The Cyber Warfare Game: Managing Private Business Security Risks in a Geopolitical Threat Landscape
Managing Private Business Security Risks
Gary: “Hello everyone, thank you for joining us this evening. My name is Gary Williams, I’m the Chief Security Officer at Burwood Group. Our guest this evening is Adam Rice, who is the Global Chief Security Officer for Cubic Corporation. Adam has 20 years of experience in Information Technologies and Information Security. He has built numerous security programs for a number of industry security verticals, most recently for global defense manufacturers, telecommunications carriers and security service providers. As CSO, Adam oversees and coordinates all security efforts across the enterprise, both cyber and physical. He is responsible for identifying, evaluating and reporting on strategic security risks in a manner that meets strict compliance, regulatory and enterprise risk management requirements. Adam was also in the United States Army. From 1983 to 2007, he was a Team Sergeant for a US Army Special Forces A-detachment, and he served in combat in Afghanistan. He holds a master’s degree in Public Administration from George Mason University in Virginia, as well as postgraduate work in Information Security Management from the University of Virginia. He is a published author of books, as well as numerous articles on information security. Please welcome Adam this evening.”
Adam: “It’s good to be here!”
Gary: “You were the first CSO for a global telecommunications carrier. And as a consultant you built programs for a wide number of industry verticals. Cubic now makes the second time you’ve worked for a defense industrial. Is there something about this vertical that makes it different or unique from a security perspective?”
Adam: “I think that it is. Obviously we have threats that are certainly what you hear about in the news. We’re targets of APT, everybody knows, I’ll use the word APT. I use APT to describe nation state cyber espionage groups. The Russians and the Chinese and all the usual suspects. And I think that the defense vertical has historically attracted these kinds of adversaries, where transportation, telecommunications, attract more criminal kinds of threats. So, that’s not to say that there aren’t other industry verticals that do attract the attention of nation state or nation sponsored bad guys. But the defense industry obviously does, right. Famously.”
Gary: “So APT, Advanced Persistent Threat.”
Adam: “Advanced Persistent Threat is a term that was coined in the early 2000s by an Air Force colonel. The guy’s name kind of escapes me. But APT is kind of recognized as the term for nation state actors. Though, I have been noticing that criminal elements are doing what works and they are using a lot of the techniques and kind of tools and process that APT perhaps invented and operationalized. So there is a blurring of the line there.”
Gary: “You wrote about that in an article called ‘The Anatomy and Physiology of APT’, where you also wrote that when national intelligence services began using these hacker tools and techniques that, quote, ‘Nothing in our past has happened so quickly or with as far reaching implications and dependencies.’ What did you mean by that?”
Adam: “I think that when, when, government got into the business of kind of getting their intelligence services into the electromagnetic space. As our global civilization has moved in my lifetime, certainly, from a non-networked world, you know, in a single direction, within a period of time that is, in the bigger scheme of things, remarkable. We could no sooner give up our networked world than we could electricity at this point. And, you know, long ago, the days of a guy in a fedora and a trench coat under, you know, some lamp outside taking numbers down, right, the old spy stuff. That’s gone, right. It exists, but I think that when national security organizations really kind of, that light bulb went off and said, you know, that everything that we need to steal, in the defense world or finance, or whatever they wanted, it’s all there. It’s all on this network, right. And from my computer in Lubyanka Square, I have a physical connection to that computer in Lockheed Martin that’s building the stealth bomber. And when that epiphany happened, things began to happen quickly, and cyber defense, I think, had about ten years of catch up. And before we even knew what to look at, companies, at least in the US defense industry, were being looted by the Chinese, and the Russians, Iran, and others, and they didn’t even see it. And once people began to recognize what we call now IOCs, Indicators of Compromise, TTPs, and other things, threat intelligence became the center of an active cyber defense. Suddenly everybody was seeing something they hadn’t been seeing before. And it was an amazing amount of data that left US defense companies and went overseas, before anybody even knew how to stop it.”
Gary: “So, in April of this year, you wrote another paper on the risk that industry faces due to the politics of cyber attribution. First, what is attribution? And then, what are those risks?”
