Though the U.S. government has ignored prior opportunities, former strategy chief of the National Cybersecurity Center, Mark Weatherford, says this time is different.
- You can’t have data privacy without good cybersecurity, so the U.S. federal government needs to do more in security to support privacy regulations.
- Recent mega-attacks will drive new U.S. cybersecurity regulations.
- Work-from-home employees bear more of the cybersecurity burden—but CISOs are still ultimately responsible.
- “Technology debt” in public and private sector increases cyber exposure—and cost.
- Transparency is needed in the software development “supply chain.”
- The time is coming when CEOs will be held personally liable for cybersecurity.
The arrival of a new administration in Washington is a hopeful sign for U.S. cybersecurity policy at the national level, says Mark Weatherford. He noted President Biden has said cybersecurity is a priority, made key related appointments and pledged to devote almost $10 billion to various cybersecurity initiatives to support the federal government.
“It's an indication that he's going to put his money where his mouth is,” said Weatherford, chief strategy officer of the U.S. National Cybersecurity Center. “I am hopeful that the administration is going to follow through on a lot of what we see as promises right now.”
During his career, Weatherford served as Deputy Under Secretary for Cybersecurity at the Department of Homeland Security during the Obama administration and as CISO of the states of California and Colorado.
In a Q&A with Mimecast, Weatherford, who is also CISO at Alert Enterprise, spoke about the outlook for cybersecurity policy at the national level and how the private sector’s focus on digital security is evolving.
Editor’s Note: This is the fourth in a series of interviews with leading cybersecurity experts from academia, research institutions and the private sector.
Mimecast: Based on your experience with the Obama administration, how do you think the Biden team should approach cybersecurity?
Mark Weatherford: That's something I wrote about in a Forbes piece, the three key policy related decisions they need to make.
One is to get somebody back in the State Department as global cybersecurity liaison with other nations. In fact, I think Congress is actually crafting legislation right now—maybe not legislation, but they've been calling for a cyber ambassador at the State Department. This is critical because if we've discovered anything over the years, it's that we cannot do this alone. We can have the best security and the best people and the best policies in the world, but unless we're cooperating, collaborating and aligning with other nations, we simply cannot be successful. It's critically important that we reestablish this international cyber ambassador role.
From an advice perspective, the one thing that I hope to see more of is people with private sector cybersecurity experience, not just staffing a lot of these roles with career government people. That takes nothing away from the government people, because the ones that have been nominated so far are very, very well qualified. But from my time in the government, both at the state and at the federal level, the one thing that I learned over and over again is that government folks look at cyber security differently than the private sector. They address problems differently, they prioritize problems differently and they look at risk differently than the private sector does. So having people in the administration who have operational cybersecurity experience, that understand profit and loss, who have had to make decisions on things like: "Do we spend money on this or do we spend money on this?" I think that's really key.
The other one was that the White House needs to make good on appointing the national cyber director. This person needs to have authority over the executive branch agencies with respect to cybersecurity, for both policy and funding across the federal government.
So many efficiencies can be gained in the federal government spending on cybersecurity right now. A lot of money is wasted because organizations kind of go off and do their own thing, with no alignment between federal departments and agencies around cybersecurity.
Mimecast: You wrote that the U.S. has abandoned leadership in the Internet. At the same time the states have stepped up with regulations like CCPA and the New York SHIELD law, establishing some responsibility over data. Has the regulatory environment evolved to more consumer-focused, personal responsibility where individuals should be expected to protect their own data?
Weatherford: I don't think it's an evolution. I think it's pretty much always been the case that the government focuses on protecting the consumer. Now, are they making the consumer more responsible? Perhaps. But I tell you, the bar has gotten higher for companies that are charged with protecting their customers' private information.
This is the difference between privacy and security. The government has always been more proactive on privacy-related issues than they have on security. That's the reason we're having this conversation; the government needs to do more around security to help support the privacy legislation and regulations that they have put in place.
I heard this a long time ago, and it has never changed: Security can exist without privacy, but privacy can't exist without security. There's a security dependency there from a privacy perspective that we haven't seen enough government support for.
Mimecast: With the COVID pandemic, we have seen a speeding up of the digital transformation and new security challenges. Are we shifting more of that responsibility toward individuals and less on organizations? Does that vulnerability need to be addressed?
Weatherford: Well, I don't think we're going to see regulation around that, because it's industry- and company-dependent. There's certainly been additional responsibilities shifted to work-from-home employees, no doubt about it. But most of the CISOs and the security teams I know of have taken the approach that: "OK because we're pushing more of this responsibility on the employee, we have to do more to help them." So they're employing more end-point technologies that can screen and identify vulnerabilities. They do more training for users on things they should and shouldn't do.
I guess the bottom line is that companies and CISOs are still ultimately responsible. So while there's a little bit more responsibility being put on the employees, the companies and CISOs cannot avoid that it's still ultimately their responsibility. They have employees working from home, it's their responsibility to make sure that their employees are doing the right thing. I wouldn't say it's less organizational focus, but rather, that it's probably an expanded suite of responsibilities for both employees and organizational security change.
Mimecast: Another column you wrote discussed how the pandemic had exposed a "tech debt" among state governments and the need for centralized cyber structure. How does that tech debt affect cybersecurity? How can states correct it?
