The Department of Homeland Security recently released its highly anticipated cybersecurity performance goals, designed to establish baseline measures of cybersecurity for businesses and critical infrastructure. In doing this, it worked with the National Institute of Standards and Technology (NIST) to come up with 37 cybersecurity baselines intended to help keep critical infrastructure more secure. How valuable is government involvement in the real world?
Sam May, senior compliance consultant at Steel Root, spoke to Industrial Cybersecurity Pulse about the state of cybersecurity within the government and private sector. The following has been edited for clarity.
ICS Pulse: The Department of Homeland Security (DHS) recently released their highly anticipated cybersecurity performance goals. How valuable do you think this kind of government action is for cybersecurity?
Sam May: I don’t think it’s valuable at all. There’s a tremendous amount of effort that went into it. I question who the target audience is. There’s a bit of a confusing and confounding element to this where, on one hand, the federal government is telling private industry to review and use 800-171 as a foundational principle. Then you have documents and programs like this that come out leaning heavily on 800-53. Then, on top of that, it’s great to have performance goals.
There are no broad strokes, aside from just saying things like, apply multifactor authentication or try to move to a zero-trust environment. To say, “OK, we’re going to have this generalized program that’ll help you reach operational technology (OT) security” might work at one plant, but it doesn’t work at another, and it’s just extremely hard. When you see stuff like this, I just don’t know who is going to pick up this mantle. What CEO, what boardroom is sitting around right now and high-fiving each other and saying, “Oh, the cross-sector goals are out. We can go running out now and be secure.”
ICSP: What do you think the government’s role really is in standardizing certain cybersecurity practices?
May: I think that the government should standardize cybersecurity practices within the government first and stop trying to advise private industry. In a completely uninformed opinion, I would be willing to wager that there have been very few times in the history of government when the government has looked at private industry and given sweeping advice to private industry that has made private industry substantially better.
Government is its own soup and sandwich when it comes to cyber. It is its own mess of confounding rules and regulations, from FISMA to everything else. It doesn’t have a wonderful track record of meeting its own performance goals. It doesn’t have a great track record of meeting its own FISMA requirements. Maybe they should look in first and then try to push out. Then, with private industry, I think that the government has an opportunity to require private industry and government contracts to meet certain cybersecurity levels, the way it’s doing in the Department of Defense with CMMC, and things of that nature.
I think it’s a spotty rollout of the program. That is where the government should be focusing. I think the government really should be leaning on private industry.
We have developed, without any input from the federal government, a solution to DOD cyber requirements, and the Department of Defense and the federal government had no part in that. We took private industry tools and private industry requirements and requirements from our clients, and we built together a product that meets all these goals. The federal government had no say, no help, nothing. It didn’t have a reason to be. At no point do I think that the federal government should have put its hand in there. The point is, private industry will solve these problems, especially when it comes to cybersecurity, the way it has been done from the beginning.
ICSP: You’re going to need private industry, too. A lot of these critical infrastructure industries are held by private industry. If they’re not involved and aren’t doing their part, then where are we?
May: People have to understand a few things here. When you can’t see behind the curtain, it’s difficult to really understand how things work, especially when it comes to operational technology and the difference between OT and information technology (IT). That alone is difficult for most people to understand: information technology is the computers you use, the printers you use in the office, the internet, things like that, and the internet connections thereof. OT is factories and plants and manufacturing centers. OT has to be on. It has to be running. It has to be available 24/7. Availability is the No. 1 thing, especially when it comes to systems that have to do with safety instrumented systems. Security has to take a backseat to availability.
If it’s an overflow valve or a safety relief valve that is connected to a bunch of sensors, that safety relief valve has to be able to lift no matter what. There can’t be a multifactor authentication requirement for the relief valve to lift, or someone’s going to die. What that interjects is a certain degree of insecure infrastructure, where people say, “OK, pipelines and treatment plants and all this kind of stuff, they have to be hyper secure.” What they need to be is as secure as we can make them and still have that availability that is required for the pipeline to run and for the safety systems to run.
The federal government’s role has to be a hand-in-hand thing. The federal government should be approaching the private sector and saying, “OK, what do you need?” not, “Here, we’ve made these cross-sector goals for you.” We didn’t ask for them. We didn’t need them. I’d rather they take that money, that budget, and approach one of the communities and say, “What is it that you guys need? How can we help you?” Then, provide honest help.
Usually, what I hear back and what people hear back is, what we could use is a cyber 911 where somebody actually comes out to help, especially mom and pop shops. Right now, we’re focused pretty much solely on the defense industrial base. Most of our clients are companies of less than 50 people and have really tiny margins to begin with. When you’re in a small-margin company, you have to choose between cybersecurity and buying a CNC machine that replaces the one that’s 50 years old. Maybe improving the shop floor or maybe giving everyone a small pay raise. Or you can spend $500,000 on a cyber thing.
Then, what happens if something does happen, if the alert goes off or you have an issue? Who do you call? It would be great if we took all these resources we’re dumping into all these plans and programs and simply made a national center where people could call, companies largely. Eventually, maybe even literally your mom and pop could call and say that, “This has happened. We’ve been attacked with ransomware,” and then somebody comes out to help them. Yes, sometimes people take advantage of that. Every now and then, Raytheon will call and they don’t need the government to come in and help them, but it should be available for everybody.
ICSP: That’s an interesting idea. Is there a corollary to that in the government? Is there something that the government does that’s similar that works?
May: 911. Aside from obviously calling the ambulance and having the ambulance come out, that generally works. On the cyber side, kind of. We have clients that submit reports to the government when they have cyber incidents. What they get back is usually a reasonably aggressive set of communications from the government demanding things that sound a lot like they should have an attorney representing them. That’s not the communication you need. When you’ve done everything you can to secure your infrastructure and then something happens, as it is bound to happen, you will get pwned, and then what do you do? You do the right thing. You report it to the Department of Defense, and the Department of Defense immediately sends communications out sometimes.
Sometimes, it just ignores you altogether. Sometimes it’s like, “We demand the following.” When the government demands something of me, my first reaction is, “I need a lawyer. Now I feel like I’m in trouble.” I shouldn’t be made to feel like I’m in trouble because I’ve done everything I’m supposed to do. I’ve reported this, and where’s the help? I can get all my drives, all my images, do all the forensics, send it off to the government and never hear anything back. What is the point? What am I getting out of this? Am I secure? Is there some mechanism to help?
If you look at the state of Massachusetts, the state of Massachusetts has some requirements around cybersecurity, which is fine and great. There is a command center for emergencies that was activated during COVID and other crises that happen, which is helpful, but it’s not staffed with any kind of cyber professional. When there is some kind of attack, there isn’t a professional government response in a way that can really help that I have ever seen. I’ve never seen the government staff up a response that’s been helpful to the victim.
With the smaller businesses, I also hate it when it’s a choice between employee benefits, employee pay and cybersecurity. It’s a necessary thing, but it’s just a gut punch. It becomes a little bit less palatable every time I hear a government person talking about this in terms of, “This is just something we all have to come together, pitch in and do.” Or somehow victim-blame the companies who are getting pwned and have either no idea what they’re doing wrong or no resource to turn to.