Every four to eight years, a new U.S. presidential administration enters office, bringing a fresh set of priorities and national interests. Since the Biden administration took the reins in January 2021, they have made it clear the government response to cybersecurity will be a major focus.
This is partially in response to significant attacks, from the SolarWinds invasion allegedly perpetrated by Russian hackers to the Microsoft Exchange server vulnerabilities to the attack on a water treatment facility in Oldsmar, Florida. According to Tyler Whitaker, chief technology officer (CTO) and chief operating officer (COO) of Leading2Lean, this is a step in the right direction from a cybersecurity perspective.
“I’m really encouraged by the placement of the right folks in the right seats there, as well as the commitment for funding new initiatives in the cybersecurity arena,” Whitaker said. “As we look at the cyberwarfare that’s happening right now with nation-states, with other interested, more terroristic type of actors out there, the escalation only continues. So being organized from a U.S. government perspective and from an industry perspective around combatting these threats is a really smart move.”
One of the major transitions that is occurring in the government response to cybersecurity regards the Department of Defense and the Cybersecurity Maturity Model Certification (CMMC) that is being rolled out for defense contractors. The goal of the CMMC is to create a unified standard for implementing cybersecurity across the defense industrial base.
“One size doesn’t fit all,” Whitaker said. “You can imagine securing nuclear launch codes is one thing; securing people’s personal identified information is a full other level of effort. I think CMMC is going to be a very interesting move where the five graduated scales let the organization kind of fit the security response to the level of risk that they have.”
Of course, in any government response to cybersecurity, Whitaker said, there is always the potential for overreach. The solution is to get seasoned professionals into government roles who can collaborate with industry leaders to strike the right balance between regulation and the level of effort it takes to remain secure in the modern age.
“Cybersecurity tends to be a frightening thing. It tends to be something where people will overreach or overreact,” Whitaker said. “You find people that are securing Social Security numbers the same way you might secure nuclear launch codes, and try to have air gaps in places. It just doesn’t make sense from the standpoint that that adds an added tax to our economy. Balancing the level of effort it takes to secure our infrastructure without overreaching and having this added burden, or drag, on the economy is something we really need to consider.”
According to Whitaker, that economic impact is not something to sweep under the rug. Nation-states don’t always launch attacks to achieve a strategic goal; sometimes it’s just to create a drain on the economy. A strong collaboration between government and private industry can produce the right atmosphere to solve these kinds of problems in a systemic way.
Whitaker said his company recently experienced a set of secure shell (SSH) brute force attacks on their infrastructure that they were thankfully able to counter. But even when successfully thwarted, malignant attacks can still have an impact on companies.
“This is something that happens to infrastructure all the time. It’s easy to do, and you don’t need to be a nation-state to do it, which means that the number of active players out there is only growing over time,” Whitaker said. “While [the attack on our company] didn’t result in a breach, it did result in an economic drag on our company. It took resources to mitigate that, to do the discovery, to be involved with that – resources that we could have spent innovating and expanding our feature set and helping our customers get more efficient.”
In Part 1 of our interview with Tyler Whitaker, he discussed how the COVID-19 pandemic has spurred a move toward work from home, which can have a significant cybersecurity impact on organizations. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.