CHAPTER 11
Turning Cyber Incident Lemons into Organizational Lemonade

Never let a good crisis go to waste.

—Winston Churchill

The BBC headline told a grim story: “Cyber-Attack on Irish Health Service ‘Catastrophic.’”1 The article began: “Health Service Executive (HSE) chief executive Paul Reid criticized the ransomware attack as a ‘callous act’ and an attack on health workers.

“The number of appointments in some areas of the system has dropped by 80%.

“Health workers are attempting to continue with paper records while work continues to recover IT systems… .

“However he said work to undo the damage will continue into the coming weeks… .”

Although the Conti ransomware group asked for $20 million to restore service, they suddenly handed over the decryption software tool for free, just under a week after the incident started.

“On its darknet website, the Conti ransomware group told the Health Service Executive (HSE), which runs Ireland's healthcare system, that ‘we are providing the decryption tool for your network for free. But you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation.’”2

During that same week in May 2021, other hospitals in New Zealand and San Diego, California, were hit with ransomware, and we learned of attacks on education systems, local governments, and more. But even in the midst of an unrelenting surge in global ransomware cyberattacks, Politico's Weekly Cybersecurity Newsletter closed with a message of optimism: “Not all hope is lost: There's plenty organizations can implement quickly to protect themselves from ransomware, such as regularly backing up data, using air gapped machines and creating offline, password-protected backup copies of information.”3

ARE WE LEARNING FROM THESE TRUE STORIES?

Skeptics will no doubt say that these global organizations knew plenty of cyber best practices before these cyberattacks. So why do these increasingly scary cyber emergency stories proliferate? How can we take these substantial extortion and other technology security incident examples (call them lemons) and find some organizational good out of them (call that lemonade)?

What factors contribute to inadequate security protections, process failures, and worse? How can we get more clarity around implementing risk-reducing solutions – even after comprehensive risk assessments point to the areas that need attention?

Most organizations have (at least some) cyber best practices, international security standard practices, cyber framework guidelines, enterprise plans, award-winning solutions, and more. Even if you don't possess these solution checklists, it's not very hard to find them.

But why are these practices not followed? What inhibits ongoing success, security culture change, or whatever it takes to stop the data breaches, disarm ransomware, react faster to incidents, and implant professional incident response plans?4

The answers vary depending upon who you listen to, but the following are a few perspectives:

More details are provided on each item in the article, but the following two charts outline the excuses and helpful actions, along with our tips.

10 Excuses Why Best Practices Are Not Implemented Fact-Finding (FF) Questions Tips to Help
We did not have the time. Where are we spending the bulk of our time? Are we allocating our time proportionately according to the criticality levels of risks? Project management team needed.
We could not afford it. Are there other areas we are spending our budget on that can be reallocated? How does our budget align with the company's strategy and business risk? Budget and resources must be prioritized.
Our company is different. How have we educated our stakeholders to raise their level of awareness? Have we looked for security advocates and champions within the different divisions to assist in influencing laterally and upward? So is every company. Culture and leadership are required.
The vendor told us it was not necessary. How are we cross-checking what our third parties are telling us? Are we responsible for our customer's data and trust at the end of the day, or do we hold them entirely responsible? Ask: Who, what, when, where, how?
We didn't trust our system vendor. How do we scale the business in the future with growing partners and vendors if we don't have a system of keeping track of how our critical data is being shared? How are we assessing the maturity of our vendors' security posture? Excellence in contract management and ideally a framework to assess criticality of risks across the different vendor partnerships are needed.
We didn't understand why it was necessary. What is the current security awareness culture like among the leadership team and the different divisions? Team education is an ongoing must-have.
It was too hard. Have you tried getting allies so that it is not just you fighting an organizational battle? Are there other battles that might result in better outcomes? What are some other smaller initial commitments you can focus on securing from your stakeholders first, and then working your way on getting more buy-in from there? Time and resources + priority and follow-through required.
We tried this before and it didn't work. What was the environment like before when it didn't work? What were the reasons it failed? How can change be made and executed differently this time? Have you looked at the mechanics of influence? The right time, place, product, team, and culture are needed for success – it may be best to try again.
We were afraid of what we might discover. Are you comfortable with not knowing what the malicious attackers out there know about your company? How are you managing your risks if you do not know what needs to be managed? Ongoing risk assessments are a must. Cyber risks do not just stop at us; we have to think about our customers too.
We thought we had a better way. Have you consulted the right opinions before coming to a decision? If an incident should happen and the company comes under scrutiny, is there documented evidence that due diligence has been done? Choose strategy wisely – with backup data.

