Proof of Concept: China's Threat to National Security. Also: Latest Analysis of Log4j Event; How to Secure Evolving Work Patterns
In the latest "Proof of Concept," John Kindervag, creator of zero trust and senior vice president of cybersecurity strategy at ON2IT, and Grant Schneider, senior director for cybersecurity services at Venable LLP, explore the latest threats and vulnerabilities affecting national security. Kindervag and Schneider join Anna Delaney, director of productions at ISMG, and Tom Field, senior vice president of editorial at ISMG, to discuss:
- An overview of the first-ever Cyber Safety Review Board analysis, which shares recommendations in response to the Log4j event;
- The potential danger to national security posed by a popular Chinese-made automotive GPS tracker found to contain severe software vulnerabilities and used by 1.5 million people in 169 countries;
- The dilemma for security teams that need to manage the increasing complexity of evolving work patterns and the individual needs of a distributed workforce.
Prior to joining Venable, Schneider served as the U.S. deputy federal CISO and the U.S. federal CISO and as senior director for cybersecurity policy on the White House National Security Council. He previously served for seven years as chief information officer for the Defense Intelligence Agency.
Kindervag is senior vice president of cybersecurity strategy and an ON2IT Group Fellow at ON2IT Cybersecurity. Previously, he was field CTO at Palo Alto Networks. Earlier in his career, while working at Forrester Research, where he was vice president and principal analyst on the security and risk team, he created the zero trust model. He also previously served as a security consultant, penetration tester and security architect.
"Proof of Concept" runs semimonthly. Don't miss our previous installments, including the June 22 edition on the corporate risk of using social media and the July 18 edition on the new era for digital identity.
Anna Delaney: Hi there, and welcome to Proof of Concept, the ISMG talk show where we'll discuss today's and tomorrow's cybersecurity challenges with experts in the field, and try to figure out how we can potentially solve them. We are your hosts. I'm Anna Delaney, director of productions at Information Security Media Group.
Tom Field: I'm Tom Field, senior vice president of Editorial, also with the Information Security Media Group. Thanks for being with us today. Anna, it's a pleasure.
Delaney: Tom, you've had a relatively busy summer so far, moderating all these in-person roundtables and events or summits. Tell us, what has been the highlight so far? I know you were at the Government Summit last week.
Field: The highlight so far is that this is the first Monday in a month I've been home. That's a highlight. You're right. It's been roundtables in Chicago and in Charlotte, an event last Monday in Washington DC and a roundtable again in New York City, so I'm full and flush with information from all of our speakers and sponsors and guests. What would you like to know?
Delaney: I want to know about the Government Summit. So what was the highlight for you? Main takeaway?
Field: Meeting Grant Schneider? It was a terrific event. We had excellent attendance from the public and private sector in the Greater Washington DC area. On our stages, we had every alphabet agency, from CISA to the FBI to the Secret Service to the NSA, and terrific conversations about topics that I'm sure we'll discuss today, including zero trust and the federal government's progress, and meeting the requirements of President Biden's executive order. We talked about nation-state adversaries and threats post Russia's invasion of Ukraine. I would say an ongoing theme was public-private partnership, and how this time, we're ready for it. And organizations on both sides are clamoring for it, not just in terms of what you can give me but what I can give you. So I would say it was very encouraging.
Delaney: And was there a particular hot topic in terms of what attendees were asking?
Field: One attendee came up to me midday, as the theme of public-private partnership was emerging, and he was a well-placed CISO at an organization. He came up with, "I have a question for you. I don't want to ask it. But I want you to." And the question was, "If Donald Trump gets elected president again, what happens to any momentum that's going forward on public-private partnerships?" And so, I did the responsible thing. I took the question, I phrased it appropriately, and I handed it off to Grant Schneider and asked it at his next panel.
Delaney: It's interesting how he didn't want to ask the question. So that was a bold, professional move, Tom.
Field: Because he's worked in government for so long, Grant Schneider turned that around. He said, "I don't have a question from Tom Field. But I want to pose it to the panel."
Delaney: And did anything encourage you, Tom, from these events?
Field: Yes, I would say what encouraged me were the conversations that we were having. We were talking about progress on zero trust. And we were talking about active initiatives for public-private partnership. And that's not just a buzzword. That's not just something we talk about because it's a popular thing to say. We're talking about organizations being able to share and receive real-time threat information, so they can respond proactively and not just validate that yes, we get attacked that way, these are the indicators of compromise. This is something that's for the health of all organizations, public and private. It's encouraging to see stakeholders in all aspects of that partnership stepping up and talking about what they're doing and what can be done better. So, I take that away from it.
