Your Horse Was Analog
Kevin L. McLaughlin
A speech I made to 350+ people at the Michigan joint Military Ball. Amway Grand Plaza Hotel.
Like my tie? My wife didn’t – gave me a lot of grief before we left the house, you know how difficult things can be when your significant other doesn’t approve of your choice in clothing.
Well, you see, this tie has Snoopy, the moon, the space shuttle and Apollo craft on it, and it was given to me by Fred Haise, yes the Apollo 13 Fred Haise, yes astronauts are pretty neat people. Anyways, Fred gave this to me when we were working on a project together and he told me that whenever I wore this tie I could look down at the pictures and that no matter what I do in life I should remember that if we put a man on the moon we can do anything as a country.
…. as a country we can do anything, even figure out how to defeat this cyber threat.
I want to change that thought just a little bit because I know what type of people went to and walked on the moon – as a whole the U.S. Military and its veterans can do anything. Make no mistake, we are under attack, not by conventional weapon systems like guns and missiles but by cyber warriors utilizing digital attack vectors.
My speech tonight will be about trust and how it will help us win our cyber battle. But, before I start I would like to do a shameless plug for the Whirlpool Veterans Association, which mentors soldiers transitioning to the private sector and has multiple outreach programs – I am sure many of the companies you work for have similar programs and a big thank you to those as well.
Trust and authority will be tonight’s theme. A lot of Information Security Professionals left Home Depot after years of not having their voices heard and repeatedly being over-ridden about whether a system could be touched or not. Many Boards of Directors are asking how to fix the cyber issue – a lot of the CIOs and some of the CISOs when asked that question are taking a passive posture of saying that their job is to make them aware of the risk versus telling them what to do. In my opinion that is not the right answer… the people who are trained in cyber defense need to drive answers and solutions, not just show risks.
I will admit though that this morning while I was working out I had a big moment of angst. You see, I am an expert in this field and I can have an opinion and if I get it wrong a company will lose money, but you know – if you get it wrong lives will be lost and in the worst case our Homeland can fall. Even with that – tonight you will hear what I feel we need to do in order to start winning the cyber battle. We got our butts kicked by the bad guys in 2014 and it was a loud wake-up call to anyone paying attention that what we have been doing is not the answer.
The general theme throughout my speech tonight will be one of trust. High performing teams consist of players that trust each other and who understand that each of the team members has an area that they are the expert in. We cannot continue to ignore or muffle the voices of our highly trained and skilled cyber defenders and expect to be successful in our cyber defense efforts.
One of the first things we need to understand is that there is always in existence a large understanding gap. I got my first taste of this type of understanding gap when I returned from Basic Training and I was talking to my Grandpa. He asked me where I was stationed and I said Fort Bliss, Texas; he asked me what units were stationed there and I said the 3rd Cavalry. He got excited and we started talking; about 5 minutes into the conversation it dawned on me that he was talking horses and I was talking tanks. He was talking analog.
You see, we continue to increase our combat effectiveness by implementing new tools and technologies, the majority of which are not analog, but are instead digital. Digital means that they present entirely different attack vectors and will require us to have an entirely different level of trust in the expertise of the cyber defenders we put in place. We must protect our digital assets.
The current generation of servicemen and women are some of the first who have known nothing but digital tools.
(I left out this next part due to time constraints)
[Did anyone see the movie Battleship? It’s a bit of a cheesy movie but there is a part in it where the modern digital destroyer gets blown up and the only available ship to fight the aliens was a WW II battleship. They are working to try and figure out how to use the ship and the Chief looks at the Ensign and says “sir, this old thing is completely analog, it will take us years of reading the manuals to learn how to float and fight it”. All of a sudden a long line of navy veterans come walking up and they are able to work side by side to show the team how to run and fight the ship – think about this – in another 10 to 15 years people who understand analog are not going to be around to help us out.]
I continued my speech here — I have to wonder how many of these digital troops would use a smartphone or GPS, even if disallowed in the mission parameters, if they get lost during training? I’m not disparaging anyone, I just realize how very hard it would be for any level of team leader to stop themselves from using an alternative before calling into command and telling someone that they were lost. We all know how difficult that radio call would be to make.
What is scary is that if these digital devices were suddenly taken away our combat effectiveness would be greatly impacted – maybe by 90% or greater. Ok, each of your digital devices, smartphones, etc. have just been reset to 0:00 – how many of you can tell me what time it is? Show of hands {note – out of 350+ people in attendance only 2-3 raised their hands}. Wow, that was actually far worse than I expected it was going to be.
