Today’s chief information security officers (CISOs) may be suffering from a bit of whiplash. From one direction are new rules governing disclosure for incidents involving public companies. From another is the continuing geopolitical unrest adding risk and uncertainty to an already complicated role. And from yet another is the ongoing litany of exposures, threats, and attackers relentlessly targeting businesses.
Last week at the RSA Conference, former National Security Agency Director Adm. Michael S. Rogers sat down for a discussion about the current legal, regulatory and threat landscape, which is adding unprecedented complexity to the CISO role regardless of industry.
“First of all, this is a tough time to be a CISO. Now, remember, tough times also provide plenty of risk but also plenty of opportunity,” said Rogers, who spent decades leading teams responsible for securing large Department of Defense networks against well-resourced actors. Rogers stressed the need to have solid foundational security practices in place as a starter, understand the fundamental processes that enable organizations to execute their outcomes, and prioritize accordingly.
“Fundamentally you have to be able to deal with people who have deep cybersecurity expertise, deal with others who are key components in executing the organization’s mission, and lastly you have to deal with senior-most leadership in your organization who may have limited knowledge of cybersecurity, but on the other hand are the overseers and allocate resources and make the assessment if it’s working,” Rogers said. “You have to be able to communicate in a language they understand and that’s not the technical side of cybersecurity.”
Rogers also addressed the dichotomy among the threat actors targeting enterprises: most are criminals, as distinct from state-sponsored groups. The APT landscape, however, is a concern for CISOs in critical infrastructure sectors and for those responsible for cyber-physical systems. The Russia-linked Sandworm APT, for example, is notorious for targeting operational technology (OT) systems in addition to carrying out espionage and misinformation campaigns against Western targets and adversaries. The picture is further blurred, Rogers points out, by increased collaboration between criminal groups and state actors, with criminals working on behalf of states in some instances.
“As a cybersecurity professional, the lines aren’t clean so you’re going to have to deal with a broader set of scenarios and a broader set of challenges,” Rogers said.
In terms of explicit targeting of critical infrastructure for political and military gain, China’s Volt Typhoon actor has been a focal point for CISOs for some time. The APT has been accused of embedding malicious code in CI networks, with the implication that it could be activated during a time of military conflict, not only causing destruction to electric or water systems but also sowing chaos in society.
“This is a total change in risk calculus. I’ve never seen a nation state before engage in the emplacement of destructive malware in the critical infrastructure of another nation,” Rogers said, adding that previous intrusions from Russian or Chinese actors had been more in the vein of reconnaissance of network structures and security practices.
“They didn’t seem to be interested in manipulation of any software, implanting of any devices, or in any way in pre-cursoring destructive activity. What we’re seeing with Volt Typhoon is that the PRC has made a totally different decision and now has decided ‘We want to emplace capability that we can activate in crisis or conflict and use it to cause to execute destructive action against core infrastructure within the U.S. that will generate benefit for us at a time and place of China’s choosing.’ That is a big game changer.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.