Mission Possible: Kiersten Todt on Securing the Public Sector

Hank Schless  00:00

Hey everybody, and welcome back for another episode of Endpoint Enigma. My name is Hank Schless. And I'm your host here today. Recently Lookout published a report outlining the threats encountered by all levels of government across the United States. And I'm really happy to say that we have an expert on this subject here joining us today to talk about the security challenges facing the public sector. So welcome to Endpoint Enigma, Kiersten Todt.

‍

Kiersten Todt  00:36

Thanks so much, Hank. Great to be with you.

‍

Hank Schless  00:38

Yeah, I'm excited for our conversation. Honestly, I couldn't think of a better guest to talk about this topic. Actually saw Kiersten speak a few years ago. And I'm really excited to have you on here and impart your wisdom on our listeners as well, given your extensive background in the public sector, especially in the past four years, where you've been working as the president and managing partner and managing director of Liberty Group Ventures, also the Cyber Readiness Institute, for the past five years. And the fact that you've also served as the executive director of the Presidential Commission on Enhancing National Security, I think probably qualifies you to have this conversation. So again, thank you for joining us.

‍

Kiersten Todt  01:18

Thank you, I'll do my best.

‍

Hank Schless  01:21

I have no doubt. So I'd love to get things rolling here, but kind of at a higher level, and talk about this current threat and cyber risk environment that we're all in, in light of the pandemic and this global shift to remote work, which has obviously affected the public sector as well. In your opinion, what are some of those main challenges and adjustments that state, local, federal government have had to make? 

‍

Kiersten Todt  01:48

Well, I think it certainly comes from resources and knowledge. You know, we had this urgent need to push everything online when the pandemic hit last year. And, you know, companies and even government who had completely prohibited working from home –– online working –– all of a sudden were forced to flip their business models to permit it. And so you first saw a lot of crisis response. To  me, I think one of the starkest and, quite frankly, I think one of the more egregious ones was the relaxation of HIPAA, all of a sudden –– that you could do, you know, tele-medicine appointments over zoom. And you know, when there was no security, you go from a situation where you're signing papers, and it takes you hours to go through the medical system. And then all of a sudden, we've relaxed all of that without kind of thinking through the security. Obviously, there were urgent needs and things like that, but it just showed this stark pivot that we all made. And I think when you look particularly across state and local governments, its resources, you know… Large companies, particularly those that are based in technology, know what a secure infrastructure looks like. State and local governments that don't have the resources are still working off of legacy systems. And so there was this, you know, urgent, almost, you know, on-steroids approach to security that had to be applied. And certainly in doing so, you saw some understandable workarounds, but also just some deficiencies and vulnerabilities that were exposed. And I think, you know, we're still understanding how to secure across all entities and organizations. And really, just going back to the basics, which always seems to be our lesson in cybersecurity: strong passwords, you know, what about phishing, software updates? And those continue to be the greatest vulnerabilities. But we're having a tough time getting that information out to all of the entities that really need to learn about that. And to understand it and to be able to apply the lessons.

‍

Hank Schless  03:39

There was definitely a shift in the way that people relied on mobile devices on smartphones, tablets, using those as a way to be more productive every day, especially to your point, as people made this immediate shift to working from home. Was there a similar shift in federal agencies, or state, local government? And if so, what did you observe in that?

‍

Kiersten Todt  04:01

Well, I think you saw everybody can shift their devices to those that were personal and at home. And, you know, I'm not clear on the specific guidance that different governments had. But I think certainly at the state and local level, continuity of operations, business continuity, would always be prioritized over security, because you have to make sure that everything is running. And that's really the state that we were in, which was, you know, what are you going to be able to do? How can you get it done? And you know, we can't assume that everybody has WiFi, everyone has an internet connection, everybody's able to access this, particularly when you've got families with children and trying to access school. And so certainly, I think you saw a lot where it wasn't a preference over devices as long as you had a device and you could conduct business. And implicit in that, obviously, is increased vulnerability, which we certainly saw throughout the pandemic.

‍

Hank Schless  04:56

Yeah, absolutely. First thing, you bring your own device or BYOD model, that definitely opened up a lot of potential vulnerabilities. Now, you mentioned you'd given a read through this US government Threat Report that we put out. Were there any particular trends that stood out to you or surprised you through that report?

‍

Kiersten Todt  05:16

I think there were a lot. In general, the increased vulnerability… You know, one of the key findings:  99% of U.S. government Android users are exposed to hundreds of vulnerabilities because of out-of-date operating systems. You know, we see and hear the same issues. And we're just kind of challenged by them –– the app threats that surged, I think the phishing attacks, specifically, the increase in phishing attacks against government organizations. You know, being online last year, certainly increased the attack surface. And you saw that across the mobile attack service, as well as just the general threat landscape and cyber, and all of those things made government even more vulnerable. And when we saw what happened with Solar Winds, and something like this going undetected for so long there. I think there are a lot of reasons for this. It's both intelligence as well as cyber challenges. But when you have such a large threat surface that people have difficulty in securing it, I think those statistics that Lookout came out with last year really just put an exclamation point around the vulnerability of that environment.

