The CIA Is Driving Cyber Intelligence In Australia

Cyber security is not about any specific technology, or even a combination of specific technologies, but about developing a strong security culture with good talent.

The overarching message to organisations from the federal government’s cyber security strategy is – “you’re on your own, we wish you the best luck.”

So says Roger Hockenberry, former CTO for the National Clandestine Service of the Central Intelligence Agency (CIA) – a role he took on following a bout as chief of cyber defense for the CIO with the agency, among other roles.

“This should be a clear signal to every company that they have to engage in cyber intelligence,” Hockenberry says. “It’s now going to be incumbent on them to do their own research, analyse threats, understand how it affects the business and how it could impact them in a material way.”

With more than twenty years of IT experience, Hockenberry is a proven technologist and business executive who has chosen to focus his skillset on helping enterprises prepare for cyber-attacks as the CEO and co-founder of Cognitio.

In the wake of the release of the government's cyber security strategy, Hockenberry is touring Australia to discuss the importance of cyber intelligence to companies that want to stay protected and competitive.

“Cyber intelligence is more than IT security. You now have to be aware of all these new impacts. Cyber is a market of its own, and that market is moving and evolving quickly,” he warns.

Joining him in Australia is one of three co-founders of Cognitio, managing partner Bob Flores. Flores himself served an impressive 31-year stint at the CIA, in various IT roles including the directorate of intelligence, directorate of support, and the National Clandestine Service, and eventually CTO.

Flores left the CIA to form an independent IT consulting firm, before founding Cognitio with Hockenberry and additional partners, tech titan Bob Gourley (former CTO for the Defense Intelligence Agency, and joint chief of cyber defense for the Pentagon), plus tech consulting, marketing, communications and research guru, David Highnote.

“We all had our own companies doing consulting and we were all working together on a very semi-regular basis so we decided that we had a great opportunity to bring the three companies together to create something with a larger impact,” says Hockenberry.

The word Cognitio was chosen as a shortened version of ‘cognition’, with the company tagline ‘how we think’. The team merges its varied and practical experience in consulting, technology and cyber intelligence and applies that practice to helping organisations make the right decisions and stay protected.

With their demonstrably strong expertise in this field, Cognitio has grown rapidly, and is now turning its gaze to Australian markets in need of updated cyber intelligence practices.

Developing a cyber security culture

Cyber security is a growing and evolving threat that will require complete focus, continual retraining and awareness programs, and new roles devoted to it.
 
The duo tell CIO that tackling cyber security will not be about any specific technology, or even a combination of specific technologies, but about developing a strong security culture with good talent.

“Cyber security is finally being seen as a business issue and no longer a technology or IT issue,” Hockenberry says.

“You must focus on cyber as a business risk, make sure that is communicated at the CEO level all the way down, and that you’re sincere about that commitment to that, with constant retraining, because if not, it won’t work.”

This was a key message of a talk Flores gave earlier this year as part of Connect Expo’s Next Big Thing Summit in Melbourne, in which he also shared a number of key resources with crucial security and risk data for enterprise.

“There’s a movement towards having a CISO, but I think every organisation is going to need a dedicated chief cyber risk officer, because it’s going to be delineated from the IT security role. Cyber goes far beyond IT security,” Flores says.

Creating a cyber security culture includes building company-wide awareness and training of security best practice such as behaviours and activities to be wary of, and what to do if you suspect there has been (or will be) an incident.

“Your employees know who to call if someone has a heart attack, so what about a cyber-attack?” asks Flores.

“Even if they just have a question about someone or something they saw. It’s very important that folks have a fundamental understanding of what’s important, how to report things, and what’s worth reporting,” Flores says.

“This is what we mean when we talk about the culture – people will just know: I report that to my regional IT manager and here’s his number on my desk.”

One of the key changes of a new cyber-aware business will be the need to take a data-centric view of security as opposed to keeping cyber security a technical issue.

“Traditionally, CIOs have been concentrating on how to protect their technical assets. With cyber, all enterprise architecture should be centered on data security. Really focus on how to secure that data, and how to allow access to the data,” says Hockenberry.

“Yes you have to protect your end devices, your networks and servers, and so on. But at the end of the day, you have to protect your data,” adds Flores. “No matter how much security you put on the perimeter, somebody is going to get through if they really want to.”

Once data-centric architecture and controls are put in place, then that system must be audited to see how sensitive data is sourced, collected and shared around the enterprise so data monitoring can be effective and informed.

“If you don’t do this then you’re not going to stop someone getting into your enterprise, whether it be an insider attack or from the outside,” says Hockenberry.

Flores recommends a tiered approach for different subsets of data, with one security plan for the most sensitive or valuable data, and another system for less sensitive (but still mission-critical) data to ensure hacking into one won’t mean hacking into both. Success also means not wasting energy locking down low-value information.

