Cyberwar in Ukraine: What it means for the enterprise
There’s no bigger story right now than the Russian war in Ukraine, and without putting aside the daily human tragedy, it’s also a cyberwar – one that could have far-reaching implications for enterprises and governments around the world. Entrust CIO Anudeep Parhar and CISO Mark Ruchie talk about what’s happening, where we are today, and how you can help make your organization resilient in the face of attacks.
Transcript
Ken Kadet: Hello and welcome to the Entrust Cybersecurity Institute Podcast for May 2022. I'm Ken Kadet, and with me is Anudeep Parhar, Chief Information Officer at Entrust and member of our Cybersecurity Institute. Hello, Anudeep.
Anudeep Parhar: Hey, Ken. Good to be here, and thanks for hosting this. I think this is going to be a lot of fun.
Ken Kadet: Yeah, I think so too. And so, I figured this is our first one. We're going to start out with probably the biggest story out there right now, and that's the Russian war in Ukraine. And we're not going to put aside the daily human tragedy, but we are going to talk about the cybersecurity side of this because this war is also a cyber-war. And it could have far-reaching implications for enterprises and governments around the world. And to help us figure all this out, we've also invited our colleague, Mark Ruchie to join us. And Mark is the CISO at Entrust and part of our Cybersecurity Institute Team. Before that Mark, held computer network security positions in the US European command and several other enterprises. So, hello, Mark and welcome.
Mark Ruchie: Hi, Ken. Excited to be here.
Ken Kadet: So, let's just dive right into this. When it all started, I think the fear was that cyberattacks to countries like ours and in the west that are supporting Ukraine, would start happening from Russia almost immediately. Now it sort of feels like this looming threat, this threat that's sitting there out on the edges. So, what's going on right now, Mark? Maybe just talk about what's happening in this situation today.
Mark Ruchie: Well, Ken, you bring up a real good point? I think there is this expectation that the cyberwarfare was going to expand dramatically beyond Ukraine fairly quickly, similarly as it had in some of the other conflicts that Russia has had in the past. Because early on, we did see lots of ransomware, ransomware that was designed to destroy systems, to destroy infrastructure. And ransomware and denial of services are two of the classic methods and tactics, techniques, procedures that they use. And generally, they might not be focused wider, but they tend to expand on their own. It might be an intent to go after a single set of infrastructure, and we really haven't seen that yet at this point. That's a really good point.
I think everybody's been waiting for it. I do think a lot of this is because the whole... Since nuclear saber-rattling is going on right now, the reason that there are one things there wasn't nuclear war in the past was we had a thing called mutually assured destruction. And we have made it pretty clear as a country that going after our critical infrastructure could result in attacks going back. So, whether that's the rationale why or whether people just have better defenses to date, that's a good question.
Anudeep Parhar: So, that's what I was going to ask, Mark. And I think we talk about this stuff quite often within our corporation as well. I think my observation has been is that over the last say 12 to 24 months, there has been a lot more awareness around cybersecurity. And that's not because of the global conflict right now, but also because of the colonial pipeline stuff, some of the SolarWinds, and some of these other activities. You said one would tend to believe that the general resilience of corporations, especially the ones that are a lot more global, is higher than what it was. That doesn't mean that it's complete and it's never going to happen, but I do think the resilience and the awareness around being prepared for something like this generally is higher.
Which was I think when you and I were talking about this stuff, even with some of the vulnerabilities that came up with, for example, with the Log4j stuff or with the shell scripts, et cetera, the time for organizations to recover from something like that is at a record low, meaning organizations are able to recover pretty quickly. So, do you think that plays into it as well, that the globally you think corporations are more prepared for something like this?
Mark Ruchie: I think absolutely. And to your point, you talked about Log4j, SolarWinds a little over a year ago, and then the global pandemic of everybody working from home. It did result in an investment in a lot of companies in security, in their security postures, because they realized that once they had the distributed workforce, trying to secure it was much more difficult. Now to your point, does that mean that a lot of companies are completely resilient? No, there's still lots of holes out there, but without a doubt there has been an increased focus.
Ken Kadet: Yeah, I think that's true. So, do you think the perception of the fear right now is at the right level? I know that there's been a lot of US government, for example, talk and warning about cybersecurity and about especially for critical infrastructure companies. I know there's recently been a new law about disclosure and about how to react and analyze cyberattacks. But it seems like there's a varying degree of commentary on how ready we are for what may come or what's coming or even the threats that are out there today.
