2020 Government Cybersecurity Predictions, Part 2 of 2
2020 Government Cybersecurity Predictions, Part 2 of 2
Final three 2020 predictions: Cloud smart not dumb, Mature approach to data and privacy, Indicators of Compromise IoC to Indicators of Behavior IoB.
Nicolas Fischbach Forcepoint CTO, Phil Goldstein of FedTech and Mike Gruss of Fifth Domain weigh in on how they will effect Gov Predictions report here.
Table of Contents
- [00:56] A Preview of the 2020 Cybersecurity Predictions Part 1
- [02:00] The 2020 Cybersecurity Predictions on Cloud Dumb
- [05:53] The 2020 Cybersecurity Predictions of Movement From Cloud Dumb to Cloud Smart
- [12:06] The Data Privacy Officer’s Role as per 2020 Cybersecurity Predictions
- [16:59] The 2020 Cybersecurity Predictions on Where the Tension Lies
- [22:23] Will There Be a Clean up Based From the 2020 Cybersecurity Predictions
- About Our Guests
A Preview of the 2020 Cybersecurity Predictions Part 1
Eric: Welcome to To The Point. This is part two of a two-part episode with Mike Gruss, editor of Fifth Domain. He was on episode 53 with us Phil Goldstein, senior editor for FedTech and State Tech magazines. He was in episode 54 with us and Nico Fischbach, our CTO of Forcepoint. We're going over the Forcepoint 2020 cybersecurity predictions where we asked our researchers, engineers and strategists to predict what they believe will impact the cybersecurity landscape over the next 12 months.
Eric: Last week we covered deepfakes as a service, we covered 5G. Candidly Nico, I thought those were kind of not givens. I loved our perspectives on it, but they certainly weren't challenging from the perspective of challenging the authority. Cloud Smart, Cloud Dumb, we're saying our people are Cloud-dumb when they're rolling us out. Why don't you introduce the topic to us.
Nico: Yes, thank you again. Good to be back again. We still have a few to go, so let's dive in. Cloud Smart versus Cloud Dumb. Actually, I think you came up with that one Eric.
Eric: I did and that's why it's a little more controversial maybe than most. Let's push some buttons here guys.
Nico: So I think, the Cloud Smart side is pretty key. I mean, everybody is shifting to the cloud. We are in our private lives, enterprises are, the government is. There has been a lot of talk about GEDI in the U.S recently and we hear a lot about GEDI outside of the U.S. I mean there's going to be a massive shift to public cloud services in the next decade. And it's just the beginning.
The 2020 Cybersecurity Predictions on Cloud Dumb
Nico: I think at the government space, some players have been around for a very long time, but what happen is that I wouldn't say it's Cloud Dumb. I would say that we have another chance to educate and to train many people on how different Cloud Security is. Because the technology stack is so different from what used to be technology on-prem.
Nico: We've been building data centers, servers, racks, hosted applications for so long. The learning curve to move and to consume infrastructure services platform as a service or SaaS services is significant. So I wouldn't call it dumb, it's like saying that the user is the weakest link of the chain. In the chain, same as here, I think more than a prediction, it's a call to action.
Nico: We need to educate more people about what the Cloud is. How different it is and guys, get your basics right. Honestly, I think that's pretty much true, the base security you're going to get from any security provider in the cloud or any public cloud provider is going to be better than what you can build in-house full stop. Especially over time. They are better, they know how to read that scale, they know how to automate it.
Eric: They're faster.
Nico:They're faster but you need to understand the dependencies you have and the trust that it creates. What's on you in terms of security when it comes to protecting your applications and protecting your data and what's on them. Exposing your S3 bucket in AWS with all your company data is a very bad idea. But that happens all the time. Look at all the breaches.
A Call To Action
Nico: So again, more than a prediction to me, it's a call to action. Let's train people to understand the Cloud Stack.
Eric: Okay, so Mike, I'm going to ask you, are we being Cloud Dumb? Are you seeing that? You disagree? Agree? What are your thoughts?
Mike: No, I liked this prediction but here's what I think we're seeing. And this isn't necessarily with the IT community, but maybe with the broader business.