Having these digital items gives us a significant advantage but also puts us at risk if we don’t adequately protect them from cyber attack. Tanks, planes and ships will not operate if their computer systems are taken off-line. Year after year we see annual reports that tell us that our military systems are in no better shape than private sector systems are and our military IT staff feels the same pressures to get systems in place quickly rather than securely – we must be better than that. {looked down at tie and lifted it up} We can do anything….
Most of us Cybersecurity professionals (risk professionals, assurance, etc.) are very passionate about what we do – I personally spend upwards of 30-40 extra hours each week staying current, learning, wargaming, gathering intelligence, figuring out business enabling security strategies, and more.
How many of you in this room (Cybersecurity men and women you are not allowed to answer) can say you spend that much time studying and focusing on cybersecurity? How many of you even spend 2 hours per week? Of course you don’t spend time studying Cybersecurity nor should you – that’s why you put cyber security professionals on your team.
Then why is it that across Corporate America, and I can only imagine it is a bit worse in the military, it is so hard to build trust between the Cyber defenders and the management community of the organization? I know some of you are sitting out there thinking – What’s this guy talking about – I trust my Cybersecurity person. Do you? Do you really?
Think about this … you are the Colonel in charge of finance. Imagine an E6 Cyber defender walking into your office at month end closure and telling you that he has to take one of your business critical systems off-line immediately for security patching as it is critically exposed and can be very easily compromised, which could put the rest of our infrastructure at risk. He then tells you that the outage may last 8 to 10 hours. Well, after 17 years’ experience as a security professional in Corporate America I can tell you that this request would be met with a lot of resistance and most likely the Cyber Defender will be told to wait for a day or two to do the patching. Oftentimes that directive will come with a comment about “you security guys and girls don’t really understand the business and tend to over-react”….
Hmmm… I can only imagine similar conversations happening inside of Target, Home Depot, Sony, Subway, Dairy Queen… sigh, I’m not going to name them all – but like I said earlier we really got our butts kicked in 2014. 2015 continues the theme with the Anthem breach – a breach which directly impacts each one of you. The Feds feel China committed the breach to continue their mission of gathering the personal data of our active and former military and their dependents. We don’t know what they want the data for but it is obvious that they want it.
Trust, Target has 148 million reasons – those are dollars by the way – plus open lawsuits, Home Depot has 120 million reasons and Sony has 1 billion reasons, to implement a Cyber Defender authority policy. 1 billion? How many of you work for companies that would even be able to survive a 1 billion dollar loss? I imagine if I lost a billion dollars for a company I’d be out on the street. And luckily for us we are starting to see Board Chairmen, CEOs and CIOs resigning due to allowing a security breach to occur on their watch. Why is that lucky? Because it might raise the awareness we need to help fix this issue.
A base level of trust needs to be in place that makes it so that it is assumed your cyber defender, who also is part of your profit sharing plan and wants the company to make money or who is a strong patriot and wants our tanks to run or planes to fly, is not going to willy-nilly… I just wanted to say willy-nilly in a formal speech… is not going to willy-nilly take systems off-line, and that when they say a system really needs to be fixed immediately they need to be granted the authority. We already give them the responsibility and career risk when a breach occurs, now let’s give them the authority they need to protect the organization, even if there is a small short term negative profit impact – wow, that is hard to say, but I bet if we asked Target, Home Depot, Sony, Anthem, you get the idea, if they could go back in time and accept a $5,000.00 profit hit in order to take a system off-line and patch it instead of the breach they would all say yes.
For you the risk of allowing the E7, E8, Lt., Captain, Major, etcetera, I’d try to go on but I’ve been out of the military for a loooong time and would most likely get the other command ranks wrong… to trump the cyber defender may just result in a significant loss to both your combat effectiveness and your ability to defend our country.
Trust, trust the cyber defense experts that we are graduating from our military schools to both understand the business and to effectively assess the risk and make the call on fixing open and exploitable channels of attack. While the department heads and commanders should still have the final say, an answer of “don’t touch this system” or an answer of “you are over-reacting to this threat” – yet how would they even have the expertise to make that judgment? – should be the rare exception and not the norm. Trust and authority – we can win this cyber war and defend our systems against the cyber threat.