Removing Spookery from Cybersecurity

DAVID HECHLER (New York): He’s the president and chief information security officer (CISO) of CI Security. And those are just the jobs he bothers to list. As the founder of this startup, Michael Hamilton does whatever needs to be done. And he draws on a wealth of experience, having worked in the information security field for a quarter of a century. But when he talks about his years as a security consultant, this CISO downplays the importance of his technical ability. There was something else that was much more important.

“The technical skills, anybody can learn,” he explains. “Sitting across the table from someone, being the expert in the room and focusing on eye contact, tone of voice, inflection, body language—those are very important skills to get.” You have to keep the customer happy. You have to manage expectations. “You turn into a really, really good communicator,” he says. “And frankly, security consulting teaches that more than anything else.”

He’s clearly given the topic lots of thought. He’s particularly expansive on the subject of how general counsel and CISOs ought to communicate and collaborate. And he’s had an opportunity to observe and put his ideas into practice during lengthy stretches as a consultant at companies like retail giant Walmart and the automotive and aerospace company TRW.

He was also a senior principal consultant at startup Guardent, which was acquired by VeriSign, and he later spent seven years as the CISO of the city of Seattle (where his current company is based). His no-nonsense approach and his jargon-free speech are unusual for cybersecurity experts, who sometimes sound most comfortable when they wade into the verbal weeds.

CyberInsecurity News: You think a lot of companies are missing the point on cybersecurity, and that it’s not as complicated as some people would have us believe. How do you break it down?

Michael Hamilton: You need to package information security in a way that resonates with the role of the people you are speaking with. What I have found is that it’s better to talk about outcomes to avoid, and the dollar amounts you associate with those outcomes, to convert the cybersecurity spookery into amounts of liability. That is a much better conversation to have. Here are three things that go wrong: unauthorized disclosure of protected records; theft and extortion; disruption of critical services. Undesired outcomes are fairly categorized into those three buckets. Critical services may be essential for the operational continuity of your company. Or, if you’re a local government, it’s drinking water, flushing toilets and 911 service. And then you talk about the dollar amount. It could be something between $200 and $400 a record to clean up unauthorized disclosure of records. Theft and extortion is probably right around what you routinely lose if somebody gets fooled by a fake invoice, or it’s what you think you’re going to pay if you’re extorted. If you get hit with ransomware and your critical operating capacity is affected, you’re probably going to pay it. It’s probably going to be whatever they ask for. If your critical services include life safety, the liability may include loss of life, which has a cost that has actually been quantified by airplane manufacturers. So turning liability into dollar amounts lets us have a discussion around risk.

Now, to your point about making this simpler: Risk is the likelihood that something will go wrong, and the impact if it does—that is, what it costs. We have been convinced by venture capital companies that smell blood in the water that all we need to do is keep buying products that will make our networks more and more secure, using artificial intelligence, machine learning, etc. And none of this is necessary. What’s necessary is to roll up your sleeves and do the things that you’ve always been told you need to do. You buy down the likelihood that things will go wrong with preventive control, and you buy down the impact with detection and effective response. If you’re not managing your vulnerabilities and training your users, you have no business buying AI. Not watching your network, you’re digging your hole deeper by buying a whole bunch of products that you’re going to have to throw people at. And ultimately you will achieve an outcome that is exactly the opposite of the one you intended. You’re just going to have to throw people at the problem that you bought technology to avoid throwing people at.

CIN: You also object to the overuse of the word “attack” in this context, don’t you?

MH: Yes, I do. And here’s an example of why. The British National Health Service, which was crushed by the WannaCry attack, released a statement that said, “We have been hit with 11 million attacks.” No, they did not get 11 million attacks. Now that they have religion, after getting crushed, they’re watching the network, and they see the magnitude of the background noise of the internet. Most companies’ problems are not nation-state threats. It’s a user who trips over crap on the internet. Or a shotgun-blast attempt to round people up into some banking Trojan or something like that. It wasn’t directed at you. It wasn’t personal. It was meant for anybody dumb enough to click or follow a link. So this whole business about attacks is way overblown. I really wish people would quit calling everything an attack.

CIN: Where do in-house lawyers fit in your vision of security?

MH: In-house attorneys should be important in a third-party acquisition and, more broadly, in mergers and acquisitions. There have been a number of circumstances where valuation prices have been impacted after there was an announcement that there was going to be an acquisition—for example, Yahoo fell on its face, and its valuation lost several billion dollars. So certainly this is one area where attorneys are uniquely valuable—figuring out what is the appropriate touch to put on an acquisition target in the process of diligence to make sure that you don’t inherit something that’s going to blow up on you. This is part of a larger third-party security trend that is not going away. An example involves the Office of the Comptroller of the Currency. The OCC has said that when the FFIEC—that’s the Federal Financial Institutions Examination Council—goes out to examine banks, those banks have to not only substantiate the presence of a third party’s security program, but also provide evidence that demonstrates its effectiveness. And the Department of Defense has said that if you are a contractor to the DoD—that could be construction companies, that could be truck drivers—you need to self-attest against NIST SP 800-171. And if you don’t, you will no longer be a contractor for the DoD.