Solutions

5 Things to Do About “Best Practice Apathy” Tips to Help Food for Thought
Make failure real Exercises are a must – practice, practice, practice. What is your mindset, and what is leadership's view on cyber failures? Who is accountable? How can you build a culture and work environment that does not finger-point or blame, but encourages transparency in sharing lessons learned and mistakes owned?
Failure Mode Effects Analysis (FMEA) Create a structured process. Do you know what your industry peers are using? How does your process benchmark against theirs?
Early identification of business operational continuity measures Regular reports on readiness to management. What has been the impact on other organizations who do not have a BCP? How does your BCP compare in your industry sector? What are the different lessons learned each time it is being run?
Methodology change control What is the process? Refine, improve, and test. How often have you reviewed your process? Are there ways of doing this more effectively?
Get a second opinion Constantly be looking to improve. Third-party experts can provide a fresh look. We are stronger together. How can you play on your strengths while leveraging the community or collaborating with existing or new partnerships to complement and strengthen your business case?

A few additional thoughts on the “make failure real” suggestion in the chart. Many CISOs say that they would love a leadership job right after a major data breach or headline-grabbing security incident strikes an organization.

Why? Because the last security leader got the boot, and you can come in with a new sense of urgency, additional resources (often more people and dollars), and very low overall career risk, because everyone knows the data breach just happened and it was not the new CISO's fault.

The challenge becomes how to get that sense of urgency before a major, expensive data breach or emergency cyber incident that is known.

One answer is to ensure that current (lower level, nonemergency) cyber incidents and vulnerabilities are being communicated to senior management in repeatable ways. Stories of supply chain and competitor data breaches are often effective at grabbing the attention of top decision makers.

While all of these lists offer pragmatic, common-sense reasons that change does not occur or last in public and private sector companies, there is another reason near the top of the list: the belief that “it won't happen to us.”

While this may seem very conceited, shortsighted, or even incredible to some, overconfidence is commonplace. See Chapter 10 for more on this leadership blind spot.

Finally, should organizations worry if they are using the wrong list of best practices? Some have argued that global data breaches are occurring at unprecedented levels because we are doing the wrong things.

One author even states: “The hacking at Colonial Pipeline is the latest in a series of breaches that have impacted a long-and-growing list of other businesses – all ambushed by some individual or group that managed to hack through cyber security ‘industry best practices …’”9

The trouble is that in most cases, and with the Colonial Pipeline breach in particular, best practices were not being followed in all areas, based on public reports of system vulnerabilities.10

The main point is that you should choose a well-documented, reputable set of standards and cyber best practices to follow and do so with rigor. (The NIST Cyber Framework is one example.)

While it is certainly worthwhile and important to try to adopt an excellent framework that consistently addresses the appropriate people, processes, and technology, including cyber controls, tools, protections, and staffing to secure your organization's critical data assets, data breaches generally occur via a weak link where best-practice lists were not followed consistently.

CALLS FOR MORE RESILIENCE AND DOING MUCH BETTER

The U.S. RSA Conference has been the largest annual cybersecurity conference in the world for many years. In 2021, due to the COVID-19 pandemic, the conference was a virtual-only event, and several presentations provided short testimonials on resilience in cybersecurity. These brief, passionate testimonials, which are available for free on YouTube,11 offer a glimpse of many lessons learned during a time of immense change and online uncertainty.

Chloé Messdaghi, cofounder of WoSEC and Hacking is NOT a crime, and founder of WeAreHackerz, reflected on the importance of being present and engaged in the moment, and not just focusing on planning for projects and events one, two, or three years out.12 She exclaimed, “The pandemic put everything on hold, which made me realize and recognize that there will be times when you do not have control of your own life.”

