If you are a history nerd you might happen to know that Kiev, the present-day capital of Ukraine, was once actually the capital of Russia. That is, until the Mongols seized Kiev in 1240, occupying most of Russia for the next two and a half centuries. It was during this period that Moscow first served as the capital of Russia, with the Mongols later being driven out by Ivan the Great around 1480.
A few centuries later came the Thirty Years' War, followed by the Napoleonic Wars, and in the 20th century there were several massive theater and world wars which shook humankind to its knees.
The instruments of war may be swords, tanks, or keyboards — but it seems that people will always fight in one way or another over resources and treasure. From a certain point of view, global cyber warfare is somewhat of an improvement, because it is generally non-violent (although the capability for actual physical harm does exist).
Watching the news cycles over the past few years, we have seen endless reports revolving around what are known in the cybersecurity world as “APTs”, or Advanced Persistent Threats. The cybersecurity community groups who research and track these APTs assign names to them in a way that is similar to how the National Weather Service names hurricanes, although APTs just get numbers – “APT29” (Russia), “APT32” (Vietnam), “APT33” (Iran), “APT38” (North Korea), “APT41” (China), “APT5” (Undisclosed). Undisclosed? Very comforting.
So what is an APT? An APT is a group of well-educated, well-funded and highly trained hackers and crackers who are formally tasked with particular objectives, such as stealing the engineering designs for warplanes or infiltrating electrical grids. Oftentimes APTs have the full backing and resources of their home country.
Like hurricanes, APTs are a powerful and destructive force that can wreak havoc on cities, counties, and even entire states. Unlike hurricanes, the victims of APTs seldom see the coming destruction – APTs infiltrate networks and hide, like black mold inside of walls. Right up until they don’t. It is for this reason that active Threat Hunting is one of many career specialties within cybersecurity. Threat Hunters actively seek out cyber threats in very aggressive ways; aggressive in the same way that a building contractor might tear apart walls looking for black mold.
I spent years working in what are known as “SCIFs” (Secure Compartmented Information Facility) – windowless, super-secure buildings patrolled by heavily armed Marines. Often, we knew what was going on in the world before things hit the news cycle, especially events that were related to cybersecurity. We all went home to frustrated spouses who knew that “we knew something” but could not talk about it. When Russia compromised the EOP (Executive Office of the President) in 2014, I had a seat on the 50-yard line for the whole thing, attending classified meetings and chatting with the NSA guys. Over the years, I sat through endless briefings and read hundreds of breach reports.
And guess what? The way that hackers get into these networks is nearly always by shrewdly tricking real humans into making bad decisions — reusing passwords, ignoring written policies, clicking on a malicious hyperlink. Pore over the APT10 reports and you will find that, once again, the attack vectors were humans. Remember Stuxnet? Iranian scientists were tricked (ostensibly by American and Israeli agents) into carrying infected USB sticks into their “secure” enclaves. Technology alone is not enough to keep bad actors out of municipal and other networks — you MUST build a culture of security and train your people.
In addition to funding challenges, the problem for local governments is that the overarching cybersecurity CBK (Common Body of Knowledge) is just as baffling as the tax laws. We security practitioners are not licensed like accountants and lawyers, so it can be very difficult to know whom to trust with the protection of your vital business systems and data. Legally speaking, there is basically nothing to stop tattoo parlors and nail salons from offering cybersecurity services. Probably the best evaluation currently available for determining who is qualified to work in cybersecurity is the freely available, vendor-neutral U.S. DoD Directive 8140.
Known to military cyber wonks simply as “Eighty-One-Forty”, this short directive lays out a simple three-tiered qualification strategy, mapping competency levels to common industry security certifications. Asking IT technicians who do not have the proper qualifications to perform cybersecurity work is like asking a bookkeeper to file corporate tax returns – a poor decision fraught with major uncontrolled risks. Cybersecurity is not an IT challenge – it is an organizational challenge.
While common “best-practices” technology such as firewalls, backups, and anti-virus (the stuff that makes money for cybersecurity vendors) still comprises the basic elements of a cybersecurity program, it is no more important than written security policies and properly trained employees. These things taken together – technology, policies, and training – contribute to an overall culture of security (called Defense in Depth) like you would find at Cisco or Lockheed Martin.
Not only do local governments need to make sure they are hiring the right cyber talent, they also have to have a plan in the form of a cybersecurity framework, such as the NIST (National Institute of Standards and Technology) CSF (Cybersecurity Framework), a widely recognized cybersecurity maturity model designed around continuous improvement. Or, if the CSF is found to be too arduous, an excellent start would be NISTIR 7621, Small Business Information Security.
Imagine for a second a visit to an amusement park or an auto dealer’s garage and take note of all the safety precautions in place. Signs, lines, cones, vests, safety glasses, fire drills — it goes on and on. Every worker trained to a “T”. We are so used to safety in America that we don’t even notice it anymore – it is a normal part of our culture. Local governments must make cybersecurity “normal” in exactly the same way.
In enterprises (whether public or private) with mature cybersecurity programs, security professionals effectively operate a mirror of the safety program, but for cybersecurity. Security awareness flyers, security awareness training, security drills. Posters in the lunchroom — a culture of security.
Therein lies the challenge, and the way forward, for local governments where cybersecurity is concerned. They have safety programs because those are mandated by law, but they must willfully choose to build cybersecurity programs on their own and pick the right people to help.