The North American International Cyber Summit was held in Detroit this past week, and there were plenty of important cybersecurity messages that apply to governments, businesses, families and schools all across America.
Speakers came from all over the world, and I was surprised to meet an attendee who even came in from Alaska. So what were main messages coming out of this event, and what can be shared as a model for other organizations?
Key Summit Messages
Speaker themes included:
• Information and intellectual property are falling victim to cybercrime at alarming rates, the status quo is untenable.
• We need to follow a risk management approach for cybersecurity.
• Redesign of security is needed – the old ways are not working (well enough). This includes changes for people, process and technology.
• We don’t need to stifle innovation, to implement effective cyberprograms.
• Maintaining technological advantages requires capital investment to protect critical infrastructures. Threats are real and compelling.
• Physical and cybersecurity are closely connected and must work together in new ways. Many case studies and solutions were offered.
• Cyberexercises are important to test defenses. The Michigan Cyber Range offered a global example for all to see.
Governor Snyder's Keynote
It’s been a good month for Michigan Gov. Rick Snyder.
First, he was re-elected to a second four-year term.
Second, just a few days later, Detroit emerged from bankruptcy.
Third, Snyder was the only governor named as one of Governing magazine’s Public Officials of the Year.
And then, before embarking on his fourth trade mission to China, he was the host of the newly named North American International Cyber Summit in Detroit.
He borrowed the name from the North American International Auto Show held each January at the same (newly renovated) Cobo Center. The first two Michigan Cyber Summits in 2011 and 2013 were more Great-Lakes-centric and held outside Detroit.
Gov. Snyder started by describing how technology impacts every area of our lives. Telling personal stories from his experience, Snyder brought home what is at stake for our way of life. From children at home playing games to advanced robotics competitions in high schools to protecting our nation’s critical infrastructure (such as utilities running the power grid), there are constant cyberattacks against our families, businesses, schools and governments.
“I will help lead the nation’s governors in cybersecurity. But I need your help…. Our vision from four years ago isn’t good enough today. We need to consistently review and update as technology evolves. Bringing together national thought leaders at forums such as this is critical to ensuring a safe and secure cyberenvironment.”
The governor described many of the cyber accomplishments of the past four years in Michigan:
Gov. Rick Snyder announced updates to his Michigan cyber initiative, including an expansion of the Michigan Cyber Civilian Corp (MiC3) to 12 teams. MiC3 is a group of trained cyberexperts who volunteer to provide assistance to the state in times of emergency. The MiC3 is project managed by Merit Network. The creation of MiC3 was announced at last year`s summit. Applications for volunteers continue to grow, prompting the decision to add more teams.
Many of these cyberprojects will be expanded in 2015 in Michigan. He announced an updated cybersecurity strategy entitled: The Michigan Cyber Initiative 2015. While the strategy does not contain any entirely new security programs, it does vastly expand upon his initial Michigan Cyber Initiative released in 2011. Future goals include:
• Enhance Michigan Cyber Defense Response Team
• Increase Number of Cybersecurity Exercises
• Implement Zero Trust Model
• Implement a Risk-based Approach to Cybersecurity
• Develop Cyberawareness Programs for Michigan Schools to Educate Our Children
• Deploy Michigan Cyber-Range Hubs to Strategic Locations
• Increase Adoption of CySAFE Security Assessment Tool
• Enhance Promotion of Cybersecurity Careers to Students
• Expand Economic Development Partnerships to Promote Cybersecurity
• Develop Cyberthreat Warning levels to Provide Real-time Cyberthreat Awareness to Citizens and Businesses
Detroit Mayor Duggan’s Breach Story Grabs Global Attention
Detroit Mayor Mike Duggan, who spoke just before Gov. Snyder, welcomed the audience to the new Detroit and told a few surprising cyberstories of his own. Indeed, Mayor Duggan’s account of how hackers seized a database from city of Detroit and demanded $800k in bitcoin back in April was even covered by the Russian news website RT.com.
Here’s an excerpt:
Hackers seized a digital database from the city of Detroit earlier this year and then demanded they receive a ransom in bitcoin, Mayor Mike Duggan said this week, but the city balked and ultimately the hijackers were unsuccessful with their request.
Duggan, who was elected last year to lead the Motor City after a headline-making bankruptcy filing, explained at a conference on Monday this week that hackers had asked for hundreds of thousands of dollars in cryptocurrency after compromising a city database back in April. The pilfered database wasn’t used or needed by the city, however, The Detroit News reported, so the ransom was never paid.
That Detroit News coverage of the event that was mentioned by RT.com offered these additional details on Mayor Duggan’s speech:
Duggan also noted Monday that a person involved in Detroit’s historic bankruptcy case recently was the victim of a cyber attack that involved threatening emails and a “significant” amount of money taken from a personal checking account.
“The timing was such that he certainly thought it was a political agenda,” the mayor said.
The attack was one of several examples Duggan gave of the city’s lack of updated technology and security.
Michael Chertoff’s Comments on Cyber
Michael Chertoff, former secretary of the U.S. Department of Homeland Security and executive chairman and co-founder of The Chertoff Group, went deeper into cyberdefense trends at the summit, stating that:
1) We will never eliminate cyberattacks.