Mark Ruchie: Well, I think there's definitely always going to be a soft underbelly. But the type of threat has changed, because historically it was intelligence collection. Where foreign entities were, they weren't seeking to destroy anything, they were looking for data for designs and they were all pretty good if you look at the history book of the last 20 years of pulling data away. But kind of going back particularly with the Russian invasion of Georgia where it was more the ransomware, the denialist service, the defacing of webpages for national means, that clearly has gotten more attention in the last few years and I think that people are much more aware of that. And as Anudeep had pointed out, the idea of ransomware is crime groups trying to make a buck, a quick buck. And when I say quick buck, millions of dollars. That's kind of merged in with a lot of these traditional offensive ideas of destroying systems and denial of service as ways to get influence or achieve your strategic objective.
Anudeep Parhar: And I think that's a really interesting point. So, for example, in conversations with some of my peer group, at least across the country here and a little bit more sort of globally as well, I think, and I don't have empirical evidence so to speak, but I am seeing that organizations are lowering the thresholds to anomalous behavior. There is a general feeling in the C-suite as well as with the boards, is that we need to be a little bit more aware. The thresholds are a little bit lower, which traditionally used to be always considered like, well, that's a business disruptor anyway. But given all of the activity that has happened, I get a clear sense from some of my peer group is like the boards, the C-suites are a lot more prepared to lower their threshold. And to be able to partner within the C-suite in terms of communicating and working to address when something like this would happen or preparing for it, involving the board quite a bit. Mark, we do it in our businesses as well. And the bigger thing is, Ken, to your point, I think there is a willingness to share some of this information with the authorities as well. So, I think from a broader cybersecurity and resilience point of view, I think that is helping and that is helping tackle this problem from a more proactive basis as well. So, I think that's a good movement from where I sit.
Ken Kadet: That's good to hear and gives us a little bit more comfort, although obviously there's a lot of work in that and there's a lot of diligence in that. It seems like from a cyber, from a war standpoint we've entered a new phase of cyberwar. That I know Microsoft just came out with a report on the way Russia has coordinated almost its cyber activities with its attacks. How do you think that's going to affect the rest of the world as this happens? Or how does it change what our posture is in getting ready for the next phase of the world?
Mark Ruchie: Well, I don't know if they're the tactics, techniques and procedures, TTPs. To your point, outside of [inaudible], they've done a good job of focusing in on Ukraine. They have not created this splash that went generally outside Ukraine, meaning that some of the malware that the GRU produced is not all over North America or Europe today. I think that is a definite change. They've been able to control the sprawl of theirs. And I think that the defenses against it are still going to generally be the same, but the fact that they're able to still keep as focused as they are to this date, I think most people have been surprised.
Anudeep Parhar: Agreed, agreed. So, I think I definitely would consider this is a sort of watershed moment for the global business economy, so to speak, and the community. And that's not just from a cyberattack and cybersecurity perspective alone. So, in talking to some sort of folks that I speak with on a normal basis to just build my knowledge base, it sits very clear that we are acknowledging what a nation state can do at varying different levels. And of course, like you said at the opener, there is the whole unfortunate people cost of this, which is extremely sad. But the business cost is that I think this is my way of looking at it, people are defining, so to speak, the crown jewels of the company a bit differently. What used to be considered a low cost production type in apparatus within an organization, suddenly is becoming very critical because of the supply chain impact. Your modern IT and the supply chains are very interconnected. And as the digital transformation continues, folks are looking at things which were considered before as commodity. Now they're so critical to your success that most C-suites and boards are reconsidering what is the formula, so to speak, of saying what should be close to your business and what should be your partnership with the suppliers, et cetera. So, I think there's some interesting dynamic going on from how you organize and how you deliver value to your customers as well.
Mark Ruchie: Anudeep, I couldn't agree more, because it's interesting to see this developed historically, because years ago you were trying to protect your crown jewels, but then you would find out that the bad actors would come in through a backup server that was in some obscure location and they would make their way across. So, we kind of thought, okay, we have to worry about defense in depth to where we are today. The other things, and Anudeep had mentioned with some of the CIO circles and some of the CISO circles that I've been in. Initially when this all started, we all talked about what are we seeing. Have we been attacked? If so, where? What's it look like? We didn't get the data that we thought we would. But I do think some of the things that have changed, like intelligence sharing that's going out there or an intelligence service is become more critical to having a presence on the internet. Whether you get that feed from your local government, whether you contract out with a country or a company that says, that's keeping track of all of the attackers, all of their IP addresses, how their attack looks and putting that real time into your systems, you won't be able to live without some of those longer terms. And it's the same thing with your supply side, with your open source software, all of those are getting more attention these days.