That same sentiment applies to cyber emergency incident responses for everyone involved as responders to emergency situations. There is a need to block out all other distractions, plans, and projects that were thought to be important before the incident, and focus on the actions required at that moment in incident response. There is a need to adapt to new circumstances and work together in newly formed teams to accomplish a very specific mission.

Another vital perspective on the “urgency of the moment and the need for us to renew our commitment to partnership” came from Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology in the Biden Administration. She spoke about not only the national security perspectives regarding cybersecurity, but an economic security imperative as well.13

Neuberger cited several lessons from the SolarWinds incident:

  1. Adversaries will look for any opening to attack.
  2. Partnerships are critical to the safety of our nation in cyberspace.
  3. Governments need to urgently modernize cybersecurity defenses. To do this, we must shift our mindset from incident response to prevention by getting ahead of threats and facilitate early detection.

She elaborated on what it means to shift our mindset: “I've observed as a community, we've accepted that we'll move from one incident response to the next. And while we must acknowledge breaches will happen, and prepare for them, we simply cannot let ‘waiting for the next shoe to drop’ to be the status quo under which we operate. The national security implications of doing so are too grave.”

She describes “three complementary and mutually reinforcing lines of effort”:

  1. Modernize cyber defenses.
  2. Return to a more active role on cyber internationally.
  3. Ensure America's better posture to compete.

In the area of protecting critical infrastructure, Neuberger described new private sector efforts with the energy industry to install new technologies that provide timely visibility, detection, response, and blocking capabilities. These steps will “protect the technologies upon which our critical services depend.”

MORE LESSONS LEARNED

After every headline-grabbing cyberattack, there are almost always lists of lessons learned and takeaways. Some thoughts are certainly better than others. Edward Segal, a crisis management expert and author of Crisis Ahead: 101 Ways to Prepare for and Bounce Back from Disasters, Scandals, and Other Emergencies, offered “7 Crisis Management Lessons From Colonial Pipeline's Response To Cyber Attack” in Forbes.14

These lessons include:

  1. Tell people what happened.
  2. Call in the experts.
  3. Establish priorities.
  4. Don't speculate.
  5. Take control.
  6. Send the right message.
  7. Isolate the problem.

This practice of learning from major security incidents, including how your team responds, is not new. However, the lessons learned are (sadly) often forgotten.

After the huge data breach at SolarWinds, the World Economic Forum published four ways that global governments and businesses can work together to be more effective in cybersecurity defenses.15 Those items included:

  1. Share threat intelligence.
  2. Align cyber education with market needs.
  3. Sharpen incident-response capabilities.
  4. Build security by design.

For item 3, they recommend:

“Even the best cyber defense is likely to be cracked. That's why effective organizations have well-rehearsed plans in place to deal with attackers.

“Several nations provide forums where government and business collaborate in response to cyberattacks. In the United States, CISA's National Cyber Incident Response Plan defines cyber defense as a ‘shared responsibility’ of individuals, the private sector, and government; spells out the roles government departments will play in responding to attacks; and commits federal officials to safeguarding the privacy and intellectual property of companies.16 The UK's National Cyber Security Centre, an arm of the GCHQ intelligence agency,17 coordinates similar responses and sets out which private sector cyber specialists it will collaborate with… .”

In a 2013 example, ISSA presented a seminar entitled “Life's A Breach Report: Making Lemonade Out of Lemons.”18 Pete Lindstrom, who was the Principal at Spire Security at that time, offered five questions to ask yourself after a breach, along with actions to help. It is still relevant in the 2020s and beyond.

Question Action
1. How much did you lose? Calculate (or at least estimate) losses.
2. What was the source of the attack? Identify/monitor your attack vectors.
3. Was your response efficient/effective? Assess security spending.
4. Were you negligent or “unlucky”? Measure/assess risk levels.
5. Where and when will the next attack take place? Use metrics to support risk management.

