Speakers at the 2017 CyberSat Summit emphasized that improving technology capabilities is only a piece of the larger cybersecurity puzzle. During a panel assessing the evolving threat landscape in aerospace, a group of experts agreed that it is equally important to monitor the “people and processes” that form the foundation of companies’ every day operations.
Specifically, the panelists said that cyber security precautions must originate from the very top of the totem pole with senior executives and board directors. “One of the big problems we have to face is that the folks in the boardroom don’t understand how things work and why,” said Cyxtera Federal Group President Greg Touhill. “We need to have folks continually keeping their skills up to date. And we need to make sure the folks who are making those decisions on risk are adequately prepared. It takes homework.”
The speakers noted that there has been a recent shift in corporate culture, hefting responsibility for scenarios such as cyber breaches toward company leaders. Randy Sabett, head of the cyber practice group at Cooley, pointed to the 2013 Target breach for which the company had to pay an $18.5 million settlement as a salient example. After the incident, Target shareholders pointed the finger at the company’s board of directors and C-suite executives for not fulfilling their fiduciary responsibilities, and recommended that seven out of the 10 board members not be voted back into their positions. The company’s Chief Executive Officer (CEO) at the time, Gregg Steinhafel, also resigned amid the blowback.
That vigilance, however, must also trickle down to mid- and low-level employees, the panelists said. James Turgal, executive assistant director of the FBI’s information and technology branch, noted the FBI recently arrested a technologist who was identified as an “internal threat” at an undisclosed company. Turgal highlighted third-party vetting as a more secure way of ensuring companies are hiring the “right talent,” and said too that such responsibility ultimately comes back to “accountability and leadership.”
Touhill added that during his tenure at the Department of Homeland Security (DHS), “careless negligence and indifferent people” caused a majority of the cybersecurity incidents he witnessed. “Too many folks go right to the technology,” Touhill said. “We’ve got a lot of antiquated technology but we also have a lot of antiquated procedures and folks who don’t have the mindset of thinking like a hacker.”
Sabett also emphasized the importance of training employees to be prepared for the different forms an attack may take — saying that being proactive means “being ready for the punch.”
“We’re seeing some incredible attacks these days with business email compromise. It’s getting somebody to click on an email that’s not [from] the Nigerian prince, but your friend,” Sabett said.
According to Turgal, part of being prepared is establishing a resiliency and recovery plan for the day an attack inevitably occurs, which includes having the right communications channels in place to work alongside the FBI. “When the FBI comes and knocks on your door … you need to have that plan in place,” Turgal said. “The sooner we get there, the sooner we can stop the bleeding.”
“The time to exchange business cards is not during a crisis. You need to plan ahead before that day,” Touhill added.
Still, despite companies’ best efforts to manage the behavioral and social side of cybersecurity, the panelists acknowledged that cyber attackers will come up with more creative ways to infiltrate satellite technology — such as “monkeying with the rocket” so it doesn’t make it to orbit, Touhill said. Hackers may also attempt a Denial of Service (DOS) attack to interrupt the transmission of data from the ground station to the satellite, or worse yet, in the case of a compromised employee, include a vulnerability in the satellite’s design that doesn’t manifest until later — not unlike the Death Star from Star Wars.
Modernizing the infrastructure satellite communications relies on can help mitigate some of these attack vectors, said Lisa Donnan, managing director of Option3Ventures. Donnan brought up Artificial Intelligence (AI)/machine learning as an example of an emerging technology that can be leveraged to improve cyber resiliency. According to Donnan, Option3Ventures recently invested in a company that uses machine learning for automated threat intelligence. The technology has allowed the company to turn near-time awareness of cyber threats into real-time detection. Comparatively, she said, “you’re done” if you’re forced to wait for an analyst or Chief Information Security Officer (CISO) to manually assess the threat.
Near the end of the discussion, Touhill stressed that while government regulation can help standardize responses to cyber threats, it shouldn’t be the first line of defense. “We need to work together as part of the cyber neighborhood watch,” he said. “We don’t expect the police to check our doors every night to make sure they’re locked. We don’t expect the National Transportation Safety Board (NTSB) to make sure the air in our tires is at the right level. We’ve got to accept some responsibility.”