Mike: Government community. Which I think everyone understands there are benefits and efficiencies to moving to the Cloud, but I do feel that because there is maybe less physical infrastructure in front of them that they say, "Oh well, this security's concern is not so much ours." And I feel like the risk there is that all of the security responsibilities are going to be pushed to the cloud providers.
Eric: That's not the case.
Mike: So that's where we talk about Cloud Smart or Cloud Dumb I think to entirely trust a cloud provider for all of your security is Cloud Dumb. I think that the cloud is, especially at a government level, still kind of a shiny new toy in front of them. Even a document that came out, I was just rereading this, The DoD Cloud Strategy, which is like December 2018. There's hardly any mention of security in it. There's a ton of talk about, "Oh, what can be gained from the Cloud?" I think that's a real risk and potentially shortsighted.
The 2020 Cybersecurity Predictions of Movement From Cloud Dumb to Cloud Smart
Eric: I agree. When I meet with customers, it was cloud first. So how do we get everything into the Cloud and then Cloud Smart? A big piece of it is, should be in the cloud? I think we need to spend a lot more time on the risk though. A lot of times when we move into the Cloud, we do it without IT knowing about it with the shadow IT components. It's easy, it's fast, it starts out at least cheap. And we just miss security. Phil, have you had interviews? Have you met with people? What are your thoughts here?
Phil : I would agree with what you and Mike are saying. Sometimes security is definitely an afterthought when it comes to moving data and applications and workloads to the Cloud. In talking with both government officials and folks from cloud providers, they point out, yes ,the cloud providers do provide security for their infrastructure. But it's still your data as the government entity that is being hosted.
Phil: So you need to wrap all the protections that you would wrap around your data if it was in, an on-premise environment in the Cloud and I think that the focus that has been put on protecting high-value assets across the government in the last year to year and a half, that's going to become even more important as the more data gets shifted to the Cloud, that's likely going to include some data that is considered a high-value asset. I would bet most of that is going to remain on-prem but some of it probably isn't, and that data needs to be protected.
The Challenge In Applying Risk Considerations
Eric: I would argue with you there. The customers I talked to, especially from a security or an IT perspective, tend to have very little knowledge of the value of the data, which makes it really hard to apply risk considerations.
Eric: So IT seems to be divorced from the data in many cases. In fact, I'd say the preponderance of cases. They just aren't that entwined with the business. There's a lot of critical data, PII, sensitive data, CUI in the government space that's already going to the cloud. And I think a lot of it's lack of understanding of what it is.
Phil: I think that kind of goes hand in hand with another trend that we're starting to see in government, which is a real push for agencies and users, employees to become much more data- literate.
: And not that everybody's going to become a data scientist overnight, but to become much more knowledgeable about the data that the agency has. That they have access to and what those risk classifications need to be for different kinds of data. Everybody talks about using type of security framework from NIST and the NIST Risk Management Framework, which I think are incredibly valuable tools. But they actually need to be used and put into practice. You can't just say, "Oh yeah, everybody should do it," and then nobody does.
Eric: No, absolutely. There's certain places where we had Andy Wall on a couple of months back from the UK National Office of Statistics. They want to share everything. It's the people's data so they know what they're sharing because they want to share everything.
The False Prediction
Eric: From the intelligence and DoD side, it's very easy if it's classified, but there is a lot in the middle. So I do agree and disagree with you, but there's a lot in the middle.
Eric: Nico, anything else on Cloud Smart Cloud Dumb? Was I too over the top?
Nico: No, you have enough opinions on that one. I can totally see it was yours right? You have a good lead-in, moving the conversation from the infrastructure side of the house to data, which I think is the next topic we're going to talk about more.
Nico: The false prediction we want to talk about is a change we need to see in the industry and is for both business and governments to mature their approach to data and privacy programs. For the last couple of years now I think most of us have been watching to see what's happening in terms of GDPR. In terms of CCPA in the U.S. I think I would let you guys chip in on maybe some more government-specific ones that I'm not aware about.
Nico: But basically people are like, "It's never going to hit me". They took a very, for most of them a very reactive approach or very reactive process, say, "We will try to mitigate when we get to hit," right, rather than taking a proactive approach, which is to understand where your data is, to classify and label your data, to overlay data protection programs or information protection programs over it.
