Locked Doors, Open Windows: Failures in Guarding Private Sector Information

Deborah Lee James
Former Secretary of the United States Air Force

Not a day goes by that Americans don’t wake to the news of a new cyber intrusion affecting private sector or government networks, whether major cyber hacks at Target or Equifax, sloppy data breaches like those Verizon experienced, or nation-state-sponsored efforts like the WannaCry virus. Companies and institutions are pouring more time, attention and resources into computer network security, because the networks are so critical. But why lock the front door when you leave the windows wide open? Bad actors can launch attacks and gain access to critical information through other routes too.

As seen with the widely reported interference in democratic elections, attacks can be launched cheaply and relatively easily by criminals, nation-states, terrorists, disgruntled employees, or even good people with sloppy habits who accidentally expose critical data. As a former Secretary of the Air Force, I can tell you that Air Force networks are attacked—and these attacks are repelled—thousands of times per week.

This is why, in addition to network security, the Air Force is focusing more resources on operational security. The private sector should follow suit.

Operational security means protecting assets that depend on lines of code in software to conduct missions, whatever those missions might be. This could involve anything from protecting advanced fighter aircraft to the HVAC systems on a base where critical operations take place. It could include the MRI machine in a hospital entrusted with sensitive patient data. Our critical infrastructure—the electrical grid and transportation systems, for example—can be equally vulnerable from an operational perspective, if network security is the sole focus.

The solution is to broaden the national cybersecurity approach to include “endpoint security” for vital operational systems. Stated another way, we need to wrap firewalls around certain vital machines to ensure that an intrusion in one area will not allow for a more extensive penetration to the broader network.

Consider a fictional scenario in which a U.S. nuclear facility is breached. A terrorist group launches a “cyber-physical attack” by unleashing a virus that penetrates sensors that monitor cooling. The malware is introduced when an infected flash drive is inserted into a network laptop during maintenance to adjust, for example, process sequences. The laptop is presumed to be safe because it’s not connected to the internet—it is “air gapped.” The virus targets specific endpoints that manage fail-safe functions such as temperature maximums. The virus tells temperature sensors to stop working. At the same time, it tells other mini computers to escalate heat-generating functions. The result could be catastrophic overheating and, ultimately, a meltdown.

Such an attack, and many others we haven’t thought of yet, are preventable when control systems are more deeply protected. Each device and sensor comprising the network can and should be shielded from malware that gets through the figurative front door.

Here’s the bottom line: we need a holistic approach to cybersecurity going forward, including network and endpoint security. Focusing on one but not the other could result in crippling losses in today’s machine-to-machine marketplace.

The government and the private sector need to keep working to lock the front door, and start doing a better job of bolting the windows.

The Author is Deborah Lee James

Former Secretary of the Air Force Deborah Lee James has over 30 years of senior level homeland and national security experience in the federal government and private sector. She is also the author of Aim High: Chart Your Course and Find Success. During her time as Secretary, her responsibilities included organizing, training, equipping and providing for the welfare of The Department of the Air Force and its nearly 660,000 active-duty, Guard,...


One Reply to “Locked Doors, Open Windows: Failures in Guarding Private Sector Information”
  1. I’m a retired infosec specialist, CPP and CISSP Lifetime. You need to go further than Secretary James suggests. A more holistic approach includes personnel, physical security, and environmental security, e.g., the HVAC system she mentioned. Too much emphasis on the network and even the systems the network links has overlooked these other areas. Too often this happens because each area has its own silo with the attitude that if it's not our direct responsibility on which our performance rating is based, who cares about the other area. While someone at a higher level should be making sure that information is shared, this person is often at the VP level or higher in corporate organizations. The communication and coordination simply do not take place. A starting place is for organizations to change how ratings and bonuses are determined.