Anudeep Parhar: That's fantastic. It's the fundamental how at least people like us, mark, who've been in this industry doing this job inside of various different phases, this is like a new way of running the cybersecurity apparatus of the infrastructure in a business. And you got to look at it a little bit differently. I'd love your thoughts on saying this is just, again, not empirically, but a large population of organizations have built the foundational infrastructure which allows them to increase your readiness for some of these things. I think it's kind of like how it used to be that when PCs and computers became a way of conducting business, it's a given, it's an appliance that everybody needs in order to do business. I think it's getting to the point that the basic foundational cybersecurity, kind of so to speak, put the locks on your house and to have the protection of the set assets is becoming the knowledge of it and the acknowledgement that you need to invest in that is becoming much more understood. So, Mark, do you see that sort of happening in the industry as well? So, roughly, would you take a guess at saying what kind of industries are leading and what kind of industries are perhaps catching up?
Mark Ruchie: Well, clearly there's the regulated industries, the critical infrastructure. So, the banking industry, the insurance industries, they've been required for 20 years to have infrastructure. So, that along with a fair amount of high tech companies, I would say have led the way. But to your point, right now a lot of small and mid-size companies are finding attractive alternatives, whether it's through outsourcing or a service that will facilitate what they need to do. And kind of going back to your point about the investment, I think a lot of companies that traditionally made investment had a large investment, their SAMs, their firewalls. Having the COVID-19, and having it as first work field pushed a lot of those out to the end point, which has really helped with intelligence and understanding what's happening realtime. It wasn't driven from what's happening in Ukraine right now, but those who have made an investment there are reaping the rewards of it.
Ken Kadet: So, one of the things that's really clear is that supply chain is more important than ever and it sort of leads to more communication between companies and each other, companies and governments, companies and their suppliers. And obviously, for any company, you're in both positions at once in a lot of cases. Maybe talk about that a little bit. How has that changed over the past few months or even the past year?
Anudeep Parhar: I think from my perspective, one of the things that's really interesting is, I think that the ecosystem that we've built is dependent on a lot of profits, not only how products are built, but also how organization delivers services to their customers because of just the transformative nature of some of the digitization that's happened. So, I think what's happening a lot in my mind is that, to your point, the communication between partners to be able to see that instead of, for example in a supply chain type situation, instead of just holding all the supplies, it's more partnership between the consumer and the suppliers to be able to say how do we actually plan better. So, you're seeing a lot more technology being deployed where you can plan and project what your demand is going to be so they can work with your suppliers properly, to be able to say where in the ecosystem do you need redundancy in terms of what different parts and solutions you should have. Mark and I talk about this stuff even within our world from purely where either consuming and buying technologies relatively easier, compared to if you have to buy physical parts. But redundancy of networks, redundancy of certain pieces of your critical infrastructure, it's counter to your traditional cost based analysis. But if you put it in a risk perspective, you're seeing some of that dynamic is changing. You have to work with multiple vendors. Vendor diversity for your critical infrastructure from a supply chain perspective is becoming a scorecard that we track within C-suites, as well as with the board of directors, because it's a very critical risk that the company has to cover. So, really interesting things that are happening that are changing slowly the business in response to some of these broader geopolitical events and the companies are getting credit for it. Mark, would you agree?
Mark Ruchie: No, absolutely agree, Anudeep. From just a pure security perspective, supply side has gone from slow. What I mean by that is the questionnaires, the audit ask, where you're asking questions to your suppliers didn't necessarily give you a good view of what their operational security was, to now there's a demand for constant monitoring, constant understanding of what's going on. There's various services and ways to measure how they're doing, kind of like the Dun & Bradstreet, except for security. And there's a continual plethora. But I always like that word of intake that we send out to our suppliers and we as customers, or our revenue generating customers do the same to us. So, the dynamic is completely changing and it's becoming much more operationally focused.