Delaney: Positive, indeed, and here's to a calm August. So, welcoming the man of the moment, Mr. Grant Schneider, our good friend, senior director for cybersecurity services at Venable LLP and former federal chief information security officer. Great to see you as always, Grant, and well done on the event.
Grant Schneider: Great to be here. It was a fantastic event. And I thought Tom wanted to own that question. So that was why I thought I was just giving him the appropriate credit he was looking for.
Delaney: Very good, indeed. So Grant, I have a question for you. The first ever Cyber Safety Review Board report has landed and generally, it's been considered an excellent deep dive on the Log4j event. What are your initial thoughts? Did it meet expectations? Did you learn anything new?
Schneider: It was the first, so expectations were probably all over the board for people. I think it was good, and I think it's a great idea to have the board. I'm supportive of our ability as a nation to take a deep dive, look at significant incidents that affect the federal government, critical infrastructure, and all sorts of organizations. And so, I think the board did a great job of taking a deep dive, looking at the various impacted individuals, as well as how this came about, or how it was disclosed, and what the challenges were. And I think this was a good case study because of the challenges with Log4j, on just how it's implemented at different agencies, the difficulty, or even just not knowing whether you have it in your ecosystem, or where it might be in your ecosystem, let alone how to track it down and do the mitigation. So, I thought it was good for that. As for the parts around enhanced cyber hygiene and some of the future-looking aspects, I think it'll be interesting to see, as we have future reports and future incidents, that a lot of those are core fundamentals that I could almost see being largely replicated into almost any future incidents, because there are so many basic hygiene things that organizations just need to do and that haven't changed over time.
Delaney: Sure. And some have criticized that broadness of its recommendations, as you say, good cyber hygiene, and build a safer, better software ecosystem and investments in the future. Is that criticism fair?
Schneider: It's understandable. And I think the question is, if you're the board, I don't know how you can put out a report without making those recommendations, because they are messages that need to be said over and over again. And hopefully, each time they're said, a few more organizations adopt them. That said, I also understand the criticism that we could have written that report at any time in the last decade, and in fact, we probably have written a lot of those same things at any time in the last decade. So I understand the tension there. Personally, I think those parts of the report could be a smaller chunk of the report, a little more refined. But I don't know how you don't cover it. I think it's a necessary message to be told after any incident.
Delaney: Do you think the general nature of these recommendations shows how far we have to go to make critical software safer?
Schneider: Yes, we have a lot to do. And we continue to expand our threat surface by connecting more devices and interconnecting more devices, and we get a lot of productivity and functionality and enjoyment in the entertainment systems from that interconnection, but we pay a price in risk, and the people that are developing those capabilities and systems aren't always thinking about cybersecurity. That's often not their first objective. Their first objective is meeting some mission requirements. And so, getting more into the fundamentals of how the education and training of individuals that are doing software development makes cybersecurity almost everyone's number one job, as things are being developed, is what we need in order for us to get ahead of this. We can't bolt cybersecurity cleanly on at the end. We need to be doing it at the beginning. But a lot of that is fundamentals and basics that aren't always exciting. I have a friend, and I've said this before, who said years ago that cybersecurity is like working in a brewery. It sounds cool. I'm in a brewery and they're making fabulous beer and doing interesting things. And if you've ever brewed beer, or worked in a brewery, it's about cleaning stuff. It's about sanitization and making sure that nothing bad gets in and that you're cleaning everything, and it's about the basics. And cybersecurity is that way. It's about the basics. And the basics aren't always exciting. They're always necessary, though.
Delaney: There was an interesting takeaway that the board applauded Alibaba for following recognized practices for coordinated vulnerability disclosure for Log4j, but is concerned about the Chinese government's vulnerability disclosure rules, which compel researchers to tell the government about vulnerabilities within two days of discovery. So, the worry is that the PRC government could gain early access to serious exploitable vulnerabilities before they're patched. What are your thoughts? It's an interesting point. Is this a concern of yours as well?
