it was a very sparse cybersecurity team.
Mike: I'll have to take a look. We were joking as we were seeing this. What happened is the postings came through LinkedIn.
Eric: Somebody noticed it a couple of days after, but it was actually posted before.
Mike: Then they were working towards filling that out and trying to make that better. The fact that they were posting for a security position when something like that happened is always a difficult message, first of all. Second of all, indicative of where we are with our kind of under-resourced and minimally resource areas. It's not super surprising to see something like that.
Again, not trying to knock on Colonial Pipeline, in particular. It is just the easy example or recent one that people can think back on. It's not all that different from any of the places that have been compromised. You typically go back and say, "All right. I guess I need to shore up my security stuff now that this has happened."
Locking Doors for Security
Eric: I always like to go back to the physical world. It's almost like a lot of these organizations, agencies, and businesses don't think about locking their doors and windows, physical security. If you're going to build a new building at the county or local level, you're going to put locks on the doors.
It's just part of the architecture plans. You may put security cameras in, you may have an alarm contract. In a lot of these cases, they don't think through from a cyber security perspective the same types of considerations. We're just not mature enough yet. That's the issue for me.
It's the basics. I hate to go back to compliance. We've talked about compliance a ton on the show. Some compliance is not necessarily good security, but there's got to be some baseline level. NIST has great documents out there. There is tons of information out there where you can say, "Okay. I'm a state organization that controls all the traffic lights."
A local county, what do we need to think about? Maybe you decide, "I don't have the budget right now," or "We're not going to do anything." But maybe you decide, "Take it off the network," or have basic level protections in place.
Mike: The idea of what needs to be done, the basics. The things that we need to do to basically make sure that our day to day is safe are really well spelled out. I give major props to the feds and everybody at NIST and DHS. They do a wonderful job of communicating what that basic framework looks like.
[26:43] What Needs to Be Done at the Security Tipping Point
Mike: What needs to be done in order to secure the household, the basic components of it. There's people that are consistently making a choice. They're going to do this later if they're not doing it quite yet or they're not ready to make the investment. Some of them pay the price for not being able to.
Eric: Or they just don't know. There’s an article by Brett Callow from Emsisoft cybersecurity firm. He said, "Local governments are not necessarily targeted more by ransomware groups. Rather, they're hit as an operator of inadequate security systems caught in a wide-cast net."
Mike: I completely concur with that assessment.
Eric: He goes on to say, "Most ransomware attacks are spray-and-pay in nature. They hit the ones with the weakest systems. Local governments seem to have the weakest systems." You’d think there would be a baseline, low watermark level you've got to get above. You’d at least temporarily elevate local government systems above the weakest that are caught in the wide cast-net. I don't know. I'm not a ransomware attacker.
Mike: It's about the amount of resources that we're applying to any location. The localities tend to be under-resourced across the board. We want to have inefficient government as the American public. Generally, that means maintaining whatever the lowest amounts of cost attached to the government as we possibly can.
Unfortunately, the way that that works is when we have an event with some particular area, it doesn't really make a difference whether it's education or some sort of service. Cyber's no different until we start seeing it consistently. Say, "Hey, we really got to invest in something or it's going to cost us more money than the investment."
The Government Always Lags Behind the Private Sector
Mike: We end up in this scenario and the government will always lag behind the private sector for that particular reason. Private sector has incentives to protect their bottom line that they will adopt. Government tends to lag a lot of times in those areas. That's not to say that there aren't places that are doing it right. I don't want to generalize too much. Of course, I'll say Virginia's doing whatever they can, especially at the state level.
Eric: But even if you do, the best you get is you're not in the news. Nobody says you did a crappy job. You just did your job. I wonder how much recognition you even get for doing your job.
Mike: That's almost a whole thing in itself, of course.
Eric: We want to unpack that on the show today. Don't worry.
Mike: Trying to figure out just how well somebody is doing is actually a really hard thing to do. I talk to a lot of my fellow CISOs in other states. We do talk about that a lot. It's like, "Where's that line? How much is too much? And how much is not enough? What are other people doing?" We try to figure out a way to meet in the middle there.
As much as we have great standards and structure for what needs to be done to maintain a program, the devil's always in the details. There's little things that need to be done. How far do you expand a particular topic, like multi-factor authentications. It's a really great example. For those that might not be familiar, that's the little code that you enter whether it's from a fob or something that's sent on a text message.
Mike: The security folks like myself, I always say just do it for everything because it's easier.
Eric: To me, that's a no-brainer. MFA, two-factor authentication, call what you will. It should be on everything.
Mike: It's the balanced response. There are some things that probably don't need it. But we also know as security practitioners, you know that differentiating between them. When it comes down to it, you're going to go to the appointment rather than make sure that you've actually used the two-factor. Or that you've checked everything out before you've gone in because it is the nature of the way that humans react. We know that it is going to be a consistent problem.