Adam: “So, attribution is whodunit, right. In my business, as a defense company, we really use cyber threat intelligence as our pivot against all of our APT defense. And that attribution is groups. You heard them called APT1, Mandiant called them APT1, the Chinese, but Fancy Bear, and Jade Panda, they all have these clever names. But APT groups are collected until you begin to get a commonality in techniques, processes, and indicators of compromise. Once you begin to see a pattern emerge, if they get tight enough, they spawn their own APT group. So we manage our Indicators of Compromise by country, by actor within the country. The Russians, for instance, have two big groups, using the FireEye Mandiant kind of vernacular, it’s APT28 and 29. APT28 is an arm of their military intelligence, where APT29 is an extension of their FSB, or previously called KGB. And for us to protect against these guys, who are capitalized in billions of dollars, their budgets are to come and take our stuff. And my budget is not as big as their budget, right. So, for me to effectively protect our data against any Russian or Chinese, any nation state actor, I need to focus that on threat intelligence. I need to know what it looks like, Indicators of Compromise. And that list is long and complicated. And the sources of that threat intelligence, when you are a cleared defense contractor, can come from the US Government. The Department of Defense has the Defense Cyber Crime Center, DC3, and the Defense Industrial Base, or DIB. And I’m cleared with a Top Secret clearance, we have a secret-level portal into their stuff. And we can get up to cleared secret threat intelligence directly from the government, as a member of the DIB. But when it comes to attribution, especially in the current political world, if you have a problem with Russia, and you go running to the DIB saying ‘We think we have a Russian problem. Please give us everything you have on APT28.’
For political considerations, very quickly that threat intelligence or attribution, official attribution that they are playing naughty games, is classified as top secret. So suddenly it becomes unavailable. You can’t get it, right. Even though they’re actively trying to steal our stuff. Because of the election with Trump and all of this, and you want to know about the Russians playing and all that. It becomes a politically sensitive issue. And we have noticed, I have noticed, that that classification level, when it comes to attribution, has a very large geopolitical component to it. It became popular to out the Chinese about five years ago, and all the IOCs became secret or less and they just flooded, everybody can see the Chinese now. But if I went to the Government to get IOCs on a frenemy, like France or Israel, or another country, they would not, they would not get back to us.”
Gary: “During Sony’s travails from a few years ago, Dan Kaminsky, who was part of that conversation, and he is the Chief Scientist and Chief Technology Officer of White Ops, argued pretty vehemently that definite attribution is nearly impossible.”
Adam: “I would disagree.”
Gary: “So, why, why would you disagree?”
Adam: “I think that if you look at the, there are private companies that are in the business of cyber threat intelligence, specifically around APTs, and there are more getting into this line of work every day. Kind of the old grandfather in this line of work was Mandiant, before they were bought by FireEye. And they really, kind of, were the only player in town for many years. And then CrowdStrike is now in the game. Palo Alto is getting into it. And the way that you can do this attribution, all the way back to Shanghai, is typically, if you are attacked, and your data is leaving your network, it’s not going to go straight to Shanghai, right. It’s going to hop, skip, then jump. But you have the forensics to know where that next hop is, and if you sit on that hop spot, you are going to find out where the next hop is. And you can walk the dog back to the People’s Liberation Army headquarters building in Shanghai, as Mandiant did when they outed APT1 after the New York Times hack. I mean, they really laid it out, where they were able to deconstruct the malware and walk the dog all the way back to the front door of that building. So now, I would call that 100% attribution.”
Gary: “If it is possible then for attribution. Right now, in the US, to my understanding, and this is per Senator Angus King, who is, I believe, on both the Select Intelligence Committee and the Armed Services Committee, he has stated that there is no definition of what constitutes an act of war in cyber, and largely that was due to the difficulties of definitive attribution. So, you think that, if we can attribute these things, then why would we not have a definition of what a cyber act of war is?”
