Months after the Colonial Pipeline ransomware attack led to gas shortages across the East Coast, a slate of federal, state and private sector cybersecurity experts gathered in Annapolis Thursday to discuss ways to thwart future threats.
The 2021 Annapolis Cybersecurity Summit, convened by Gov. Lawrence J. Hogan Jr. (R), saw more than a dozen top officials outline how public-private partnerships can boost cybersecurity across the country. Hogan used the high profile Colonial Pipeline attack to underscore the importance of addressing cybersecurity for governments and private companies alike.
“If cybercriminals seeking $5 million in ransom could cause massive gas shortages up and down the East Coast, just imagine what a country or an organization that wanted to cause major disruption could inflict,” Hogan said.
Hogan also signed a trio of executive orders aimed at boosting cybersecurity in Maryland. Those orders will collectively:
- Create a chief privacy officer within state government to “streamline the way the state secures citizens’ personally identifiable information,” Hogan said. The chief privacy officer will be tasked with helping to set up and overseeing a privacy framework for state agencies that collect residents’ data.
- Create a new chief data officer to make it easier for state agencies to exchange data. The order also requires state agencies to appoint their own data officers to work with the new chief data officer and ensure data is kept secure.
- Expand the state’s MD THINK cloud-based data repository by using that data to support the Two Generation Family Economic Security Commission in looking to eliminate generational poverty in the state.
Hogan also announced the National Security Agency will be providing the state with a senior level data analyst to advise officials on security standards. Hogan also announced a memorandum of understanding between the state government and the University of Maryland Baltimore County (UMBC) to create a “Maryland Institute for Innovative Computing” that will seek to ramp up artificial intelligence, cybersecurity and data science efforts within state government.
Under the memorandum, the state will be able to deploy “rapid response teams” of UMBC students and mentors to address “high-impact, high-value data projects facing state agencies,” Hogan said, including responding to cybersecurity threats.
The cyber summit came just one day after President Biden signed an executive order aimed at shoring up national security against cyberattacks, including encouraging companies to adopt more stringent security standards like two-factor authentication.
Anne Neuberger, a top White House adviser on cybersecurity and emerging technology, said the federal government is looking to partner with state and local governments to boost security.
“It all boils down to people,” Neuberger said.
Rep. John M. Katko (D-N.Y.), ranking member on the U.S. House Committee on Homeland Security, said cybersecurity and infrastructure go hand in hand. He said companies and all levels of government should view themselves as the potential next victim of a cyberattack, and “prepare accordingly.”
Katko said paying out ransoms demanded by cyberattackers is currently the norm, but said both public and private sector leaders should “flip the paradigm” and only pay out ransoms in “the rarest of circumstances.”
“Cybersecurity is the greatest threat to our national security,” Katko said.
Dennis C. Blair, the former U.S. director of national intelligence and a retired Navy admiral, said security is often an afterthought when new technology is developed. He said defenses against cyberattacks are often set up only after a successful attack.
“Once the new system is in place, then the competition is on between the attackers and defenders,” Blair said. “The attackers look for and often find vulnerabilities … the defenders develop patches, if they’re lucky they develop them ahead of time.”
Blair said the responsibility for cyber security is currently assigned to purchasers of new technology rather than developers.
George C. Barnes, the deputy director and senior civilian leader for the National Security Agency, said recent cyberattacks have changed the way federal officials view national security. He noted that his own hometown, Leonardtown, was recently hit by one such attack.
“A lot of it is foreign originated,” Barnes said. “It’s our collective responsibility to create counterpressure there, and we have the president’s support in coming up with ways to do that. We have to prepare our society to actually live in and endure this type of situation.”
Barnes said talent and a robust workforce will be key to combating future cyber threats, but added that the country currently lags behind other nations in that regard.
Herbert J. Stapleton, a cybersecurity expert with the FBI, said partnerships are key to the bureau’s defenses against cyberattacks. He said federal interagency partnerships, cooperative efforts with state and local governments and public-private partnerships will be key to building up a robust defense to future attacks.
Stapleton also said many cyber incidents aren’t even reported to federal officials, and encouraged companies and government agencies to report cyber crimes.
“A call to one is a call to all from our perspective,” he said.
According to the cybersecurity-focused news outlet CSO, a slew of bills aimed at shoring up cybersecurity have been introduced in Congress in recent months, signaling an enhanced focus on digital security across the country.
State leaders who spoke at the summit focused on building up a cybersecurity workforce to combat future threats: Hogan called Maryland the “cyber capital of America,” noting the state’s large private sector security presence and federal agencies like the National Security Agency headquartered in the state, as well as universities focusing on the field. Hogan and others who spoke are taking a long-term approach to boosting cybersecurity, prioritizing computer science education to boost the state’s digital-focused workforce.
“Maryland’s access to the NSA, Cyber Command and other key federalized installations and institutions makes us pretty well equipped,” Hogan said. “We have the ability to connect the federal government to our private sector, and to a real pipeline of local talent.”
Arkansas Gov. Asa Hutchinson (R), the chairman of the National Governors Association, said his state recently mandated a cyber security course as a high school graduation requirement. He said that move is meant to give state companies and government agencies access to a wider talent pool, in addition to attracting technology companies to the region.
Hutchinson envisions a public-private education partnership to connect students with cybersecurity professionals.
“We can train a computer science teacher in the classroom that has the technical expertise, but to have the real world experience you need to bring industry into the classroom,” he said.
Louisiana Gov. John Bel Edwards (D) said while cybersecurity is “far more important than most people realize,” the Colonial Pipeline raised public awareness of the issue. Edwards also views the cybersecurity industry as a boon to his state’s economy, because students who focus on cybersecurity can find jobs locally.
“These people are getting jobs as soon as they graduate,” Edwards said.
Private sector security
Collaboration with federal and state governments to boost security was also a common theme among private sector summit attendees: Former National Security Agency director and Keith Alexander, a retired general who now heads up the cybersecurity company IronNet, pushed for “collective defense” and collaboration between the public and private sector.
“We’ve got to have some way of seeing these attacks that knit together private industry and the government,” Alexander said.
Dr. Mohan Suntha, the president and CEO of the University of Maryland Medical System, said Maryland’s response to the COVID-19 pandemic should be used as a basic framework for building cybersecurity infrastructure. He said the state should work with businesses to build cyber defense infrastructure from the ground up.
Daniel R. Ennis, the executive director of the University of Maryland’s Cyber Initiative and the CEO of DRE Consulting, said cybersecurity education needs to go beyond the classroom and involve business leaders and journalists.
“It’s not just about engineering, it’s not just about computer science, it’s also about teaching business leaders how to focus on cyber problems,” Ennis said.
Phyllis Schneck, the vice president and chief information security officer at the aerospace and defense technology company Northrop Grumman, said it’s “no longer shameful” to be the victim of a cyberattack.
“This truly has to be, and it is, one team, one fight,” Schneck said.
Tina Williams-Koroma, the president and CEO of the cybersecurity consulting company TCecure, said small businesses need to have a seat at the table while cybersecurity policy is crafted. Williams-Koroma said small cybersecurity businesses play a key role in boosting awareness and preventing attacks.
“Our involvement is something that I would like to see continue,” she said.
Williams-Koroma said small businesses are also well positioned to inform other small and even large companies about how to budget for cybersecurity.
Robert Lee, the CEO of cybersecurity firm Dragos, said government officials should be cautious about imposing strict mandates on how companies handle cybersecurity.