Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

January 2020
The WSJ Pro Executive Forum packed in short sessions with small panels and a lot of punch.

By David Hechler
Clockwise, from top left: Catherine Stupp (WSJ Pro), Omar Khawaja (Highmark Health) and Alissa Abdullah (Mastercard); Anne Neuberger (NSA); Jamil Farshchi (Equifax) and Jo De Vliegher (Norsk Hydro)
Photos Courtesy of The Wall Street Journal
Top photo, from left: Catherine Stupp (WSJ Pro), Omar Khawaja (Highmark Health) and Alissa Abdullah (Mastercard)
Bottom row, from left: Jo De Vliegher (Norsk Hydro) and Jamil Farshchi (Equifax); Siobhan Gorman (Brunswick Group), Kim Nash (WSJ Pro) and Andy Ellis (Akamai); Anne Neuberger (NSA); James Rundle (WSJ Pro), Nasrin Rezai (GE) and Keven McNamee (Nokia)
THE NATIONAL SECURITY AGENCY WANTS TO CHANGE THE WAY IT’S VIEWED BY THE PUBLIC. In fact, it has to change, according to Anne Neuberger, new director of the NSA’s Cybersecurity Directorate. “If the public we serve doesn’t trust us,” she said, “then something has to change.” They need our help to keep us safe, explained Neuberger, who assumed her post in October.
     To keep companies apprised of future threats, the NSA will soon issue unclassified advisories, warning of the danger of attacks on the cloud, she said. The agency will also add advice on how these may be countered.
     Neuberger was speaking at the WSJ Pro Cybersecurity Executive Forum, held in Manhattan’s Conrad Hotel in early December. Though no session during the one-day conference was billed as the keynote, Neuberger’s came right after lunch, and her comments were the ones that broke news. It’s not every day that the NSA sounds ready to talk to Oprah.
     But this wasn’t the kind of conference that built to a crescendo. It was the kind that just kept humming. Neuberger’s session was one of only two that lasted 30 minutes. Most were a brisk 25. Two were only 15. The panels were limited to no more than two experts and a reporter (the shortest ones were solos). The surprise was how much ground they covered.
     There were lessons learned from data breaches, warnings about IoT vulnerabilities and about the risks of foreign technology. Other sessions tackled supply chain security and the limits of cyber insurance. And the panelists didn’t summarize what most people already knew. They often drew on personal experience and offered practical advice. Here are some of the highlights.

Handling the Post-Breach Chaos
In the first session, “The Year in Hacks,” two expert panelists dissected the Capital One hack. The bank had moved data into the cloud, using Amazon Web Services, and “mostly did it right,” said Andy Ellis, chief security officer at Akamai, which provides cloud services itself. But often clients have a problem with the transition, he said, partly because cloud providers don’t always work closely enough with them. Transition periods in particular are often when problems occur, he added.
     Siobhan Gorman pointed out that the bank’s initial response was to assure customers that no personal data had been compromised. Except for that of about 200,000 people, the bank added “almost in the same paragraph,” she said. That was bad communication, said Gorman, who was a journalist for nearly 20 years before she became a cybersecurity and privacy partner at Brunswick Group. Companies need to carefully plan their responses to avoid ad libbing, she said.
     The next session delved deeper into this subject. In “Lessons from a Data Breach,” Jo De Vliegher, the chief information officer of Norsk Hydro, talked about the ransomware attack his company weathered last winter. The giant aluminum company, based in Oslo, shut down its systems and refused to pay. A week later it had 20,000 unpaid invoices, De Vliegher said. And the number was rising by 6,000 a day. “It was pure chaos.”
     The other expert on the panel was Jamil Farshchi, chief information security officer (CISO) at Equifax.  He was hired in February 2018 to help right the ship after the massive breach the company revealed in September 2017.  He’d played a similar role at Home Depot, where he arrived a year after it had suffered its own breach in 2014.  Farshchi spent nearly three years helping the company recover. The post-breach reality is often exhausting and demoralizing, he said. When he arrived at Equifax, having survived that experience, “I think I was over-confident,” he said. The situation was very different from what he’d found at Home Depot.
     De Vliegher confirmed the toll of fatigue. Getting through the first 30 days is what everyone expects will be the hardest. But it actually gets worse, he said. After a month, everyone is wiped out from the effort. And they see that they’re nowhere near back to normal. Hydro had to create three work streams. One focused on old business; a second on current business; and the third struggled to build a new infrastructure. In addition to communicating with customers and suppliers, De Vliegher said, the company recognized the importance of keeping the teams informed of the big picture during recovery: successes, failures and lessons learned.
     Near the end of their session, Jamil issued a warning. “I don’t care how good your technology is, your infrastructure is, any company can be breached,” he said. “We are at war here.”