Adam: “I think that, and we’re speaking to an American audience pretty much here. And this conversation usually gets a bit weirder when you have a very international group, right. But the thing is that I put blocks on our network against the Equation Group and the NSA, just like I do the Chinese and the Russians. And the thing is, my company is a bystander in this great game. The NSA is probably the best in this kind of field craft. The Russians are very good. The Chinese not as much in my experience. But what we do is, our government will just, you know, they just say shocked, shocked I am that the Russians are getting involved in an election, right. And the people in Chile and Guatemala, these other places, are rolling their eyes like ‘Really!’. And the list goes on and on. So what we cry about, America actively participates in continuously. And does a very good job of it. My understanding of it is that our NSA is among the best at playing these games. It is the great game that nation states play with each other. It’s really not the rule of law. We can indict people, we’ve done that before. With some Chinese people, the People’s Liberation Army, we indicted them and so on. But it doesn’t rise to an act of war to spy on each other, it’s what countries do. Now I would say if they went in and crippled a portion of our electrical grid, that might rise to the occasion. And I would be worried that that would certainly be a precursor to a kinetic war, would be a cyber attack that would be destructive in nature rather than just stealing stuff, right.”
Gary: “That sounds very much in line with what Richard Clarke, who is the former National Coordinator for Security, Infrastructure Protection and Counter-Terrorism under the Bush Administration, has said, that ‘A cyber war is likely to end in a physical war’. But of course, first you’ve got to have that definition, and I think you put it rather eloquently that in the Great Game, the United States is certainly a player, if not the player.”
Adam: “I would like to think big in America, that we’re the best at it. [laughter] I mean, I’ve got to pick a side.”
Gary: “Speaking of the United States and the Great Game, and cyber security. So, Sean McGurk. Not sure if that name rings a bell. He is the former Director of the DHS’s Cyber, I believe I’m pronouncing this right, NCCIC, and he called Stuxnet a Trinity moment. And what he meant by that was after the New Mexico atomic explosion test. Because of the destruction, so Stuxnet, which is, first of all, tell us what Stuxnet was all about!”
Adam: “So Stuxnet was an incredibly clever piece of malware, besides its sophistication, and the grace of how it was just put together. And the way it was targeting, it targeted the Siemens industrial controller that ran the centrifuges for the Iranians’ plutonium enrichment. And it was delivered by just dropping thumb drives around, because their industrial network was air gapped, and people went to cafés and they picked these things up and walked them into the building. So, if you think about just the risk that people walking around the Islamic Republic of Iran were taking with these in their pocket, right, you get caught, you die. But the industrial controllers exploited a couple of zero days, or Microsoft unpublished feature sets, as they like to call it. And while these centrifuges were hopping and skipping down the floor, burning themselves to pieces, the controllers were like ‘everything is great’. And it also self-propagated, once in, it would look for other controllers, and it would self-replicate. So, it had a worm component as well. And it was apparently just hugely successful, it just wrecked their plutonium enrichment for a while.”
Gary: “So, and that’s the key, because the destruction of the Iranian centrifuges was so complete, uhm.”
Adam: “I’d call that an act of war. I’d say that’s getting close.”
Gary: “That’s exactly what Kim Zetter of Wired wrote, that Stuxnet, and Shamoon, which didn’t get as much press.”
Adam: “Yes, Shamoon is just a derivative of Stuxnet.”
Gary: “Which destroyed 85% of all of Saudi Aramco, which is the oil company of Saudi Arabia.”
Adam: “Which ironically is Iran going back to their religious strife between Sunni and Shia. So Iran is launching these Shamoon attacks against the Sunni Muslims, not to steal stuff but to break it.”
Gary: “As she said, ‘these are acts of war, without the war’. That Stuxnet opened the door that many countries have since run through at top speed. And this, specifically the destruction of the Iranian centrifuges and the destruction of Saudi Arabia’s IT infrastructure, demonstrated the physical impact of cyber, and that is why, as I mentioned, Sean McGurk called it ‘this Trinity moment’, because you have, you’re representing the physical impact of a cyber threat.”
