Securing Wall Street from Cyber Risks
Good morning from New York City and welcome to our Bloomberg panel discussion on securing Wall Street from cyber risks. I'm Erik Schatzker an editor at large at Bloomberg Television and it's great to see you. Our distinguished and accomplished panelists today are two of the fishel the officials excuse me most responsible for protecting this country from cyber attacks. Eric Goldstein is the assistant excuse me executive assistant director for cyber security at Cisco Cyber Security and Infrastructure Security Agency inside the Department of Homeland Security. He studied law and public policy and grad school at Georgetown worked for a precursor to system then oversaw cybersecurity at Goldman Sachs before returning to government in his current role in February of 2021. Executive Assistant Director Goldstein welcome. Thank you. Great to be here. And Brian Waldron is assistant director of the FBI ISE Cyber
Division. He's an engineer who earned his MBA at the University of Michigan and then worked for Procter and Gamble and Merck before joining the bureau in 2003. Over the past decade his responsibilities have ranged from strategic operations for FBI counterterrorism to dismantling multinational criminal gangs. He was appointed to his current role in March of 2021. Assistant
Director of Waldron. Welcome to you. Thank you very much for the opportunity to be here. Well we're delighted to have you. There's a great deal of interest in this panel gentlemen to keep things easy and flowing along nicely. From here on I'm going to address you by your first names Eric and Brian and to the audience before we begin. A couple of notes to we. We do have three polls we'd like you to participate in. So be sure to pay attention and respond when I prompt you. The choices of course will come up on your screen. And if you have questions submit them using the Q and A widget
you'll find on the console on the side of the console. And I will do my best to work them in if something should go wrong. You know what to do. Refresh the browser and hope for the best. Let's get started. Eric and Brian just by way of preamble your agencies are obviously both parts of the same government. They work closely together on cybersecurity and cybercrime and ultimately they share many of the same objectives. But that's an important but there are differences that are highly relevant to the conversation we're about to have. And so I think it would be useful if we started by having you Eric. As assistant executive assistant director briefly frame
how CIS approaches the problem of cyber attacks on Wall Street and then having you Brian as assistant director of the FBI explain the way you think about it and the bureau's approach. So Eric wanted to begin by framing the problem and how you look at it. Of course. Thanks so much Eric ISE. We really have a single minded focus of helping every organization in this country particularly including our critical infrastructure like the financial sector understand evolving cybersecurity risks and then implement the mitigations that are known to be effective in reducing the likelihood an impact of a cybersecurity intrusion.
And of course if an incident does occur helping organizations respond and recover and then rapidly sharing information to help protect other potential victims. And so in this way we are really a victim focused organization helping to protect against and prevent intrusions and reduce impacts when they do occur. In that mission we work extraordinarily closely with our core partners including and of course the FBI as well as the owners and operators of private networks themselves who of course are accountable in the first instance to actually deploy security controls and mitigations across their networks. Because at the end of the day cybersecurity is inherently a partnership. And our role here is to support and enable better networked
defense. But we can only do that if we work in concert with our partners at the FBI who are focused on the threat after themselves and with network defenders across the country who are actually the ones on the ground deploying protections to make sure that we understand the threats that are manifesting. I could take actions in response. Sure. Thanks for the questionnaire. You know I think to echo some of what Eric Goldstein said. We have a tremendously diverse and decentralized work force in the FBI. We can arguably put an FBI agent and on any doorstep in this country within an hour and probably in 70 countries within about a day. The dead victim focus permeates the FBI ISE eco
system as well when we look at cyber. But what differentiates us from CIS is simply that we are focused on the response and investigative side whereas Eric described their focus on the response and mitigation that defense side. But the tandem partnership between us insists and collectively with our private sector partners really forms that three legged stool of effectiveness for investigation on the threat response side and net defense on the asset response side and the FBI. We view ourselves as sometimes the action arm and sometimes an enabler. An enabler. TER ISE see partners but sometimes an action arm for indictments or arrests or extraditions or you know to work with private sector partners to flow intelligence back from them to our partners in the ICC or to assist as well. But it really is a team sport. I think that's something you will hear repeatedly from Eric and myself today is that we're all in
this together and private sectors partnership with us is absolutely paramount because they probably see ninety five percent of the threats that we face. Brian you just described the FBI ISE organizational structure as being diffused and it sounds to me that by comparison system is more centralized. Is it also helpful to think of the FBI as being being threat focused let's say insists on being more threat agnostic. And I'll let Eric Goldstein speak for. But forget the ISE perspective. We are certainly threat focused. We are looking at multiple criminal threats whether that's ransomware bot nets banking Trojans third party services telephone smartphone applications that contain malware. But then obviously the big nation states of Russia China and North Korea. And I ran up the
indicators. A compromise in the TTP ISE of all those threats are specific and certainly informed. This is activity on the net defense side. So if it's okay with you I'll let Eric Goldstein round out that part of the question. Great. Thanks Brian. You know I'd said Cisco we are absolutely threat informed. What I mean by that is if you look at these sort of cybersecurity practices that are generalizable across threats. If you're deploying multi factor authentication if you're adopting zero trust principles where you're locking down your most sensitive accounts and data and you're segmenting your network so an adversary can move across it those are going to be effective against every known cyber adversary. But at the same time we
also know that there are some mitigations that there are some indicators of compromise some exploited vulnerabilities that are unique to certain adversaries BDA nation states or cyber criminal groups. And so we also work very closely with our partners in the FBI elsewhere of government and our international partners to understand what the adversaries that we care most about are doing so we can drive prioritized adoption of those mitigations and controls that are most effective against the adversaries that are most likely to compromise American networks and cause harm. A key message that you've both both excuse me stressed repeatedly is the need for more cooperation between the public and private sectors on cyber risks. And the implication it goes without saying is that you're not getting enough not getting as much as you want. And Erik you have worked on both sides as I explained before on the in the public sector. You've worked in the private sector. Why is this the case. Why would Wall Street in this example that we're taking on today be hesitant to cooperate with the government on safeguarding threats that everyone recognizes or critical.