The Real IoT Headaches
The real risk to worry about, according to the panelists who spoke on “IoT and the New Frontier of Risk,” is botnets. Internet of things devices don’t have protection built in, said Kevin McNamee, director of threat intelligence at Nokia. And they already represent 60 percent of today’s infected devices. They have to be watched and monitored, he said.
     A decade ago employees started bringing their own devices to work, which introduced new vulnerabilities—and BYOD policies—into the   workforce. “You now have to think about IoT devices very similarly,” said Nasrin Renzai, global chief information and product security officer at GE. Part of the problem, she said, is that innovation is coming from smaller companies that can’t always afford to build security into their devices.
     The greatest danger, McNamee said, is that these devices will become launch pads for botnet attacks. Mirai botnets are Exhibit A, he said, but they were just the start. When the 5G technology arrives, he warned, the problem will be exponentially larger.
     For companies that are part of the country’s critical infrastructure, Renzai added, this is a huge issue and an added responsibility. Also a shared one: “Resiliency is not just resiliency of one piece,” she said. “It’s the resiliency of the entire ecosystem.”
 It sounded bleak. But a question from the audience brought a glimmer of hope. Can AI help with monitoring? Renzai said that sensor systems can monitor devices and are already being tested at companies like GE.

Supply Chain Scrutiny
The basic question introduced during “Striving for Supply Chain Security” was: How does a company get comfortable with vendor risk? You have to look at the risk each supplier represents, said Alissa Abdullah, deputy chief security officer at Mastercard Operations & Technology. What data of yours do they have? “Who has the crown jewels and who has the chatter?”
     Highmark Health used to assess risk by the size of the vendors, said Omar Khawaja, the company’s CISO. But that didn’t turn out to be a good   approach. Large companies often have great security, he said, but may not have very much of your data. Small companies may have a lot or a little—but very poor security. And the data allocation can change at any time. So you really have to stay on top of each company, he said.
     The two firms take a different approach to vetting. Mastercard starts with security questionnaires. Then they add on-site assessments. And each supplier has an engagement partner from Mastercard who continuously monitors performance, Abdullah said.
     Highmark, on the other hand, has given up on questionnaires. “The value of the data that comes from the questionnaires is no better than a coin toss,” Khawaja said. The most important question is: Who filled it out? If the answer is a salesperson, the results will be different than if it was a security employee. Even if there was no intention to mislead. So now, rather than using them, Highmark sends out assessors to audit the supplier for months before filing a report. Every year, Khawaja said, new controls are added and Highmark obtains a new monitor report.
     At the end of the session, an audience member asked the panelists if they’ve changed anything after reading about cyberattacks that hit companies through vendors. Abdullah said that Mastercard does lots of exercises to sharpen employee skills. They even have an escape room in which participants must answer cybersecurity questions to get out. 
     When Highmark learns of a particularly egregious attack, “we pretend like that happened to us,” Khawaja said. “What would we do?” Lessons    learned can be really valuable. “The best mistakes to learn from,” he concluded, “are somebody else’s.”