Recently, we checked in with Junaid Islam, a well-known cybersecurity expert, about “Automated Continuous Threat Testing”.    We continue this conversation to discuss the increased cyber risks Enterprises face due to the current geo-political environment and actions they should take to mitigate cybersecurity and operational risk.

Junaid is a Senior Partner at OODA. He has over 30 years of experience in secure communications and has led the development of many network protocols including Multi-Level Precedence and Preemption (MLPP), MPLS priority queuing, Mobile IPv6 for Netcentric Warfare, and Software Defined Perimeter for Zero Trust. He founded Bivio Networks and Vidder, the first Zero Trust access control solution which he sold to Verizon. Currently, he advises NASA on network protocols and recently developed the first interference-aware routing algorithm for space communications. Junaid is also on the Board of XQ Message, a Zero Trust Data Protection start-up.

“On the front line of this geopolitical battle are Enterprises.”

Pereira:  In 2018  you wrote a blog post on CTO Vision that Cyber War is a 3 Way Cage Fight between China, Russia and America; has your opinion changed in the 5 years you wrote that?

Islam:  Unfortunately, Russia and China have decided not to be a part of the global community and have instead decided to focus on their strategic, technological competitive advantage, no matter what the cost.  However, we don’t need to fight alone to protect the free world; we have friends and should work them. This includes private and public companies and coalition partners. We must build up our relationships with our domestic industry partners and global partners.

Pereira:  At the end of our previous conversation, you mentioned growing geopolitical risk Enterprise’s face. Do you want to expand on that thought?

Islam:  Right now, the free world – the United States and democracies from Europe to Asia – are fighting Russia and China, who are controlled societies. Being in an open society we let anybody connect to us. Russia and China are taking advantage of America’s openness to conduct asymmetric warfare.  State-sponsored cyberattacks have become a tool for Russia and China to weaken America’s infrastructure and information systems without declaring war.  On the front line of this geopolitical battle are Enterprises

Pereira:  There are two aspects of the national security challenge as it relates to cyber:  One, the fact that everyone “brings their A-game” when they play the Yankees or the Dodgers – or a few years ago I would have said the Red Sox or the Patriots, right? With cyber, it is against the U.S. that everyone brings their A-game.  Secondly, cyber conflict is not asynchronous, which results in the sheer volume of everyone – state, non-state, and individual actors – bringing their A-game simultaneously.

Islam:  Russia utilizes non-state actors to attack America while China utilizes its global supply chain to infiltrate America.

“The fact that the intelligence community is partnering with the cybersecurity community is fantastic.  The old approach of using government procurement is too slow to counter Russia or China.  We need a collaborative framework.”

Pereira:  So there is an increased threat, and we need new ways to combat it.  I will get to the notion of defense versus offense in a second. So, with all that: What do you make of the timing of this Joint CISA CSA and the amount of collaboration we are now seeing.

Islam:  It really has to do with today’s geopolitical reality.  Both Russia and China are being extremely aggressive. And the United States and Western Europe, and certainly Ukraine, did not ask for a war with Russia. It was completely unjustified.  China decided to get aggressive with Taiwan, again; unjustified. Taiwan never threatened China.

Pereira:  What Easterly and Krebs have done in terms of public-private partnership, they are the model for all other agencies in terms of the health of that strategic partnership approach and the true collaboration going on at CISA with industry.  For example, there are whole sections of these new joint advisories that have direct private-sector contributions. It is a significant, real-time contribution.  Industry is really pitching over there.

Islam:  The fact that the intelligence community is partnering with the cybersecurity community is fantastic. It is unfortunate it took so long. The old approach of using government procurement is too slow to counter Russia and China.  We need a collaborative framework. In today’s cyberwar we need to be able to be able to respond instantaneously.

“Offensive cyber operations are risky because any cyber attacker can login to a system of a different country.”

Pereira:  Related to this topic, there is also the criticism that we do not do enough offensive cyber messaging and signaling.

Islam:  Offensive cyber operations are risky because any cyber attacker can log onto the system of a different country and launch their attack from there. So the problem with offensive cyber security is attribution. Cyber attackers always log onto a third-party system, or log onto a third-party system that logs onto another system, and logs onto another system.  To immediately attack a country or a user based on a specific IP address is very foolish because there is an extremely low probability that is the real site.

Pereira:  I have to admit, I have sometimes questioned how metered out the attribution process is and how patient the market is for a clear narrative to emerge from a cyber incident.