Schneider: It's a concern of mine that China has that law. It's a concern about how it could be implemented, how it could be leveraged maliciously. It's a fair warning, because we've seen somewhat similar drafts or proposals in the US as well to have early vulnerability reporting to the government. And I would caution the US government and our lawmakers that we can't put something on the books in the US that we have concerns about in China. And it's easy for us to say, "But we're going to use it for good. We want to be able to mitigate critical infrastructure and federal systems in advance." And I understand that, and I want us to be able to do that. At the same time, if it becomes a precedent, if we have undisclosed, unmitigated vulnerabilities being reported to governments, less friendly governments are going to follow suit, they're going to have the same laws, and they're going to point at us and say, "We're doing the same thing as the US." I think it's a warning for us. It's a concern with China, though, having that on the books. And I also applaud Alibaba for appropriately following what I would coin as international norms and what we expect from the cybersecurity industry.
Delaney: Yeah. And complex. As always, Grant, this has been brilliant. Thank you for your thoughts on this. Appreciate it. And, Tom, it's over to you.
Field: Excellent. I have the opportunity and the privilege to introduce a frequent guest here. He is called the father of zero trust. I call him the godfather, and some people even know him as the senior vice president of cybersecurity strategy with ON2IT. John Kindervag, it's such a pleasure to see you again.
John Kindervag: Hey, great to see you again, Tom.
Field: I understand the state of Texas has released you; you've been out and back out on the road, out in the wild. What's it like to be back traveling?
Kindervag: It's insane. I spent all of June and July on the road. So, we saw each other. You, I, Anna, Grant, I saw somewhere in there, maybe RSA, so I've seen everybody in person within the last two months. And it's good. The world needs people to see each other face to face. There's just demand for that.
Field: I agree with you 100%. I know that you spent significant time in Europe. Tell us, how is the conversation about zero trust any different in Europe now than what you've seen in the US? And is it top of mind for the people you met?
Kindervag: Given the fact that I like to say the world is flat because TCP/IP made it flat, we're all directly connected to the world's most malicious actors. So, I think the people in Europe have faced the same challenges. And as we've talked before, you and I, several times, the presidential executive order gave people in the US the freedom to think, "I could do the zero trust stuff. It's okay, because the incentive structure has changed." I found that that resonated all the way over to Europe. There was a lot of discussion about the presidential executive order that happened in May of 2021. And they're aware of that. And so, it seems to have changed the incentive structure over in Europe as well.
Field: Do you see any other government mandate that has the stature of the executive order?
Kindervag: There are different governmental compliance or regulatory efforts in almost every country. The executive order is more of a carrot for other countries because they're not mandated to do it according to a law, like you would have to follow it if you were a US federal government agency, but it's all about incentives and feeling good about doing what you're doing. So, they now feel like it's okay to talk about zero trust. It's no longer the first rule of Fight Club. As I've joked so many times, it's okay to talk about it. And then that emboldens people to want to talk about it and want to do it, and that's very gratifying.
Field: In your lifetime, John, you're going to see the GDPR of zero trust.
Kindervag: Maybe. I don't know what's going to happen in my lifetime. I've been around for so long that a lot of things have happened that I never would have imagined happening.
Field: I'm going to give you your Chinese flavor of this conversation now. As you know, cybersecurity researchers have found some severe software vulnerabilities in a popular Chinese-made automotive GPS tracker. It's used in 169 countries and poses a potential danger to highway safety, national security and supply chains. CISA said in a statement that it was not aware of any active exploitation of the vulnerabilities. First question for you: are we inflating the problem about this?
Kindervag: Absolutely not. We're not inflating it. It's having an awareness of it. Because the first time that somebody cuts off the fuel line to some truck on a highway and it crashes and kills people, and we find out that it was caused by this particular vulnerability, everybody will want to know why we weren't aware of it. So, you have to disclose it early and often. Secondly, it speaks to what is the fundamental problem, which is that when people design things, they aren't thinking about everything that could possibly go wrong. And they're not incentivized to think about what could possibly go wrong. And therefore, a lot of things can go wrong. And especially in an industry like this, the manufacturer of this device maybe knew that there was a problem, that they could add more security, but I'll bet it's a very low-margin sale. So, they didn't want to add something that would cost an extra 25 cents, which to you and me means nothing. But if you're selling millions of something, 25 cents an item adds up quickly. So, this is a great example of one of the fundamental problems we have: the disconnect between the people who make the technology and the people who have to secure it, and the lack of incentives to build technology that has security controls in it, so that we can do something to protect it.
Field: Good point, the sprint is always prioritized ahead of the security. How do we deal with this?