I think the framing here needs to be that these cybersecurity risk environment overall is extraordinarily challenging and we are seeing cybersecurity adversaries continue to invest in advanced capabilities. We are of course seeing ransomware actors become increasingly commoditization and these scores of ransomware affected organizations public and private across the country and indeed the world. And so with that framing we need to keep assuring and advancing the public private partnership really every day. You know this is a journey of an ongoing improvement. I think we have seen extraordinary advances in
public private partnership over the years. And the financial sector really has led that model including of course through the financial sector information sharing and analysis counsel the efforts ISAC as well as other bodies. And so there is certainly extraordinarily robust collaboration ongoing but that collaboration needs to continuously deepen and evolve as our adversaries evolve as well. Within Cisco we have a fairly new construct called the Joint Cyber Defense Collaborative or J.C. DC that really is the focal point for network defense operations for both critical infrastructure as well as the U.S. government. And so we have members from Bryant's team at FBI partners across the government joining together side by side operating in virtual environments to collaborate every day around the emergent cybersecurity threats and vulnerabilities that we are seeing. That's just one example of how the partnership model needs to evolve over time. If we say we are good enough we know the adversaries will keep investing. And so we have to keep maturing so we can actually stay ahead of the threat. Could we
talk about the hesitancy for just a moment more. There are executives I'm aware of some of them who think that the government is just you know snooping around using cybersecurity as a pretext for peering into P.I.. Right. Personally identifiable information or even client data. The best thing that we can do as a U.S. government to help resolve hesitation with working with us is by showing value is by showing organizations that by engaging with CSA engaging with the FBI that they will get information and expertise support the ability to collaborate seamlessly across sectors that help them protect their enterprise and help them protect their customers. And so every moment that we can show value that we have an
interaction where a Cisco a CIO at a major corporation can say they are more secure today because they engage with sister and our partners that we've done our job. And that's the most effective thing we can do to resolve hesitations about that sort of collaboration in mind. This chime. Sure. Please go ahead. Jump in. Thank you. You know to echo some of what you're going to see said you know one of the best ways for any organization to diffuse those myths would be to build those relationships. Now whether that's with the FBI or Cisco as the two primary inject points through
domestic intrusions here in the United States certainly the FBI has personnel in every city in this country to enable the building of those relationships in real time right now. But that will allow those corporations those organizations those academic institutions to talk through all of these issues when the waters are calm before the storm. So when the storm does arise everybody is prepared and understands the lanes in the road. I can assure you that there are ways to mitigate all of these concerns. We've done it for many many years effectively with many different organizations. But those conversations on the front side are absolutely paramount. I was going to say that this issue came up during your congressional testimony Brian on ransomware that took place a few months ago.