Ken Kadet: Yeah, it's something we've said. I know we say a lot, nobody does cybersecurity alone. So, I know government has been a big part of this as well. We've seen the Shields Up program, areas like that. How is that going? Is the government doing enough? Are they doing the right things?
Mark Ruchie: Shields Up is a very good program, a lot of very fundamental controls that every company should have. So, people, if they have not looked at it, they should be looking up at it or thing like Shields Up and looking at the controls that are recommended. There is a difference obviously between that, when you say is the government doing enough, it's kind of like they're putting up a plan, a blueprint. They don't really tell you how much it costs, other than it could cost a lot and it could add a lot of friction to your business. So, I think that's where a lot of the challenges, a lot of companies don't have the resources for what's listed on there. And even if they do, the friction that we introduce, the CIOs, the businesses of the world don't like it because it slows down business. It's way of saying that I think Shields Up is a great fundamental blueprint for you to design internally and take what you can implement.
Anudeep Parhar: I personally really like the way Shields up is structured, which is I think it gives you a framework. It's like Mark, we talk about even from a said nest cybersecurity framework point of view, it starts setting the baseline from a government perspective to say that these are the essential, you say protect activities, these are the defensive activities you should be doing. And I think a lot of organizations that you see, it sounds very obvious if you are higher in the majority curve, but it's good to see, especially in the US, the government is actually taking control of saying how to define, how should corporations secure themselves. To Mark's point, it's a continuum. It gives you a framework of doing it. You can do a little bit of it and you can do all of it, depending on your risk appetite and risk posture of the company. But from my point of view, I think it's kind of like a basic infrastructure in terms of say the banking industry or in any other government industry. This is the horizontal layer that is being provided that we can innovate and build on, rather than so saying everybody's got to go build this stuff themselves. So, I think there's an efficiency that organizations will benefit from it and I think it gives a standard framework to manage your security posture.
Mark Ruchie: Sure, for lack of better description, because haven't historically been attacked, which is why the quick turnaround or intellectual theft hasn't necessarily impacted them because they're not a target. But I think they're fast becoming a target, particularly in the global nature. When I think about the world going from a unipolar to a multipolar between Russia, China, India, the US, everybody looking for influence, all of this stuff will start to splinter along those lines to a certain degree. So, they need to have their own shields up.
Ken Kadet: It sounds like, again, the word that keeps coming to mind and that you hear a lot is resilience, that as a company we want resilience for our organizations. For business leaders, maybe, Anudeep, this is something you can answer a little bit. What gives you that sense? How can you get to be confident that your organization has the resilience it needs in the face of what is coming?
Anudeep Parhar: So, one of the fundamental things like I was mentioning before is there is a lot of information available in order to how to make your organization resilient. Not this type of risk alone, but generally the risk to the corporations. Usually, the thinking was, even as little as five to 10 years ago, these were events people thought would happen to somebody else. So, the general knowledge of saying how to organize the company, how to have committees and subcommittees where you can at least talk about some of this stuff and document this stuff. Which means is carving out time in organizations very deliberately to focus on bringing like-minded people together to be able to say, how should we respond to this? How should we organize and report out to our C-suite, our CEO, as well as to our boards, is extremely important. So, organizations need to spend the time. Usually in a very outcome driven, very speed to market driven organization, those types of things are considered, man, we are slowing things down. But it's really, really important because it's not a euphemism anymore. It just takes one bad event, it could bring a very, very successful company down. So, I think these are essential risks that need to be taken care of. And like Mark and I talk about it is that, what used to be insurance, this is your corporate insurance that you're building by building a talent, the venues, the mechanisms. And if you invest the time on it, I think you'd be a lot more resilient as you go forward. Then the second piece is the obvious, which is like there's a lot of technology available. You can be really good at responding when events happen. You need to have those muscles. You need to be really good at protecting before the events happen, so events don't happen to you. And finally, to be able to say you got to have communication. This is one of those places where an organization cannot be successful if there is only one part of the organization that worry about it and everybody thinks it's a burden. So, the communication between different function, different businesses, and to your previous point, with your suppliers, as well as with the government is extremely important. And I think these are the muscles that, in my opinion, organizations, big or small who will build these muscles or exercise these muscles that they already have then will be extremely successful. And the national conclusion of it is, leaders who will actually do this are going to see their careers grow as well, because this is the scale in my opinion that's going to be needed going forward.