Adam: “Right, because if they steal your stuff, they are stealing a copy, right. Typically you lose data, it’s a copy of data, you still have your data. Uhm, I have lived through many data breaches involving APTs and we always had the original data. It was typically copies of the data. So the impact on us was reputational, we had to report it to the US Government and so on. But if those same people, after they stole the data, went ahead and wrecked, like destroyed the hard drives or somehow wrecked our network, the impact would have been unimaginable.”
Gary: “I love your phraseology of the Great Game. How much of today’s cyber threat landscape is due to the Great Game, these competing nation states competing in, is it fair to call it a cyber arms race?”
Adam: “I don’t think the analogy with an arms race is probably accurate, in that the cost of entry into APT is not as high. You don’t need to have big manufacturing, you just need to have people who have computer science degrees. And you don’t even, you can buy zero-day vulnerabilities, there are companies that just fuzz operating systems and will sell you that stuff. Most of the things, I mean, you saw what happened with WannaCry, that ransomware. The vulnerabilities with WannaCry were part of the Shadow Brokers release. Microsoft issued a patch the day it hit the wild, and a month later the National Health Service UK is cratered, FedEx is cratered in all this. So, I don’t think you need to be so clever to do a lot of damage, I think there are a lot of companies walking around with their pants down, every day. And I think they need that moment to probably fire some people to get serious. So, I don’t think you need to be terribly clever, I think a lot of commodity malware still is very effective. What you do, and nation states do, is they have this precious thing called zero-day vulnerabilities that are unknown. And when they burn one of those, of course then they are known. But I promise you every big player in the APT space has a couple of those in their war chest to use on a very important target. And it’s very hard to protect against that.”
Gary: “So you mentioned earlier that these groups are funded to take our stuff and.”
Adam: “Or break our stuff.”
Gary: “Or break. So how, it’s actually these APT groups are actually set up like business units, they’re set, I mean they have business justifications. How does, how does that process work where an organization decides, how do they decide what to go after and whether or not.”
Adam: “It’s not if, if you’ve been in the intel business, you would recognize it instantly. So, the way it works is a guy goes to, they will go to the Paris Air Show, right. They represent the Government of China, they’ll go to the Paris Air Show and they will see a radar or an aircraft or a novel technology that they could not buy because of arms export regulations out of the US, or it would just be very hard to buy or license that technology. Or maybe they want to, but, they will take pictures. When I worked at ATK, we were at the Paris Air Show, we would have people, and maybe I’m paranoid, but they would have, under their jackets, what looked like rulers. And they would stand next to mockups of our technology with, like, a ruler next to it and take the pictures, right. And then they go back and they say ‘hey, we really want this stuff’. And it goes straight into their intelligence organization apparatus. They prioritize the collection, they just do what they did in the traditional spy days and then they say ok, we’re going to steal this stuff from ATK. And then they begin their research on the company, they do all the open source stuff, they start getting some spear phishes together, they do their research and then they begin the campaign to try to steal it.”
Gary: “So, they make a shopping list.”
Adam: “Yes. I believe they do.”
Gary: “And then the military, well. One thing that I think in the West we don’t appreciate as much is that, in China, the CPC, which is the Communist Party, they, they have an office in your business site. On the top floor, the party representative is there. And there is such a direct line into the Communist Party, which controls that military. And so, you put in your shopping list, and you say, here’s what it’s worth, and you do your two page business case. And then they take that back and say ‘Ok, is this, is this worth the zero-days that we’re gonna use to get it?’”
Gary: “Or perhaps we don’t even need a zero-day because that organization hasn’t passed or put in place.”
Adam: “China has gone quiet. Obama went to visit China and the day he left, Chinese APT activity across the defense industry went way down. We hardly ever see the Chinese anymore.”
Gary: “China is not the only one, of course. Iran recently was considered to be the fourth strongest in the world in terms of cyber armies, their cyber defense command. North Korea’s Unit 121 and Office 91. Hezbollah, ISIS even has.”