The Data Privacy Officer’s Role as per 2020 Cybersecurity Predictions
Nico: To look at the privacy angle and how you manage privacy of course in terms of when it comes to privacy by design and various methods as well as what does it mean in terms of the people who are impacted. The employees in the federal agencies and the government, the citizens in the countries.
: So take a much more proactive approach. The prediction is very much that both businesses and government, will actually tackle this end-to-end and look at it from this point of view. And not just like, "Oh, there's something we need to comply with. What's the bare minimum we need to do to not be hit. Or if we get hit, to minimize the impact?" Whatever the impact is financially to the business or either in terms of exporter, right?
Nico: The prediction is that the DPO role, the data privacy officer role is going to become much more prevalence in the organizations. There would probably be DPOs in the governments into federal agencies maybe there is today. I'm actually not aware about it. So I'm actually keen to hear what you guys have to say about it. So, become more proactive and deploy the tools that help you solve that problem end-to-end. We're also going to see I think, a convergence in terms of tools that will be used to satisfy privacy concerns as well as tools that will help you with data and information protection programs.
Eric: So we have to protect the business, but we also have to protect the privacy of the individual. You should be able to pay your mortgage bill online from work without the business spying in on you. Tough balance. Are you seeing any maturization here?
A Prediction on Maturity
Mike: I think I like the idea of this prediction here, which is that there will be maturity. What I'm skeptical of is how much maturity will actually come in 2020. There has been a movement, particularly in government toward protecting some of that high-value data and recognizing where they have PII.
Mike: Especially with what we've seen from Iran the last couple of weeks, and there's a lot of attention on a potential cyber attack from Iran that folks have said, "Hey, we want to make sure that that information that we value the most is the most buttoned-up and most locked down." But I would still argue that we're still in the pretty early stages of that. And especially when we're talking about privacy on a much broader scale.
Mike: I think there's going to have to be some kind of I don't even know what it would look like. Some kind of major catastrophe before this kind of legislation and agencies really moved at a fast rate to the change their current practices.
Eric: This is a hard one and I agree. I don't see this moving overnight right now. In the news we see Apple and the FBI and even President Trump in the U.S. here fighting over unlocking iPhones. We've got the same tension within government organizations that I visit. They don't have chief privacy officers today. But they do have an office of general counsel which carries a very, very heavy stick. And unless it's classified information, they tend to be very risk adverse. And when I say risk adverse, nobody wants to fight the office of general counsel, right?
Privacy Is Making A Comeback
Nico: Let me ask you a question then from the guy sitting on the other side of the pond. Sitting kind of in Europe, if you come to the Switzerland part of Europe.
Eric: We will today, go ahead.
Nico: We will today. I mean, we said last year in the predictions from 2019, that privacy is going to make a comeback. I think we, we're pretty right on that one, but if you look at it from a government vantage point, isn't the job of the government to protect the citizens? And previously it was physically. You need to make sure to kind of protect life, for lack of a better term, it's like, how do you save lives? How do you provide safety and security?
Eric: And they do it in many ways. I mean, if you look at FTIC with the banks, they protect you if the bank. So there are many ways, yes, that is the job of the government.
Nico: So the question is people now also have a digital life. And that digital life is embedded into government systems. I think in the U.S. you're part of the DMV, you've got Social Security numbers, you've got all those things.
Nico: Isn't there also kind of a drive from the citizens and the expectation that the government not just protects or provides safety and security in the real physical world, but also for the PII data, the government holds on all of us. Because once the data is out there, it's out there. It is hard to delete or remove.
The 2020 Cybersecurity Predictions on Where the Tension Lies
Eric: There are other factors. I mean, we can look at the OPM breach, right? Where we outsourced the protection of, we would argue probably some of the most critical data the country has. So there are cost pressures, their public privacy. So, what's more important? Protecting the data of the citizens, which is hard to capture, hard to measure. Or protecting the privacy of the employees and agents and contractors in an agency where we're not looking at their every move. We're not capturing every keystroke, every thought.