Cybercrime victims such as a company that's losing millions of dollars a day while its systems are offline don't necessarily share or perhaps even care about the FBI ISE priority which is catching criminals and preventing them from committing more crimes. Doesn't that create trust in government. Is a problem enough. But doesn't that create an additional trust gap that's so difficult to close. I guess have a few thoughts on that questionnaire. The first would be that our position especially on ransomware attacks in the US government is that certainly we don't recommend paying the ransom because it just fuels the criminal enterprise and strengthens the adversary. But with that said we also understand that these are business decisions for every organization out there. In a simple manufacturing environment we understand that
downtime of production line equates to real time revenue and real time profits for a corporation. And there is an absolute equation to be drawn out about how much downtime a corporation or a manufacturing entity can really sustain until it's simply worth it for them to pay the ransom. What we would ask of all of these targeted entities or victims is to think a step forward outside of the immediate here and now. And that's the following. If you share with us there is the potential that we can prevent others from being victimized. We know that's not a mathematical equation that can be solved in the moment which does again speak
to the pre work and the necessary necessity of an instant response plan and exercising the answer response plan. But if we think downstream the way we get our hands around this as a country and as a team focused on a common purpose is really through that sharing of intelligence and intrusions in real time. And I'll end with this. We estimate within the US government that we have reporting on between 20 and 25 percent of the total corporate organizational academic intrusions here in the country. A data set that's 20 to 25 percent deep will never allow any of us the government private sector or our foreign partners to truly understand the totality of the picture so we can be effective at trying to mitigate it.
So just to be clear if I understand what you just said you don't have data on 75 to 80 percent of the intrusions that are taking place is that correct. That's our best estimate yes. I need to take a deep breath for a moment. That's kind of that's that's a problem. It's a huge problem especially as we try to predict trends. Certainly we can do the best with what we have but we'll never again. Just to reiterate this said we will never be in a position as a country. It's not about the government it's not about private sector but as a country as a unified team. To
mitigate this this threat or to impose costs on our adversaries or to make their way of doing this is so complicated that it's not worth it for them anymore. We'll never be effective with 20 to 25 percent of the data. Gentlemen I'd like to bring our audience in with the first polling question. And here it is folks. Please pay attention to your screens. What do you consider your biggest threat to data security. Again this is a question to our audience. Choice number one employees sharing did inappropriately or leaking a deliberately choice number to zero day vulnerabilities in your hardware or software. Choice number three phishing or spear phishing attacks. And choice number for employees communicating
on channels outside of your monitored network. Erik and Brian I'm going to give the audience an opportunity to answer that question. And we'll come back to the poll results in a moment. But in the meantime I'll put the question to you. You're the experts here. How about we rank order what you consider to be the biggest threats to cybersecurity on Wall Street. Eric what's
at the top of your list. You know I think if you look at these cybersecurity threats that are affecting every organization remarkably phishing and spear phishing still remain the most utilized intrusion vector for many adversaries. And so I think if we look at at the mitigations controls that are most effective in driving down no intrusions that would actually be at the top of my list. I'll also offer a bit of a nuance to one of these which is you know zero day vulnerabilities are of course extraordinarily concerning and really imply the need to again focused on adopting zero trust principles limiting what an adversary can do if they gain access. But across the board we are still seeing many intrusions utilizing no one vulnerabilities. So not even zero day vulnerabilities vulnerabilities that have been known
for months or years. And this is not specific to any sector or really across the board at Cisco. We recently launched a catalog of no and exploited vulnerabilities which is a list of about three hundred and thirty or so vulnerabilities where we and our partners have seen adversaries using the vulnerability in the wild to exploit organizations. And so any entity should make sure that all of those vulnerabilities are are patched and mitigated as a top priority of their cybersecurity program. Just to share with you both the polling results as they stand right now 15 percent of the audience is going with no one employee sharing data properly or leaking it deliberately. Twenty six percent is going for number two. Those are the zero day vulnerabilities. No surprise here based on what you just said Erick almost half
of the audience says that phishing and spear phishing are the number one threat they face. And option number four which was employees communicating outside of monitored networks is is only registering with 10 percent. Brian how about you. Could you rank order starting with number one what you think of as the biggest risks to cyber security.
Yeah. I'll take a little bit of poetic liberty if that's OK with you outside of your standard ISE or questions. But I mean when you look at the data right the financial sector has seen about a 65 percent increase in magnitude attacks against it in the last five years. It remains an incredibly highly tempting target to commit financial crime or threat social destabilisation from a prolonged service outage. You know the financial industry
specifically is very vulnerable. Upstream disruptions through third party services and third party applications. It's obviously dependent on power and connectivity and communications. All those things speak to supply chain. But when you put into The Factor ransomware groups ransomware attack actors have targeted the financial sector during the time and a process to destabilise mergers and acquisitions having a direct impact on the financial sector. You know SIM swapping remains a concern. New mobile malware variants remain a concern specific to Covid-19. Our data says that 97 percent of banks had to accelerate telework adoption practices and mobile activity on laptops phones because of Covid and not understanding third party services and apps and remote work and telework capabilities is yet another vector of exposure. But I think the message I would leave all of you with in terms of financial sector is the one about supply chain governance and visibility.