2) Companies need to take a risk management approach.
3) Risk includes threat, vulnerability and consequence. We need to prioritize defenses.
4) Internet protections require deliberate steps to close holes – unlike a physical bank which has vaults closed by default.
Secretary Chertoff also described cyber “sins and sinners.” We need to understand what’s happening such as: A rise in criminals (scams to ID theft), corporate espionage, rise activism (embarrassing information, intimidation, harassing others, bullying) and nation state actors becoming more aggressive.
Former DHS Secretary Chertoff's keynote
He described one interesting potential scenario that could trigger a cyberattack on critical infrastructure. Imagine if Russia was seeking to raise the price of oil, so it attacks certain control systems or oil refineries.
He also said that the Internet of Things (IoT) will bring about exciting new opportunities, but also difficult situations, user problems and product vulnerabilities that we have not yet identified today.
Solutions start with constant monitoring of our environments – using the human body’s immune defense system as a model to emulate. He said vaccinations were like information sharing – and we need to improve how we get answers to the people that need them.
We must develop effective quick response plans. Good collaboration and public-private partnerships are vital. We also need new education programs to train people at all levels of our organizations – with intriguing and relevant content that engages end users in new ways.
Other Keynote Sessions
The Platinum Keynote Panel was titled “Cyber Security 3.0: The Good the Bad and the Ugly.” The panel of experts discussed: What are the new issues keeping you up at night? What is the impact of the latest threats on you and your business and how do you prepare? A major focus was on our shared responsibilities and shared solutions as we proceed into the next generation of cybersecurity.
The panel moderator was Doug Robinson, executive director of the National Association of State Chief Information Officers, (NASCIO).
The panelists were:
• Terry Hect, director of Security Strategy, AT&T;
• Edward Powers, national managing partner, Cyber Risk Services, Deloitte;
• Mark Spreitzer, director of Outreach and Collaboration, Cyber Security Solutions, U.S. Federal Market, CGI Technologies & Solutions;
• Albert Kinney, director, Cybersecurity Practice, U.S. Public Sector, HP.
When Doug asked the panel to close by describe a cybersecurity “universal truth,” the panelists urged the audience to look for trusted partners, improve communications during incidents and get to "yes" in enabling secure technologies. Al Kinney said cybersecurity is like brakes on a car – which can allow technology to go faster – if applied correctly.
Platinum Keynote Panel
Another keynote was presented by Ari Schwartz, who is the director of Cybersecurity Privacy, Civil Liberties and Policy for the National Security Council Staff at the White House. Schwartz emphasized the importance of implementing the NIST Cybersecurity Framework using a risk management approach. He also described how the federal government is working together with Michigan and Detroit on cybertraining and several other key initiatives. More details will be coming in 2015 regarding joint projects with several states.
Breakout Sessions & Competitions
This Cyber Summit had five separate tracks in the afternoon that covered business, education/family, law enforcement, government, defense/economic development and an international cyberexercise. The summit agenda describes the specific sessions within each track.
The international cyberexercise was described in this Yahoo Finance global press release:
During the summit, the Michigan Cyber Range, developed and powered by Merit Network, held a live international cyberdefense competition. Two teams from MiC3 competed from Cobo Center. Teams competed remotely from the Michigan National Guard in Battle Creek, Mich., the California National Guard in Los Angeles, and the Latvian National Guard Cyber Division in Riga, Latvia.
The exercise took place in Alphaville, a virtual training environment within the Michigan Cyber Range. Alphaville contains five locations, each representing a different security level. During the competition, the teams planted and protected encrypted beacons within the virtual library, school, private industry, police station and power & electric company.
Michigan Cyber Range Exercise
Final Thoughts
Every federal, state and local government needs an updated cyberstrategy. I urge readers to review the Michigan Cyber Initiative 2015 as one potential model to follow. The timeline presented in the opening pages offers a compelling cyberstory and set of key initiatives that others can certainly emulate.
As administrations lay out their plans in the coming months, cybersecurity plans need to be a priority for governments to address. For businesses, schools and families, the toolkits offered at michigan.gov/cybersecurity can help.
In conclusion, Gov. Snyder is one of the top government leaders on this cyberissue. He writes this at the beginning of the new 2015 strategy document:
We have made many strides since 2011, including the creation of michigan.gov/cybersecurity, an award-winning website with helpful tools for citizens, businesses and governments, hosting two sold-out cybersecurity conferences and successfully taking the cybersecurity message throughout the state with our Cybersecurity Breakfast Series and Michigan Cyber Awareness Luncheon Series.
Michigan has taken a proactive approach to cyberdefense with the creation of the Michigan Cyber Command Center, partnering with Merit Network on the establishment of the Michigan Cyber Range at public universities and National Guard installations, the formation of the Cyber Civilian Corps to assist in emergencies and the creation of the Michigan Intelligence Operations Center. Though our accomplishments are noteworthy, we cannot and should not rest on them.
There is much more to do.
And with the announcements this week by the NSA director that China has the ability to shut down our power grid with a cyberattack, all of us need to pay attention and act – now more than ever.
Note: All pictures and video, credit: Dan Lohrmann