CIN: You’re talking about government entities working with vendors—third parties of various kinds. We also know that companies that hire third-party vendors can be held liable if those vendors suffer data breaches; therefore it behooves companies to sign contracts with those vendors that require them to demonstrate their cybersecurity. And I suppose you’ve probably had experience along those lines.

MH: Well, now I’m on the other side of this, and I have to sign the agreements. CI Security is a service provider to lots of entities that are covered, so we’ve had to architect our platform in such a way as to respect the regulated nature of the information that we necessarily must handle. We work with attorneys to make sure that we make the proper kinds of attestations about our security controls, and we voluntarily bring in auditors to peek behind the covers. There are attorneys involved in every part of that. Increasingly, this is table stakes going forward. Everybody’s got to show everybody else their papers.

CIN: Where did you first have substantial experience working with in-house lawyers?

MH: Probably at Guardent. The attorneys were very front and center. This was before a lot of this regulatory expansion to third parties. Still, it was important that we made our attestations in the right way. There’s another entity that’s recently really gotten into the security space, and that’s the Federal Trade Commission [FTC]. It’s important that the public statements that you make about how you handle customer data, consumer data, employee data match your practices. If you make pronouncements about how you file all appropriate controls, and then something happens and you have unauthorized disclosure of records, the FTC is going to call that a deceptive trade practice. And they’re going to bring out the hammer.

CIN: Did you have trouble communicating with the lawyers in the early days? Or have you always been able to communicate effectively?

MH: I think I’ve evolved. But I was one of the senior consultants from 2000 to 2004 at Guardent. I was the senior principal consultant. And so I think I worked with attorneys a little bit more than everybody else. I remember in particular there was a privacy attorney who we worked with—an outside attorney who partnered with us named Peter Adler. The nexus of security and privacy was not as clear then as it is today. Consumer expectations about privacy are starting to be a main driver of security. Compliance has always been a driver of security, and really now it’s consumer expectations, shareholder expectations, board expectations, etc. Privacy is really front and center. But back then, being assigned to be someone who worked with an attorney specifically to come up with a go-to-market strategy around combined security and privacy—I think that was probably the earliest and one of the best introductions that I ever got.

CIN: Was it at Guardent that you learned the most about working with lawyers?

MH: I think I learned the most when I started the company that became CI Security. When you’re founder of a business, and it’s your money that you’re spending to keep the business afloat, you become a little more highly attuned to the value of the attorneys.

CIN: Why do you think people on the tech side, such as CISOs, often have difficulty communicating with in-house lawyers?

MH: I think their goals may be a little at odds. The people that do security have a certain sense of how secure things are. And attorneys are going to be involved in public communications, talking about how things really are—up to the limit of what they can say. There’s a little disconnect there. Everybody needs to work together for a bit before they become fluent and comfortable with those differences. More than anything else, we’re becoming allies. It’s because a general counsel at a corporation ultimately has a fiduciary responsibility much like, say, a chief risk officer. They’re concerned with some of the same things. And so when the conversation between information security professionals and general counsel takes place, it’s much better done around these concepts I talked about earlier: outcomes to avoid, dollar amounts assigned to those, how you manage risk around those things. Lawyers understand very well what the hit to the corporation is going to be if the FBI calls and says, “Hey, all of your customer records are for sale on the dark web.” So we’ve become allies over the last five years. They’re really getting tuned into what the security folks are doing for them, asking for their presence more at C-level meetings. Instead of saying, “Hey, we told you to keep the bad guys out of the network,” it’s now more, “Help us manage the risk of these foreseeable events.”

CIN: Beyond what you just said, CISOs and general counsel actually have a good deal in common. They’re often seen by their companies as cost centers and impediments to the business. They can throw up roadblocks to business initiatives in the name of compliance or security. And they have to justify their budget requests to sometimes skeptical executives. If you agree, is there a way that they can use those common elements to form strategic alliances?

MH: I do agree with that. I think it’s a fairly primitive view when people think, “You folks are just a cost center. And I’m going to have to work around you.” Do that at your peril. As for the second part, I do believe there is a way to become aligned, and I think in part it’s being driven by things like customer expectations, shareholder expectations and all this third-party “show me your papers” stuff. Because we’re getting to the point where security is starting to actually be considered a competitive differentiator. I’m starting to see more and more vendors holding up their hands and saying, “Buy from us, because we’re more secure than our competitor over there.”

CIN: Do you have advice on how the two groups can break the ice that sometimes exists between them?