“There’s a whole class of data that’s not worth paying to protect. If I send you an email that says ‘hey let’s go to lunch’ - from a corporate standpoint nobody cares, and from a hacker standpoint, nobody cares,” says Flores.

Data security goes beyond just locking down sensitive information though, the duo tells CIO Australia, with a growing need to duplicate and back-up as part of a cyber security strategy due to the growing prevalence of ransomware attacks.

Preparing for advanced threats

Flores says ransomware is going to be huge in the next few years, especially as many targeted companies are disclosing the fact that they paid the ransom to the hackers – an action that doesn’t always deliver the results promised.

He cites an incident in Washington DC where MedStar Health suffered a ransomware attack. The attackers encrypted all the hospitals’ data and promised to release it after a ransom payment.

Doctors and clinic staff couldn’t access important patient files and thus couldn’t offer treatment, so MedStar decided to pay the ransom to access data straight away, rather than risk patient health. The cyber attackers, demonstrating unusual integrity, then did as promised and unlocked the data after $40,000 was transferred via Bitcoin, rendering them untraceable.

“Here we have a hospital probably with some big IT infrastructure, and I have to believe they had no incident response plan in place,” says Flores.

“As the FBI advises kidnap victims: don’t ever pay the ransom. And they may have said ‘no we would never pay these bad guys, it sets a bad precedent’, but when it happens to your business, or when your kid gets kidnapped, and I only ask for $10 and not $10 billion, you’d think ‘sure okay, let’s pay up’.

“We’re going to see this stuff continue, because if this result gets shared in the press, people will say well – it worked for them! Maybe we could do that. We’re just at the very infancy of that.”

To avoid being backed into a corner, Hockenberry and Flores say everything must be backed up, scrutinised and protected so that if the bad guys one day call to say, ‘you can’t access your data anymore’ you can say, ‘we got this’, delete everything, and load it back up.

“That’s much harder than it sounds, but it’s crucial,” Flores says.

“Prevention is something that you have to do - you really need to focus on discovery, containment, remediation and restoration of services,” adds Hockenberry.

“If you think you can prevent an attack, then you’re absolutely incorrect. The goal is to figure out how you can quickly identify something and restore trust with both my internal people and my customers to keep my business moving.”

More funding, less mandated reporting

Regarding the federal government’s Cyber Security Strategy released in April, the duo say every initiative is “absolutely correct”, yet there remains a real glaring omission – the funding.

“Just $230 million is not going to go very far. It may be all the budget can bear right now, but I really hope the government understands that this sort of thing costs billions and billions of dollars,” says Flores.

This reflects the tone of a recent discussion paper by the Australian Centre for Cyber Security (ACCS) that found the government’s cyber strategy was “lagging” behind many of our international peers in combating advanced technology threats by as much as 10-20 years, particularly in financial commitment.

“The government has to determine the same thing that a risk officer has to determine - what are my most important assets? Where am I going to spend the most to protect that?” says Flores.

“You can’t have a constant effort against everything because there’s not enough money or resources in the world to do that. Decide what’s important and really concentrate on that, that’s going to be different with each government agency just like it is with each business.”

Hockenberry says one area of the strategy that concerns him is the mandated public reporting of cyber incidents which, though good for the consumer, could actually be used as a blueprint for other cyber criminals in future, as well as stifling the progress of many smaller firms.

“Once an incident is reported, every company is going to have to take steps to ensure they don’t have those same gaps – that’s not necessarily a bad thing, but how many resources does a small company have to constantly be chasing that patch? You can spend all your time doing that patching instead of getting ahead,” he says.

“Smaller companies are always going to struggle. When you’re a large company, typically you have the resources to put against cyber, but for a small business of 50-100 people, you don’t really have the sophisticated IT resources.”

Everyone is a target

Smaller firms will need to hold their own in the cyber arena despite lacking the resources of larger enterprise, as they’re just as likely to be targeted.

“There’s this misconception that cyber is only a problem for large companies and banks – it’s actually every industry that’s targeted, and businesses of all sizes,” says Hockenberry. “If a bank is really well defended and I can’t get in, I’d start to look for targets of opportunity that are smaller but can still yield me some result.”

But it’s not just smaller firms that are at great risk, with many of their larger counterparts held back by outdated processes and a false sense of security.

“In our meetings with Australian businesses, we see a lot of them falling back on things they’ve always relied on, which is usually some kind of compliance framework, IT security controls and financial controls, so on. Those companies are a great risk because compliance does not equal security, especially from a cyber perspective,” says Hockenberry.

“If they’re not updating all those controls, and taking into account cyber intelligence, they’re going to check a lot of boxes but still be very exposed.”

CIO: http://bit.ly/24tuYz0
