7 Key Lessons To Be Implemented For The Cyber Supply Chain

 

I am close to wrapping up the manuscript for my 16^th book, which is about the Data Privacy Laws, and how to come into compliance with them.  In this piece, I focus on three key pieces of Legislation:  The GDPR, CCPA, and the CMMC.  Of course, I could not cover each and every page of these Legislations, so I just wrote about the major tenets and provisions that exist from within them.  I have even included a separate chapter that provides a brief framework as to how businesses can come into compliance with these Data Privacy Laws.

So, by coincidence, I came across an article this morning that describes the compliance efforts that Solar Winds took to help remediate and inform their key stakeholders as to the security breach that had occurred (this is more formally known as a “Supply Chain Attack”).  The author of this article points out the flaws and the inconsistencies which took place in this reporting process.

For example, on 10/30/23, the SEC filed a legal complaint against Solar Winds.  The actual text of this complaint can be seen at the link below:

http://cyberresources.solutions/blogs/Solar_Winds.pdf

Basically, the legal document that was filed accused Solar Winds of "misstatements, omissions, and schemes that concealed both the Company's poor cybersecurity practices and its heightened —  and increasing — cybersecurity risks.”

(SOURCE:  https://www.darkreading.com/cyberattacks-data-breaches/solarwinds-2024-where-do-cyber-disclosures-go-from-here)

But as this legal document came out, and made its way into the public, the criticism of the SEC started to pour in.  For example:

Ø  The SEC was too slow in addressing anything.

Ø  The legal document is just a “slap on the wrist” and does to prevent future attacks like this from happening.

Ø  The CISO took all the blame.

Ø  Any future hiring of CISOs will now be carefully monitored as a result.

Of course, there are other many complaints as well, but these are some of the major ones I found in the article.  But, it is interesting to point out here that the Cybersecurity troubles actually started for Solar Winds way b.  in 2018, when it made its filing for an IPO.  In its statements that were made, the SEC accused Solar Winds of simply making “boiler plate” assumptions about the particular level of Cyber Risk.  In other words, they offered no evidence to back up the statements that they had made, such as providing results into any Risk Assessment Study that they may have conducted of their digital and physical assets.

But as time went on, and as the weaknesses and gaps became more prevalent and known to the key stakeholders, none of the upper brass took any initiative to disclose them actually fully. Here is what the SEC even said about this situation:

“Even if some of the individual risks and incidents discussed in this Complaint did not rise to the level of requiring disclosure on their own … collectively they created such an increased risk …" that SolarWinds' disclosures became "materially misleading."

(SOURCE:  https://www.darkreading.com/cyberattacks-data-breaches/solarwinds-2024-where-do-cyber-disclosures-go-from-here).

But even despite these stark statements made by the Federal Government, the gaps and weaknesses only got worse.  And so from here, the story goes, nothing was done to remediate these holes, and as a result of it, some 1,000+ victims were impacted, ranging from the private sector and to the public sector as well.  Some of them included the smallest of the Mom-and-Pop Shops to the largest of the large, such as Microsoft, and various Agencies within the Federal Government.

My Thoughts On This:

So now, the big question is how do we go from here, to make sure that this is prevented.  Although I am by no means a compliance or Data Privacy expert, here are my thoughts, based upon my knowledge in my years of Cybersecurity:

Ø  *Stop the blame game.  Don’t’ simply make the CISO the first target to shoot at.  Everybody is responsible to some degree or another if a security breach does indeed happen to a business.  The first thing that should be top of mind is restoring as quickly as possible business operations as quickly as possible.  Then conduct a detailed forensics examination, to see what exactly happened.  Then point the fingers at who is to really blame.

Ø  *It should be Federal Law that companies, no matte how large or small they are, must report any security breach to key stakeholders, law enforcement, and the regulatory bodies within hours, and not wait for four days, which is the current allowance.

