Fending Off Nation-State Attacks: BlackBerry LIVE Interviews CISO John McClurg
When times get tough, we tend to turn to people like BlackBerry SVP and CISO John McClurg.
That’s who personal computer mogul Michael Dell turned to in 2011, to head up Dell’s global security operations as chief security officer. That was just one of several similar roles John McClurg has held in private enterprise – at companies such as Lucent, Honeywell, Cylance, and now at BlackBerry – following a distinguished career of public service at the CIA, FBI and US Department of Energy. Even after entering the corporate world, McClurg continued to serve the public interest, acting as co-chair of the Overseas Security Advisory Council (OSAC) for the US State Department, and as a member of the FBI's Domestic Security Alliance Council.
So in today’s troubled times, there are few voices quite as experienced and reassuring – especially when it comes to facing cyberthreats on a corporate, national or even global scale.
I recently caught up with McClurg to discuss unsettling reports from federal agencies such as CISA (Cybersecurity and Infrastructure Security Agency), stating that “Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland.”
In this excerpt from my podcast interview with McClurg, he discusses what organizations – particularly midsize companies – can and should do to protect themselves from sophisticated nation-state or affiliated cyberattacks.
I wanted to get your sense of what organizations should be doing. What should they be focusing on if, in fact, they could be facing a nation-state or a nation-state-affiliated threat, as a result of some of these kinetic conflicts that are taking place in the world?
And of course, the roll out of the “Internet of Everything” has only exacerbated the rate and pace at which that porosity has spread. And, of course, that porosity means that the attack vectors through which an adversary might strike have only grown more numerous. And so we face that challenge.
And then you add into the mix the complexity and the dynamics of nation-state conflicts, and the fact that it’s in cyberspace. We've always known and appreciated that the boundaries that we delineate are clearly signaled to us, where our adversary is coming from and who they are and what are their capabilities and what might we expect from them. That porosity and that ambiguity has just gotten very, very pronounced and hard to grapple with.
It does quickly pose the question, if that's the world we're living in today, how might we best position ourselves to respond to that spillover, and that possibility that the containment of the conflict might spill over into an area that some of us may have an interest in?
And fortunately, the answer to that perhaps differs depending on the sector you sit in, and your positioning: Are you a small to medium-sized business, or are you a large enterprise? What are the resources that you have to draw on financially and otherwise?
If you're a small to medium-sized business and are challenged in that, you maybe don't even have a CIO, or if not, if you have a CIO, you surely don't have a CISO. And you're just tagging each other to cover certain dimensions of it in an environment where, even if you had the money and the resources, we've seen in the press for years now, how the community and the world, the global market generally is challenged when it comes to having enough cybersecurity professionals to staff all the open positions.
I think the one figure I saw in terms of the global market was over 4 million open job requests, in terms of the talent we need, and it's just not there. And so even if you want to get into that market and try and capture what resources we do have, you then find yourself in a bidding war with people who have deeper pockets than you.
It poses a unique challenge, which is why in addition to this paradigm, we see a paradigm shift from reactive detection, to trying to be proactively preventative. We're also seeing a paradigm shift toward the acceptance of a service model. Many security service providers are becoming more and more accepted, almost out of an expediency that grounds itself in that limited supply of talent.
The price points that this talent can now command are going to place a lot of people out of the running. And so, the evolution of a market in which, if I'm a small business, I can sort of rent my CISO to have them step up and provide for me, based on what I can afford. You can engage so that these experts can come in and say, well, look, if you're just starting out, don't be embarrassed that you've ignored this for decades and have been focused on just keeping your business afloat. We’ll help prioritize matters for you.
And I think, back to your original question, Steve, if you're a young or a small- to medium-sized business and you just haven't had time to appreciate this. The statistic I saw years ago by Verizon in their annual threat report said that most data leakage or problems are incurred as a direct result of malware. Viruses.
If you're just starting out and most people say, well, yeah, I've got antivirus protection, but it doesn't do me any good, or it requires maintenance in terms of constant updates for what they call the DAT files. That has become untenable, and the fact is, the bad guys have figured out how to morph those files or those signatures almost instantaneously, so that your signature-based antivirus just isn't working anymore. I would nonetheless still say that it is a primary or fundamental step that I would recommend.
Everybody needs to reexamine, roll up their sleeves and reengage, but not engage the old model of signature-based antivirus, but this new paradigm that, of course, BlackBerry is very proud to be championing with the acquisition we made of Cylance – to actually step into the game with the strength and prowess that A.I.-supported math models now afford in the way of proactive prevention.
We recently heard the representative of the CISA organization mention in a recorded program that, given the nature of the world we live in, it's time for us to – and she invoked the old Star Trek command: “Shields up!”
We understand that, and I can think of no utterance that perhaps reflects the spirit of being proactively preventative. Not waiting to react after the photon torpedo has already wreaked damage on your deck or in your ship, but actually proactively preventing that by (going) “shields up” before that happens.
So that resonates and is very much reflective of this new paradigm of proactive prevention. But I think even more important, as strongly as I resonate with the “shields up” utterance, there's actually another that I think is just as important, and also speaks of shields.
It's the phrase that the Romans used to shout when they were going into battle. They would say “Lock Shields!” And it's the locking of the shields that is as critical as just getting the shields up initially, because of the porosity and the interconnectedness that we now experience in today's world.
I've seen firsthand in many of my past assignments where our adversaries – particularly those that have the prowess that nation-states bring to the battle space – know that in a connected world, if I want to get at McClurg directly, I may not be able to do that because he's got his act together. But I know he's becoming more and more connected with small-to-medium businesses who he needs to partner with, but who haven't had the resources or the time or the focus to raise their level of security to the point that they should. They know I'm connecting to them, and they will strive and look for an opportunity to strike in the gap.
And that's why I say we've got to lock shields. We've got to make sure that the rising tide that we're trying to affect throughout the community actually includes some of these partners, our small-to-medium businesses, and that we bring them along. Because in a connected world, these third-party relationships, as we saw in the SolarWinds affair and even in the recent Okta compromise, these relationships have been identified by these very sophisticated, very capable adversaries, where they can strike and pursue their interests.