International Threat/Cyber Intelligence industries, including health care and insurance, technology, mortgage and loan services, finance and banking, retail, and travel. Sutherland has 36,000 employees and annual revenues of over $1.2 billion, [and] was listed in 2015 as one of the fastest growing private companies in America by Inc. I work for the recently created Sutherland Government Solutions as VP of Government Relations and Marketing, where we are at several agencies and are known for integrated services for citizen service needs and digital government. Our cybersecurity operations at Sutherland Government Services are internal, but we do have a practice in customer relations management after a company or agency has been breached. Our cybersecurity practice is led by Glenn Schoonover who has a deep technical background. He is a former chief information security officer for the Army and was responsible for providing network security to the Department of the Army headquarters. He is also a former senior technology strategist for Worldwide National Security and Public Safety at Microsoft. Q. I see you are active in both the public and private sectors when it comes to cybersecurity. What are the similarities and differences between these two sectors? A. The biggest difference is that government is motivated by mission, and the private sector (for the most part) is driven by profit and loss. The R&D efforts, innovation sector and skilled technical expertise in the private sector has been more robust than in government. Industry is more agile and able to react to threat trends. On the federal side, the landscape has really changed over the past few years. [The U.S. Department of Defense], of course, has had the cybersecurity war-fighting mission and continues to build upon new requirements for operations and for systems. On the civilian side, DHS takes an increasingly larger role in cybersecurity. Presidential and congressional directives have mandated that DHS play a growing and more primary role, especially with protecting critical infrastructure (transportation, health, energy, finance) that is mostly owned by the private sector. DHS has to step up its activities in assessing situational awareness, information sharing, and resilience research and development plans with stakeholders. This has led to a trend in public-private partnering for sharing threat information and in creating standards and protocols. In both the public and private sectors, training of the next-generation cybersecurity technical and policy [subject matter experts] is a major 34 priority. Q. To date, there seems to be a standoff between Apple and the federal government when it comes to iPhone security. What are your thoughts on this, and can this bring about some lessons learned for the cybersecurity industry? A. This is the topic of the day, and it is a complicated issue relating to government requesting a corporation to provide software to allow access to data. My thoughts may be a bit different from some of the others in the industry. While I recognize the importance of privacy and the dire risk of an Orwellian surveillance state, I consider protecting innocent lives as a mitigating circumstance. What if that data that the FBI is seeking on the terrorist’s encrypted phone uncovers a deeper terrorist network planning more horrific acts? In my opinion, this is a mitigating circumstance. What should be done is to establish protocols between industry and law enforcement to cooperate in these type of instances (with proper warrants and assurances) so that company Internet protocol can be isolated and privacy issues for the company’s customers can be best addressed. I am quite sure Congress will be looking closely at this case to establish legislation to create a working formula. The lesson for cybersecurity is
that there is a balance between privacy and security that has to be constantly reviewed in accordance with the threats at hand. Q. With billions of Inernet of Things devices on the near horizon and zetabytes of data projected by 2020, can we secure and control our digital processes, or are we headed for a digital train wreck? A. According to Gartner, there will be nearly 26 billion networked devices on the Internet of Things (IoT) by 2020. Moreover, it will keep expanding as the cost of sensors decreases and processing power and bandwidth continue to increase. The fact is that most of these IT networks will have some sort of an IoT-based security breach. We could be headed for a digital train wreck if IoT security standards are not adopted. We may have a digital train wreck even if they are adopted. Standards will have to be developed industry by industry. Protecting a network of medical devices in a hospital will require different sets of standards than protecting utilities with SCADA [supervisory control and data acquisition] systems that make up the electric grid. There are a lot of questions, including who enforces compliance? And what are the liabilities of an IoT breach? The real danger is that the Internet was not built for security at its inception; it was built for connectivity. There is some truth to the notion that your network may someday be betrayed by your toaster or refrigerator. One thing is for sure: the Internet of Things will pose many challenges to cybersecurity and data analytics, much of which we have yet to contemplate. Q. You’ve had the opportunity to review many cyberdefense technologies. Are we really finding new solutions that can handle this explosion of digital processes, or are we still playing the game of catch-up and patch-and-pray cybersecurity? A. New solutions are continually evolving with threats, but there will always be a need for better encryption, biometrics, analytics and automated network security to protect networks and endpoints. It is a perpetual game of cat and mouse between hackers and protectors, and there is really no such thing as being invulnerable. In a sense, we are continually playing catch-up and reacting to the last incident with patches. The weakest link will always be the human element. However, there are many new interesting technologies that could significantly impact cybersecurity in 35 the near future. There are technologies and algorithms coming out of the national labs, government, and from private-sector R&D and startups that have the potential to be disruptive. Q. Any final comments? And are there any speaking engagements or events you are participating in that you would like to announce? Could you also offer a good source for information on the subject of cybersecurity that you would suggest for our readers? A. Please check my regular posts in the media and social media, join my LinkedIn groups and follow me on Twitter @ChuckDBrooks. I do have some future blogs with the National Cybersecurity Institute on my agenda. Also, in addition to social media, which I highly recommend, there are many excellent outlets for cybersecurity information including the Homeland Defense and Security Information Analysis Center. A great site that aggregated cybersecurity news daily is The CyberWire. Larry Karisny is the director of Project Safety.org, an advisor, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors. Reprinted with permission of authors.