The cybersecurity threat landscape continues to expand as critical infrastructure and software supply chains are increasingly in the crosshairs of threat actors. As a result, organizations in every industry must recognize and understand the threats they face daily.
In this Digital CxO Leadership Insights series video, David Cagigal, former CIO for the State of Wisconsin and current board member at RIDGE-LANE Partners, chats with contributor Mike Klein about the vulnerabilities of technology infrastructure and raising cybersecurity awareness within organizations.
Mike Klein: Welcome back to another episode of Digital CxO Insights. I’m your host Mike Klein. And I’m joined today by David Cagigal. David has many years of experience in the private sector, higher education and the public sector.
David will be joining me today to talk about vulnerabilities of technology infrastructure. But before we get to that, David, with all the recent cyber attacks and ransomware schemes, what are those future vulnerabilities of our technology infrastructure and how are we going to protect them?
David Cagigal: Mike, it’s a good question. And I think the attack vectors remain the same. Nothing has really changed. We have people accessing computers that are connected to a network and a data center and applications, and ultimately the data. Nothing has changed. Those attack vectors remain the same.
The vulnerabilities, however, are becoming a little bit more vulnerable. And what I mean by that is that if you look at – I’m going to take each one of those six components and go through them very quickly, but if you look at the people, the education by the media and all the press regarding these breaches and attacks has elevated some degree of concern.
So I think we’re advancing the agenda with the user, anyone using a keyboard and a computer and the network. Anyone doing that is cautious, a lot more cautious than they were, say five years ago. But I would also say, on the other hand, we’ve got a long way to go to ensure that people understand the risks they take every time they sign onto a computer. So computer awareness is very important.
Secondly, the device that you’re using, is it current? Has it got a good operating system? Is it being patched? Are there passwords that are frequently being changed? And then as you get connected to the network, has that network got sufficient protection, firewalls, to make sure that people that are using the computer on the network are authorized to do so?
Ultimately, connecting to a network data center, whether on-premises or in the cloud, the challenges remain the same. And then ultimately within the data center is an application that you would like to use. And those applications need to be designed with segmentation in mind. Many applications in the heyday and even yesterday were priding themselves on integration, integration, integration.
That’s great, but you need to have some stops in the integration to make sure that a breach doesn’t travel beyond a reasonable scope. And then lastly, the data. Has the data been protected, and do the appropriate authorities have the authorization and administration to access critical personally identifiable information, otherwise known as PII?
So Mike, those vulnerabilities were there perhaps 10 years ago and those vulnerabilities exist today. But each one of them we’ve been attacking with greater products and services and educating the population as to what these vulnerabilities could be and what harm can come their way, both in the business environment and personal computing at home.
Klein: How have you come across these vulnerabilities across your professional career, working in the public and private sectors and in higher education? What are the similarities and what are some of the contrasts?
Cagigal: I would say that if you’re working with a retailer, you may be dealing with some information that may be personal and private, credit card numbers, et cetera. If you’re working in education, there are FERPA regulations that don’t allow the parents to see the student’s grades, there’s that kind of security.
And then if you’re looking at your tax filings – I just got a notice from the state of Illinois that someone’s using my social security number for a tax filing. I did not file. I did not file it in the state of Illinois in 2020.
So, there’s those kinds of things. So each reason that you’re using the computer for accessing critical data that’s personally identifiable to you, or that is a transaction from a business point of view, HR records that need to be protected, or if you’re looking at financial records in the stock market and making sure that those are protected.
So for every industry and every business, there is a degree of vulnerability in the asset that they’re trying to protect. And typically it’s a soft asset. It is a data asset. It’s not so much the servers and the computers, but it’s really the information that is being captured and being transacted every single day across many, many industries.
Klein: So if it’s across many industries, that means it’s across many different segments, from education to financial services, to water supply, to energy. What comes to mind as some of the most critical of those 16 sectors defined by the Department of Homeland Security?
Cagigal: As you said, there are 16 sectors that really are the foundation of our democracy and our way of life. Everything we do is based on that foundation of infrastructure. Typically, people look at their highways and their sewage systems and their water systems as physical infrastructure. Now we have to contend with the computer or the network critical infrastructure.