BACK TO THE BEGINNING: A CIRCULAR APPROACH TO INCIDENT RESPONSE DURING CYBER EMERGENCIES

The NIST Cybersecurity Framework (CSF) is designed to reduce risk by improving the management of cybersecurity risk. The CSF offers a diagram that articulates the five functions: identify, protect, detect, respond, and recover (see Figure 11.1).

Furthermore, under the fifth area of recovery, NIST describes the need to make improvements to processes, procedures, and technologies.19

Which brings us full circle to preparing for the next incident based on the lessons learned from past incidents and exercises. There are several formal methodologies for capturing these lessons to make “lemonade out of lemons,” and one of those is a “hot wash” procedure, as described in the Cyberstorm examples earlier.

NIST 800-84 is the “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities.” Pages 5–6 include this important point:

During the evaluation phase, the exercise director relies on the design team or other specified staff to develop the after action report that documents findings and recommendations from the functional exercise. Exercise notes, forms, and other material created during the course of exercise play and during the hotwash are the basis of the after action report. The introduction to the after action report should document background information about the exercise such as the scope, objectives, and scenario. The after action report should also document observations made by the exercise staff and participants during the exercise and recommendations for enhancing the IT plan that was exercised. The after action report should also include a list of exercise participants and may provide information from any participant surveys that were distributed during the hotwash to solicit feedback.

Schematic illustration of a diagram that articulates the five functions: identify, protect, detect, respond, and recover.

FIGURE 11.1

Source: NIST, https://www.nist.gov/sites/default/files/styles/960_x_960_limit/public/images/2018/05/01/cybersecurity-flyer-graphic.png?itok=yjdnk5Re.

Following the development of the after action report, the plan coordinator might assign action items to select personnel in an effort to update the IT plan being exercised. The plan coordinator should then update the plan, if appropriate, by implementing recommendations made in the after action report. It may also be necessary to brief certain managers on the results of the exercise, update other security-related documents, and perform other actions based on the exercise. …20

Following is one simple example from a hospital's cyber incident.

A HELPFUL HOSPITAL EXAMPLE

In October 2020 a small, rural hospital in Michigan's Upper Peninsula was the victim of a ransomware attack. On a Saturday afternoon, when the chief compliance and risk officer received a voicemail indicating that systems were down, she assumed that the cause was a routine hardware or software failure that would soon be rectified. It wasn't until the second phone call that she learned that a ransom note had been discovered.

The attack against this small rural hospital disrupted systems and communications for weeks and made it difficult to treat patients and perform routine hospital functions. IT systems were down, so patient care reverted to paper; simple functions like getting insurance authorizations reverted to phone calls; and for the first time ever, the hospital had staff physically driving to pick up patient medical records from other providers. The event put a strain on the health system and the communities it serves.

MAKING LEMONADE

Fortunately, the attack and its effects were an opportunity in disguise. The attack rallied support and reiterated the criticality of information security and IT. Despite the stress on the organization, they were responsive to the attack and eager to improve their security posture. They hired Doug Copley, the former CISO from Beaumont Hospital in Michigan, to run their security program. Doug's enterprise experience, industry connections, and focus on helping smaller organizations with cyber preparedness fit well with this small rural healthcare entity’s ideal.

Taking input from the forensics investigators and taking advice from the Michigan Cyber Command Center and the FBI, at the time of Doug's entrance to the organization, activities were already underway to enhance firewall protections, endpoint detection and response, and security monitoring. Despite all the security controls in place, Doug wanted a better way to tie all the controls together. Over the next several months, he focused on adopting industry frameworks and putting a comprehensive security roadmap in place. Within months the hospital security team had instituted the NIST 800-53 and NIST CSF frameworks, worked through a new security risk assessment, and laid out a roadmap to mature the information security functions. The attack was disruptive and stressful, but it was important to harness the heightened focus from leadership to drive advancement into the information security program.

FIVE LESSONS FROM THE HOSPITAL ATTACK

Doug shared several lessons learned as a result of this attack.