Adam: “Syrian Electronic Army. I have experience with the Iranians, those who are called the Ajax crew. And they like social engineering as kind of their sweet spot. They social engineer you, they get their target list. There was a LinkedIn profile for Maria Altimas, was her name, and a lot of people at the last company I worked for. This beautiful picture, you know, of this woman who was a doctor in astrophysics, totally fake. Kind of a LinkedIn profile, but a lot of guys, well, linked with her. They got everybody’s home email addresses and then mailed everyone’s home computer with malware. And then when they came to work using remote access, they were able to jump in that way.”
Gary: “You were, you were in India at the time of the Mumbai attacks on the Taj.”
Adam: “I got to, and then we worked together. I got to Mumbai when the building was still on fire.”
Gary: “And I think one of the things that shook me the most after reading about that. The terrorists that were walking through that hotel had a gun in one hand and a gun in the other. It was a smartphone, and they literally borrowed from the IT model of having a support center. Wherein, they could go room by room, take a picture of the individual that was cowering in that room, talk to their support center.”
Adam: “To see if they would kill them or not.”
Gary: “To try and identify who that person was. And there were recorded conversations where the terrorist is saying ‘well, he’s a teacher’. Well, is he bald? Is he of a certain weight? Show him, does he look like this? And then they would send back a picture either from LinkedIn or Facebook. And they made the identification, and then the command came from that operation center, ‘kill him!’.”
Adam: “Kill him!”
Gary: “So, so my question to you is. CSO, you’re responsible for physical security, strategic security as well as cyber. How in this environment, from a policy perspective, are you incorporating this into your risk management program? Do you restrict social media in some way? To protect your.”
Adam: “We do a lot of, we do a lot of awareness training. We let our employees know that our adversaries use social media as a way to get into the company. And even individual social media is a conduit for, more the criminal element, to steal your social security number or so. So we do that kind of awareness training on a continuous basis. I don’t know if you’re asking, do we have contingency plans against terrorist actions that would involve our employees?”
Gary: “Yes, but.”
Adam: “We have three hundred and fifty employees and dependents that are working for US Forces Korea, in Seoul, right now. And we’re sending 5 Iridium phones, with unlimited SIMs. And we’re talking to an airline, or charter, to see what our options would be. I mean, what do we do. We’ve got, we’ve got three hundred family members and employees that live in Korea full time. And what do we do if the balloon goes up, right. Or we think it’s going to go up. Or maybe there are indicators that, hey, now would be a good time to do a voluntary evacuation. That’s hard. It’s hard to predict the future.”
Gary: “I mean, you, you have a particular experience set where you’re a little closer to this than probably anyone that I have ever met. And in about a month, we’re going to hit November 21st. And, so, where were you? Thirty-eight years ago.”
Adam: “Long time ago! November 21st, 1979, I lived in Islamabad, Pakistan. I think I was a long haired, sixteen-year-old dependent from the State Department. My parents were both in the State Department. And the hostages had just been taken in Iran, and a crowd formed and burnt the US Embassy down. Very big embassy compound, they killed a friend of mine. He was shot in the head. Another American burnt to death, and then, and then they showed up at the school. When we were at school, they held us at the school. And I saw the tops of the buses full of these guys stacked. I couldn’t see over the wall, but I could see the top of the buses. And I was like, buses, and all these guys start coming over the wall. And I can honestly say in my whole life, I do not believe, I do not believe I have run faster. I remember running, and telling myself, ‘I am running faster now than I ever will in my whole life.’ But it was trouble, we had to hide, I got hurt. I got my arm smashed. You know, people were dying, there’s fire. And we ended up getting evacuated.”
Gary: “So, that had to be an incredibly formative experience.”
Adam: “You know, I thought it was very exciting.”
Adam: “I did.”
Gary: “So a couple of years later, you graduate high school. And then.”
Adam: “I joined the Army.”
Gary: “Did that experience. Looking back, did that have anything?”
Adam: “Absolutely. Very much part of the motivation. Because I had revenge on my mind.”
Gary: “So, how long after boot camp did you get selected, pass selection?”