And on one side, you’re driving down a highway that took a number of years to build, and on the other side, you’re traveling on the internet highway and accessing a lot of websites. But a foundation to all of that is the energy sector. One of the 16 is the power grid, all the electricity that we have that drives the computerization and the network capabilities for this country and for every citizen that lives in this country.
So at the foundation, we should all be concerned about those 16 sectors. And as President Biden mentioned when he was visiting with Putin here the last month, he mentioned the 16 sectors, not one by one, but he mentioned them as a category of infrastructure that needs to be protected.
And he basically told him, hands off. Nothing can – we shouldn’t be accepting any attacks against our 16 sectors and more specifically the power grid and the energy sector. So of the 16, I think that’s the one that’s most important. And all the public and private sectors are sitting on top of those infrastructures, whether it be the transportation, water system, power grid, et cetera, et cetera.
And lately, what has come into focus for us is the elections, which are included in the 16 sectors. The elections in ’16 and ’18 and ’20, I think the media has done a great job in warning everybody about those vulnerabilities in the voter database and making sure that the votes are cast appropriately and for the appropriate candidate, appropriate issues.
Klein: So as we’re looking at those sectors, obviously there’s been some big ransomware attacks lately. So how did these attacks both impact our physical as well as our software supply chains? And what does the future hold?
Cagigal: I think the most recent one here with Colonial Pipeline and followed up quickly with JBS, a meat supplier, we see the physical disruption of a cyber attack, the physical disruption. But what is running on those systems is software. Software systems that have been bought and purchased and implemented.
When you run a Colonial Pipeline, there are switches along the line operated out of a control room, SCADA switches that are IP addressable, and we need to make sure that all those switches are protected and that they’re not exposed to a hacker or to an unintended use. We were fortunate in the Colonial Pipeline case that it was more of a business attack on the business side, and that we were able to recover from that. Had it happened on the operations side, it could have been a lot longer recovery period.
So as you distinguish the supply chains between the physical supply chains and the software supply chains, on the physical side, we are all witnessing a chip shortage and an impact on the automobile industry and many other industries that they’re suffering from parts and being able to get sufficient parts into the manufacturing process.
So the pandemic caused a gap for a period of time, and it’s very hard to fill that gap again and have a smooth flow of parts and supplies into the manufacturing process. On the software side, we need to make sure that all of the software developers in each of the segments, and typically it’s multiple companies that are providing the software.
So a software provider A and B and C, each segment of the supply chain, have they been protected and have they reduced their vulnerabilities and hopefully that they have. So both supply chains, physical and software are extremely vulnerable today and they need to be given some attention.
I think the pandemic and the SolarWinds attacks have focused us on the supply chains and the need for improvement, and perhaps the need for maybe a third-party auditor to say that the supply chain is compliant with best practices, et cetera, et cetera.
Most vendors will tell you their supply chains are protected. Obviously, they would say nothing less. But we need some way of making sure we’ve got some degree of credibility in the supply chains.
Klein: So when these attacks happen, obviously there has to be an increased attention on how you monitor the confidence of the recovery plan. And how do you recover and respond?
Cagigal: Mike, over the last five years and maybe even longer, we’ve been spending millions, if not billions of dollars in cyber defense, and the NIST framework is a pretty good way of providing some context. There are five steps in the NIST framework. The National Institute of Standards and Technology is provided by the federal government. No. 1 step is to identify the asset that you’re trying to protect. No. 2 is to make sure that it’s protected. Identify, protect.
No. 3 is that you’re going to detect an event, an incident that may have occurred. No. 4, when detected, can you respond sufficiently? And after the event has been responded to, lastly, No. 5 would be recovery. So one, two, and three are fairly easy. You can spend a lot of money in protecting and detecting, but where we fail is our ability to respond.
Do we have sufficient professionals that understand and can do the forensics and immediately identify, as they did with Colonial Pipeline? They should be graded “A” on the way they responded to that. Within five days, they had product flowing again and they responded very well. Which tells me they had a plan, a disaster plan. It was exercised, it was executed, and the right people with the right responsibilities were able to resolve the issue quickly.
