The Center for Public Policy Innovation (CPPI), in conjunction with the Congressional High-Tech Caucus and Cybersecurity Caucus, hosted two cybersecurity roundtables for senior Hill staff. The events gave staff an opportunity not only to hear from nontraditional stakeholders on the Hill, but also to engage, asking questions to better shape future policy.
Roundtable with Chairman Michael McCaul and Oracle’s Hayri Tarhan
Hayri Tarhan, Vice President of Public Sector Security at Oracle, one of the world’s leading tech companies, delivered a briefing before fielding questions and sitting down for an engaging discussion with staff. Chairman of the Homeland Security Committee, Congressman Michael McCaul, kicked off the event, which was meant to create greater understanding in Congress about the constantly evolving nature of cyber threats and what government can do to minimize risks.
“Congress is finally starting to pay attention to Cyber. It wasn’t a big issue previously, which is why I started the Cybersecurity Caucus,” began Chairman McCaul, adding he’s doing a lot of work related to the Commission on Digital Security as well as recent cyber legislation.
In an ever-changing landscape, it’s important to continue educating Members and Staff by hearing from some of the brightest minds in the field of cybersecurity. Oracle’s Hayri Tarhan rightly pointed out, echoing the sentiments of Chairman McCaul, that years ago no one was paying attention to cyber, and that this has led to many of the challenges we face today.
According to Tarhan, there is a new currency in IT and that currency is data. Furthermore, the value isn’t money, but trust. Mega breaches within the last two years have skyrocketed because hackers are becoming more skilled and this threat is asymmetrical. The cost of protecting data is exponentially greater than the cost of an attack.
Anatomy of an Attack
Hackers will determine the database administrator using something like LinkedIn, learn what they do for fun via other social media sites, and social engineer an email where the administrator will click on a link, downloading malware. If this malware is a key logger, the hacker gains vast information, including username and password. After establishing a foothold, the hacker will create multiple back doors, creating a relational database; that’s where data can be stolen very quickly.
In cases where the intruder wants to pull something like 10 terabytes of data from a network without anyone knowing, they do so a little at a time, using the administrator’s credentials to not arouse suspicion.
“Don’t assume mediocre, assume exceptional when thinking about your cyber adversary,” noted Tarhan. Chinese hackers are exceptionally good, with schools dedicated to hacking U.S. networks.
Post OPM Breach
Following the cyber breach of the Office of Personnel Management, a cybersecurity sprint was implemented with four key components:
- Provide log-in information to the Department of Homeland Security
- Patch critical vulnerabilities without delay (including encryption)
- Tighten policies and procedures for privileged users
- Implement multi-factor identification
In order to better encrypt data and prevent unauthorized access, a username and password will not suffice without pervasive monitoring along with auditing to improve cyber posture.
One of the major takeaways from Tarhan’s briefing is the fact that 96 percent of all breaches could have been prevented had the proper protocols been implemented.
Q&A:
Q: Where do we go from here in terms of securing government networks?
A: From a network standpoint, it is pretty straightforward; there are a few things to put in place, including multi factor identification. Risk is a spectrum, which means there is a spectrum for authentication. Unfunded mandates are still out there. Hosting facility and a tenant, both must be in compliance, but neither is in a good security position and ended up pointing fingers.
Q: Where is the pushback coming for two-factor identification?
A: Secure ID is a pretty good system, especially for administrators. The challenge is for very large organizations that need a help desk and dedicated team. The PIV card is the second factor, which is very secure, but some agencies haven’t implemented this yet.
Q: Generational differences in approach to cybersecurity?
A: Security has traditionally been the responsibility of the network team, not the administrator. CISOs traditionally come from a network background. The database team needs to place someone on the security team within an organization.
A more prevailing generational challenge: the expectation of the youngest generation is getting things when they want them; they are device-oriented, their digital life is in a phone, and they don’t use email. Their expectation of what they want from IT is way different from the generation before, but security needs to be built in.
Q: Thoughts on Internet of Things and cyber security applications?
A: Tailored marketing from IoT devices, such as the wristbands at Disney World that track all your movements and activities. The next change in cybersecurity is not the theft of data, but the modification of data without anyone knowing it. Theft of data is scary; change in data is frightening.
Q: Cyber Skills gap?
A: There aren’t enough people that are properly trained; the old curriculums are not up to date. Staffing levels, skills, expectations: these are realities on the ground for IT organizations.
Q: Hardware/software challenges?
A: Are the security measures you put in place really going to improve security? There are some realities: if you buy hardware without software in mind, that’s a problem. Hardware and software need to match up, otherwise the system will be slow and people will want to back away. Government needs to come in to explain the steps to properly secure data; it needs to be prescriptive. Government needs to figure out how to properly encrypt data.
Q: A lot of money being spent on cyber, why still so many unfunded mandates?
A: Money is going into network security, which is something you need. There is also a need to strengthen the supporting systems.