Ø  *It is a fact that Solar Winds depended a lot upon other vendors to carry out their work.  This is why this particular hack was called a “Supply Chain” one, because of all of the parties involved.  In my opinion, it should be a Federal Law that businesses have to show complete documentation as to how they have vetted and hired a Third-Party Supplier in this regard.

Ø  *The finger pointing must stop here and now.  Of course, this would only happen in a perfect world, not the real world in which we live today.  As a country and as a society, we need to be much more proactive and not reactive like we are today.  But, this only comes from leading by example.  In other words, if an employee is required to maintain a strong level of Cyber Hygiene, so should the C-Suite and even the Board of Directors,  for that matter.

Ø  *Just like the Department of Homeland Security (DHS) was created right after 9/11, the same needs to be said for a Department of Cybersecurity.  At the present time, the states are running rampant with creating their own Data Privacy Laws, which can vary greatly.  Therefore, we need some sort of central body at the level of the Federal Government that can create common Data Privacy Laws, as a well as a set of Best Practices and Standards so that everybody can have an equal playing field, so there is no more ambiguity.

Ø  *The sharing of intelligence and other types of data and information must be greatly increased, and this can only happen with a centralized body overseeing all of this.

If I*If a  Department of Cybersecurity were to be actually created, then all of the regulatory bodies and agencies must reside here.  By having them spread out across different arms of the Federal Government makes it much worse when trying to instill a degree of accountability.

SoSo, here are my thoughts on this matter.  More to come in the future.

How To Avoid Being Caught In Global Based Cyberwarfare

 

Although the scope of this blog is to remain as apolitical as possible, sometimes it’s not just that easy to do, especially when you are talking about nation state threat actors, such as those of Rusia, China, North Korea, Iran, etc. 

I also have to be honest and say that this year so far has been amongst the worst that I have ever seen for geo-related conflicts.  For instance, there is the Ukraninan war, the Hamas war, and now even possibly a war with Israel and Iran.

Although these wars are bring fought with the traditional means to do so, there is yet another angle to do this:  The Cyber Warfare that is taking place.  Of course we can’t feel it or hear it, because it is all taking place in the digital world. 

But believe it or not, there are victims of this as well, as we have seen in the Ukraninan war. For example, hackers from Russia have directly attacked its Critical Infrastructure causing havoc to all of its resources.

An example of just horrific this is, click on the link below:

https://www.darkreading.com/ics-ot-security/kyivstar-mobile-attack-ukraine-comms-blackout

So if you are unfortunately in the midst of experiencing this kind of crisis, there are key steps that you need to take to protect yourself and your business.  Here are some of them that you can take:

1)     Employee Safety:

First and foremost, remember always that your employees and other subcontractors that you may have hired are probably amongst the greatest assets that you have.  Thus, you need to take every precaution that is possible, at least from within the confines of your business.  If you have a remote workforce, then check up on your employees periodically to make sure that all is well.  By taking this kind of approach, you will truly show your employees that you care about them and their wellbeing.

2)     Backups:

Apart from your employees, your Datasets are your next big assets.  But as we know today, this is one of the prime targets for the Cyberattacker.  Therefore, as I have written about many times for clients and even here on my own blog (and even in my books), backups are totally essential.  You cannot do without them.  You need to maintain a regular schedule of doing this for however it fits your security requirements, and always keep in mind that you have to maintain multiple copies of your backups.  If you have an On Premises Infrastructure, then of course this will be much harder to do.  So, my advice to you in this regard is to use the Cloud, such as that of Microsoft Azure.  They have great tools already available for you to use.

3)     Cybersecurity Training:

This is probably the next important item down the rung here.  Your employees have to maintain the strongest levels of Cyber Hygiene that are possible, and the only way you can do this is by training them.  So just like how you do your backups, you also need to maintain a regular schedule here as well.  My recommendation is at least once a quarter, and it should be given in person directly.  But don’t make your training sessions as a “one size fits all” approach.  It needs to be specific and tailored to the audience that you are teaching.  For example, if they are members from your finance and accounting departments, then you need to educate them more about the tactics of Social Engineering, and how to spot BEC Phishing Emails (this is an acronym that stands for “Business Email Compromise”, and it is a kind of attack where the sense of fear and urgency is targeted towards these departments in order to wire a large sum of money to a phony, offshore account).