Adam: “I was, I was what they called a Special Forces Baby. So, I went straight from basic training to the Special Forces pipeline. Because Reagan was President. They were opening up, they were growing the military. Usually you’d have to be on your second enlistment, a couple of other things. So, I went straight into the Special Forces training, and was just too stupid to quit. And I think it took me a year and a half or two years, then I graduated at the other end of the pipeline. And was assigned to the 5th Special Forces Group. The Legion. The best group of all time.”
Gary: “If we think about a Venn diagram, where you have these bubbles of digital security, cyber security, you have physical security and then you have national security. You, you are sort of in this interesting nexus, where you have, you’ve lived it. As a war fighter, you’ve lived it as a citizen who has had your security put at risk due to national security, where competing national security interests.”
Adam: “Yup! That’s been a pretty good ride so far.”
Gary: “Leon Panetta, who is the former Defense Secretary and the CIA Director, ex-CIA Director, warned not long after the Stuxnet event that the US faced a Cyber Pearl Harbor. And then this was recently echoed by former NATO Supreme Commander James Stavridis. What’s your reaction to this? Given your unique perspective, your experience set.”
Adam: “I would say that, if you said that five years ago, I would say that we were a lot closer to that Pearl Harbor event. I think in the last five years, I think that cyber security, certainly from the defensive way, I’m not talking about these APT units, I’m talking about defending yourself. I think that the, that the, the ways and means in how to structure your teams, and the types of things you need to put in place to effectively defend against advanced types of threats, this could be, if you run the electric grid or a nuclear power plant or a defense company. It’s kind of industry agnostic. I would say that that mystery has been solved. And I would say that, if you are in a critical piece of infrastructure, that the ISAC, or the information security, that threat intelligence sharing infrastructure, is being put in place. And is pretty effective against most things. So, I don’t think someone is going to wake up one day, in a piece of critical infrastructure, and see that it’s game over. I don’t know. I would say that if it is, it would be because people aren’t doing what they know they could have done. But I think five years ago people were helpless because they had no idea how to stop these guys. And now there is a way to stop them. I’m not saying that our network is impervious, but I’m telling you that it would be hard to get into our network.”
Gary: “So, hard to get into your network.”
Adam: “I just juju’d myself. And now, I’m going to get a call tonight. Right!”
Gary: “Hard to get into your network, but, according to the most recent cloud report this June, the average number of cloud applications in the common enterprise has now gone over a thousand. As more and more companies place more of their critical infrastructure both on the internet and into the cloud. How do, how does private industry, at the same time that we’ve talked about competing national security interests who are building up offensive cyber capabilities that have the ability to impact both the physical as well as the digital. How do, how does private industry manage that risk?”
Adam: “I don’t think they do a very good job. I think that a lot of people think that when they outsource or push stuff into the cloud, either as Platform as a Service, or Infrastructure as a Service, or even Software as a Service, that somehow they have also outsourced the risk and responsibility for that data. Now, certainly the model changes. And, if you use Software as a Service, there is the leap of faith that your provider is going to do what the terms and conditions say. And you have some diligence, you have to make sure you do what is expected on your side. Which is primarily access control and making sure that you have non-regional backups and a bunch of other stuff. But, to your point, would it be completely inconceivable that a nefarious group can get into Amazon Web Services’ backend global management plane and wreck the whole thing? You know, it wouldn’t be unlikely, but it wouldn’t be impossible. And that would be a big deal, if all of Amazon Web Services just turned off tomorrow. I mean.”
Gary: “Salesforce, ServiceNow.”
Adam: “I mean, it would be a really big deal.”
Gary: “Yea. Let’s talk a little bit about solutions then. Ransomware and malicious code outbreaks have been in this year’s headlines almost nonstop.”
Gary: “In a paper you wrote earlier this year about threats like WannaCry, you closed by saying that the issues leading up to these events are complex. Obviously, we’ve talked a lot about complexity here. But the solutions are fairly straightforward. Could you explain what you meant by that?”