  1. Advanced antimalware is a necessity. With the continual advancement in cyberattack methods, it is critically important to have strong detection and response capabilities on every device possible.
  2. Leverage machine learning in security monitoring. The volume of events to monitor can be staggering, and machines can monitor events much more quickly than humans. Leverage automated monitoring so anomalies can be identified and escalated faster.
  3. System dependencies sometimes lie outside your organization. It's important that your Business Impact Assessment (BIA) clearly articulate all dependencies, even with third parties. When security incidents cause you to sever communications with third parties, it will take time and energy to convince them to re-enable communications.
  4. Continuity and recovery plans must be accessible. Maintain copies in paper format or on secure cloud platforms that can be accessed when company systems are down.
  5. Practice, practice, practice. Although they may not prepare you 100% for attacks, running periodic exercises to educate team members on proper incident protocols can help ensure that people follow procedures in times of crisis.

FIVE LESSONS FROM DIVERSE INFORMATION SHARING AND ANALYSIS CENTERS (ISACs)

Carlos P. Kizzee has worked in a variety of senior leadership capacities, including director and executive VP roles with several ISACs and senior roles within the U.S. Department of Homeland Security (DHS). Carlos's observations of many organizations responding to cyber incidents have provided some key differentiators between those who do well and those who do not.

“The first differentiator is the organization's commitment to peer engagement and collaboration. I am not just talking about information sharing here, I'm talking about meaningful peer interaction. Organizations who are in the habit of active and proactive peer engagement have a means to detect earlier, to be aware of, and to embrace the most relevant security controls and best practices. This helps them to enhance detection and prevention efforts and to shorten the time to mitigation. These organizations evidence the commitment to learn from and with their peers before there is a problem, and to leverage security collaboration to give them an edge.

“The next differentiator is the organization's ability to prioritize risk management efforts. No enterprise can eliminate all risk. Resources are limited, and the identification of new and emerging threats and vulnerabilities is continuous. Organizations who have internal mechanisms and capabilities that focus security activities to what matters most to their enterprise evidence best practices in prioritizing threat detection and vulnerability management activities against relevant risks and key organizational concerns. This places them ahead of their peers.

“A third standout is the organization's dedication to cybersecurity fundamentals. Every security vendor will confirm that their latest shiny ball capability is all that is needed to meet the next great security concern. It is wise to keep an eye on emerging capabilities and evaluate what works, but it is essential to keep the team focused on enhancing their efforts in the fundamentals. Patching, tuning and implementation of tools for highest efficacy, and maintaining and enhancing key analyst and operational tradecraft should be a priority. Organizations must be dedicated to not being distracted by every new, latest thing to the detriment of their focus on the fundamentals.

“Fourth among the key differentiators of quality organizations is the commitment to meaningful security. Organizations should not be satisfied with the ‘security kabuki’ of looking secure or achieving milestones in security effort while hiding actual risks and key controls behind masks and layers of greasepaint. Organizations need to focus on applying controls in depth that are essential to their security, and to promoting an alert and security-aware workforce that is mature and sincere in key habits of cyber hygiene that are informed by the threats of aggressive and highly motivated threat actors, and by the priorities of their organization and its overall mission.

“Fifth and final among differentiators is an organization's commitment to its people. Leaders who invest in their people's training, their quality of life, and who remember that they compete with their employee's next, best green grass employment opportunity will care for their people so that their security workforce can stay sharp, focused, and motivated to their critical tasks.”

BRINGING IT ALL TOGETHER

Throughout the chapters, we have explored and peeled off the layers of different approaches taken by industry experts in preparing and managing crises.

Cyberattacks will only continue, with cybercrime presently being forecasted as a $6 trillion industry,21 and $10.5 trillion by 2025.22 Put into context, the drug trade is less than a $1 trillion business, although drug dealers are now resorting to cybercrime as detection is low and returns are high. And IoT is a rapidly growing industry, with 75 billion IoT devices connected to the virtual environment.23 This only serves to present more threats, opportunities, and vulnerabilities for people.

Historically, communities have had the perspective that as long as virtual crimes are out of sight, the threat is out of mind. Unfortunately, COVID-19 has revealed more recent real-world impact, as seen with the attempted manipulation of pandemic information, vaccines, and even elections.