4)     Perimeter Security:

It is imperative that you get away from this kind of security model.  It assumes that you have one line of defense circling and protecting your business.  But despite how fortified this is, once a Cyberattacker breaks through it, they have complete reigns over your IT and Network Infrastructure.  So to avoid this from happening, implement what is known as the “Zero Trust Framework”.  This is where you segment all of your digital assets into different zones, and each one has its own layer of defenses.  The thinking here is that if they can break through one zone, the chances of them breaking through all of the others becomes almost statistically insignificant because of all of the authentication mechanisms that are involved.

5)     Sharing:

In order to keep ahead of the game, you need access to intelligence.  The only way that you can get this is by forming partnerships with others in your industry to share that level of knowledge.  Also, there is a greater movement now in the Cyber industry for even more extensive partnerships to be created between the academic, public and private sectors.  I know for a fact that the FBI and Secret Service already do this, as they offer seminars to the public so that such knowledge can be shared.  Also, you can contribute to and get a wealth of information from such sources as the NIST, CISA, OWASP, etc.

My Thoughts On This:

Apart from taking these above-mentioned steps, don’t forget this one last thing:  Have your Incident Response, Disaster Recovery, and Business Continuity plans in place and ready to go if they are needed.  Also, make sure that you take the time to rehearse these as well, so all of the people that are involved with these plans will know exactly what to do.

Many business learned the hard way during the COVID-19 pandemic by not having these kinds of plans in place.  But make sure you are not caught again “with your pants down” in these uncertain times.

The Impacts Of Liquid Cooling On AI Datacenters

 

When we think of AI, hear about it, or even use it, we often think of ChatGPT.  While in a way this is correct, Generative AI (from which ChatGPT is derived from) is just a subset of AI.  For example, there are other areas as well, such as Machine Learning, Computer Vision, Neural Networks, Large Language Models, Natural Language Processing, etc.

But yet, there is yet another area of AI which will receives almost no public attention whatsoever, and those are the companies that own the datacenters which house the servers to host the AI applications.  But a point of clarification is needed here.  Although many of the AI applications are now SaaS  based, and in fact, you can even create and host your own AI app on Microsoft Azure – you still need a physical server to host all of this software.

Because of the huge growth in AI, there in turn has been an increased demand for datacenters.  In fact, if you listen to a business channel like CNBC, you will see them even talk about the stocks of some of these companies that own these datacenters.  For example, some names that come to mind here include Vertiv, Advanced Micro Devices, Nvidia, Iron Mountain, etc.

The demand for datacenters is going to be red hot in the coming years.  In fact, it is predicted that the entire AI market will be worth well over $1.3 Billon in just revenue alone.  This represents a staggering growth rate of over 37% from today’s numbers.

(SOURCE:  https://www.marketsandmarkets.com/Market-Reports/artificial-intelligence-market-74851580.html)

Given all of the servers and networking technologies that a datacenter has to contain, the temperature in them can get very hot.  As a result, these physical infrastructures need to be cooled on a 24 X 7 X 365 basis throughout the entire year.  But, despite the profits that are being made, the costs of cooling, take a big chunk out of that – it can be almost as much as 40% for a datacenter’s electricity bill. 

(SOURCE:  https://www.computerweekly.com/news/366568452/Datacentre-operators-face-capacity-planning-challenges-as-AI-usage-soars)

Because of these staggering costs, many datacenters are now opting for another form of cooling rather than the traditional ones.  This makes use of water, as now referred to as “Liquid Cooling”.  At least here in the United States, the datacenters rely upon a freshwater supply for cooling – this is the same source that provides us with our drinking water.  Although we think that water is a plentiful resource that we will never run out of, consider these statistics:

*The typical datacenter uses at least 1-5 million gallons of water, on a daily basis.