Adam: “I mean, everybody knows the cure to WannaCry, right? It’s patch. So, I get it if you got hit by WannaCry, maybe, maybe if that worm was released the day the patch was released. Then, maybe you would have some impact. But I used WannaCry as a very good example, the cure to that worm, has to be version 2, is two things. Either turn that off, but if you use Samba or other legacy technologies, you can’t. Or just apply a patch, right. I mean you couldn’t even say that you have XP or other unsupported systems on your network as an excuse. Because Microsoft even did the extraordinary task of releasing a patch for unsupported OSs. So, if you are in my shoes and you get stumped by a serious vulnerability that is over a month old, because you’re exposing SMB to the internet, which is a mistake, and you haven’t applied your patch, you failed your company, right. I don’t see, I mean, when we. Sounds like, right, I was on my knees and praying this thing was just going to pass over our company, right. Because, you know, maybe it’s just one or two machines, then they grab the shares, then they can take off and so on. But we, if you don’t do the basics. If you don’t do just those things that you see in ISO 27000, 1 and 2. Not to say that if you did everything like that, you still couldn’t have a problem the next day, you could. But you certainly need to keep the basics in mind. Patch management, vulnerability management, and configuration control. All of those things will take you a lot further down the road than people recognize.”
Gary: “What’s the hardest part about building that. So, you’ve come into, now, a number of different organizations. What is the hardest part, as CSO, about building a new program?”
Adam: “So, the.”
Gary: “It does those basics.”
Adam: “You know, know the truth, and it will set you free. So, what I did is, when I came in and joined, I had a KPI, Key Performance Indicator, that we wanted, on a thirty day rotation basis, greater than 98% patch currency across our enterprise. Because it’s a journey, right. You’re never going to finish patching. And so, it’s going to be a continuous thing. So, I said we needed to have 98% patch currency, and I always have a report or a document that goes upstairs to the people who own the corporate risks. The CEO, the CIO, CFO. They all get my report. And where there is a problem, I say, we’re not meeting the patching requirement. I don’t own the people who do the patching. I tell the CIO you need to patch. And if it’s not a priority, then I go upstairs and say, look, here is the risk that you are going to undertake if you do not do this. And it’s your risk. But I’m telling you what it is. And if you choose to not take it seriously, then the consequences are, you know, I’m not just trying to say ‘it’s not my bad’. But, I think that what you have to do in my position to be effective is articulate, in a business kind of vernacular, what kind of risks people are incurring by not doing things like that. And if you tell them, hey, all the stars line up, and we get smoked by ransomware, we might lose a lot of data and we’re certainly going to be down for a day or two while we try to restore. Or maybe we’ve got to get a bitcoin account and pay it.”
Gray: “So, how do you prioritize? Of all the things you could be doing, how do you prioritize efforts?”
Adam: “It’s the crocodile closest to the canoe. That’s what you’ve got to keep your eye out for. Right?”
Gray: “And how do you identify that, in a corporate environment, where?”
Adam: “A lot of it is subjective. I always have my eyes on APTs, ’cause once they’re in, it’s going to be a train wreck. But there’s been this big rise in criminal activity, pretty sophisticated criminal activity. Fraud attempts; a lot of it is commodity, but now they’re using malware, sophisticated spear phishing, very focused spear phishing. So that’s why you’ve got to have your ear to what’s going on. We’re members of these information sharing groups within industry, as well as with DOD and the transportation industries. And we’re not alone. What they see, we’re going to see the next day. If it hits us, it’s going to hit them in a couple of days. We stay engaged across the industry. And we have a good sense. We also understand what’s within the kill chains: if we see a lot of domains, cubicenterprise.com, all these domains starting to get registered, we know that’s a hybrid malware attack that’s going to come down the road in a couple of months. And we will start paying attention. We’ll proactively put those blocks in. We’ll see stuff coming down the road. Right now, things are pretty quiet. And so we have guarded optimism. But usually it picks up near Christmas. So.”
Gray: “What do you know today that you wish you knew when you first took on the job of CSO?”
Adam: “Where? Cubic?”
Gray: “When you first became a CSO. If the Adam Rice of today could go back and talk to the Adam Rice on day one of becoming CSO, what do you wish you could tell yourself back then?”
Adam: “Ask for more money.”
