When tensions with Iran escalated recently, the Cybersecurity and Infrastructure Security Agency was concerned about vulnerability to potential cyber retaliation. So it immediately began taking steps to protect federal, state and local networks, as well as critical infrastructure and private industry. Its first stop? Twitter.
When Iran shot down a drone the previous year, CISA had used Twitter, among other platforms and channels, to share information and resources about defending against potential hostile actions. So when that concern recurred, the quickest and most efficient way to begin responding was to ensure that relevant information was back in circulation and easy to find.
After that, CISA began looking to update those materials, and start putting together information-sharing phone briefings.
“There’s one thing that my team does really well,” Chris Krebs, CISA’s director, said during the Jan. 20 U.S. Conference of Mayors Winter Meeting. “[With] about 45 minutes heads up, on Friday after the event, we stood up a call, pulled everybody together. I gave about a 30 minute brief and answered questions for 30 minutes. We had about 1700 connections on the line. I don’t know how many people were on the other side of each of those connections.”
The following Tuesday, he said, with about 12 hours notice, there were about 5900 connections, some of which, Krebs said, had as many as four or more people on the other end of the line.
“So I suspect we had somewhere on the order of 10,000 people on the line, listening to me do my thing and then answering questions on what security officials can do to protect themselves,” Krebs said.
But as the Iran situation de-escalated, CISA did not. CISA took advantage of the heightened awareness, and continued holding calls. Just because Iran wasn’t currently threatening U.S. networks and infrastructure, doesn’t mean ransomware has gone away.
Because that’s CISA’s mission: to be the nation’s strategic risk adviser. CISA provides services like training, exercises, technical assistance and vulnerability scanning. They help security officials understand what the challenges are, and what they can do to defend against them.
He said CISA has five areas it intends to focus over the next few years:
Government networks (not just federal, but also state and local);
Sharing information, training and exercises;
Industrial control systems security; and
That last one, Krebs said, covers a range of issues. For example, what is the intersection of risk when making a smart city? Are we prepared for 5G, and its supply chain challenges? For autonomous vehicles, sensor networks, privacy considerations?
What CISA will not do, Krebs said, is come and rebuild your network for you.
“What I can do is come in and advise on what getting back to good looks like, what that path looks like,” he said. “[I can] share experience from instant response efforts that we’ve supported in the past, be that trusted adviser that doesn’t have a financial stake in how you get back up and running, but help you prioritize some of the tough decisions and investments that you’re going to have to make. None of this is easy. It’s going to cause a lot of pain.”
But it can share best practices that might help prevent, or at least forestall, potential cyber incidents. In fact, Krebs distilled down those best practices to six key attributes of a successful cybersecurity program:
It starts at the top. The chief executive has to buy in, and drive execution of the cyber strategy.
Foster a culture of cybersecurity. Everybody is part of the team, and everybody needs to be aware of threats. This can include exercises and education like phishing tests.
Know what devices are on your network. Effective governance programs are key.
Similarly, know who is on the network. If credentials get compromised, limiting the access those credentials have can help.
Have offline backups. If you lose your network, you can rebuild. It’s not the easiest or cheapest path, but paying ransomware demands only incentivizes the practice.
Have an incident response plan. Know who to call, how to talk to employees, constituents, and the press. Transparency is the way to go.