HIMSS21 kicked off Tuesday, Aug. 10 at the Sands Convention Center in Las Vegas with a keynote titled “Healthcare Cybersecurity Resilience in the Face of Adversity.” The discussion was moderated by Jigar Kadakia, chief information security and privacy officer at Mass General Brigham. The panelists were Michael Coates, former CISO of Twitter and former head of security at Mozilla; Keren Elazari, cyber security analyst, author, and researcher, Admiral Michael Rogers, former director, National Security Agency and former Commander, U.S. Cyber Command; and Alex Stamos, founding partner, Krebs Stamos Group, former CSO, Facebook, and former CISO, Yahoo.
Kadakia kicked off the panel by asking what has been on everyone’s mind when it comes to cybersecurity: ransomware. He asked the question “Do we pay or do we not?”
Adm. Rogers responded with “Generally, I tell organizations there isn’t a single yes or no. My preference is no but there are some circumstances where some organizations feel that is the appropriate thing for them.”
He added that “I would urge organizations to think about what the criteria are that you are going to use to make the decision when you find yourself in that ransomware crisis.”
Stamos explained that it broke down into two levels for him—the macro and micro. He said that “For the ‘great evil genius’ in the micro level, you are a victim. Your exchange server is locked up, no one knows what they are doing, and the ransom says they have your data. It makes sense to pay—shareholders, patients, and the like are at risk.”
He said that it makes sense to pay the ransom instead of calling for outside help, since time is of the essence. Paying is essentially cheaper than waiting for someone outside of your organization to assist, as you’re losing money every moment. But on the macro level, he insisted that “We should outlaw ransomware payments.”
He explained that the FBI can’t really tell you that you can’t pay, even though they say not to. If ransomware payments do get outlawed “it would suck for the first company” but he believes we should take the short-term pain for the long-term gain.
The next portion of the discussion revolved around what steps companies can take to improve their resiliency.
“The most important thing to take away with resiliency is that it should be boring. We should get away from sexy cybersecurity,” Coates responded. “What builds resiliency is fundamentals. It is boring and hard doing the things you know you need to do across the board for your organization all the time, but it is what you need to do.”
Elazari chimed in, saying that “Tabletop games, like Dungeons and Dragons, but instead, Hackers and Malware." "Simulations," she said, “it is fascinating to look at the dynamics and see how the first couple of hours are pure chaos. There is also an aspect of how you communicate what happened to the outside world. How can you share the news?”
Moving on to the topic of how the landscape has changed in the past 18 months, Coates quickly responded, saying that “The migration to the COVID era of work and cloud transformation fast forwarded the landscape a number of years. Rethink the controls we do have in place. When everyone was in office, we had network security controls that monitor traffic. Now what does this mean for our security posture?”
“It is time to get rid of passwords; it is time to call them ‘pastwords,’” said Elazari. “They create so much friction, how much time does your organization spend on passwords? It is so outdated in the face of what we need in ID and authentication. There are alternatives out there. People work from home, so the endpoint is the new perimeter, and a lot of those controls are not effective. So, perhaps ID and authentication of people are the new perimeter we need to focus on. I really hope wed are going see a future that is ‘passwordless.’”
Adm. Rogers added that “Because we didn’t focus on resilience, we increased the probability of successful penetration. So, what does that mean for us?” He explained that the actors are getting more aggressive, and he knew things were fundamentally changing when he saw “regular” criminals carrying out attacks that he had only previously been seen in nation state hackers, like attacking supply chain. He added that “We need to step back and reassess.”
Next, the panelists discussed hiring, retaining, and recruiting cybersecurity staff. Kadakia noted that there are 5 to 6 million open jobs and not enough people to fill them.
“I think you should hire the hackers,” Elazari quickly responded. “There is a lot of untapped potential in the friendly hacker community. We have to start growing the next generation of talent. Create entry level positions—internships or apprenticeships in your organization”
Stamos had another idea: “Focus on the people you have that are subject matter experts and let them grow into security." He said that “It is easier to break things vs. build them. So, people who have a deep understanding of the building aspect or area, pivot them into security.”
Lastly, when final thoughts were discussed, Elazari wrapped up the keynote succinctly, saying, that “I think survivability is key. Security is not a destination; it is a journey.”
And of course, Adm. Rogers reiterated that “It is about resilience, resilience, resilience. We can’t do everything, so focus on the greatest return for your money and do it with a risk-based approach.”