You have to know who your supply chain providers are. You have to know who the third party services and how providers are. You have to know what normal operational traffic for your network looks like. So those are just some additional thoughts I might add in addition to what Eric Goldstein mentioned. Brian examples just like paintings speak a thousand words. Could you pick perhaps one or two. Hacks cybersecurity breaches that you're intimately familiar with and use them to illustrate some of these points that you're making and perhaps even the ones that Eric has made as well. Sure I'll stick with the one that we all know about which is
solar winds from about a year ago. These solar winds is your traditional software as a service third party vendor. Vulnerability you're at the end of the day it could have affected eighteen thousand businesses right from one compromise force. Multiply it out is eighteen thousand businesses. You know the U.S. financial sector must understand that. Third party services third party applications through trusted partner relationships. Nest has specifically provided guidance about what companies and organizations should look for in terms of third party services and apps and supply chain vulnerabilities. So that would be the one I would sit with her just because it's so well known and the potential impact to so many corporations and organizations could have been so fast. Eric is there an example that you'd said that you think is
illustrative that has some lessons we ought to learn from. You know one example that I'll cite Eric which is really a vulnerability than an incident. But of course the recent work that the cyber security community did around the log for a software vulnerability which really you know for those who may not be aware law for J is an extremely widely used software library used in millions of devices and products around the world. In early December the cyber security community identified
identified and easily exploitable vulnerability in the software library that could have enabled adversary exploitation of countless devices and products around the world. And what we saw is a real call to action by network defenders not only in this country but really globally to rapidly understand exposure and deploy protections. But I think one of the lessons learned from this work is the criticality of understanding the software and hardware running on the network and then actually what's included in that software that really is foundational table stakes to any effective cybersecurity program. But it's actually also one of the most challenging things to do for a complex large organization particularly one that's running a lot of legacy infrastructure at Cisco. We're putting a lot of effort into driving adoption of software a bill of materials which which our process processes to understand not just what software you're running on your network but also what should be components of that software which really expedites one's ability to understand impact from a vulnerability and prioritize remediation. And so I think this was an effort where we saw great efforts from the cybersecurity community. We have not yet
seen the sort of prevalent damaging intrusions that we were so concerned about although certainly we know that adversaries remain focused on this vulnerability. And certainly any organization operating software with the vulnerability to take steps to mitigate with great urgency. Gentlemen your comments thus far have prompted a couple of questions which I'm going to introduce into the conversation. The first one has to do with with what you just said Brian. So we'll pose this question to you. And if Eric you want to jump in afterward with anything feel free. What is stopping regulation from forcing critical industries such as financial services not to use third party software that hasn't been properly for lack of a better term vetted. Now the question as to who does the vetting is something we'll leave aside for a moment. But it's a
valid question why is everybody free to use whatever regardless of how risky it may be. Is there not something that the quote unquote government could do in the way of legislation or regulation to help in that regard. Here I'm going to let Eric Goldstein respond to that question because that's squarely within systems mission space. Certainly the XPRIZE. I think the the important takeaway here is that every organization needs a strong third party risk management program that is grounded both in the right security principles and then implemented in a prioritized way. So that third parties and vendors with those key trust relationships that could be abused by an adversary are subject to the utmost scrutiny. And those connections are tightly monitored and tightly managed. And the organizations works works
through those scenarios where what do they do. If a trust relationship is abused how do they limit the blast radius of the impact that an adversary could have if they are able to move from a vendor or supplier network onto the company's enterprise network. Certainly financial institutions are driven in part by regulation have adopted strong third party risk manager programs. But each of those programs needs to be discreetly tailored based upon a business of your organization your way that they use third parties and suppliers. The relationship with those third parties of suppliers with them will dictate the sort of controls and scrutiny that a given supplier should undertake.
And I hope you'll both be encouraged by this question. And I'll directed to you first Brian. This goes back to cooperation between the public and private sector and that 75 to 80 percent gap that you describe in awareness of what's actually happening in the way of cyber security breaches. What types of information do you want us to share with the FBI and with Cisco. Be prescriptive. Sure. There's a few standard reporting mechanisms into the US government and we're proud to say that a call to one is a call. And that also includes any financial institutions out there that have an ongoing relationship with Secret Service as they're deeply invested in that sector as well. But for the FBI the primary reporting structure would be through your local field office or to w w w DAX. I see three dot gov. Which stands for the Internet Crime Complaint Center. But bottom
line the more detail that can be provided and the more timely that information is provided the better we will all be positioned to help. That in Colonial Pipeline resulted in the seizure of millions of dollars of ransom paid. Now that is a difficult scenario to replicate but it is possible at times put information such as the initial attack vector when the compromise was originally found and located. Whether your systems are safe segregated is their impact on the I.T. and the team or just the I.T. or just the OTI. Is there a signature indicator of compromise that would allow us to identify an actor or a nation state on the attack. All these levels of detail would be very very helpful for us. Another one in ransom were the specifically helpful is are there immediate backups available now. Would allow all of you to forego paying the ransom into one of the things the FBI can do if we're asked is we'd be happy to share the data we have on the ransom work groups. Right. And some of the data and I can't go into great detail here but some of that data is very very powerful for
corporations to know before they enter negotiations with a corporation with a ransom or a gang. But bottom line the more specific the more timely the better position we will collectively. I would want Eric to have the opportunity to chime in because they have parallel reporting. But again for all those out there the call to one is a code all.
