When it comes to cybersecurity, federal agencies, along with many large organizations and small ones, are still digging out of the cybersecurity hole. Kris Lovejoy, the global advisory cybersecurity leader at Ernst and Young, joined Federal Drive with Tom Temin to discuss the big picture of how the pandemic has worsened the cybersecurity situation and what to do about it.
Tom Temin: Ms. Lovejoy, good to have you on.
Kris Lovejoy: Hi, Tom, thanks so much for having me.
Tom Temin: I think every agency and many organizations, many companies, felt that there must be a horrible cybersecurity effect because all the people had to go telework. And we had to set up all of these virtual private networks, which are supposed to be encrypted. But from your standpoint – and you’ve done some surveys across organizations – put a fence around what the real effects of the pandemic on cybersecurity have been.
Kris Lovejoy: Yeah, I have to say, unfortunately, a lot of what you’re hearing is true. There has been an amplification in cybersecurity events over the past six, eight months, due to the COVID pandemic. And let me explain the why. And I’m going to try to simplify it as much as possible, for those who may be listening and thinking, geez, that cyber discussion, let’s tune out, because it can be a little academic and wonky. If you think about cybersecurity from the perspective of a practitioner, it’s actually pretty easy to understand. In our world, the way we think about cybersecurity risk is there’s a threat out there, that’s an actor or a piece of malware that’s out in the wild. And that actor is going to try to exploit a vulnerability. And that could be a gap in somebody’s knowledge, it could be lack of a patch or a misconfiguration. And they’re going to do that to create an impact. And that impact could be something like a ransomware attack, or what we call a denial of service, where the services get disrupted. So you think about it that way. And you say, gee, even before COVID, we were seeing an escalation in the sophistication of the attackers, the people that were attacking, the number of pieces of malware that were out in the wild for which we had no signature diagnostic to find it. And there were more vulnerabilities than ever, because of all of the IoT devices, etc., we were introducing. And so now you think about COVID and what’s happened. Well, overnight, about half of the world introduced new technology to enable work from home. And of those, about 60% just skipped over or abbreviated security checks. So if you think about that, just from a landscape of what can be attacked, it’s a significant number of devices that have been introduced into the wild that can be attacked. And oh, by the way, the bad guys recognize that there are a lot of people sitting at home using these systems that are scared. And so they recognize that it’s a great time to begin to hook individuals through things like phishing, to get them to double-click on malware and get themselves infected.
Tom Temin: I think it was Microsoft that said that the phishing attacks have gotten even more sophisticated, in part preying on what they called the generalized anxiety that people have. And therefore there are more things they’re likely to click on.
Kris Lovejoy: Oh, exactly. And that’s such a big issue. And they’re calling people, they’re using emails, they’re using a lot of social media channels. That’s the other thing that we have to –
Tom Temin: And what about the cybersecurity practitioners? There’s this big complex of people in federal agencies – CISOs and their staffs, IT staffs – and of course, they’re all backed, almost 10-to-1, by contractors doing a lot of work for them. And how could it be that people were, in effect, the way you describe it, I would say almost running from the beach as a storm approaches and leaving their wallets and valuables out there on the chairs?
Kris Lovejoy: Yeah, I think, you know, the unfortunate reality behind cyber, historically, is this: the reason why we actually invest in it is because there’s a compliance requirement out there. So somebody comes in with a checklist and says, “You must do this,” or alternatively, there’s a crisis. And you know, in response, I will buy something to solve the problem. What we’re not very good at is investing in managing the risk before we actually roll out the new project. So think about this as we build a bunch of cars, but we’re not actually building the seat belts into the cars until after the fact, when somebody is looking at it coming off the line and saying, gee, I forgot to put that seatbelt thing in. So what’s happening in general is that with the CISOs, there’s a dissonance between what they do and how the business perceives cyber. So what they’re doing is they’re rolling out these new initiatives, and then bringing the cyber guys in. And as a result, cyber is kind of seen as a noose or an anchor around the neck of the business or the given organization. And so this has been, historically, the challenge: trying to change people’s perspective to realize that cybersecurity is part of the resilience planning of any given project or initiative, and trying to bring the cyber folks in as a partner as opposed to somebody who should be avoided. We believe, and we see, that when you design security in from the beginning, it’s a much more effective way to go.