‍

Hank Schless  06:18

It's interesting to observe it. And honestly, I'm glad that we're able to get that type of insight because it helps us provide that better security to people. But it also helps people understand the real risks at hand, to your point; whether it was outdated operating systems, the app threats or phishing attacks that all surged up. And even though, on an individual basis, we may think maybe I encountered one phishing link or, you know, maybe I was notified by downloading a malicious app. And that's, you know –– “it's just me, it's just once, not that big of a deal.” But you look at that across the entire organization, it can really be an issue. One thing that I think a lot of people maybe don't understand is that broader threat of mobile phishing and how quickly that's increasing. You know, it's interesting to see, in this report, how many government workers encountered a phishing link on their phone, especially given the fact that, to your point earlier, a lot of these are bring your own device. And we'll get into BYOD, specifically, in a sec, but looking at a managed versus unmanaged perspective, you would think that government workers only have managed devices. But obviously, that's not the case. So that really surprised –– that they're even allowed to use unmanaged devices. So maybe you can kind of touch on that. But also, more importantly, why you think they're so widely exposed to mobile phishing attacks?

‍

Kiersten Todt  07:35

Well, I think the challenge with mobile phishing, we've spent a lot of time educating individuals on desktop phishing. And you know, there are companies that have been very effective at phishing training and things that you need to do –– “don't click on links” you know –– that look like this. And, you know, “hover over the sender's address,” and “go through all of this.” Mobile phishing links are so much more difficult to identify, particularly now when we're getting anonymous texts about vaccinations and updating bank information, and things like that. And all you need is one legitimate one to make you believe that many of them are attacks versus all you need is one illegitimate one to think that everything is a phishing attempt. And I think it just… it really plays against our psychology. And what we saw during the pandemic was just, again, that kind of taking advantage of our psychology, which is, you know, mobile phishing around. You know, click here, if you're a small business to get an update on your PPP loan or, you know, find out about schools opening in your area. And they all look the same. They're all automated, you know, there's certainly ways to detect but I think it's a big challenge. And we've had a hard enough time educating on that, which is black and white, you know. Obviously, hover over the email address; if it isn't someone you know, or it looks suspicious, you know, you don't click on it. Mobile phishing is much more difficult. And I think that's been the challenge. Also, just the concept of mobile phishing took a while to get socialized –– that you would have an attack against you done through a text. And so, again, so much of this comes back to human behavior and education and awareness paired with technology.

‍

Hank Schless  09:12

Yeah. And in addition to the education, it's also almost a desensitization to… we're also used to getting texts, like you said, from unknown numbers. And whether that's for tracking a package, but also something, like, you know, resetting a password or using the phone as the second factor of authentication for MFA. We're all just kind of so used to getting these texts that… especially now when we're not in the office, and we're not there saying, “Oh, you know, I'm gonna go ask about whether I should have received this text.” I think people just become so much more lax to it, as well, as a potential threat.

‍

Kiersten Todt  09:48

Yeah, absolutely.

‍

Hank Schless  09:50

So another thing which is kind of a new idea to a lot of people and a new idea in the industry really is bring your own device or BYOD. People know what that is. But there's also now this idea of BYOAD, which is bring your own approved device, which I think is a really interesting kind of middle ground between using a fully personal device and having a fully corporate-owned or locked-down device that you can't really do anything else with. So it's sort of finding that middle ground, you know. In something like government, there tends to be a resistance to BYOD or even BYOA. So why do you think that is?

‍

Kiersten Todt  10:28

Well, I think it's about control. You know, it's trying to keep everything in control and managed and ensured that it follows a certain protocol. And we've had these conversations about human behavior, which is, you know… it’s just easier to allow people to bring their own device in as long as it's approved, or just to have two devices. And this is where the psychology element of cybersecurity is fascinating, particularly to me, because I think human behavior is so much about how we can get to particular security options. But I think government is so vast, and the idea of –– what does an approved device look like? How will that increase the need to, you know, purchase technologies? And all of those pieces can be an initial obstacle. But certainly, it is a flexible tool that is much better than I think some of the current options. But these challenges around how people will respond and behave vary. The other piece that you're dealing with is you're working across generations. And you know, I know Lookout has had some experience, you know, with customers and clients where it depends upon the primary age of the worker, because you're dealing with behavioral change. The challenge with the government is you're dealing with individuals from 20 up until 80. And so that behavioral change of devices, and all of that, is a big piece of this. And so it's both the security as well as how do you create culture that focuses and prioritizes security? And what's the most effective way to do that?

