Former NSA official: We’re pretty lucky we haven’t seen more horrible things
“If you would ask me if I am confident with all the apps, and all the tools we have, I would say absolutely not, it’s not protected adequately,” Marianne Bailey, head of cybersecurity practice at global management consulting firm Guidehouse, told CyberNews.
“I worry about this all the time. The average citizen is not a cyber person,” said Marianne Bailey, a former official at the National Security Agency (NSA) and three-decade government service veteran.
When she was still working at the NSA, she used to wonder why we didn't see more horrible things happening.
“I used to think that there was this line in the sand where even nation-states knew - if they cross that line, that would be considered an act of war to a nation, and loss of life is part of that. If there’s a loss of life, you are going to expect massive retaliation, and so I think a lot of times they dance right below that,” she told CyberNews.
We interviewed her about the current state of cybersecurity and looked together for a silver lining amid the global rise in cybercrime.
Would you describe cybersecurity threats as one of the major challenges that we are facing today?
Absolutely. For the moment and the future. We live in this hyperconnected digital environment. Even things that weren’t connected in the past are being connected today. When you look at the energy sector, you look at things like centrifuges, and big pumps, and all these things that provide us power, electricity, water, all that stuff used to not be connected in the past.
Today because of all this great technology where we want to be able to monitor it all the time and make sure it’s operating appropriately, we are connecting all these other things to our digital environment. That means they need to be protected, and people don’t typically think of that. That’s one example. Just think of any type of system or technology - everything is interconnected today to users’ convenience.
A recent report by the World Economic Forum states that the next wave of cybersecurity risks will not be a continuation of current challenges, and incremental progress will not be enough to stop them. What do you think of that?
I don’t know if I actually agree with that. People have been saying that for decades. The technologies are more and more advanced, and we are going to see more advanced threats. But in reality, people never really like to talk about this, and maybe they don’t want to read about it a lot because it’s not really a whizz-bang sexy kind of thing. It’s still the basic cybersecurity things that you have to do. But it’s not easy. Companies have to do basic cybersecurity things, and it might make sense, especially to those of us in the field.
One of the things that we talk about, if we talk about financial services, is third-party risks. But that applies to every single sector out there: who you are connected to, who you are sharing your data with, who has the ability to come into your environment. That can be anybody from logistics, supply chain risk management, or you can talk about healthcare and maybe companies that healthcare companies share information with. For example, if you don’t pay your bills, they share your information with the debt collector to come after you.
The problem is definitely expanding. And it’s going to continue expanding because we keep expanding the interconnectivity. The things we are seeing today, we saw in the past. People have had their intellectual property and data stolen for decades. The thing that you are seeing more and more over the last couple of years and in the future, maybe they are going after different environments.
It used to be that people were after data, after designs, maybe it was a competing company, a nation with a competing business, and so they wanted to get your intellectual property. Today, you are seeing people using cyberattacks for all different types of things. You are seeing that obviously in the headlines. There’s so much stuff about whether there was interference in the election or not. You are seeing it in healthcare. We just had major ransomware attacks in healthcare companies. Why was that? It could have been purely financial. It could disrupt and make the US not have confidence in the healthcare system.
It’s complicated. You can’t do just a little bit of cyber. You have to have a very thorough cybersecurity program, and it takes a lot of money.
Even though the cybercriminals are innovating, the majority of the attacks are still based on well-known old-school techniques, such as phishing. And it works as a lot of people work from home now, and they don’t use basic precautions to be secure. It seems that the progress of people and companies becoming vigilant and aware of cyber risks is very slow. What are your thoughts on that?
I would think that progress is slower than it should be. But I definitely think it’s picking up. We are definitely seeing more interest and companies investing more in cyber. We are seeing more regulations coming out across the world for cyber. You are seeing big companies, big agencies force a lot more policy and regulation. You’re seeing a lot more data privacy regulations across the globe.
I say we are getting better. There are a couple of reasons why it’s taking so long. First of all, it is a cost center for every organization. Organizations don’t make money because they’ve done better cybersecurity. A bank doesn’t make money from that. It costs money. The other thing, and that’s for every company, is that you have to balance that with the benefits that you are getting from it.
We at Guidehouse work a lot with cyber resilience. It is getting a lot of traction. And that means that you are really looking at who has the keys to the kingdom. People have different names for them: high-value assets or crown jewels. It’s the bread and butter of their company. So you really focus on those crown jewels, those high-value assets, you understand what cyber threat is to them, and you invest your money in protecting them.
Another challenge is that it’s very complicated to take a technical matter like cyber, or a possible cyber risk, or a possible cyber intrusion, and turn that into a conversation that you can maybe have with your board of directors. We still have this communication gap between the technical folks and the people who are running the organizations. But certainly, they get it once they, for example, have to send clients to another hospital because they had to close part of their hospitals due to cyber attacks.
The means to get into your system has not really changed. Do you have multi-factor authentication, are you patching your systems so that there are no known vulnerabilities, do you click on a phishing email, do you have good antivirus software that looks for malware?
Once an adversary gets into your system, then they become very sophisticated inside the network. You see them maybe removing tracks so you can’t trace where they’ve been. When you hear people talking about bad guys becoming much more sophisticated, it’s in those areas that they do once they are in the system.