Applying multifactor everywhere is a challenge. As much as I'd love to say that I have a cart blocked to turn it on in any scenario, there are a lot of very specific, weird interaction things that they basically come and say, "The citizens just won't do it. If we end up doing it that way, the citizens won't leverage the services that we need them to leverage."
Eric: That's accurate. Watch this, Michael. Rachael, what would you rather have? A complex password for each website that you can't manage or multi-factor authentication for each website?
Rachael: If it's multifactor, can it be on my face, on my phone?
Eric: No. There is our problem. It's hard. Therefore Rachael does not want it. Even though she doesn't want you stealing her credit card information or understanding. Getting into her photos on her phone or whatever it may be, that's the problem that we have to deal with.
You Want To Leverage the Security Tipping Point
Mike: It's representative. That is the normal citizen. You want to be able to leverage that. I love the phone generation components for being able to use your face now. At least, as part of that multifactor.
Eric: Apple, in that case, or Google has already authenticated you. You see some of this in the ecosystem where if you have an Apple watch, you don't have to constantly log in. You're there. It recognizes you. As the technology matures, we can take advantage of some of these mechanisms that do exist.
Security goes way up. The difficulty, the impact to the user and ease of access probably stays pretty manageable. But you wouldn't care if you could just look at your screen and it said, "Hi, Rachael." You're in. But that text, that's just one step too far.
Rachael: What if I don't have the phone with me? I've had that happen because I have two phones. A lot of times it wants to multifactor on the phone that I don't have with me because it's charging. It's like, "Urgh," and then I can't get into it, and it's very frustrating.
Mike: Well, I'll give you the one that my wife gives me a hard time about. We share a single Amazon account, we have a multifactor set on Amazon. So, whenever she's trying to log in to get something, I have to send her the text for whatever it is that she's trying to get in. Let me tell you, if there's anything, she does not like that.
Eric: Mine likes to reset the password there which just goes to me anyway.
Mike: That's where we were before I ended up setting up, at least, the token. It's that problem. That usability isn't quite there for everything yet. It'll be a while, but I see a day when we have our phones effectively. You just walk up to a system and everything's just authenticated. Everything's squared away when you get there. I can't wait for that to be there. They need to accelerate that technology just a little further.
Eric: People who don't want an iris scanner or they don't want a facial scan, that's fine. Go to multifactor authentication. We even have mechanisms if you're not comfortable with that. We have to make things easier because there isn't enough money. The attack surface is so massive.
As you talked about in this article, most defenders aren't thinking about security. It's not their number one. They're not thinking about it all the time. As Brett Callow mentioned, the adversary just casts a wide net. Why not? There's not a lot of risk.
Mike: The cost is so small for them to do that versus us who are trying to plug every hole that's out there. The cost of doing that is huge. Unless we come up with better tools and better approaches across the board to make security more ubiquitous on all of our product sets and as part of everything that is done.
Security's got to stop being looked at as an add-in or an additional thing. It is got to be part of whatever service it is that you release. Microsoft learned this lesson years ago. I was around long enough and I'm dating myself a little bit before patches were deployed by Microsoft.
[36:15] Five Major Security Tipping Point Events
Mike: We posted them on this site somewhere and you went to download them. There wasn't this Microsoft update thing. You had to know to go look for them. They suffered through four or five major security events that drove them to change that policy pretty quickly.
They've been great ever since recognizing that it is painful if you don't structure yourself to be able to maintain and set up these updates in a consistent fashion. There are lots of companies that still haven't learned that lesson though.
There's lots of places that just don't understand that security has to be built in or you will end up paying the price later on. Whether it is paid by the consumer or paid by the provider, somebody's paying for it. It never ends up good for us as citizens in the end. It's always a painful process.
Eric: Microsoft literally went from the reason malware exists. People created malware to hack Microsoft operating systems. Whether it was DOS or Windows to the number one company in the world from a security investment. What a transformation if we can get society to shift that mindset.
Mike: They are the poster child for somebody that adopted and embraced what is necessary to be done for their products. But you can imagine the conversations happening at Toyota and Honda and Ford right now. I suspect that they're still based off of, "Okay, we've got to do something to protect cyber." But that's part and separate from the design of the systems.
Cyber Is Critical
Mike: When they should be saying, "Cyber is just as important as how many RPMs I can get out of my engine." It is critical that we get that stuff built in upfront. We've got to be able to adopt that and recognize that that is crucial. Otherwise, as we move into this physical component of digital interaction, that's really hard to replace. Those things are really difficult to fix if you end up in a scenario where there's a compromisable asset that has a physical presence.
Eric: It's a lot more costly in my experience to bolt it on after the fact. We will oftentimes go in to talk to customers and they're like, "Here's what I've got." It's really a problem. I was talking to a friend a couple of weeks ago about air gapping critical infrastructure. His response was, "That horse has kind of left the barn."