Islam:  I think what we really need education. We need more awareness and education in the form of advisories, more partnerships between the US national security establishment and private industry. There are a lot of cool technologies, and things we should do without reservation, but ideas like offensive cyber operations are extremely dangerous.

“All big Enterprises are really a collection of supply chains with distributed data to enable cross functional operations.”

Pereira:  You mentioned the weaponization of the supply chain as a risk exposure for Enterprise.  Can you elaborate?

Islam:  All big Enterprises are really a collection of supply chains with distributed data to enable cross functional operations. This has really happened over the last few decades and are now the norm: do what you are good at, and you buy everything else. You might be good at assembling a car, but the brakes will come from a brake expert. Car seats – someone else. The continuous data exchange enables the extended Enterprise to operate as a unified entity.

So having an extended supply chain just makes economic sense, but that increases our vulnerability because now not only do we have to worry about our own cybersecurity, we also must worry about the cybersecurity of our supply chain partners.

“The supply chain has extended in every dimension.  This makes the threat surface of companies more vulnerable.”

Pereira: If I put my systems thinking hat on, my intuition’s telling me that continuous threat testing and evaluation as a layer of the IT supply chain makes a lot of sense. Specific, continuous testing and evaluation of supply chain vulnerabilities…

Islam: …that is right, that’s a core of zero trust; continuous monitoring based on risk.  You must watch your mission critical systems and sensitive data like a hawk.  The good news is we have new tools and technologies. But you must know what your risks are and then develop a strategy to manage them.

You need to have a good understanding of the operational model of your enterprise and that of your partners. We must look at the enterprise, not as a financial entity, but as a tightly integrated ecosystem where partners add value.  Once you have your operational model in hand, you then identify those risks that will cause your company to halt operations.  Those risks then determine your prioritization of resources.  You then implement your data protection and monitoring systems. That is the heart of Zero Trust.

So, the good news is all the solutions we have talked about (analytics, automation, ML-based security tools) are enormously powerful and relevant to that. Yes. But here is the rub:  You must know what is going on in your enterprise to know where to point your analytics and automation on that global supply chain.   The supply chain has extended in every dimension.  This makes the threat surface of companies more vulnerable.  What we need is a clean and fresh approach to cybersecurity. We need to rebuild the stack. 

“The risk to human life is real.”

Pereira:  We did some coverage recently on an Industrial Control System advisory from the NSA.  What are your thoughts on ICS and continuous threat testing?

Islam:  One of the areas of concern to the United States government, as we move to a high-tension climate, is that Russia and China will launch a cyber-attack on industrial sites and cause physical damage.  The Chinese government has made it known that industrial systems are a legitimate target if we intervene in Taiwan. Our industrial control systems are very vulnerable as most are built using Chinese components with built-in vulnerabilities and are hanging on private sector networks which are not very secure.

Consider a factory with any type of furnace or high temperatures processes.  Or facilities that have high voltage transformers. Or chemical or petroleum refineries. The risk to human life is real. We should not fool ourselves to say Russia or China will never hurt Americans.  This is why you are seeing so many advisories released by DHS/CISA, and we need to take them very seriously. They would not be sending out these advisories unless they had some real facts to go on.

There is nothing unique to Industrial Control Systems versus protecting the Enterprise.  Except securing an ICS is very complex and costly.  In fact, many ICS are not upgradeable thus industrial sites might have to consider creating partitioned networks with application layer gateways and strong identity-based access. However high the cost of ICS cybersecurity it’s still a fraction of the cost of equipment sabotage.

“Learn from Ukraine…Don’t wait until the conflict is at your doorstep.”

Pereira:  One last question. For the past few months, you’ve been advising Ukraine’s Ministry of Digital Transformation of protecting their Enterprise environment.  Are there any specific lessons learned you think are valuable for Enterprises here?

Islam:  Yes! Within days of Russia crossing the eastern border, Ukraine’s Ministry of Digital Transformation moved government data to AWS.  This enabled the Ukrainian government to maintain civilian services even as its data centers were destroyed because its Enterprise infrastructure was now virtualized and decentralized.

Learn from Ukraine. Enterprises should prepare for war.  Don’t wait until the conflict is at your doorstep.  Enterprises should look at their entire product life cycle and move mission critical data to redundant storage and compute facilities to ensure continuous operations if a site goes down.  And of course, consider a zero-trust data protection model.