Richberg has more than 30 years of experience driving innovation in cybersecurity, threat intelligence and cyber strategy and policy. He served 20 years with the CIA, and as senior adviser to the director of national intelligence on cyber issues.
For more info, read Richberg’s latest security trends report on the importance of upgrading infrastructure.
ON THIS WEEK’S SHOW
- “Where Next for Government in the Cyber Insurance Market?”
- “Fearing More Cyberattacks, Congress Requires Key Businesses to Report Digital Breaches”
AN INTERVIEW WITH JIM RICHBERG, FIELD CISO OF FORTINET
The following interview was lightly edited for clarity and brevity:
Q: What are some of the most exciting or even challenging things that you’re working on right now in the public sector?
A: One of the challenges, and it’s a perennial one in cyber, is we’re always playing whack-a-mole. We’re always driven by the threat of the day — the latest breach. So the challenge is how to be strategic between fighting the fires. When you charge out of the firehouse to put out that brush fire, and then you come back to your center of gravity, are you still moving consistently in a given direction?
We’ve talked about geopolitical tensions in what’s going on in Ukraine. For the public sector, advanced persistent threat actors — we use the acronym APT — tend to be nation states, and they tend to target public-sector organizations.
I have this joke when I talk to people in the private sector and say, for many organizations you don’t have to have the best cybersecurity out there, you just have to be good enough. It’s like the old joke about hiking and if you run into a bear, you don’t have to be able to run faster than the bear, just the hiker next to you. The criminal will go after the easier target if you’re too hard.
Well, that’s not the case for these APT actors. If they’ve decided they want something a public-sector organization has, they’ll keep trying until one of your employees makes a mistake — until they find that vulnerability. So the public sector has to worry about a different class of threat actors.
The criminals also want what the public sector has, because the public sector has lots of money too. Ransomware has actually, in my estimation, been one of the things that’s fueled the rise in something that is like APT ... it’s APC, advanced persistent crime. This steady source of revenue is causing criminal groups that used to come together, do something and then disband and reform, to stay together because the money is always there.
One of the things that I find exciting to work on is — not everything you do in cybersecurity has to be big or expensive to be impactful and make a difference. But the reality is, big governments spend a lot of money on IT products and in some cases even on cybersecurity. But if I’m in a small procurement office in a small city or a county, I don’t know how to specify cybersecurity in what I’m buying. So who does a lot of that? The federal government, the Defense Department, (the General Services Administration), the big organizations that actually buy a lot of stuff have got a lot of contract language — “Hey, let’s make a library of existing contract language and make that available to state and local government.” So if I’m going to buy endpoint stuff, and I’m the clerk of a small town, I can look up something, I can throw that into my contract. And guess what? The vendor community that sells to the federal government says, “Oh, I know how to deliver that.” So ... it’s a matter of taking something that we’ve already done and repurposing.
Q: What are the things that have your attention now, or should have the CIO or CISO’s attention now as they look into 2022?
A: I like to be strategic at looking at things. We always have an uphill battle on cybersecurity, but I think we’ve actually got convergence working in our favor.
Increasingly, networking and security are two sides of the same coin. We saw this when we all went to the direction of hybrid work. Yes, we needed to enable people to work from home. But you know, implicit in that conversation was that it’s got to be secure. Especially for government services. This isn’t going to work if I’m providing a connection that is absolutely exploitable.
We watched ransomware go up 1,100 percent in the year after we started working from home because the home environment was that much less secure.
So what’s working in our favor is the idea that networking and security are now increasingly unified. The idea of software-defined networking — if I’m not going to go back to the office, I can define my network on the fly. It can include the person working out of the coffee shop. And the same device that enables that kind of software connectivity is also the security device. So I don’t have to say “network performance or security.” They’re both the same thing. So that works in our favor.
The second big trend that I think CIOs and CISOs need to keep in mind is (that) within security, we increasingly have something called consolidation. Devices themselves under Moore’s Law are not only getting more powerful, they’re becoming more like Swiss Army knives. So, you may say I have to upgrade something in my cybersecurity stack in my ecosystem. This will now do the functions of 10 or 11 things. I don’t necessarily have to retire them now. But when I do, I don’t have to buy replacements because that one thing will help. It also avoids this chronic problem we’ve had in cybersecurity: If we’re really smart, creative people, and there’s a problem, some smart people are going to go find a solution. If it becomes successful, it’s going to be adopted. Rinse and repeat that cycle over 15 years, and you may have a large organization that has over 50 different security products, all solving separate problems, all reporting into the SOC and all requiring the human to do this manual interpretation and integration. That’s crazy. So fewer things that are more powerful means you’re getting that kind of integration as well.
I talked about this idea of mesh. I’m sure you’ve heard this phrase “the attack surface,” right? That’s one of the things we say is a complication in cybersecurity, because our network surfaces, our connections are big. We don’t understand them. They’re complex. But if you instrument that surface — I’m saying this as somebody who worked in intelligence — if I have instrumentation that can actually sense what’s happening on it, and I have artificial intelligence and machine learning at the back end, I’m actually turning my liability size and volume into an advantage because I can see somebody trying to do something and failing, which they normally do before they succeed. I can stop them where they’re doing it, and I can actually block them everywhere. So that idea of consolidation is really powerful. I think that not many people who are in IT or security recognize that.