As we see global problems start to emerge relating to access to water, food and vaccines, and so on, people will turn to alternative methods to survive. Throughout the book, we have seen the many devastating consequences of cyber crime being turned into a paid-for-service activity, including the economizing of people's suffering, as in the case of the cyber incident at the hospital.

In a Mega C-Suite Stories podcast with Doug Witschi, assistant director of Interpol's Cybercrime Threat Response, he shared his view that cyber crime presents a global threat to the global industry, and a global problem needs a global solution.24

“We have over 200 countries globally that set their own laws, set their own policies, and resource the government capabilities that provide a government response to some of the threats that we're seeing around cybercrime. Each country has their own thoughts and ideas about what's right and what's wrong, based on a range of different mechanisms and issues.

I think the challenge for a global crime type such as this is the lack of consistency. And that lack of consistency also inadvertently provides protections for organized criminals. You'll have countries that are strong in certain elements in relation to cyber crime, and the neighboring country won't have any laws whatsoever. What's to stop a person from actually stepping across a border and being ‘provided’ an element of protection or untouchability and continuing to exploit the same criminal activities on victims on the other side of the world?

“We've had a case where we had a target that we identified; we got in touch with one of the primary countries that was a victim of that target. And now we're reluctant to bring them back into that jurisdiction for prosecution, because the chance of them getting any jail time for their crimes was next to zero.”

Witschi draws the opposite comparison with the country that they've identified this target in, where it was most likely that they would get mandatory jail time for the crimes that they committed. He brought to light the irony that in one country, a theft of tens or hundreds of thousands of dollars is considered a criminal offense, while another country may not impose any penalty at all.

Global crime ignores boundaries. Laws are complex, and it can take years before someone is prosecuted. Geopolitics also play a big part in how Interpol treads carefully in addressing threats. We need to be more agile in threat response and in prosecution.

Witschi believes that over time, these gaps will start to minimize and be mitigated, also in relation to powers and authorities that various governments provide to have law enforcement respond, prosecute, or impose penalties for those activities.

THE ECOSYSTEM VIEW

To fight cybercrime at a global scale, countries need to partner with other countries. Partnering is more than just partnering with the law enforcement; alliances need to be formed with the banks, cybersecurity firms, supply chains, transport, oil, and gas across diverse sectors.

Witschi explained, “The challenge for us as part of an international community, in the virtual environment, is that a cyberattack on one is a cyberattack on all. For us as a global ecosystem, we need to actually start to come together and work a lot more diligently and collaboratively. Yes, politics plays a part in some of the discussions that we have across geopolitical environments. But at the end of the day, we're chasing criminals. We're chasing people that try to exploit other people and take advantage of other people.”

LEADING BY EXAMPLE

The greatest challenge in collaborating with law enforcement is the issue of trust. The truth is that people simply do not like to report cyber crime.

In the event of a data breach, they are worried about their risk to their bottom line. It is never ideal to pay a ransom, which ultimately rewards criminals for their activities and behaviors. However, the truth is that when business livelihoods, the livelihoods of the people who work within the organization, are at stake, it presents interesting challenges and issues for the organization to take certain actions. Should they choose to pay a ransom, then it's less likely that they're going to report the incident. Also, they're probably not agreeable to sharing that information more broadly, which feeds back into the cycle and extrapolates underreporting.

In just a span of a few weeks as we finished writing this book, we have seen many ransomware attacks on big corporations that have grabbed national and international headlines. From the suffering going on in Ireland's health service to the gas pipelines in the United States and JBS meat services in the United States and Australia, it hits home for Witschi. He explained that targeting these threats and trying to get a response around them is a real issue of actively engaging with nations. “Sometimes, we can't get the priority because they haven't got an identified number of threats, risks, or issues that they've identified within this jurisdiction. And one of those is the reporting element.”

A case in point: Through one of their private–public partnerships, Interpol identified thousands of victims in a country facing a ransomware attack. “When we advised that country that they had an issue with that ransomware strain, they told us that they only had two reports. They were surprised when we provided them with a list of more than 11,000 victims. They then acknowledged that they had an issue and it became a priority for them to respond to that.” As the victims were not reporting, naturally this hadn't been prioritized by law enforcements.