(SOURCE:  https://www.washingtonpost.com/climate-environment/2023/04/25/data-centers-drought-water-use/

*Almost a third of the world’s servers are located here in the United States.

(SOURCE:  https://www.usitc.gov/publications/332/executive_briefings/ebot_data_centers_around_the_world.pdf)

But now, we are facing an imminent water crisis, brought on by two fronts:

*The sheer amount of water shortages that are now happening because of global warming and an increased demand for more drinking water by our population.

*The increased number of Cyberattacks against our Critical Infrastructure, namely that of our water supply lines.  More details on these kinds of attacks can be seen at the link below:

https://www.cnn.com/2023/12/01/politics/us-water-utilities-hack/index.html

So now the trick is for datacenters to start to rely upon other means in which to procure their water resources.  Considerations have been given to the options:

*Using sewer water, and even water from the oceans.

*The deployment of more advanced freshwater tracking technologies to get an accurate view of just how much fresh water is actually being consumed.  More information about this can be found at the link below:

https://datacenters.lbl.gov/water-efficiency#:~:text=Key%20best%20practices%20for%20water,Evaluate%20chillers%20for%20replacement

*Procuring grants and other sources of funding from the Federal Government to look at alternate means of using less fresh water, but yet will maintain the current levels of cooling that are needed by a datacenter.  In fact, the Department of Energy) just announced a grant of $40 million in this regard.  Details on this can be seen at the link below:

https://www.energy.gov/articles/doe-announces-40-million-more-efficient-cooling-data-centers

*Building out the datacenters in areas of the United States where the temperature is cooler, and there is an abundant supply of other forms of water, such as water from the Atlantic and Pacific Oceans, or even in the Gulf of Mexico, and the surrounding Great Lakes regions. 

But from the standpoint of Cybersecurity, more effort and initiative has to be taken to shore up the defenses on our water supply lines.  This is not just a local or state issue, rather, this is something that must be addressed and fully funded by the Federal Government.  But it is important to keep in mind that our Critical Infrastructure is made up entirely of technology and equipment that was made back in the 1970s.

In fact, many of the vendors that made these parts are probably no longer in existence.  So, it is not just a matter of ripping out the old stuff and putting new ones in to help solve the Cyber problem.  At the present time,  this simply will not work.  The only option we have is to add more layers of security, but this has to be done very carefully, in order to ensure that whatever is deployed will be interoperable and compatible with the old stuff.

My Thoughts On This:

So now the big question is:  “What if my datacenter runs out of a fresh water supply, or it is hit with a Cyberattack?”  The fundamental answer to this comes down to proper planning.  You need to have an Incident Response Plan, a Disaster Recovery Plan, and a Business Continuity Plan to address this.  Two areas of focus should be:

*Sourcing a secondary source of freshwater for your datacenter in case of any interruptions.

*Beefing up your lines of defenses in case you are indeed hit with a Cyberattack, and your cooling systems were the primary target.

So as you can see, in order for all of this to work, it is going to take a huge partnership with the private and public sectors, and even that of academia in order to make all of this work. But it can happen, over time, which is something we do not have the luxury of right now.

Finally for more details on how our precious water supply systems can be further protected, click on the link below:

https://www.scmagazine.com/perspective/heres-how-we-can-make-water-utilities-more-secure

The Key Fundamental Cyber Question That Needs To Be Asked And Answered

 

Today’s blog is a little bit different than the others, and yes, that means no AI!!!!  This is an issue that I have addressed many times before, and even in one of the books that I wrote about on Risk and Cybersecurity Insurance.  This is the topic of whether a CISO is really understanding what they get when they purchase a holistic, end to end Cyber based solution.

What got me to this topic was an article that I had read this morning about a Cyber Executive who interviewed many people in the industry to see what kinds of trends exist in their buying patterns.  Here is what he found:

*Not planning the solution in its entirety.  In other words, asking questions and evaluating the product and/or service to make sure that it addresses all of our needs.  In other words, CISOs very often look for curing the symptoms and not the actual cause.  Once they have found something that can do this, they immediately jump at it without thinking clearly if this is what they really need.