MH: Well, pizza is always a good idea. And I will tell you one place where there’s always a good common conversation. It’s emerging legislation—typically privacy legislation that’s coming at us fast—and what is the nexus of privacy, security and law? Privacy is becoming a main driver of security. And the penalties for lapsing controls in unauthorized disclosure of privacy information—well, you’ve seen what some of the fines look like. From the EU’s General Data Protection Regulation to the California Consumer Privacy Act—and now New York just jumped on the bandwagon. Pretty quick here, you’re going to end up with a dozen or maybe up to 50 state laws on how you must fall on your sword if you have unauthorized disclosure of privacy information. And the security folks who are applying the controls, and the legal people who are going to have to clean that up when it happens, probably have a lot to talk about.

CIN: Let’s turn to a topic that’s been in the news a lot: ransomware. Recently there’s been an onslaught of attacks on cities and municipalities. You were the CISO of Seattle from 2006 to 2013. Did that experience afford you any insight about vulnerabilities that would help us understand these events?

MH: Yes. A couple. Ransomware starts as just a piece of malware. I would not break it out specifically. Its function happens to be extortion. It encrypts, and then you get the extortion screen. The initial piece of malware is just to establish a beachhead. And then it’s got to beacon out and go, “Hey, I’m here. What do you want me to do?” It could be “log keystrokes.” It could be “look around for intellectual property to steal, or records to steal.” Or it could be “lock up the network so that we can extort.” So avoiding malware and the introduction of that first little piece—that’s really the conversation to have. Secondarily, a real vulnerability that can lead to a lockdown—especially in the public sector, but I think this is fairly ubiquitous—is company policies governing employees’ use of technology. Many companies allow employees to use personal devices, as long as this doesn’t create a security problem, cost extra or affect productivity. But I can prove that it does all three. I made a lot of measurements at the city of Seattle while I was there. At one point we could prove that 40 percent of compromised assets on the network came from personal email. If a policy change is enacted that says: “All personal use will be on personal devices,” and Facebook lives on your phone, and Gmail and all other personal email lives on your phone, that 40 percent of this problem is likely to just go right off a cliff. Unfortunately, government in particular manages by landmine. Not to explode; but to go, “Oh. Oh. We should probably go fix that thing we all knew was wrong.”

CIN: And do no work related to business on your phone? Is that part of the policy?

MH: Yes. I would package it as all personal use on a personal device. I would rescind the policy of de minimis use. That’s the name they give it in government. It means small enough to be insignificant. De minimis use is not the way it works anyway when employees use office computers for personal matters. People use office computers to surf all day long. Look, just do it on your phone. And I don’t say that will make the whole problem go away. But if it accounts for 40 percent of the problem, that is a huge move of the needle.

CIN: What about business email received on a personal phone?

MH: That’s another issue. It can be addressed by installing mobile data management software on phones. This partitions email for personal use and email for business use.

CIN: Has your company advised cities that have been victimized by ransomware attacks, or are worried about being victimized?

MH: Absolutely. Everybody’s worried about ransomware. Everybody saw what happened to Atlanta. And in the public sector, the conversation is always, “Well, how likely is it that that could happen to us?” But again, it’s not that you got ransomware. It’s that you got malware, and it just turned out to be ransomware. If you stop malware, you stop ransomware.

CIN: So what do you tell them?

MH: Your preventive controls help you buy down the likelihood of a bad event. That likelihood will never go to zero. You must manage the impact of these events. Malware can land on a computer, start to look around the network and look for the real operational capability to encrypt so that they can extort the hell out of you. And if you see that happening, you can pull the plug on the computer and limit the impact of that to a single system. And your impact is that the Help Desk has to clean up a system. That’s not a big deal. Everybody’s got great preventive controls in place, and they will fail. User activity, determined actors—there are a lot of ways that they can fail. And when they do fail, you need to manage the impact of those events. And the way you do that is through effective monitoring and response.

CIN: What are your most important takeaways for lawyers?

MH: Don’t get bogged down in quote unquote cybersecurity. Think about this in terms of dollar amounts of liability that are avoidable. Think about managing impact of what is certainly coming your way. And it doesn’t necessarily have to be pointed at you. It can be part of a shotgun blast. Or you can actually be collateral damage from an act that was targeted against another entity. Russia targeting the economy of Ukraine ended up hitting Merck and Maersk and all of these companies. Stuff is coming to your doorstep. And do not think for a second that you’re going to be able to invest in a product that allows you to avoid all of this. You need to really focus on managing those dollar amounts of liability, putting out little fires before they burn the house down. Because little fires are going to start. In order to do that, have a great relationship with your information security officer, keeping the discussions mostly focused on governance, risk, compliance, etc., and not so much the weeds of specific threats. That’s probably the best advice I can give.