Mark Ruchie: I concur exactly with what Anudeep said. And one of them, I was almost starting to chuckle, because if you're the company that thinks that the CISO, the security director, the CIO is going to protect you and you can operate like you always have, you're missing the point. You're missing the point badly. The CISO, the security director, the CIO is going to be able to provide the framework, can provide the conceptual ideas, can provide a reference architecture, but it really does involve everybody at this point. Everybody is working remotely. If they're not reporting things, they're not doing things right, they're going to be susceptible. So, what it means is the culture has to change in companies. Move away from, yep, we check the box, we got some dude that does security for us or we've got the CIO is responsible for that. It's true that we're accountable for it, but it is a shared endeavor. And again, if then you have to have obviously the reference architecture, you have to have a framework to understand the cyber kill chain. You want to take a look at that and what's happening around the globe today. Do you have protective and detective controls wrapped around that? And 100%, as Anudeep said, this is going to grow for people who embrace that. It is not going to grow for those that do not.
Anudeep Parhar: I think you've seen some of this stuff. Mark, like for example, it used to be traditional thinking is if we just educate all of our employees on all these risks, that is good enough. So, now that good enough has moved quite a bit far up, it involves a lot more collaboration. We need to continuously educate. Unfortunately, the rest of the organization is so high if things go wrong that you have to continuously educate your folks, especially with the digital transformation. The amount of power that some of our endpoints, so to speak, the laptops and the devices that our business colleagues use, the disruptive power of some of this new technology is really high. So, if we need to educate the folks, it's not going to be, to your point, centrally manage that we can click a couple of buttons and secure the entire organization. It requires everybody to step up, learn, and from a leadership point, you need to make sure that we make the time, the venue and the content available for folks to be able to do some of these best practices. So, Ken, I think those are the kinds of things that we see that are more sort of the big R of the resiliency. It's not just the technology, it's the people, it's the culture, the communication, both internally and externally. I think that makes up the new resilience, so to speak.
Ken Kadet: Yeah, it really does take everybody. I think that's a great place to stop. This has been a great conversation and I've really enjoyed it having it with you guys. As a wrap up, I want to ask you guys to just share a little bit from yourselves. So, I'll just sort of throw this out. As you are hanging around the nerd bar this weekend, talking to CIOs and CISOs, as I'm sure you typically spend your entire weekend doing, what are some things you're going to be talking about this week? What are things you've learned or have kind of got your interest this week?
Mark Ruchie: My interests tend to be at a geo-strategic level, I must admit. For me, I'm amazed that kind of the west or the global response to what's happening. Ukraine has remained consistent. It hasn't spilled over in the cyber realm too much yet. It's spilling over in other ways. Then I will add in there that, look, Sweden and Finland may be joining NATO. Although, I found all those just rather fascinating things that you would not have thought of for my entire lifetime, that these things would've changed in this direction.
Anudeep Parhar: Awesome. Mine is a little bit on the lighter side. I think one of the things is, especially with what's happening globally with work from home or the hybrid work, the circles that I hang out with, literally last week we were talking about this stuff. It's really a challenge right now to figure out where, so the talent needs are going to be in order to address this. How do we actually create an environment so our talent, our folks be the company can sort of give their best, as well as we can get the best out of them? There's a lot of points of views. It's how the hybrid work should work and how we should secure it. But it's a really, really interesting point. There's no conclusion to it yet, but that's something that's top of mind for us all the time when we talk about this stuff. In terms of saying, how do we actually make sure that the organization and the company structured, our policies are in place so that it's a fun place for our colleagues to work? And at the same time, the productivity is at an all-time high and we are a culture that people want to be a part of. So, that's something that I learned last week that it's still being cooked. It's going to be a little while before it's all done. There's no magical answer and it's going to take us a while, but that's one of the reasons we love our job so much. So, it's fun to be able to make a positive impact on not only the company and the industry, but hey, how do we make it a good place for our people to work?
Ken Kadet: Perfect. Well, thank you. Let's wrap it up there. So, thank you, Anudeep. Thank you, Mark. Thank you, everyone, for listening to our podcast. The Entrust Cybersecurity Institute shares news and insights for IT and business leaders to help you protect and enhance your IT infrastructure. The Cybersecurity Institute leverages insights from Entrust, a global leader in protecting identities, payments, data, and infrastructure. See the show page for notes and links to our content. Our podcast was produced by Stephen Demone. And thanks for listening.