So you don't have to report to the FBI and the system to report to CIS or report to the FBI whoever you have a relationship with. And we'll share the information between us. That's exactly right and would would fully endorse all the Brian it just outlined. Also call out a useful hole a government Web site here which is stop ransomware dot gov. Which is a Web site developed jointly by SIS the FBI the Secret Service other partners that provides the most up to date guidance on how to detect identify mitigate and recover from W from ransomware intrusions. And then also on this Web site outlines. As Brian noted the ways to report both to the FBI and to SIS. And as noted there is no need to report to both organizations unless somebody is inclined to. But reports are shared seamlessly between our two organizations. And so any entity the most important thing is to report to the. Because once it's reported the US government can offer help to the victim but the victim
doesn't want help. Even if the victim has it covered internally or with a third party. We can then help figure out how to protect others and help to prevent the same after the same intrusion from happening again. And so really the encouraging point is you know whatever you report sister or the FBI just report so we can help others. It could we just. Would you mind each repeating the websites that you just described. I'm not able to put them up on the screen for people. And so I just
think it would be good if you repeated them. Eric you just mentioned one. And then Brian. I think you mentioned two certainly. So the website I mentioned is stop ransomware dot gov. I would call a whole of government Web site to learn about how to prevent ransomware and also report incidents. Of course viewers can also go to assist the dot gov which has a broader information to report the system there as well. And for us in the FBI our kids. W w w but I see the number three dot com. So I
see three dot com. But we would dot gov. I'm sorry. I see three dot gov. But I would say listen the FBI for over 100 years has been built on personal relationships and while the reporting mechanism is available and should be used we also would really encourage institutions out there to build a relationship with their local field office FBI field office cyber squad today because that personal contact having someone's cell phone in your back pocket is perhaps more valuable in the moment. Can I ask you both a question about timeliness. Maybe I'll direct that you first Brian. I think it's obvious to everybody that information decays in value over time. I'd like you first. How quickly do you find companies reporting those companies that do report cyber intrusions. How quickly do they tend to report them. Because I know you know thinking organizationally there are a lot of traps that companies have to run. Once they realize that they've been
breached. And how quickly do you want them to respond. How quickly should the CTO or the chief information security officer perhaps even the general counsel pick up the phone and call the FBI or call system. So your question absolutely underscores what I think from the FBI ISE perspective would be my primary takeaway for the audience which is build those relationships now with sister with the FBI develop an incident response plan and exercise it at the numbers. The people's names in that instant response plan have to be personally known to all the personnel in the financial
institution where you work. But timeliness matters in all crimes. We can provide data on business e-mail compromise and the financial fraud kill chain on child abductions on any number of other crimes. Time matters. It really matters. And the bottom line is us. The faster organizations report to us the better position the US government will be to potentially help save potentially help because at times just in full transparency there is nothing that we can do to aid the victim in a better way than therapy and aided by their third party and response firm. But we can absolutely help
other future victims from being victimized and we may be able to serve as an action arm either unilaterally within the FBI or as an enabler with U.S. Cyber Command or other partners of Arras to bring pain to the adversary. As a result of the victims sharing with us in the moment. But again that starts through planning today. OK know I want to direct something to you. We've called this panel securing Wall Street from cyber risks. But to be clear Wall Street is a writ large can't sort of concept. It doesn't just encompass the securities industry. It extends to commercial and consumer banking asset management alternatives insurance payments and increasingly crypto as well. Anywhere I like to think money is on deposit in transit or being invested. Now collectively the companies in these businesses spend billions of dollars every year on cyber security but we don't know how effective that spending is. This is your area of expertise. I like to think how secure is financial services as
an industry relative to say something else we might think of as vulnerable to a cyber intrusion or attack like the energy industry or public infrastructure. The financial sector has made extraordinary investments over the years in cybersecurity. Some of the best leaders and experts in the world call the sector their home and certainly the sector has pioneered both novel technologies for cybersecurity but also collaborative models including the FSI ISE Act that I that I mentioned earlier. So certainly the financial sector is on the leading edge of our nation's critical infrastructure in deploying the right cybersecurity controls to meet their mission needs. Now it bears noting as as my colleague Brian explained that we are of course aware that certain adversaries do seek to target the financial sector which means that institutions need to continue evaluating and testing their controls. In light of what we understand our adversaries to be doing and planning and developing and of course there is inevitably some degree of asymmetry between institutions in the financial sector which is why it is so important for SIS and our colleagues to work not only with the largest entities but also smaller and regional organizations providers of financial infrastructure and even dependencies across sectors to ensure that we are maintaining the integrity of the financial system for all of the different participants. Erik as you noted in your question at SIS we spent a large amount of time focusing on understanding dependencies and interdependencies within and across sectors so we could do just that work. So even if we assume that people are sophisticated entities in a given sector have the right controls
have mature security programs against known and emerging threats. We also understand where there may be dependencies that require further support and further assistance to avoid introducing Boehner abilities into the broader ecosystem. Could you comment further on the asymmetry issue. We know for example that.
