Chertoff offers cybersecurity lesson: Layers of defense — and backups

Former homeland security secretary tells utilities convention that limiting impact of breach is key

At this point, everyone in the business community knows two things about cybersecurity:

  1. Don’t open attachments unless you are sure of their origin;
  2. It’s a matter of when — not if — your company will have a cyberbreach.

This is not to say those old-school axioms should be ignored, but rather to talk about the next generation of defenses needed to stop or — better stated — contain an attack.

So said Michael Chertoff, the former U.S. secretary of homeland security, who now runs his own security risk consultancy, the Chertoff Group. He recently detailed new strategies as a keynote presenter during the New Jersey Utilities Association conference.

His advice was relevant to all businesses, he said, but it was particularly important to sectors with great societal impact, such as utilities and health care.

Chertoff’s biggest takeaway: Cybersecurity protection today is not about trying to build an impenetrable wall around your information technology infrastructure, but having layers of defense that enable you to mitigate problems when they arise.

Chertoff compared it to life on the seas during wartime.

“When you have a warship, you have individual hatches — so, if you ever have a torpedo that penetrates the hull, you can ‘batten down the hatches,’ and that lessens the damage,” he said. “When you think about cybersecurity, you need to think about hatches and battening them down and not a Maginot line (a World War II reference) where you try to build a single fortress.”

Chertoff suggested two possible ways to do this:

  1. Run vitally important operations on systems separate from those used for business transactions;
  2. Have backups to backups, so — if your operations are hacked — you have a way to keep operating.

The importance of this cannot be stressed enough. Cyber, Chertoff said, is the new battleground.

“Where we are now is in a dynamic situation where the threats and the challenges continue to evolve — even as we make positive changes to improve our security, and to develop strategies for dealing with this,” he said. “But there’s no question that the cyberdomain of conflict is now as much of a domain as air, sea, land and even space.”

One of the biggest issues is that cyberattacks can come from anywhere (and often can be done in a way that hides their origin) and, more importantly, can come from another country or simply a rogue individual or organization.

Chertoff said the threats from nation-states are the most troubling.

“Increasingly, our nation-state adversaries look to the cyberdomain as an area in which they can undermine us, injure us and even affect our unity of effort and our trust in our leaders,” he said.

“A single individual can do an awful lot of damage, although, when a nation-state gets involved, typically what they are able to do is bring a lot of different resources to an attack. It may be your ability to obtain individual imports that are not widely available — and it can be used to penetrate or undermine systems.”

Chertoff, of course, stressed individual responsibility — the whole ‘don’t click on attachments’ lesson. He stressed the need to have business-only devices on trips and for those working remotely — another age-old warning.

Chertoff, however, said the precautions need to go deeper than that.

While everyone knows that using public Wi-Fi at a coffee shop or airport opens a company up to hacking, Chertoff said the company’s own infrastructure can be a problem. One test his company does is sitting in the lobby of a client’s building to see if the client’s internal Wi-Fi is properly encrypted.

Spoiler alert: It often is not, he said.

The biggest warning he gave is one many may not think about: someone with approved access to your systems unknowingly becoming the conduit for an attack.

It’s a situation where artificial intelligence can have great impact, he said.

“You have to have systems logs that detect who accesses the network, when they do and how long they’re in their network,” he said. “This is actually a positive area for artificial intelligence, where you can look to see whether people who have, in theory, the right or the privilege to access a network are behaving on the network in a way that seems anomalous.”
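The kind of log check Chertoff describes, as an added example that is not from the article or the Chertoff Group: it takes a log of who logged in, when and for how long, builds each account's baseline from its own other sessions, and flags sessions that break the pattern. The log format, the account names and the planted off-hours session are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (timestamp, account, event, minutes logged in).
# alice's last line is the planted outlier: a 02:47 login of almost 7 hours.
SAMPLE_LOG = """\
2024-03-04T08:02:00 alice login 35
2024-03-05T08:10:00 alice login 40
2024-03-06T07:58:00 alice login 38
2024-03-07T08:05:00 alice login 42
2024-03-08T02:47:00 alice login 410
2024-03-04T09:15:00 bob login 120
2024-03-05T09:20:00 bob login 115
2024-03-06T09:05:00 bob login 125
2024-03-07T09:30:00 bob login 118
"""

def parse_log(text):
    sessions = []
    for line in text.splitlines():
        ts, user, event, minutes = line.split()
        if event == "login":
            sessions.append((user, datetime.fromisoformat(ts), int(minutes)))
    return sessions

def hour_distance(h1, h2):
    d = abs(h1 - h2)
    return min(d, 24 - d)  # on a 24-hour circle, 23:00 and 01:00 are 2 apart

def find_anomalies(sessions, hour_window=2, z_threshold=3.0, min_extra=30):
    """Judge each session against the user's OTHER sessions (leave-one-out)."""
    by_user = defaultdict(list)
    for user, when, minutes in sessions:
        by_user[user].append((when, minutes))
    flagged = []
    for user, rows in by_user.items():
        for i, (when, minutes) in enumerate(rows):
            others = rows[:i] + rows[i + 1:]
            if len(others) < 3: continue  # too little history for a baseline
            typical_hour = mean(w.hour for w, _ in others)
            durations = [m for _, m in others]
            mu, sigma = mean(durations), pstdev(durations)
            reasons = []
            if hour_distance(when.hour, typical_hour) > hour_window:
                reasons.append("off-hours login")
            # An absolute floor stops a very tight baseline from flagging noise.
            if minutes > mu + max(z_threshold * sigma, min_extra):
                reasons.append("unusually long session")
            if reasons:
                flagged.append((user, when.isoformat(), reasons))
    return flagged
```

The leave-one-out baseline matters: if the outlier were included in its own baseline, a single seven-hour session would widen the spread enough to hide itself.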

The other big piece of advice: Don’t hide failures from other employees.

Whenever a company finds a breach, it should use it as a teaching lesson for all employees — it’s a way to give life to the repeated warnings that mostly go unheeded today.

“When there is a slip-up, instead of viewing it as a negative consequence, it’s a way to periodically remind people about being careful about this as part of the consistent training and refresher courses,” he said.

When it comes to utilities, there cannot be enough training, Chertoff said. The potential damage is that great, due to the threat of ransomware.

“They figure, if they shut down your utility, you’re going to have to pay them a lot of money, otherwise, people are going to freeze or not have water or the sewers aren’t going to work,” he said.

“If they can hack into your network and can get to your operating system, they can really mess up the ability to manage the utilities, by either making the data unavailable, altering it or having it basically shut down or rendered inaccessible.”

A variety of defenses — including backups — are key, Chertoff stressed.

“It’s a matter of architecture, it’s also a matter of resilience.

“You need to say, ‘What happens if they do shut down my network, including my operating system — do I have a way of disconnecting my operations from the internet and operating them manually or with a backup system?

“And, if not, do I have a way to work around it to make sure that I can still provide necessary services?”