Hyper-connected world requires decisive action now

By Nancy Doniger
Correspondent

If an intruder approaches a business with a crowbar and attempts to forcibly enter, the business owner responds by calling 911. If that same person sees their mouse moving by itself — and they aren’t using the computer — or a demand to pay money to gain access to their computer, who are they gonna call?

The odds are good if it’s a large business that they will have an incident response plan (IRP) in place and will know what to do. But the same attack could be curtains for any small or medium-sized business if it hasn’t prepared. Critical time will be lost figuring out what to do and who to call.

Responding to physical versus cyber crime was among the scenarios envisioned during the sixth annual North East Annual Cybersecurity Summit (NEACS) at the Trumbull Marriott. The recent conference drew hundreds of business leaders, government officials, law enforcement agents, IT and security professionals, and other interested parties. It offered insights on cybersecurity risks and threats, as well as strategies to protect against and respond to cyber-attacks, data breaches and fraud.

Acknowledging that everything is dependent on the digital world, Pamela Gupta, security expert and conference chair, emphasized that business leaders, state and local officials, law enforcement officers and individuals must be more agile and take a structured approach to cyber security to fend off catastrophic attacks.

“2017 had record-breaking damages and  financial losses resulting from natural disasters totaling at $306 billion. It is important to consider that large-scale cyber-attacks threaten to match, if not exceed, these costs for businesses and insurers in the future That’s why we’re here today. We have a lot of informative sessions to help understand the risks, impacts and preparation to meet cybersecurity challenges to business,” Gupta said in her opening remarks. Lack of cyber security literacy in the business community led Gupta to organize the summit six years ago.

Drawing upon a unique combination of more than 20 years of technical, process, policy, and business experience, Gupta founded her company, OutSecure Inc. 10 years ago. OutSecure Inc.  provides consulting to public and private sector clients in the areas of privacy, security, cyber crime, breach management, and cyber strategy. They are helping clients solve complex security problems such as integrating security into business processes, threats from emerging technology, deploying securely in hybrid clouds, buying the right cyber insurance and more.

Utilities are particularly vulnerable to cyber attack, according to Arthur House, chief cyber security risk officer for the State of Connecticut and NEASC keynote speaker. That’s because people can survive for a time if the power goes out, but they can’t live without potable water. Pandemonium could result from a lengthy outage. House served for four years as chairman of Connecticut’s Public Utilities Regulatory Authority.

“Connecticut is taking the risk very seriously and is known as a model for collaboration,” House said. An annual review determined the defenses Connecticut has instituted to protect its utilities are “adequate,” he said. However, “the worst thing to do is say all is well. The enemy is complacency.”

Aquarion, Avangrid, Connecticut Water, and Eversource participated in the annual review, which stated that “new, powerful viruses and attack vectors” were “unleashed during the past year,” according to a Connecticut Business and Industry Association report. None of the state's four utilities reported they were among a group of U.S. utility companies notified by the Department of Homeland Security or FBI that they were penetrated by Russia or other nation states, the CBIA report stated.

Response to manmade and natural disasters is primarily a state and local responsibility — not federal, House noted. He previously served as director of communications in the Office of the Director of National Intelligence and as chief of the Communications Group for the National Geospatial-Intelligence Agency, a combat support agency of the U.S. Department of Defense. As a White House Fellow, he was special projects officer on the staff of the National Security Council.

“I’m trying to drive home the fact that this is not an academic exercise, this is real,” House said. “It affects us everyday, it affects businesses right here in Connecticut. If you've been compromised, it’s an expensive hit from the bottom up.”

House said people often ask him, “Are we safe? No, we’re not safe. Of course we’re not safe. If we were, I wouldn't have this job. No person, no business, no government is safe from a cyber attack if cyber criminals can penetrate our intelligence agencies, our military, top corporations, the White House. We have to let that sink in.”

He cited the fact that the plans were stolen for the F-35 Lightning II Joint Strike Fighter — “the most advanced aircraft in the world” — the Black Hawk helicopter and the Aegis Anti-Missile Defense System from Sikorsky and Pratt and Whitney, “right up the road” from the Trumbull Marriott.

The national security industry, large businesses, banks, insurance companies, state government and law enforcement are aware of the risks and have made cyber security a top priority, but too many people are oblivious to it, House said.

“They feel they’ve heard enough bad news and don’t want to hear it anymore,” he said. “I'm worried about small- and medium-size industries. Most businesses have never done a risk assessment of any sort, according to a CBIA survey.”

He said business leaders need to start now — before an attack happens — to confront the risk and make an IRP so the damage isn’t extreme, so they’re familiar with what needs to be done to keep their business operating.

House cited a staggering 4.8 billion connection hacking attempts monthly in the United States.

Two billion are rejected, and some don’t meet protocols protecting health, tax records and personal identifiable information, but 19% get through, he said.

More trained cyber security technicians are desperately needed to fill a shortage of 300,000 jobs in the United States, 4,000 of which are in Connecticut, he said.

House said businesses want people with a two-year associate’s degree, not a four-year college degree because the knowledge they learn has to be current, not more than four years old. These are good-paying jobs that start at $50,000 to $80,000, he said.

Cybersecurity isn’t just an IT concern, everyone has a part to ensure they are safer online, he said. Resources are available at www.ct.gov/ctcyberlibrary to ensure all levels of Connecticut users, from home computing to businesses and government organizations can stay more secure online.

Following House’s talk, attendees could choose from a variety of high-impact sessions about a broad range of topics. Some of them were Make the Tables Turn: Get the Most out of Your Incident Response Plan Tabletop Exercise; Big Data analysis and Cyber warfare, Deeper Trends in Cyber Security and How to Manage Them; and The Shape of the Web: Nation States, Corporations, Globalization and the Search for Cyber Standards.

The Women in Technology Panel Discussion brought together female professionals from insurance agencies and other industries to explain how the different perspective women provide enhances a company’s cyber defense arsenal. The panelists encouraged more women and girls to consider a career in this dynamic field with lots of openings for good-paying jobs.

The most humorous session — The S in IOT Stands for Security — had a decidedly dark undertone. Mario DiNatale led the session, billed as a “hilarious journey through epic fails in IOT,” the Internet of Things. “What are you going to do when your light bulbs start connecting to the Dark Web? How would you know if they were? Are they already?”

Pamela Gupta emphasized that it was not all doom and gloom, she had chaired an industry effort at Internet of Things Security Forum, IotSF, on creation of a IoT Security self-certification framework that addresses security for Iot devices in their entire ecosystem —  to help develop better strategies for IOT moving forward.

A coalition of local chapters from renowned international associations for audit and security professionals presented the all-day conference.

You can learn more about NEACS here.