At a dinner Witschi attended in Singapore, a guest revealed that her company had been attacked by ransomware. He got the name of the company, went back to the office to make some inquiries, and identified the ransomware. Apparently, the attack had started 10 days earlier. Interpol reached out to the country where the company was headquartered and offered their assistance because they had a decrypter for that specific ransomware. The problem was solved in a matter of minutes, as opposed to a delay of many weeks.

Problems and issues need to be shared so that they can be remediated properly. “Dare to share” was the catchphrase the team came up with for sharing intelligence and identifying information that may help in preventing, disrupting, or apprehending the targets behind these threats.

Additionally, when a company is able to talk through their threats publicly, this bolsters confidence within the industry for others to likewise share the threats they have faced as well.

This is an issue that won't be solved overnight; however, if the community plays their part in plugging the gaps, and nations look beyond the geopolitical affairs focusing on solely global crimes, cooperation across the different countries could achieve more effective outcomes.

Interpol is one example of an organization that has a cyber threat response capability and is progressing in making a difference for their current 194 member countries. With strong private–public partnerships across the globe, they have been able to provide immediate responses to ransomware attacks on telcos to financial crimes and even to the hospitals providing Covid support.

With more versatility in being able to shop for services from one country that another might not have, they have also brought in public partners for member countries that do not have a CERT, which aids in getting them up to speed.

Witschi explained, “We're all in this together, and we need to work out mechanisms to be able to expediently disrupt threats as they emerge to protect all our industry partners from these types of attacks. But we also need to look at how we can actually disrupt the threat actors, whether it's through the infrastructure they use, obviously, their livelihood, and the financial guys, they generally extrapolate out of these types of criminal activity. I think that's ultimately where we need to be. I think the challenge for a global community with a global crime type is we need to radically change how we may do this. What we need to do is try to get some sort of global consistency in relation to these standards.”

We also need to continually think about improving the framework for global collaboration so that we can better protect our communities. Even from a law enforcement perspective, how do we act quickly in an international environment with domestic enforcement services? We need to influence people to think differently. The more our industry shares data with our community, CERTs, law enforcement, and Interpol, the more our ecosystem will level up and accelerate its progress in addressing cybercrime more effectively.

Despite geopolitical issues, collaboration remains a powerful key and solution to face any Cyber Mayday incidents in the future, head-on, with boldness, and because we are stronger together.