Money center banks global banks such as JP Morgan spend hundreds of billions of dollars a year on cyber security. Does that make the money and data housed inside a bank like that. Safer than say the money and data stored at a retail trading platform like Robin Hood markets. So certainly when assessing the the both maturity and effectiveness of a given security program it's important. Understand first of all investment because investment in the
right security controls that are tailored to a given risk environment should inherently lead to better security. But of course one also has to look at the adversaries that are targeting a give it institution and also the dependencies that a given entity has. And so our goal at CSA is to ensure that every organization makes the right investments for its risk environment and its risk profile. And so an organization that is being targeted more frequently by advanced actors may need a different kind of security program or different degree of defenses versus one. That is it. IBEX. Certainly there is
nothing that inherently makes a smaller organization more at risk than a larger organization. The key is for both to invest it to have invested in a security program that is tailored to meet the risk they're facing. I'd like to bring our audience back in for the second poll gentlemen. Folks here's the question. Please pay attention to your screens. What best describes your data security capabilities. Option number one we can detect and block data leakage in real time. Option number two we're able to detect data leakage after the fact. Option number three. We're not always certain when data leakage has occurred. Gentlemen we'll let the audience have a few moments to submit their answers to
that question and we'll come back to it in a moment. In the meantime I'd like to pose this to you both up though. What keeps you up at night. Question is an old interview trope but in this case we really do want to know the answer because you both know the bad actors and you know what they're capable of doing better than anybody else. So Brian what keeps you up at night. Eric I'll give you one kind of in the moment and then one forecasting the future in the moment is what we don't know about whether that's a zero day vulnerability whether that is a vulnerability that's being exploited at scale that we don't know about whether there's new malware being deployed by a state actor that has new signatures that we can't tie together at the enterprise level. These are things that all impact our ability
for resiliency and net defense here in the United States but also hamper our investigative ability or the action arms in the US government to help with the net defense or help on the offensive side. So those are the things that concern me on a daily basis which is again you know. You see this whatever figure you want to throw out there 90 percent plus these threats are seen by our private sector partners and that collaboration between offices super important over the horizon. The forward looking one is about synthetic content what we call publicly deep fakes but within the US government and in academia which largely referred to as synthetic content. When you look at biometric authentication facial recognition digital footprints mimicking voices these things are huge huge challenges to the law enforcement the intelligence community in the next five to 10 years. Huge challenges for the private sector multi factor authentication
and even research democracy in terms of disinformation and malign foreign influence ensue from over the horizon perspective. The synthetic content piece is something that is a fascinating discussion but also a very very scary discussion. Eric just before I get into what keeps you up at night I want to share with you both the answers to our second polling question. It was about data security capabilities. 38 percent of the audience believes it can detect and block data leakage in real time. Twenty one percent says it's able to detect leakage but only after the fact. And thirty nine percent says candidly it's not always certain when data leakage has occurred. Now Eric as I said what keeps you up at night. We heard from Brian.