Tom Temin: We’re speaking with Kris Lovejoy. She’s global advisory cybersecurity leader at Ernst and Young. So to make a parallel, it’s almost as if the financial arms of government rolled out trillions of dollars in aid. And now they’re just getting around to figuring out how to audit where that money went, instead of having the controls in place in the first place.
Kris Lovejoy: That is generally what happens, exactly. And especially when we’re in such a rush to get these new technologies out for existential reasons, it becomes all that more important. And one of the other things that we’re seeing, by the way, is that, you know, during the pandemic, a lot of people have been collecting personally identifiable information about employees, and they’re doing it because they think they’re doing the right thing. But what they’re not recognizing is that this data is very sensitive data, and it is also leading to a set of breaches that we hadn’t expected.
Tom Temin: Yeah, so you’re seeing identity and credential harvesting, for example. And Lord knows how that could be used against individuals or organizations in the future.
Kris Lovejoy: Exactly.
Tom Temin: Well, can anything be done? What’s your best advice for agencies and companies that have to do this catch up?
Kris Lovejoy: Yeah, and I’m calling this, sort of, the silver lining in the COVID cloud, if you will. You know, one of the things that I’ve seen is that over the past 20 years or so we’ve tended to just rack up a lot of point products in our infrastructures to solve these problems. Again, because of crisis and compliance, we tend to buy technology that solves the smallest problem at the cheapest possible cost. And so over time, what we’ve seen is just this unbelievable complexity; there’s just a lot of stuff. And you know, in good economic times, you can’t take that stuff out, because no regulator, no business leader is going to say that’s okay, because it’s just going to increase our risk. But what I am advising organizations to do is go through a radical process of streamlining and simplifying. This economic climate is the perfect opportunity to go and clean out your closet, if you will. You know, figure out what you have in place. Is it working? Is it providing you the value that you expect? And if not, get rid of it, because complexity equals risk. And we really need to reduce that.
Tom Temin: And I guess that’s especially important for contractors now, because they have a couple of other mandates on the cyber front that are not related to the pandemic – one is excising from their supply chains and from their own systems the Chinese-made telecommunications gear, and the other is the Cybersecurity Maturity Model Certification, the CMMC program, that is coming their way. And they’re going to be audited to see if they can control their cybersecurity and that of their suppliers, which would seem to aim at all of this reduction in complexity, so they can actually get good at it.
Kris Lovejoy: That’s exactly right. And I think that’s the other opportunity area for us is to improve how we look at the supply chain. And I always urge people to think about it like this: When you’ve got a smartphone and you’re buying an app from the App Store, how many of you are looking to see who built it, where they built it? And guess what, when we build things for our businesses, any given application, we’re building that application using third party components that we haven’t sourced, so we don’t know where we’re getting them from. What we’re essentially doing is we’re building these applications by going to these widget stores, pulling widgets into a frame, and then handing those over to the customer. And so what we’re seeing is that a lot of those widgets are actually infected with malware already. And so this is another opportunity that we have in this process of the certification process is to better explore how we test the components that we’re getting from third party vendors to ensure that the quality in and around the technology that we’re ingesting is adequate for our means.
Tom Temin: It sounds like if agencies don’t do that, there could be some really bad effects down the line because some of these things lie in wait and launch themselves at some indeterminate point in the future.
Kris Lovejoy: That’s exactly right. So again, it’s like thinking about that, like a biological model. It’s like a sleeping virus. It’s sleeping bacteria that can be detonated at some point in the future.
Tom Temin: And as we all know, they can go right to the top, can’t they?
Kris Lovejoy: Oh yes.
Tom Temin: Kris Lovejoy is global advisory cybersecurity leader at Ernst and Young. Thanks so much for joining me.
Kris Lovejoy: Thank you.
Tom Temin: We’ll post this interview at FederalNewsNetwork.com/FederalDrive. Hear the Federal Drive on demand. Subscribe at Apple Podcasts or Podcastone.