Gray: “For you or for your security organization? Both?”
Adam: “Both! No. I think that when I was working at the telco, we really had our stuff put together a bit kludgy. I think I would have focused our efforts a little cleaner towards the risks that, in hindsight, we had. I just didn’t have any experience. And more money.”
Gray: “How do you know the policy is working? What are you measuring?”
Adam: “Um. So, KPIs are the way you measure compliance. Policies are in place just so that you can point at it and say, it’s not me, it’s the policy. So, go do it. And also our compliance requirements, the ISO, and PCI, and DFARS, and this whole list, require that everything within the maturity model... you’ve got to have written, comprehensive processes and policies, and they have to be followed.”
Gray: “Do frameworks help?”
Adam: “Frameworks help because it is what is reasonable. Because in the old days, when you got a breach, everybody was the victim. We’re the victim, you’re the victim. It was your data, sorry, we got breached. We’re all victims here. Now the narrative has changed to: you didn’t do what was reasonable to protect my data, and now a class action lawsuit is going to tear you apart and you won’t win. So the risk focus has shifted to organizations that have data with a compliance standard around it. If you do not do what is reasonable to protect that data, and that data gets lost, there is criminal and civil liability that a company and individuals in a company will endure. And if you say that you do what is reasonable, right. Stuff happens. But if you’re doing what is reasonable, then you’ve got a lot more wiggle room. So, going with the ISO standard or NIST 800-53 or 171 or whatever. By saying you do follow a framework, then you didn’t pick your controls, you let industry, the gods of industry, pick those for you and you follow them. Otherwise you could get in trouble. You get sued.”
Gray: “Are there any last parting thoughts? Any words of advice or counsel that you would like to give to executives who are struggling with the cybersecurity challenge?”
Adam: “You know, I think that if your organization doesn’t... I mean, I got hired into Cubic while Cubic was going through a transformation. There was a new CEO, there was a new board. Cyber was something that was on their mind. They wanted us to have a good cyber practice. And so my role was positioned very well in the organization; I report to the Board of Directors, I report to the CEO, I work with the CIO. I have a grown-up CIO that gets it, that cyber is important. But if the role is not positioned well in the organization, or the organization is paying lip service to it, saying, oh, we just need the role, but don’t spend any money, and not really interested, my advice would be: change jobs. Because something bad will happen and then you are going to be holding the water, right. Um, I think if organizations are serious about the role, there are a couple of good metrics you can judge by. You should get at least ten percent of the IT budget going to cybersecurity. Right, there are a lot of things you can measure about what you’re doing in relationship to the broader company to see if you’re doing what is expected. And I would make sure that was the case. It’s a hard job, and if it’s not positioned well in an organization, or it’s treated as overhead, you know, nobody cares, and everybody can say the same old thing: oh, you’ll save millions by just avoiding one breach. That’s kind of hard to quantify when it gets into the guts. So the organization has to want it as part of their DNA to be super successful. And I’m lucky; at Cubic they take cyber very seriously. And I get, reasonably, what I need to do the job.”
Gray: “Adam thank you so much for joining us this evening.”
Adam: “Thank You!”
3 seconds. That is the estimated time it takes for machine-enabled algorithms to dynamically change exploit attack profiles and devastate your operation. Making matters more complicated, today's marketplace offers a staggering number of security vendors and options. How do you evaluate and select the right providers for your organization?
In a special fireside chat this month in Del Mar, CA, we hosted Adam Rice, Vice President and Chief Security Officer at Cubic Corporation, in a discussion about the ever-changing landscape of cybersecurity risk.
With over 20 years of established experience in information technologies and information security, Adam is responsible for establishing the security strategy and direction for Cubic. He spoke with our Gray Williams, Chief Security Officer at Burwood Group, at length about building security programs to thwart today's increasingly sophisticated and frequent attacks, including the following topics:
Threat Landscape Evolutions: APTs
Cybersecurity on the Geopolitical Stage
Technology and Terrorism
A special thanks to Adam for a stimulating cybersecurity discussion. Thanks to all who attended!