Q: States and localities are getting a lot of federal funding for cybersecurity right now. What advice would you have for them to help maximize the impact of these dollars?
A: Well, you really hit a hot button for me. We have that Infrastructure Investment and Jobs Act, and people look at it and think, “Yes! $2 billion for state and local cybersecurity!” It’s $2 billion out of $1.2 trillion. If that’s all we spend on cybersecurity out of that, bad on us. That’s going to be an epic fail.
A couple of things to keep in mind: Infrastructure lasts a long time. We have cities in this country on the East Coast that are using water pipes that were laid down in the 1800s. We have traffic going over a bridge that was built in 1697. So if you build it, it’s going to last longer than you actually envisioned. All of this infrastructure has a digital dimension. We watched an interstate highway bridge collapse because pigeon poop built up on the girders and corroded them. Now everything has sensors. Now it has actuators on it.
So Jim’s digital “Field of Dreams?” Connect them all. Can I tell you how I might want wastewater and bridges to talk to each other? No. But if you connect to them, some smart person will find a way to leverage it. And people say, “Well, you’re enabling the adversaries.” Newsflash, we already see threat activity jump from sector to sector. So this infrastructure investment is an opportunity and responsibility for state and local government. You have the opportunity to build the digital “Field of Dreams.” But darn it, your minimum responsibility ought to be to architect in the ability to see threats moving from one to the other. Because I can guarantee you’re going to be in this operation center for your county or your state and you’re going to say, “Oh, I just watched the threat actor go from here to well, I don’t know where because they keep score differently.”
It’s like when we threw a lot of money at first responders after 9/11. And we just discovered that, left to their own devices, they would each do what made sense to them. And it took big things like a fire that required fire departments from multiple jurisdictions to realize they’re on different radio frequencies. These are easy problems to address at the front end when you’re setting out to spend the money. They’re a whole lot harder to corral after you’ve made the investments.
Q: What can government agencies do to increase their capacity in order to manage risk and also combat any threats that they might have to deal with?
A: The workforce and skills gap is a perennial one. And yes, you can do training, and government can help with STEM education. There are programs like apprenticeships. You can do rotations. There are a lot of things we can do to increase the size of the pipeline. And actually, the gap has been closing, if you look at the latest statistics.
But the reality is the public sector is never going to hire its way out of the problem. Not only are there not enough people to go around, the public sector can’t compete with the private sector’s pay scales. So the thing I tell people in the public sector is you’ve got to do a combination of things: modernize, automate, federate and outsource.
Anyway, you’re going into more cloud-based services. I’ve already talked about convergence of networking and security. Use that tool. It’s going to give you more capability for IT and more capability for security.
Automate. Security automation, that artificial intelligence and machine learning I talked about that could make the attack surface become your friend and not your enemy, that applies across cybersecurity.
Automation. AI-driven is the way to do that.
Federate. There are times when, especially for local government, they are never going to hit critical mass in terms of experts or money to do something jurisdiction-by-jurisdiction. So they need to regionalize it. Maybe it’s at the state level. Maybe it’s bigger than that. But there are times when pooling your need makes it possible to accomplish something. And then sometimes you just look at it and you go, “I can’t do this in-house.” If I’m a small jurisdiction, I may just need to say “I need to outsource it.” And that doesn’t have to mean to the private sector. Sometimes you simply (find) a partner in government on that federated model, maybe a more efficient way to do this than my doing it. But the idea that everybody in government has to do every function in security is just never going to work.
Q: What’s on the horizon?
A: So it’s IT and security modernization. It’s helping them with that new normal. It’s operational technology. You talk to organizations that say, “Well, I’m not a utility, I don’t have any of this operational technology.” And I say “Well, you do have smart buildings, energy efficiency, public health monitoring, surveillance cameras, these things are all actually operational technologies, finding ways for them to secure operational technology as well as informational technology is important.”
Helping these organizations figure out how to make these smart decisions at the front end of their investment of the infrastructure dollars that we’ll be rolling in over the next year from the federal government is important. And then, of course, we have mid-year elections. Elections are expensive to run. The rules are being changed in a number of jurisdictions. And all of these elections require private-sector infrastructure. Even the voting machines are made by the private sector. And almost all of it is conducted on general purpose IT that state and local government own. They’re using the same network, the same devices they use for general purposes. So helping them recalibrate, re-instrument, re-secure that with another election cycle — those are the kind of priorities that we’re focusing on this year.
LEARN MORE
Fortinet secures state and local government organizations around the world. Fortinet empowers its customers with intelligent, seamless protection across the expanding attack surface and the power to take on ever-increasing performance requirements of the borderless network — today and into the future.
For more info on how Fortinet can help your state or local government agency, visit their website.
COMING SOON
“In Case You Missed It” returns on March 25 with Rheaply CEO Garry Cooper.
“In Case You Missed It” is Government Technology’s weekly news roundup and interview live show featuring e.Republic* Chief Innovation Officer Dustin Haisler, Deputy Chief Innovation Officer Joe Morris and GovTech Assistant News Editor Jed Pressgrove as they bring their analysis and insight to the week’s most important stories in state and local government.
Follow along live each Friday at 12 p.m. PST on LinkedIn and YouTube.
*e.Republic is Government Technology’s parent company.