There are so many holes, so many connections from critical infrastructure components to the internet now. It's so convenient. In most cases, you have no chance of telling the operators they're going to have to air gap their networks and turn off all of those features. Some of them are contractually obligated.
Mike: I was going to say, even the people that manage the environments at that point are relying on that internet connectivity for it to function. At this point, there's no way around it.
Eric: But if you build it securely from the beginning up, we'll pick on VPN for a second. You have a single VPN tunnel maybe in, and that's the only way to connect. Get data out and move patches up and everything else. That could have worked.
The Zero Trust Architecture
Mike: We haven't really talked too much about it, but the zero trust architecture structure. That concept of the "Hey, we're going to build this bubble around and as close to the data as possible. So that regardless of wherever or whatever the data or interaction you need, it will be protected. Any interaction will be considered untrusted until we can verify that it's supposed to be there." That concept is really powerful.
You've seen the federal government talk a lot. I know in Virginia and a couple of the other states, they're talking a lot about saying, "Okay. How do we do this because it's going to be necessary?" Especially with the way that we've recovered from COVID, everything went out. We had this nice job, security strategy. Orderly structure for saying, we're going to adopt a zero trust model over the next four to five years. We will have different components in place.
By the time we're done, everything will be great. COVID hit, everything went out. All the applications that weren't really exposed to the citizen, all of a sudden became exposed to the citizen. Everybody moved to third parties like SaaS and Cloud. Everything was a mess very quickly.
Now we're like, "We got to accelerate our model a bit," and try to figure out how we can interpose. Put something in place that's going to at least emulate the zero trust model as quickly as possible. Without something like that, these critical infrastructure components and such aren't going to survive these cyber attack interactions.
The Physical Space Versus the Security Tipping Point
Mike: It's extremely costly in the physical space because you physically go out there and do something with it. You can imagine trying to fix a common bug on traffic lights. We can't visit every traffic light in the state in any reasonably quick fashion. It will take years to do something like that. That's daunting.
Rachael: For someone who's been in the cyber world for a really long time such as yourself, do you have optimism for the cyber path ahead? Are we going to get ahead of this threat here in the next five years, 10 years? Or is this just something we got to look to the next generation to solve?
Mike: Hopefully it's not like climate change where we're trying to figure this out a little bit too long. The urgency is being built and is being recognized further every day. We know what strategies need to be employed, we do have some great success stories. We've talked about a couple of them today. Microsoft's a really great example.
What I suspect about some of the stuff and how we reacted and handled some of the conversations with Colonial Pipeline, those are conversations that were great to start and have. We still have ways to go to understand where we are comfortable as a country policy wise. Who's going to be responsible for what parts of response for a truly significant cyber incident? That's going to take some time to work out. Any type of conversation like that is going to take time to work out.
The Most Important Part
Mike: But I do think that people recognize the need. That's probably the most important part. Now we've just got to take the steps and continue the process of pushing and making sure that we don't forget. We don't address those things before it becomes a major problem. The nice thing about having so many people after us all the time is anytime you start to forget, somebody's there to remind you.
Eric: The press is helping. The executive leadership at all levels is really understanding this is becoming a bigger problem.
Mike: Honestly, even the last three presidents have all had something cyber-related in their crosshair somewhere. Everybody dealt with it differently. I won't pick on one versus another to say someone did great or not. But everybody had it as something to recognize. It was an important part of the way that they were managing the country as a whole.
Continuing to embrace that and make sure that it is part of our policy direction is going to be crucial for us to get it fixed. I would love nothing more than to be in a scenario where cyber doesn't have to be called out as its own thing. It should just be part of the process. But we are quite away from being there yet. I'll be surprised if it happens by the time my career is over, but we'll see.
Eric: It's the ultimate job security in our lifetime. Not that that's a good thing.
We’ve Got a Road to Go
Mike: I'm optimistic that we're at least on the right path to deal with a lot of the problems. Until we get to the point where it doesn't have to be called out separately, we're going to be in a little bit of a struggle for a while. We've got a road to go, but that's not unusual for any large complex problem.
Rachael: With that, thank you so much, Mike, for joining us. This has been a wonderful conversation. For such a complex problem, it's nice to be able to have a little levity too. Listeners, just smash that subscription button. You'll get a fresh episode every single Tuesday right to your email inbox. Don't forget to subscribe. Until next time, stay safe guys.
About Our Guest
Michael Watson is the Chief Information Security Officer for the Commonwealth of Virginia at the Virginia Information Technologies Agency (VITA). With over 17 years of experience working in the information security field, he leads the Commonwealth Security and Risk Management team which provides security governance, oversight, and risk management for the executive, judicial, and legislative branches of government in Virginia.
Michael holds a graduate degree in telecommunications with a focus on security and management from the University of Pennsylvania and earned his undergraduate degree from James Madison University. He is a Certified Information Systems Security Professional (CISSP), incident handler, intrusion analyst, penetration tester, and information systems auditor.
Listen and subscribe on your favorite platform