Kindervag: You have to have something that makes people want to do things the right way. I've struggled with this my whole career. My first experience was with morphine infusion pumps, and trying to talk to manufacturers to put some security controls in there for security people, because you had very little, and they just didn't care. "It's not going to benefit us." Well, but what about the poor patient? "Not our problem." So you've got to make it everybody's problem. And I don't know if you do that with legislation. I don't know if you do that with some other sort of governance. But there has to be something. People will sometimes do the right thing. But more often, they have to be dragged, kicking and screaming, to be forced to do the right thing. And that's what we need to do.
Field: Full circle. We're back to the GDPR of zero trust in your life.
Kindervag: Maybe so.
Field: With that, let me bring Anna and Grant back. Anna, please?
Schneider: I think the first aspect is just culture in general, from an organizational culture, where you're trying to build a community inside of any organization, and that goes for your security organization and the entirety of your organization. We learn so much from each other just interacting that we are not even aware of. And I think that some of that is lost when you can't have teams that get together. I think you're also with your teams when you're in person, everyone's in person. And so, you're getting to share with everyone as opposed to sharing with your favorite person at work, who maybe you do call 10 times a day or 10 times a week, and you're able to have that interaction. So, I think it's a challenge across the board for learning about an organization, your craft and growing in your field. And, as John said, humans are meant to see one another in person and face to face.
Delaney: John, what about the specific security concerns for you?
Kindervag: I'm not concerned about the security problems because I think we've solved that. We proved during the pandemic that we could securely deliver access to corporate resources, no matter where anybody was. And one of the big incentives or big drivers for the growth of zero trust was the pandemic. So, the security things aren't a big issue. You're not more secure if you're in the office than out of the office. But you might learn a few things. But in general, people don't want to go back to the office because for their day-to-day work, they don't need to be in an office, which is the downside of the technology we enabled during the pandemic, because we made it so seamless to work away from the office that you think, "Why should I go into the office?" And a lot of companies are seeing that when they tell people to come back to the office, they find another job where you don't have to go into an office. So, you have to ask the question: why do you need people in the office? And sometimes there are compelling reasons to have people in the office, and I think when those things occur, then people are willing to go. So, have an event, have a special meeting, but not every day. But if you try to pretend that you need them to go to the office, and the real reason is, "I'm paying for the real estate, and I want to get my money's worth," then that's not a compelling reason for the average employee. They don't care about that particular problem you have.
Delaney: Tom, are you hearing the same?
Field: I am. And I think that they've nailed it. What we're in is a cultural shift right now. And I think that the focus of this culture shift is on the tension between those that want people to return to a central office and those that want to maintain their independence. And the focus is on that discussion. Meanwhile, the adversaries are taking advantage of divide and conquer. They've got people in disparate offices and are now able to focus social engineering efforts on individuals, where it used to be that if you saw a suspicious email come through with an attachment, you could look up or go into the next office and say, "Take a look at this, how does this look to you?" That's gone now. And I think that there are more people that are falling victim to some of these social engineering schemes because of it, or they're being taken advantage of by external actors and becoming unwitting insider risks, which is a whole other issue to deal with. That's the conversation I wish we were having more, and not just about where you happen to set your laptop down today.
Kindervag: And that conversation is easily solved within the zero trust realm, where we say, what are we trying to protect? So, if you have a perimeter defense, it's not going to work, whether people come into the office or not, and maybe if there's a problem, somebody could go to the next cube and ask somebody, but they might not know anyway, and every company has ways to report suspected phishing emails and all that kind of stuff. And they all have security awareness training, and whether that's useful or not is still a question. But if we can protect the digital assets, the data, the assets, the services, then we're going to enable remote and on-premises work. You're even seeing changes in interior design. I would go to places and this whole area used to be cubicles, and now it's multifunctional workspace with pool tables, because they've acquiesced to the fact that people are only going to come in occasionally. But I do think the upside is that it gives thoughtful leaders opportunities to create reasons for people to want to come into the office, whether it's a special event or something else. When I was in Europe, I had large crowds in these offices that had come in to see my presentation. So that became a special event, and there's some food and all that kind of stuff. People still go out and do a lot of this business in pubs and bars at night. So, that hasn't slowed down. So, there are other ways to accomplish the same goal as opposed to the movie The Hudsucker Proxy kind of world of corporate America.
Field: This is why he's the godfather.
Kindervag: It's a circle. Remember that?
Delaney: Yeah. We're social animals, after all. So this has been a brilliant conversation. Thank you very much, gentlemen. I really enjoyed this. John Kindervag and Grant Schneider, thank you for your time and insight.
Field: Gentlemen, thank you. Anna, as always.
Delaney: It's been a pleasure. Thank you.
Schneider: Thank you so much. Really appreciate it.