Weatherford: I wouldn't call that tech debt itself. That's technology maturity. I'm seeing the same thing here in Colorado and I hear of it in other states. Where the tech debt comes in is because of funding: For the most part there's still a lot of very old technologies that are employed today that cost a lot of money to keep running. And by the way, this is not specific to state and federal government and local government, you see it in a lot of private companies, as well.
One of the clearest examples, pandemic related, was with the people that were immediately unemployed, when the federal government approved funding for unemployment insurance, many states have very archaic unemployment systems. Many of them are still COBOL-based platforms, which is crazy, because they had to go out to find COBOL programmers to maintain these systems. I don’t know of anyone who even teaches COBOL anymore. That's one very visible example of tech debt.
Another example, in the private sector: the small water company in Florida that got hacked. They were running Windows 7 in that environment, which isn’t unusual, by the way. A lot of these critical infrastructure companies are still using this kind of old technology. Microsoft doesn't even support Windows 7 anymore, which means any vulnerabilities that are discovered are not easily mitigated. There's not much you can do about it, except apply compensating controls.
That kind of tech debt costs a lot of money and results in risk to the organization. But at the same time, if companies can't afford to upgrade, they can't afford to upgrade. That's kind of the technology world we live in, where we have to employ compensating controls in order to manage the risk and the vulnerabilities in these old legacy systems. And unfortunately, those compensating controls impose a tremendous amount of resource cost.
Mimecast: In the early stages of the pandemic, there was a focus on the supply chain and we saw an uptick in ransomware attacks. Is that also increasing the focus on cybersecurity in logistics and supply chain?
Weatherford: When we say supply chain, people often think of the physical logistics, that is, how do we get a product from point A to point B. When those of us in the cybersecurity business think of supply chain, we think of the digital infrastructure. I was on a panel talking about this from the perspective of: how do you ensure that the software that we're building is secure? Very few software developers sit down and write all their code. What they're doing is they're going out to libraries or repositories and they're pulling chunks of code in and tying them all together. That's a tremendous, tremendous vulnerability to understand where that software was originally developed and what an entire package looks like.
NTIA [National Telecommunications and Information Administration] is sponsoring an initiative called the Software Bill of Materials where, when a company delivers a software product, it comes with a list of the ingredients or an inventory of where all the code came from. That's one of the things that's going to help address software insecurities in the supply chain. SolarWinds, however, proved to us in very dramatic fashion that the supply chain is vulnerable. We still don't know the full implications of SolarWinds, and we probably won't for a while, but it's going to be significant and it's going to cost a lot of money and take a lot of time to get it completely—if we ever get it completely back under control.
Mimecast: It seems like everybody talks about how information sharing should be a part of building better defenses. Is there more urgency after events such as the SolarWinds attack, or the reported North Korean hack of Pfizer?
Weatherford: We can always do more, but are we doing enough? Probably not. I don't know if you saw the 60 Minutes report where the president of Microsoft said essentially that we need to do more information-sharing and it may require regulation requiring companies to share more information. My fear and I think that of a lot of people in the security community is that SolarWinds will die down and then we'll just go back to the way it was until the next big breach. Which is kind of what we've done over the past decade: We lurch from event to event without ever actually fixing them.
I do think SolarWinds is a catalytic event because it affected so many companies, so many big companies and so many government organizations. I think the government has to act. They're going to create some regulatory framework around reporting and security standards that will formally elevate security across the private sector.
Mimecast: But hasn't the federal government had opportunities to do this before?
Weatherford: The federal government has had multiple opportunities to do this. We had the (Office of Personnel Management) breach in 2015; that was at the time called a catalytic event. But what has happened? Nothing, or not much has happened. So the answer is yes, the government has had plenty of opportunities before now.
Mimecast: How can cybersecurity professionals become more proactive? How can they become a strategic resource?
Weatherford: Most CISOs I know view that as part of their job, to be that point person on technology and security for the organization. However, I think in far too many organizations they aren't viewed as critical to the business, but rather kind of supporting cast members. Too many technology decisions are still made without consulting the security team—bad decisions, in my opinion. Because then, you have technology that's brought in and technology that's developed that you have to put Band-Aids and bolt on security onto it after the fact.
It's changing a little bit. More and more boards of directors now are embracing that they need to know more about security and they understand that they're not going to be the expert. However, I still think there's a mismatch of expectations. I still hear CEOs and board members say: “That's the CISO's responsibility.” I'm always quick to push back on them and say, "No, that's not the CISO's responsibility. It's your responsibility. The CISO carries out that responsibility for you."
Mimecast: Are businesses starting to understand that being responsible for data is part of protecting the company's business?
Weatherford: To put it in kind of a clichéd term, CEOs are more and more fearful about doing the cyber perp walk, about getting called to Congress or getting called in front of the board and being held accountable. Gartner put out a report that said—and I'm paraphrasing here—by 2024, 75% of CEOs would be held financially liable for cybersecurity incidents. When we get to the point where CEOs are being held personally responsible for security, then we're going to start seeing more emphasis on security and more support for the security organization.
Want more great articles like this?Subscribe to our blog.
Get all the latest news, tips and articles delivered right to your inbox
You will receive an email shortly