January 19, 2022
I recently traveled to Las Vegas for CES 2022 to share USTelecom’s cybersecurity perspectives with an influential audience of industry and government leaders during two sessions:
Cover Your Sixes: Cybersecurity Beyond the Office
I joined a panel of security experts – including the CTO of a wireless networks company, the CEO of a cyber-focused venture capital firm, and the head of cyber risk at a major consulting firm – to discuss how remote work and billions of new Internet of Things (IoT) devices will shape security in our post-pandemic world.
Working from home poses security challenges. Since the pandemic began, many companies have improved or increased cyber hygiene training for employees. But an expanding attack surface – including billions of new consumer devices – has resulted in more attacks and more damage.
There’s a human element to the problem. Too many employees use work-issued and personal devices interchangeably. Personal devices often have less than ideal security features or settings – and may lack the benefit of corporate firewalls. This creates a situation where malicious actors may not just infiltrate a personal device and expose sensitive data but also move laterally across a network to infect work-issued devices.
Employees are not (and should not be expected to become) cyber experts. It’s not realistic to put responsibility on the consumer or employee to implement advanced security features. Similarly, consumers may face difficulty distinguishing between secure and insecure products. Labeling initiatives underway at the National Institute of Standards and Technology (NIST) may help consumers make better choices. USTelecom is actively involved in these discussions.
Security tools and network architectures can help. Well-known security tools such as corporate firewalls and VPNs are important. Managed security services and IT staff capable of assisting employees are likewise essential to many companies. Zero trust strategies and network segmentation are increasingly popular among industry leaders. These steps can produce tremendous security benefits, but there are no guarantees. If an employee brings an insecure device into their home, there’s a chance for exploitation.
Employers and security teams have a visibility challenge. In the corporate environment, employers and IT teams can develop an inventory of connected devices. They can also access work-issued devices remotely. But for privacy and policy reasons, employers cannot inventory or access their employees’ personal devices in the home. Because remote or hybrid work is here to stay, security innovators must find ways to “do more with less.”
IoT device security is essential. Many of the security challenges companies are facing involve devices that connect to the internet. We need to build the expectation that devices are going to come into the employee’s home – which is increasingly also the workplace – already secure.
USTelecom has been working to improve IoT device security through the Council to Secure the Digital Economy (CSDE), a coalition of 15 global ICT companies co-founded and managed with our partners at CTA. CSDE publishes world-renowned security guidance to inform device technical standards and policy across the globe. For more information, visit CSDE.org.
Cyber Crisis Handling: Who You Gonna Call?
Joined by security experts from USTelecom member companies, Lumen’s Kathryn Condello and Oracle’s Travis Russell, I moderated this session on how industry responds in a “crisis” when national infrastructure – such as communications infrastructure – comes under attack. We discussed CSDE’s crisis response guidance, which has earned praise from the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and industry experts. We also discussed the recent Log4j vulnerability, which poses a continuous risk.
What keeps security experts up at night. Not all threats are created equal. In recent years, we have seen cyber-attacks against power plants, oil and gas companies, financial centers, military organizations, hospitals, governments, and virtually every other sector that supports the 21st century economy. Threat actors are evolving their tactics, techniques, and procedures (TTPs). Response, too, must evolve to meet the challenges of today… and tomorrow.
Who responds in a crisis. CSDE’s Cyber Crisis Report provides a blueprint for how companies can coordinate in 12 different types of crises – based on real world scenarios. Some crises may fall under multiple categories. For example, Log4j would fall under the categories of Software Vulnerability: Open Source and Software Vulnerability: Zero Day.
Recommendations for cyber crisis response. The following insights are from CSDE publications, mainly the January 2022 Cyber Crisis Response and Handling paper (developed with the CES panel in mind):
- Share knowledge of threats and confirmed incidents. Organizations must collaborate within their own sectors, the ecosystem at large and with governments to share knowledge of pertinent cyber threats and confirmed incidents. Information sharing and operational collaboration are key, and may differ based on the incident or threat. Indeed, enterprises are often the first to discover a cyber threat because their systems are directly impacted when an incident occurs.
- Build close government-industry working relationships. Government should build close working relationships with the companies whose leadership and experience in responding to major cyber incidents make them valuable partners.
- Collaborate to address vulnerabilities. When vulnerabilities are discovered, organizations should collaborate to validate the vulnerability, develop a remediation, test it in various environments and coordinate the public release of the remediation in a manner that increases its adoption.
- Keep sensitive info confidential. The coordinated vulnerability disclosure (CVD) and handling processes may include multiple parties given the ecosystem collaboration needed for effective remediation. Information about the vulnerability should be kept in confidence and shared only with parties necessary to the process, until a remediation is available and publicly released.
- Mobilize rapidly when an incident occurs. Industry must be prepared to mobilize rapidly and to collaborate with relevant responders. This industry-led response should be based on voluntary frameworks and informed by international standards and industry best practices.
- Enhance international cooperation. Increasingly, policymakers recognize the need for international cooperation and coordination to address the growing epidemic of cyber-attacks.
USTelecom continues to work with our members on these key cybersecurity challenges, among a plethora of others. We look forward to deeply engaging with our government partners, including CISA, which established the Joint Cyber Defense Collaborative (JCDC) last year to bring together the public and private sectors to strengthen the nation’s security and reduce the risk of cyber incidents occurring.
Events like this one allow us to advance our members’ cyber leadership story. By presenting our members’ cybersecurity efforts in a venue that includes prominent government, industry, and civil society stakeholders, we increase the effectiveness of our policy engagement across the U.S. government landscape and internationally.
I invite members and their teams to reach out to me directly at any time we can be helpful.