You'll also offer two. The first is we have not yet seen in this country a cyber intrusion that directly results in a prolonged degradation of essential services upon which Americans. And that really is you know at SSA and I know our partners as well. You know why we come to work every day to ensure that these services at Cisco we call them national critical functions remain viable under all conditions. And what that means is of course for every organization to focus not only on security but also resilience to really test out what would happen if there is an intrusion of both the I.T. and the operational technology or OTM network and how the organization can keep those essential services running under all conditions. You know it of course bears noting as all
of us know that network technologies now underpin every facet of our lives. And the ability of malicious cyber actors to to degrade those services is deeply concerning and merits. Again this ongoing focus on resilience of the longer term point all raised is the fact that even as we are urgently investing in cybersecurity controls to protect today's technology organizations particularly in the financial sector are of course also continuously innovating to provide more productive efficient scalable tooling to their customers and their organizations. That of course means that we have to secure those new technologies but simultaneously we have to focus on securing our legacy infrastructure. That of course is foundational to so many organizations and so simultaneously making sure that new technology is developed with security by design and top of mind while making investments ongoing early in securing legacy infrastructure. Also I think is an area that requires focused
investment going forward. Gentlemen I'm mindful of both your time so I'm going to jump to the third polling questions so that we have an opportunity to get it in for our audience. Again folks please pay attention to your screens. Here's the question How have you adapted to hybrid work environments or work from home situations. Option number one we don't restrict communication on personal channels outside our network. Option number two we monitor employees use of personal communication channels. Option number three we don't allow employees to use personal communication channels for work purposes. I suspect gentlemen you'll be interested in the answer to this poll. There is an obvious follow up question and I'm
going to pose it to you Eric which is how closely should the financial services industry monitor its own employees both at work and at home. You know I think the main key here is to have and Brian should weigh in here as well. You have a focused insider threat program that that understands the potential impacts of an insider threat for different roles for different physicians for different accesses and then take steps to appropriately detect and mitigate risks of insider threats as they emerge as part of an insider threat program. Certainly can involve monitoring of communications but it also certainly is not a silver bullet. And so the key that I would offer is to have a holistic insider threat program that has layered mitigations and variables brought in to detect an emergent threat before it causes harm to the organization. Brian I'll just share the poll results that I have at the moment somewhat shockingly 56 percent of respondents don't restrict communications on personal channels outside their networks. That
was option number one. And option number two we monitor employee use of communications channels. Personal communications channels was affirmative for 43 percent of our respondents from a law enforcement standpoint. Do you favor I guess deep or extensive monitoring of employee communications. Brian. That's a tough question to answer. You know we certainly have rigorous protocols inside the organization in terms of what we
can and cannot share outside of the organization what we can and cannot do on devices. You know I think Eric offered a really good answer about understanding and I'll get his. I think I'll get his terminology right. Understanding the multiple variables that are going to play into the analysis about whether someone is posing a threat to your brand or more more significantly to the bottom dollar the profit of your organization and taking a multi step process through layer defenses. And that is probably
really good advice. Eric you mentioned earlier third party risk management and I wanted to raise a question for you on that subject specifically as it concerns security ratings. There are a number of companies out there selling expensive subscriptions that grades service providers on their cyber security. But what I've also learned is that in many cases to get a good grade the suppliers themselves also have to buy subscriptions from these same rating companies often at even higher prices. And that reminds me of the credit rating model that landed us in the financial crisis when issuers
paid Moody's or Standard Poor's for triple-A ratings. What guidance would you offer on these cybersecurity ratings these third party risk management companies and the way these ratings are compiled. You know as a first principle it is extraordinarily important for any organization to ongoing. We assess measure and where possible quantify their security posture and their security maturity. Security rating services can provide a valuable input into that sort of broader measurement and quantification regime without commenting on the business practices of individual ratings organizations.
Certainly the ability to get a recurring the updated third party assessment of other organizations risk profile and security baseline is important to understanding changes in posture and the need for further investment. Now rating services that often look at an organization's internet exposed assets can be one input. But of course there are others like penetration tests like red teams and purple teams that are also invaluable to help the organization understand once an adversary can get into the organization. What can they do and what can they access. And those sort of assessments can also be invaluable in closing down holes and giving management and the board a critical perspective on security risks and gaps there.