If you look at any big intrusions that we’ve had and how did they get it, it’s still the same - someone didn’t patch something, or somebody clicked on a phishing email. Phishing emails are getting pretty sophisticated, so all of us have to have tremendous vigilance at everything that we read.
Which sectors are more vulnerable to cyber attacks?
I don’t think that there’s one that is more vulnerable than the other. Every single sector has tiers. The bigger banks, the bigger healthcare companies, the bigger energy sector companies, the people who have money to spend on it, and some of the biggest financial institutions have thousands of people working for them. When you get to the next tier down, and the next tier down, they just don’t have that kind of money.
The thing that will help us, and is helping us is technology. On one side, it really helps you, and on the other - it opens more opportunities for an adversary to have access to your systems and your networks.
On the side that really helps you, we have tons of cybersecurity companies out there doing things. And automation is a huge deal. Even if you look at Microsoft and Windows with all the security that you get, it's not as complicated to keep things safe and secure as it used to be years ago because we have this great technology. When you look at new data analytics platforms, especially from looking at adversarial behavior and knowing how adversaries react, they can track and pick up on things, so it’s much faster in finding an adversary because you are looking for very standard types of practices.
The reason I believe that is so hard is that you have to do it really well. I’m not sure most people really have a pulse on how well they are doing it. And it’s not just well once. You have to keep up with it all the time. It’s not simple.
We provide support to a lot of companies and organizations. Nobody’s perfect. You just can’t be perfect.
Cybercrime is organized now. This means that criminals are sharing knowledge and the know-how. Are there enough combined efforts from government institutions and intelligence agencies across the continents to share their knowledge and come up with appropriate responses? Is there enough counter-effort to prevent cybercrime and to punish cybercriminals?
I would say yes, and it’s growing all the time. The interconnections of various nations are very strong when it comes to cyber threats and even joint initiatives to counter them. In the United States, we have Cyber Command, we put a lot of resources in that, and it’s our full-time job to combat cyber threats. And they work with foreign partners very closely. There’s a lot of collaboration and cooperation. I think we are in good shape.
But it is complicated. In cyber, it’s not physical battles and physical enemies like we’ve had in the past when you knew who it was. Now they hide behind all those types of personas, they masquerade and hop around a lot, so you have to really track them on the net. They put bots out over the net and use them as their actors to do things. But we have people who are very skilled and very talented and understand this in many countries. They work very closely together.
How hard is it to paint a cyber threat landscape? Is it possible to know who the enemy is? Who is behind the attack? Now, we trace some ransomware attacks to Iran, and we can track something to Russia. But most of the time, it’s unclear whether threat actors are after money or intelligence. Do we know who the enemy is anymore? How can we tell if they are just random criminals, or are they state-sponsored hackers?
People who have a job to paint a landscape do a pretty good job. The intelligence agencies do a pretty good job, and there are some commercial companies out there that are doing a good job painting a landscape. They probably put them in tiers.
So there are definitely nation-states, and they are pretty good at identifying which nation-states are behind certain very sophisticated attacks. They tend to be very well funded and very sophisticated. And there are criminals who go after intellectual property or disruption.
I do think that those organizations that have that as their job to bucket them and define them do a very good job.
Most of the stuff that has a huge impact, it’s usually organized. Whether it’s criminally organized or nation-state organized. Criminals do share tools, and that’s the scary stuff. And there are hackers for hire now. They do it as a service, just like a business. That makes it a little bit more complicated, but we do a great job categorizing who they are.
How do you feel about the future? Do you feel optimistic that people like you are getting ahead of some of the attacks?
Well, ‘some’ is the word. ‘Some’ is the big word. I think we are making progress, and I think we have a long way to go. If you would ask me if I am confident with all the apps and all the tools we have, I would say absolutely not - it’s not protected adequately. If you would ask me about new technology coming out, I would talk about the culture of convenience in general. We want the latest and greatest things, and we rarely ever say 'how secure is that, and I’m not really going to buy it if it’s not secure', whether it’s cameras that you put in your house for protection or the latest cool automation for your car.
People don’t require it to be cyber secure, and they don’t even ask that question, so it’s not. And then maybe 3-4 iterations down the road, they will build security into it. Security is not built-in.
I don’t think we are in a great place from a cyber perspective. We need to be more vigilant. Companies need to focus more on cyber. I don’t think they’ve done things that I’ve talked about - like identifying and protecting their crown jewels. I actually think we’re pretty lucky we haven’t seen more horrible things.
When I was in my previous job at NSA, I wondered why we didn’t see more horrible things happening. I used to think that there was this line in the sand where even nation-states knew - if they cross that line, that would be considered an act of war to a nation, and loss of life is part of that. If there’s a loss of life, you are going to expect massive retaliation, and so I think a lot of times, they dance right below that.
I’m not comfortable. I don’t think we have things protected well, but I think we are getting better. We have to look into technology that can do things in an automated way. We don’t have an army of people, we can’t put humans on this, and that has to be the technology that solves it.
One of the biggest threats that we have is the human threat. It’s very hard to keep everybody updated to know what they have to do. And it’s not just for your company. It’s for you personally. I worry about this all the time. The average citizen is not a cyber person.
People tend not to know where their data is. There’s all this software as a service, all these apps out there, that do all kinds of great things for you. You may not even know. You may have a relationship with the business, and they do something on your behalf. You don’t know that they have relationships with other businesses. Where’s that data going? How are they protecting it?