On March 6, Boston College and the Federal Bureau of Investigation convened the Third Annual Boston Conference on Cybersecurity. The one-day symposium, organized by the Woods College of Advancing Studies, brought together experts from federal law enforcement, private practice, and academia to discuss emerging strategies for countering cyber risk.
Through panel discussions and a lively attack simulation, the conference made one point clear: cybersecurity is very much about personal relationships. Given the barrage of cyberattacks that critical infrastructure operators face, it is not a question of whether a company will be breached, but when. Establishing communication networks, incident protocols, and trust between the private and public sectors is paramount to maintaining cyber resiliency once a company’s defenses have been breached.
The conference opened with a keynote by FBI Deputy Director David L. Bowdich, who provided a high-level overview of cybersecurity issues from a national security perspective. Panelists emphasized the human-centered aspects of cybersecurity, including workforce training, management, and even diplomacy to mitigate state-sponsored cyberattacks. Speakers consistently noted that all entities are vulnerable to attack, and highlighted an attack on institutions of higher education that had been discovered just that day.
The costs of increasing security were also discussed, as speakers described the challenges that smaller entities face in implementing appropriate security measures. While we recognize this challenge as well, we argue that high-cost technological fixes can be preceded by a wide range of low-tech alternatives. The threats shift quickly; it does not make sense to lock into a high-tech security fix that will soon be out of date. Social cyberdefense strategies and continuous retraining are as important as technical safeguards, if not more so.
The conference speakers reviewed sophisticated nation-backed cyberattacks. We would add, though, that even low-level attackers can cause major disruption to critical infrastructure. A recent ransomware attack against Norsk Hydro makes this point: Norsk Hydro was able to maintain its operations thanks to careful preparation.
Another conference panel explained how attacks play out within an organization, using a simulated utility response to a phishing attack. The panelists played the roles of key partners who would have to work together in the event of an attack: federal law enforcement officials from the FBI and the Attorney General’s office, a company CISO and in-house counsel, and an outside cybersecurity consultant.
The discussion highlighted the importance of having well-documented internal policies and incident response procedures. Following the initial attack in this imagined incident, a well-meaning employee noticed foreign malware on the servers and deleted it, inadvertently destroying records that were key to the investigation. Panelists noted that establishing from the outset which employees are responsible for the investigation, and who has access to which records, is essential to regaining operational control and deterring future attacks.
The discussion also highlighted the mixed signals that private companies sometimes receive from federal law enforcement. The FBI, which is responsible for identifying the perpetrators of an attack, views the utility as a victim and an ally. The Attorney General’s office, by contrast, is charged with enforcing data breach and other cybersecurity laws; to it, the stricken company is a bad actor because it is out of compliance. The utility may therefore hesitate to share critical information, or may have less trust when interfacing with any federal partner.
Regular, informal communication between utilities and government can ease tensions by allowing information to flow without triggering additional reporting requirements. Likewise, companies can protect themselves by documenting and maintaining internal compliance with cybersecurity policies.
A final takeaway came from the panel: it is essential to engage employees up and down the organization. The CISO of Eversource, a major utility in the Northeast U.S., outlined the importance of engaging the C-suite, since cybersecurity is an enterprise-wide consideration, not just the domain of IT. While he is not a fan of “scare tactics,” he makes sure that each employee, from entry to senior level, knows what is at stake.
There are legal implications to how cyber risk is managed. But doing nothing, in order to avoid making a mistake, can also impose substantial costs. Corporations must invest sufficient staff time and budget in addressing cyber risk, although knowing just how much to invest is difficult. Accordingly, top executives must decide which risks to avoid and which to accept.
We agree completely with the conference’s main takeaway: relationships matter. This is why we are devoting our attention to the “social” components of cyberdefense.