‍

Hank Schless  11:57

That's a really interesting point. Makes me think back to a conversation I had with somebody a few months ago, and they were talking about how phones have advanced so quickly relative to how what she called the human hardware had advanced, which I thought was a really interesting way of looking at it. You know, we are the hardware and the phone is the software; seems like there's some alignment there.

‍

Kiersten Todt  12:19

I'll just say one thing about this, because it's interesting. And I know I had talked with a lot of your thoughtful colleagues at Lookout with this, you know, after the Iowa caucus, when everyone was trying to understand what happened with the app. A lot of the interviews were with retired individuals who said, “Yeah, I wasn't going to use an app, you know. If you gave me the option to use an app or to call, I was going to call, because that's what I'm comfortable with.” And I think, for me, it was just there was so much about that experience. Obviously, that was a lesson learned. But it's a reminder that if you don't create cultures and work with the human behavior side of this, then individuals will look for workarounds, particularly if you give them an option. Which is why I think, you know, bring your own approved device is this interesting, happy medium that we should seriously consider and look at. And if it's determined to be the right way, it's: How do you get people to then do it the right way?

‍

Hank Schless  13:09

I feel like we could go on about the psychological side of all of this for a very long time, because I honestly think it's one of the most interesting parts of cybersecurity. But I think that we can save that for another episode. So, we can move on to something that I think is almost impossible not to talk about and not to think about these days, which is zero trust. And especially as we're kind of talking about bring your own device, it makes sense that you can't talk about any of this without talking about zero trust, because the core of zero trust is basically guilty until proven innocent. On the personal and device side, you want to be able to validate that both the person and the device are secure, and are who they say they are –– what they say they are. So my question for you is, in your conversations with folks across the public sector, have you seen a broader adoption and acceptance of zero trust? And if so, or if not, what do you think is kind of the timeline for basically industry-wide adoption of this philosophy?

‍

Kiersten Todt  14:07

Well, it's interesting, because I wonder about the industry right?  Adoption, I think, in theory, is one thing. And execution, obviously, is another. I mean, the concept, obviously, is that organizations shouldn't trust anything inside or outside its perimeters. And you have to verify anything and everything that's being connected. I think how the technology can perform that function, and what is required to do so will have a lot of impact on how quickly it's adopted. And like anything, it's how do you then educate those decision makers on the value of it? And I think it's also important to recognize that when I was serving as executive director of the Commission on Cybersecurity, we had this discussion around the tension between moving security away from the end user and educating the end user. So it was a little bit before the zero trust concept was so ingrained in how we're thinking, but the idea was an either/or. And where we came down on it is, this isn't an either/or. You've got to do both and reconcile both. And I think what's critical, as we're looking at the zero trust model, is it doesn't diminish the need to educate the end user. But the point here is that you're trying to create technology that minimizes as much as possible the extent to which a human can interfere. And that technology, again, it's how it's going to work with other technologies, particularly in the public sector. What we're constantly facing is legacy infrastructure. It's this challenge of how do you bring in these new concepts to a system that may not be able to support it. And that to me is, I think, where the challenge is going to be in the public sector. But so much of this can be done without having to necessarily update legacy infrastructure, but bolt this on. I think the concept needs greater awareness and education and understanding. And then hopefully, you'll see broader adoption. I also think if you can look at cross-sector adoption, that always helps to bring the point home even more effectively for government. And so when we look at zero trust, it's not to say that the government needs to come up with how to do this technology; it's looking at partners like Lookout and others to be brought in to engage and to do what they do best. And that's, that's really where we are in cyber. It's identifying the companies that have the technologies that are the best and bringing them into government. And, you know, ideally, having a seamless integration of government, industry, and cyber infrastructure development.

‍

Hank Schless  16:27

Yeah, I mean, like, we all want to be able to solve these problems ourselves. But sometimes you just gotta go ask for help. Just for those who may be a little bit unaware, does that really pose a security risk to have an out-of-date operating system? And maybe is there, like, a relatable analogy that would help people understand the risk of vault?