And that’s, I think, a testimony to the Colonial Pipeline executives and the leadership team to make sure that they’re capable of responding. So in that five-step process, the fourth one is where you make or break a situation. If you’re not prepared, you’re layering a chaos event and another chaos event on top of that in the inability to respond with capabilities and capacities and the people that understand their roles and responsibilities.
So I think out of the five steps, our ability to respond requires a lot of attention. And that’s something money really can’t buy. If you’re going to look at number three, detect, you could spend millions of dollars buying software that will set the alarms off.
But if you can’t respond to the alarm, you spent millions of dollars and you really didn’t get any further. It’s the ability to have staff that are accountable and responsible for exercising a disaster recovery plan or incident response plan.
Klein: So you said who’s going to be responsible. And I would think about both physical assets and digital assets. And there’s a lot of variation. We call ourselves CxO because there’s the chief information officer, there’s the chief technology officer, the chief security officer, and so forth. Who’s going to be responsible and how do those teams of people come together to ensure that those plans are in place and how often they’re reviewed?
Cagigal: Mike, I think there are a number of different ways to respond when the incident occurs. And over the last five years, we’ve witnessed a number of ways in which they respond. Some organizations, take company A, get caught flat-footed and they don’t know where to start. They call the insurance company and the insurance company says, don’t tell anybody until we understand exactly what happened. And then you get the lawyers involved.
And then you get a lot of other people involved, try and understand what did happen. There was a company a couple of years ago that took about three months for them to publicize the event. And that was because they had to get their communications in order, the 800-number to call. And this was a consumer event.
And so they had to do a lot of things, a lot of due diligence to understand the forensics of the event, understand exactly what happened and then prepare to plan to recover. And that takes a very long time. That’s one way of doing it. Another way of doing it is the way Colonial Pipeline did it. Very quick and responsive in terms of something that was very impactful to society, in terms of being able to buy gasoline on the East Coast. So there are varying degrees of responses today.
I would say that today many organizations are ill-prepared to handle an event like this. Others are, where their product or their service is critical, much like Colonial Pipeline or even JBS, for that matter. They had a plan, they were able to exercise, they understood the importance of their infrastructure to the country, and so they were much better prepared.
So I think it matters on the industry and it matters on the importance of the company and how seriously they take their ability to respond versus others who understand that it’s mission-critical, and they have to have those resources and plans in place. It varies across the waterfront.
Klein: So in summary, what I hear you recommending for companies as they face these vulnerabilities is that they prepare, plan, execute and be ready to recover.
Cagigal: In summary, Mike, that’s an excellent way of stating it. And I guess the money required to do that varies on the importance of the product or service.
Klein: Well, we only have time for one more question today, David. And I want you to reflect back on your career as a CIO and talk to me about some of the most satisfying moments.
Cagigal: Well, as you know, Mike, you and I know each other fairly well, in my last eight years serving for the state of Wisconsin as a chief information officer. We ran our data center, a consolidated data center, for more than 50 agencies that make up the state of Wisconsin’s services to the citizens.
And I think one of the greatest rewards that I got was to get to know each one of the secretaries and their mission in servicing the citizens. And it varied from the Department of Revenue to the Department of Corrections, to the Department of Workforce Development, Financial Institutions, the Public Service Commission, each one of them in their own right plays a critical role in servicing the state of Wisconsin.
I was one of 49 other state CIOs. We all had similar missions. We all had to understand with some degree of empathy, what each mission required and what the citizens of Wisconsin, in my case, needed from us.
So being able to do that every second of the day, every day of the week, every month, throughout the course of the year, was rewarding in working shoulder to shoulder with the employees that were in my area servicing the agencies from the data center and making sure that the gateway to the internet was protected both up and down.
Klein: I guess I’d add one thing. You’re protecting the citizens of the state of Wisconsin as you’re holding a lot of their data.
Cagigal: Yes. That’s an obvious statement, that every single citizen, 5.8 million citizens of the state of Wisconsin, every single record, whether it was from the DMV or from the Department of Revenue, that record was sitting in our data center and that needed to be protected, like I said, every second of the day.
Klein: Well, David, thanks for enlightening us on the future vulnerabilities of our technology infrastructure and joining us today. Again, I’m Mike Klein and visit us on the web at digitalcxo.com. And this broadcast will also be available on our YouTube channels. Thanks for joining the conversation, and have a good day.