Eric: And there's that balance and that's where I see the tension. Office of General Counsel is aware that the mission of an agency, pick IRS, to protect those tax returns from getting out people's Social Security numbers, income, all that data around them. But I'm not seeing it at the expense of increased observables on employees who might be exfiltrating that data. That's like a near term target and near term threat. And they don't want to cross a line in many cases. Phil, any thoughts there?
Phil: I think that it's going to be hard to get the federal government to move the needle on this. Obviously there are state efforts underway. Obviously California is the most prominent example of a data privacy law going into effect. Mike was saying, it's going to take some kind of catastrophe in order to really get significant changes in terms of citizen data privacy moving at the federal level. I don't really know what that disaster could look like after massive breaches like Equifax, which affected a huge number of Americans.
A Political Food Fight
Phil: So I don't know what more it's going to take to really kind of move the needle on that. Then this gets into politics because once you start talking about citizens data privacy, even if the aim of potential legislation is to ensure that citizens data is as secure and protected as possible, I think that that is going to become a political food fight in Congress where libertarians and folks are going to say, "Well, I don't want the government touching any kind of my data because who knows what they're going to do with it and I don't want them involved." And I don't really see a lot of movement on this. I think that we should have in this country a law that is similar to GDPR. But I don't know realistically how quickly something like that is going to happen.
Eric: I see Europe taking the lead on this one. I want to get down, I know we lie to our listeners every week and say 15 minutes or less, but I do want to keep it under an hour. It's been a great dialogue. Nico let's hit the last one.
Nico: Last but not the least, and not because I came up with it is, we're going to see a shift from what we call and the industry has been using for like plastic, IOCs, indicators of compromise to indicators of behavior, right? So I mean what I'm saying here is that IOCs are part of your security hygiene. They're part of your security one-on-one. They're part of your infrastructure play. They still a must-do and a must-have in any organization, enterprise or governments, but it's not enough anymore.
The Intersection of User and Data
Nico: If you want to understand the interactions new users, be it your employees, contractors, partners, cold desks, you name it, have with any of your data. Data that sits either internally in the Cloud somewhere, you need to look at this intersection. The intersection of user and data and how the behavioral elements of that are likely to drive mistakes, confirmations of users, data experience and so on.
Nico: One of the prediction is that CZOs and vendors will elevate the conversation from IOCs, from security hygiene to actually really, having a good understanding of their users, a good understanding of the data they have and all the interactions, all the actions that people, users, employees and others have with that data, and not just this in terms of indicators, but also, any external stressors.
Nico: Applying your sentiments and appeal to it, maybe looking at your external stressors that you will get as part of background checks like reputation. Basically, taking behavioral analytics and insider threats technologies to the next level, but not by becoming more intrusive by respecting people's privacy with just spending 10, 15 minutes on privacy, but enabling them to do their work, their best work, but providing a safety net. So that's the last one of the five that we had on the list for Forcepoint in 2020.
Eric: In the U.S. Government, we're seeing this manifest itself in the form of continuous evaluation. On the people with clearances where we're going to continually look at you, "Did you have a traffic offense or a DUI last month and how are things going?" What do you think Phil, did our CTO get it right or did he totally miss the boat here?
Will There Be a Clean up Based From the 2020 Cybersecurity Predictions
Phil: I think this is totally dead on. I think that attackers are going to become more sophisticated and leave fewer traces, fewer indicators of compromise in systems and networks when they attack.
Eric: They'll clean up.
Phil: They're going to either be cleaning up after themselves or intentionally injecting noise to kind of fool people. And so I do think that moving to an indicator behavior model is going to become more prevalent. And I think that that continuous evaluation part of it is also going to become more prevalent. I was talking with the deputy CIO from a small business administration back in October and he was talking about using AI algorithms.
Phil: I think like we talked about last time, and this is pretty basic, but really kind of check-in on where people are logging into networks from and seeing if that is anomalous. The user behavior and the applications that they're using, the data that they're downloading, what people are doing inside your network I do think is going to become what people look to, to see whether or not there really is a security threat that they need to keep an eye on.
Eric: Now we built a whole company on this. We're kind of betting the farm here at Forcepoint, but I'll tell you, it's really hard, right? Checking log-ins, those are a little easier but really understanding what you feel the employee may be thinking or doing or why you're downloading data at night. Especially if we look at prediction number four with data privacy thrown into that. This is a hard problem to solve.