‍

Kiersten Todt  16:44

I mean, I think, the most recent example is the Microsoft Exchange breach. And absolutely, it's dangerous to have an outdated system. You know, it's sort of like driving a car that's been recalled. It  has an engine that's been recalled, and you still keep driving it. And they've recognized that something in the manufacturing of the engine isn't working, that whatever the reason is, it's now dangerous to drive. And so you should bring it to the dealer and have it replaced. And so the less than perfect analogy is with an operating system. You have to have what can run effectively on the current state of the internet. And with Microsoft Exchange, the companies were running an out-of-date operating system that Microsoft no longer supported. And so, what happened then is Microsoft wasn't looking at vulnerabilities and patches they had. The recommendation was to update the operating system, because that was the one that they were supporting; they were no longer supporting the outdated ones. And so, the vulnerabilities in operating those would go unnoticed by Microsoft, because they weren't paying attention to it –– so, therefore, extremely vulnerable for those organizations and just, essentially, a honeypot for malicious actors, you know, just this open field of of opportunity,

‍

Hank Schless  17:54

You bring up two really interesting things in there. The first being, you know, for this exchange incident, from my understanding –– most of this was for their on-prem infrastructure. So, as you're pointing out, legacy infrastructure was all on-prem stuff. And it just shows that cloud-based solutions… I mean, obviously, with something like SolarWinds, you look at that, and you say, well, it's a cloud-based solution that was delivered an automatic update, and that automatic update was laced with malware. So there's risk involved in that. But at the same time, you have a situation like with Exchange, where it's an on-prem service, people may not be aware of the fact that there was an update and, to your point, it basically becomes a honeypot for threat actors. So actually, a question that came to my head is, there's obviously risk. I mean, your opinion, does the benefit of cloud based infrastructure outweigh the risk of something like another exchange type attack? And is it more than just the fact that the world's moving that way? 

‍

Kiersten Todt  18:52

Yeah. And I think, you know, it's always risk management; there's no perfect solution or perfect answer. And that's always, I think, a challenge. We all look for finite, 100%, you know –– what do I need to do to never be breached? And that doesn't exist in this world. And so I think, you know, for most organizations, a cloud-based infrastructure is where you're going to have more security than what you're able to perform. I think, you know, the numbers about the number of small businesses specifically in the United States are extremely high. It's, you know, 85% 95% of companies have, I think, it's 100 or less employees. I think that number is 95%. And the point being that this discussion is targeted at those companies, not, you know, the Palo Alto networks, the large tech companies. And I think from that perspective, you really want to help those businesses manage their risk in the most effective way. But always educating and making sure that you know or outsourcing a function doesn't outsource the responsibility. So, just because you're going to the cloud, it doesn't mean you're going to have perfect security. It doesn't mean that the cloud may not get breached at some point. But when you're managing the risk across all these other elements, I think it makes a lot of sense for these businesses to turn to the cloud. And also for the reason which you talked about, which is, this is where things are going. But in light of that, don't let the momentum distract you from what the responsibility of the business is in managing its security. But I think given all of the vulnerabilities that come right now with outdated systems and authentication and other elements, the cloud is a very responsible and effective option.

‍

Hank Schless  20:25

The other thing that you brought up before was investment. And obviously, financial investment is one thing, but sounds like what you were really talking about is investment of time and resources. Basically, do you think that the investment is something that the public sector should be really looking into and worth the time and resources that it will take?

‍

Kiersten Todt  20:45

I do. I think that I was having a conversation with a senior executive of a large tech company a couple days ago, who was saying, you know, I'm glad to be a part of technology, because this really is the future. And even if you're not a technologist, understanding how the technology infrastructure of our world is really dominating how we operate, making sure that we're laying the foundation for security and making it easy for individuals, companies, and the government to be secure is going to be critical. And we have to invest in that future, not just for today, but for where it's going. What we haven't quite figured out is how to make those investments strategic and smart, so that we're not investing in sunk costs and legacy, but really looking at where there's agility. And I think that's when we look at mobile. The effectiveness that mobility offers isn't just about, you know, being able to take your phone back and forth to work, but it is mobility as far as being able to work in distant places. And that works for attracting talent, that works for people's choices and creating a more diverse workforce. And I think we've got to invest in that, again, not just for those qualitative factors, but certainly for the quantitative improvement of how we're securing the nation. We clearly need to be doing better. You can’t look at these recent attacks –– and, I think, Solar Winds, particularly in looking at the intent of what Russia was looking to do and then even just looking at what China was willing to do –– and not say that we've got to be doing better. And investing in that infrastructure and that security is obviously a key component of what it means to do better.

‍

Hank Schless  22:23

Absolutely. Well look, Kiersten Todt… Thank you so much for joining us again, everybody. Kierston is president, managing partner, and managing director at Liberty Group and also the Cyber Readiness Institute. So be sure to check that out. Kiersten, thank you so much for joining us today.

‍

Kiersten Todt  22:38

Thanks so much, Hank, I appreciate it.

‍

Hank Schless  22:40

You got it. And thanks, everybody, for tuning in. You can always find us on Spotify or wherever you get your podcasts, follow us on Twitter, or check out our blog to learn more about what we're up to in the cybersecurity world. Thanks, everyone. See you next time.

‍