NOTES

  1. 1. “Cyber-Attack on Irish Health Service ‘Catastrophic,’” BBC News, May 20, 2021, https://www.bbc.com/news/world-europe-57184977.
  2. 2. Joe Tidy, “Irish Cyber-Attack: Hackers Bail Out Irish Health Service for Free,” BBC News, May 21, 2021, https://www.bbc.com/news/world-europe-57197688.
  3. 3. Sam Sabin, “Who's Next on Ransomware's Hit List,” Politico, May 17, 2021, https://www.politico.com/newsletters/weekly-cybersecurity/2021/05/17/whos-next-on-ransomwares-hit-list-795343.
  4. 4. Carnegie Mellon Computer Security Incident Response Plan: https://www.cmu.edu/iso/governance/procedures/docs/incidentresponseplan1.0.pdf.
  5. 5. Jérôme Barthélemy, “Why Best Practices Often Fall Short,” MIT Sloan Management Review, February 27, 2018, https://sloanreview.mit.edu/article/why-best-practices-often-fall-short/.
  6. 6. Pamela Hinds, “Research: Why Best Practices Don't Translate Across Cultures,” Harvard Business Review, June 27, 2016, https://hbr.org/2016/06/research-why-best-practices-dont-translate-across-cultures.
  7. 7. Kacy Zurkus, “Clearing the Hurdles: Why Companies Have Not Implemented Basic Best Practices for Mobile Security,” Security Intelligence, April 3, 2018, https://securityintelligence.com/clearing-the-hurdles-why-companies-have-not-implemented-basic-best-practices-for-mobile-security/.
  8. 8. John Belden, “Top 10 Excuses to Not Implement Best Practices and 5 Things to Do about It,” CIO Magazine, July 24, 2017, https://www.cio.com/article/3209914/top-10-excuses-to-not-implement-best-practices-and-5-things-to-do-about-it.html.
  9. 9. Allen Gwinn, “Our Cybersecurity ‘Industry Best Practices’ Keep Allowing Breaches,” The Hill, May 17, 2021, https://thehill-com.cdn.ampproject.org/c/s/thehill.com/opinion/technology/553891-our-cybersecurity-industry-best-practices-keep-allowing-breaches?amp.
  10. 10. Robert Carnevale, “Colonial Pipeline Ransomware Attack Linked to Microsoft Exchange Vulnerabilities,” Windows Central, May 12, 2021 https://www.windowscentral.com/colonial-pipeline-ransomware-attack-linked-microsoft-exchange-vulnerabilities.
  11. 11. RSAC Conference USA 2021, virtual sessions on resilience and lessons learned in cybersecurity during the pandemic, “The RSAC Community Shares Their Stories of Resilience,” https://www.youtube.com/watch?v=_twpsC-IJf0.
  12. 12. “Chloé Messdaghi Shares Her Story of Resilience, the RSAC 2021 Theme,” https://www.youtube.com/watch?v=0kdr_rJNk18.
  13. 13. Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, “Cybersecurity as a National Imperative,” –RSAC 2021 Keynote, https://www.youtube.com/watch?v=KiOXZEgksXg.
  14. 14. Edward Segal, “7 Crisis Management Lessons from Colonial Pipeline's Response To Cyber Attack,” Forbes, May 8, 2021, https://www.forbes.com/sites/edwardsegal/2021/05/08/colonial-pipeline-cyber-attack-is-providing-crisis-management-lessons-in-real-time/?sh=405b824b3d82.
  15. 15. Paul Mee and Chaitra Chandrasekhar, “Cybersecurity Is Too Big a Job for Governments or Business to Handle Alone,” World Economic Forum, May 3, 2021, https://www.weforum.org/agenda/2021/05/cybersecurity-governments-business/.
  16. 16. “National Cyber Incident Response Plan,” U.S. Department of Homeland Security, December 2016, https://us-cert.cisa.gov/sites/default/files/ncirp/National_Cyber_Incident_Response_Plan.pdf.
  17. 17. About the NCSC, “Incident Management,” National Cyber Security Centre, https://www.ncsc.gov.uk/section/about-ncsc/incident-management.
  18. 18. “Life's A Breach Report: Making Lemonade Out of Lemons,” ISSA Conference, April 23, 2013, https://cdn.ymaws.com/www.members.issa.org/resource/resmgr/2013_april_web_conference:slides/2013_april_web_conference:-_.pdf.
  19. 19. NIST Cybersecurity Framework, “The Five Functions,” https://www.nist.gov/cyberframework/online-learning/five-functions.
  20. 20. Tim Grance, Tamara Nolan, Kristin Burke, Rich Dudley, Gregory White, and Travis Good, “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities: Recommendations of the National Institute of Standards and Technology,” NIST Special Publication 800-84, September 2006, pp. 5–6, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf.
  21. 21. Steve Morgan, “Global Cybercrime Damages Predicted to Reach $6 Trillion Annually by 2021,” Cybercrime Magazine, October 26, 2020, https://cybersecurityventures.com/annual-cybercrime-report-2020/.
  22. 22. Steve Morgan, “Cybercrime to Cost the World $10.5 Trillion Annually by 2025,” Cybercrime Magazine, November 13, 2020, https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025/.
  23. 23. Nick G., “How Many IoT Devices Are There in 2021? [All You Need To Know],” Tech Jury, last updated March 29, 2021, https://techjury.net/blog/how-many-iot-devices-are-there/.
  24. 24. Cyber Risk Meetup, “Meet Interpol's A/Director of Cybercrime Threat Response on The Mega C-Suite Stories,” June 14, 2021, https://youtu.be/X1kfardpczw.