The Government’s Speed of Response
Mike: I think this will happen. I'm worried here about the speed of response on the government side. I think we've seen a lot across government. Exactly the example that Phil gave, where you could say, "Hey, this person is downloading two gigs of data and they usually only download two meg," or, "This person is accessing these applications at an odd time of night." The sophistication level is pretty high.
Mike: Even like, "This person's typing pattern is not exactly the way they normally type." But I think that's only identifying someone who may be doing something odd. I think the impetus will then be on governments to act and say, "Hey, now we're going to shut down access. Now we're going to have someone come to your desk or do whatever."
Eric: Or increased monitoring or something.
Mike: There has to be a next step so that what we're not talking about a year from now is, "Oh, here's someone who stole all these classified records," or, "All of this PII, and then released it. We saw that it was going on, but we weren't able to do anything in time." People have to have the responsibility and the authority to act as a way to deter this from happening. And I think that's really difficult.
Eric: I agree with that, the detection piece and then the actual action piece. What are we going to do? It's tough. Awesome. Well, we got through five of these. I know this was a good bit of time here. I do have one question for both you and Phil, Mike.
Expectations for 2020
Eric: If you had to pick one prediction for 2020 what are you expecting to see more of? I know this is off the cuff. What would you expect though?
Mike: One thing that I'm particularly interested in, and it's top of mind right now is, especially on the defense side, I think what we're going to see more of is one state or one bad actor pretending to be another actor, using the techniques that are known from someone else.
Mike: That's going to become especially difficult and kind of that fingerprint or that signature that you expected is just going to become increasingly hard to point attribution to. And that creates a lot of problems on national security fronts.
Eric: And why not? It's easy enough to do. Phil prediction?
Phil: I think that we talk a lot about using AI for cybersecurity defense. But I anticipate that we're going to see malicious actors using artificial intelligence-based tools to make their attacks more sophisticated, more effective, more elusive and more able to evade the defenses that are put up. So it's a kind of a two-way street and I expect to see more of that.
Eric: Nico, what do you think? I mean they have access to pretty much the same technology.
Nico: I think, exactly. I mean, they have access to the same technology stacks. So, the cat and mouse game, is not stopping anytime soon. I see the velocity is increasing enabled by the tooling, the capabilities that exist. Both in terms of technology and in terms of people who have been trained being it in nation-states or criminal gangs.
Eric: We definitely have a lot of work for all four of us to do going forward. Gentlemen, I really appreciate, I could have this conversation all day. I'm fascinated by your views into what's happened, what's going to happen and what you think. We will definitely get you back on. Nico, thank you for your time. Phil Goldstein, senior editor for FedTech and State Tech. Thank you for your time, Phil. And Mike, Mike Gruss from Fifth Domain. Thank you.
Eric: Great episode. To our listeners, please tune in every week, every Tuesday we release the latest podcast. Appreciate your comments and your feedback. Apologies from me again for going a little bit over. When you have experts in the room, I really just love talking to them and Phil, Mike and Nico were great audience today, so thank you everybody. Until next week. This is To The Point Cybersecurity. Have a great week.
About Our Guests
Phil Goldstein is a web editor for FedTech and StateTech. Besides keeping up with the latest in technology trends, he is also an avid lover of the New York Yankees, poetry, photography, traveling and escaping humidity.
Mike Gruss is the editor of C4ISRNET, a battlefield technology news site and magazine, and Fifth Domain, a news site focused on government cybersecurity. Previously, he served as managing editor of FedTech magazine and as the senior national security writer at SpaceNews.
He has written for newspapers in Virginia, Indiana and Ohio and his work has been published in a series of regional and national magazines, including Runner’s World.
Nicolas (Nico) Fischbach is the Global Chief Technology Officer at Forcepoint. Nico is leading Forcepoint’s cloud-first transformation as the CTO for the company’s cloud security business, where he oversees technical direction and innovation. Before joining Forcepoint, he spent 17 years at Colt, a global B2B service provider, and was responsible for company-wide strategy, architecture and innovation.