Gentlemen I suspect it won't surprise either of you to learn that there's one topic more people seem to be more interested in than anything else and that's crypto and block chain. So I'm going to begin with crypto Brian. Where does crypto currently fit into the cybercrime picture. Sketch it for us. And then I have a quick follow up question. Well in terms of a sketch I'll probably see a little bit more simple than that among my 6 year olds artistic framework and say it's the only game in town right. Crypto is the primary currency and the primary vehicle to facilitate extortion payments data leakage extortion payments etc.. So it's the only game in town. We all know that the bond chain offers us some opportunities but largely the ability to pay crypto scripted immediately into a Tumblr whether through an extortion payment or theft is a huge huge challenge for us. The FBI and the Department of Justice have had some successes
however are there any lessons we should draw from the recent Crocodile of Wall Street bust. You know I think that the most important thing. Two things. Number one is early engagement with us does enhance our collective ability to recover or to track cryptocurrency on the case. You just mentioned I think the most important takeaway is just to stick to denounce the grit of the people working in the US government to solve these threats to solve these crimes. Short and long term after the crime actually commits. And I think quite frankly the examples that you've brought is quite
commendable in terms of what happened. And one quick one before I pivot to you Eric. A lot of people as you might imagine are interested in sort of how to when it comes to ransomware attacks. And we're not going to get into details there. But a relevant question concerns ransomware insurance because they're really three ways of managing risk right. One is
that you lay it off on somebody else. The third is that you manage it yourself. And the fourth is of course that you just buy you know you buy insurance. Is ransomware insurance a good idea. And this is a question straight from the audience. Eric I'm not in a position to comment on that publicly certainly. We can talk about that off line in a more private setting that would just bring this back to the focus point of the more money that we pass to criminal enterprises the stronger they do get the more creative they get the more professional they get. I'll give you two quick examples. Number one we know that ransomware actors in Eurasia and Russia have literally
established call centers between the ransomware groups to professionalize the ability to pay a ransom and then to have your files decrypted. And secondly we know that they're shutting down ransomware groups or brands in simply transferring all of the victims to other ransomware gangs or groups or profiles so that those other groups that they're collaborating with or in a conspiracy within our terms can benefit and profit from them. The only way those organizations those criminal organizations get that strong is by getting more and more money. And Eric the other side of the coin block chain you don't have
to go far. I don't need to tell you even inside a bank right to find evangelists for block tainted to block chain technology who say who tell us. Maybe with good reason that it's going to revolutionize finance. It's going to eliminate friction. It's going to improve trust. And it's good going to add layers of impenetrable security that are built into the algorithms themselves. What's your view on block chain as a tool for the purposes of cyber protection or managing cyber risk. You know
certainly BLOCK Chain has intriguing use cases both for novel services as well as potentially for security. The key of course as with any new technology will not be only how it's designed. House How secure is the photography but also how is it configured. How is it implemented. How is it integrated with other systems and platforms. And so much of what we see in
security where risks arise is not actually that a given piece of software or hardware was designed poorly but that it was either configured poorly or it was integrated poorly as part of a broader ecosystem. And so as we think about integrating a block chain into various aspects of the financial system either within a given institution or as with the for if the future perhaps more generally the key will be ensuring not only that these systems are secure by design but that they are integrated securely so that we are not introducing new risks even as we innovate. Gentlemen I have to wrap up and I want to ask you this question. The bad actors the adversaries whom you're up against have a couple of advantages on their side. They can mobilize perhaps by force if necessary the best hackers in the world. And they can take whatever time they want to break in and infiltrate the victim's network. Erik you returned to public service from a very high profile job in the private sector or enough of the best people making the choice that you made forgoing the financial incentives available to them on Wall Street or in Silicon Valley to dedicate their careers to cyber defense in the public sector. In other words is this a fair fight. I think it is and I think we have extraordinarily talented group
of professionals of cyber security experts not just at a but at the FBI and across the broader US government. We of course always need more. What I will say having recently read one government from the private sector there is no better mission in the world than coming to work every day and being focused on protecting the American people against the threats that we know are confronting us. And of course I would encourage any individual who is seeking to move into the field looking for a
new role to consider public service. There is really nothing more rewarding. And I miss. I did note that anybody can visit the dot gov to learn about options at our agency. And I'll also note in closing here that the historical model where somebody would join government service and work in it for decades and then retire we know that doesn't work. Certainly in the
cybersecurity field I mean certainly with the new generation of professionals. And so the model we are seeking is that somebody join the public service for a few years does terrific work helps safeguard our country perhaps goes back out to the private sector learn some new skills does great work there and then comes back. And that is the only way that we will attract the talent that we need to meet the mission confronting us. And certainly we are looking for talent wherever it may be in this country to help us join us in this mission. And Brian very quickly and last to you we're all aware of how consequential the
information gaps in misaligned priorities were back on 9/11 when it comes to cybersecurity. How does our patchwork of federal agencies with varying degrees of responsibility know that it's doing all the right things and in the right order. Sure you know the Cyber Solarium Commission really took a look at this exact question and many others and it's the catalyst for the Senate confirmed position that we know is the national cyber director who's Chris Inglis. And so Chris is charter one of Chris Charters is to bring the operational components together a common of course common fabric and a synthesized synergistic way. What I can tell you from sitting in my seat every day is that we are getting better by the day. That includes. It includes us it Treasury State U.S. Secret Service NSA Cyber Command and others not to mention the global partners who were
in touch with every day. Certainly our goal is to begin with the end in mind. And what that means in real time practice is what can all of us do today when we have intelligence or evidence inclusive of what the private sector to have an even bigger impact on our adversary for an even bigger impact on net defense. I'm very very confident saying that we are getting better by the day. And I think we'll be much better in the next year in the next two years.
Brian Waldron assistant director of the FBI Cyber Division. Eric Goldstein the executive assistant director for cyber security at Cisco. Gentlemen thank you for being so generous with your time. And I'll speak on behalf of all the taxpayers in our audience. Thank you for the work that you're doing for the nation. Thank you.
2022-02-18 12:37