*CISOs are often taken aback by all of the bells and whistles that comes with an all-inclusive security package.  For example, if a dashboard looks sleek, that is the catalyst that decides if they will buy or it not.  Or now, the big thing is Generative AI.  If the package comes with it, buy it!

*CISOs very often don’t take a close look at the triaging process and the legitimate warnings and alerts that come through.  Very often, they leave this to their IT Security teams to filter through.  But IMHO, this is the wrong approach to take.  It is this very process that paint the entire picture of what exactly is going on the IT and Network Infrastructure.  It’s like taking aspirin to stop a chest discomfort without seeing the doctor to determine the underlying cause and to see if further action is needed. 

*Another area of key weakness is that CISOs do not adopt and enforce is a software patching process.  Instead, if they even do have a process in place, they often rely on automation which may or may work.

So, what does the author recommend as to how a CISO should make their purchasing decisions?  He starts off with first that an organization needs to have a comprehensive Security Program in place first, which should answer these fundamental questions:

*Examining all current processes for your lines of defenses, and asking this question:  “Why are we using it?  Give me the reasons.”

*Your current strategies for fending off an imminent threat, and how to even deal with those that are lurking about your IT and Network Infrastructure, when you finally discover them.

*How quick is the response time?  This is where the key metrics of the “Meant Time To Detect” and the Mean Time To Respond” become especially critical.

*What are the current methods for Incident Response, Disaster Recovery, and Business Continuity?  Are there even plans in place, and if so, how often have they been rehearsed?

*Who is part of the Incident Response team, and do they know what they need to do if they are called upon during the time of a security breach?

To help the CISO address all of the issues, and even more, he recommends following the Security Framework as outlined by NIST.  It can be downloaded at the link below:

https://www.darkreading.com/cybersecurity-operations/biggest-mistake-security-teams-make-when-buying-tools

He gives his own model for Cybersecurity, which is as follows:

“Program = Tool + People + Processes + Goals”

(SOURCE:  https://www.darkreading.com/cybersecurity-operations/biggest-mistake-security-teams-make-when-buying-tools)

In my writings, I have produced something similar, but with not as many variables in it.  This is as follows:

Great Cyber:  People + Technology

In other words, to have truly effective lines of defense for your business, you cannot rely too much upon one side or the other.  You need both, as the model proposed by the author also suggests.

Towards the end of the article, the author also points out two key areas the CISO also needs to address in crafting their plans.  They are as follows:

1)     Involve everybody:

In Corporate America today, people still think that all issues that are related to technology fall onto the shoulders of the IT Department.  While the proverbial buck does stop here, it is important to remember that each and every employee has to tow their own line for the collective good!!!  In other words, “Cyber Hygiene” is not just left to the IT Department.  Everybody has their role in this, to make sure for example, that they recognize the signs of a Phishing Email and discard it.  Or, creating long and complex passwords with the help of a Password Manager.  It takes all of the employees to fill the cracks!!!

2)     Conduct Risk Assessments:

This is one area in which I have belabored heavily upon.  In order to lay out your Security Framework, you first need to identify all of the vulnerabilities that are present.  Simply put, this means inventorying all of your digital and physical assets, and ranking them on a numerical scale in terms of their degree of vulnerability.  Of course, those with the highest ranking should receive immediate attention, by either putting in new controls or upgrading the existing ones that are in place.  Also, by conducting this kind of Assessment, you will know where all of your security tools lay at, and from there, you can then decide if you really need them or not.  This is called decreasing your Attack Surface, and will enforce the efficient use of the tools.  Remember, by having too many of them, you widen the gap for the Cyberattacker to penetrate into.

My Thoughts On This:

To be honest, I agree with the author on these points.  As a CISO, if you are considering procuring a new solution, ask this basic question:  “Am I really addressing the underlying issue or just the symptom”?  By thinking along these lines, you and your IT Security team will go a lot further in staying ahead of the Cyberattacker.