The Future of Cybersecurity, a Conversation With Jack Thomas Tomarchio of Agoge Group, LLC - From Drexel University

Original post by Patricia Connolly.


Today’s boardrooms continue to sharpen their cybersecurity oversight in preparation for an inevitable cyber incident. Patricia Q. Connolly, Executive Director of the Raj & Kamla Gupta Governance Institute, sat down with cyber expert Jack Thomas Tomarchio, Principal at Agoge Group, for a conversation around growing cybersecurity concerns and the ways boards can ensure they are equipped to handle cyber-attacks.

The following is an edited transcript of the conversation.

Patricia Q. Connolly: In my work at the Raj & Kamla Gupta Governance Institute, I have had many boards raise questions around cyber preparedness. In your experience, do boards fully understand the scope and severity of cyber threats?

Jack Tomarchio: Some boards understand the scope of cyber threats, but many or most boards do not. Cybersecurity has become an agenda item, but directors and management don’t fully understand the severity of possible threats. And it’s hard to be prepared for a threat when you are unsure of what you are facing.

Security is always the last line item on a corporate budget, because it represents money out and no money in. There’s no profit in security; it’s not “sexy.” It’s like insurance—you don’t know you need it until you experience a disaster and are unprepared, but at that point it is too late to do anything about it.

Q. What should boards be doing differently now regarding cybersecurity?

It is incumbent upon boards to educate themselves on the risks of cyber-attacks and strategies to mitigate those risks. On April 24, 2018, Altaba (formerly known as Yahoo) settled with the SEC and agreed to pay $35 million for failing to adequately disclose a cyber breach—the first time a public company has been fined by the SEC for this. Headlines like that should get the board’s attention—this should be the impetus for everyone to act on cyber issues. When cyber-attacks occur, it’s a big headline. CEOs are fired, along with other members of the C-Suite, and ultimately board members end up running the risk of personal liability outside of the insurance limitations.

But, for some reason, it’s often not enough to force companies to act on these risks. And that is an issue because most companies are currently unable to sufficiently handle a cyber-attack. Boards must develop useful responses to cyber-attacks. It’s not about “checking a box,” or simply having discussed cyber; there needs to be a real conversation around mitigating the risks. They tend to be reactive, but these are real assaults on companies for data, intellectual property, and money, and you cannot win a battle by being passive.

I’ve personally witnessed cyber warfare attacks through my work in the US Intelligence Community, and it is intense. You never want to end up saying, “now what do we do?” You always want to be prepared. There is help and partnership available, which many boards are unaware of or actively choose not to seek. The FBI offers outreach partnerships, but they don’t often get called. You only need to ask for help, and there’s an opportunity to have it.

“Boards have to be cognizant of the fact that cyber risks are now part of the business landscape and culture.”

Q. How have you seen governance practices evolve in response to major cyber-attacks?

We are seeing some boards attempting to recruit directors with cyber experience or skills. However, it’s not as common as it should be. All boards of directors need at least one individual with cyber expertise. The full board needs to be informed and responsible for cyber-oversight, but there needs to be one person with that background who can then educate others and measure the company’s preparedness regarding cyber planning.

I often hear from directors, “my Chief Technology Officer (CTO) or Chief Information Security Officer (CISO) is handling that.” This is a mistake. Boards cannot rely solely on the CTO or CISO for guidance on these issues; instead, they should be reviewing their work and asking them to enforce board-directed strategies. It should be the role of the board to ask them the tough questions, and to do that, you need a board member who knows what questions to ask.

“Cyber warfare is an attack, and boards must treat it as such. If you don’t understand the threat or the ramifications, you won’t be able to withstand an attack.”

Q. In February 2018, the SEC issued an interpretive release to guide public companies when preparing disclosures about cybersecurity risks and incidents. How should a board be prepared to speak about their plans to confront cybersecurity risks and threats?

Boards shouldn’t show their entire hand—you don’t want to put the details of the company’s response plan out there for all the world to see. However, they should lay out two to three pages on the corporation’s cybersecurity plan in the annual report. There doesn’t need to be a great level of detail, as investors will gloss over that anyways, but the board should demonstrate the resiliency of the company in the cyber realm. Outlining what the company has done, steps that have been taken, tests that have been performed, can be helpful to show that they are taking cyber threats seriously and trying to be proactive.

Public company boards do need to disclose their cyber preparedness, and they should insist on a written information security policy and an incident response plan that gets to the point. You don’t want an 800-page plan—no one looks at that and it isn’t useful. And boards not only need to prepare these types of items, but they need to regularly and continuously evaluate their usefulness and update the materials based on the evolving threats in the cyber realm. Your plans are only useful if they are designed for the current landscape.

Q. How can a board take the extra step to assure itself that the company has the proper protocols in place to evaluate and respond to an incident quickly and effectively?

Yes, some boards are taking some smart steps regarding their cybersecurity plans. Small things, like not using the same IT guy when you perform penetration tests, can make a big difference. And those are actions that the board can easily take. You want to think about cybersecurity like baseball. A pitcher on the mound faces many different batters. If that pitcher only has one pitch, every batter knows exactly what to expect, and they can prepare for it. So the pitcher must mix it up and surprise batters; in other words, don’t always throw a fastball. Boards can think about cyber-attacks in the same way. They want to catch their attackers off-guard and not make it easy for them to gain access.

Q. What other steps might a board take to protect itself from a cyber-attack, and how can they manage the results if such an attack should occur?

One of my favorite tools to train boards on the risks, management, and mitigation of a cyber-attack is the use of the tabletop exercise. Originally developed by the military as war games to plan strategy and tactics, the tabletop exercise is a perfect pedagogical tool to teach boards how to respond to a cyber event.

When I run a tabletop exercise, I put the entire C-Suite and board through a cascading cyber crisis that challenges company leaders to make hard decisions under extreme pressure. The results are often eye-opening. Executives uncover gaps in their incident response plan, realize that they have serious systemic failures in inter-company communications, or learn that their crisis response is confused and disorganized. The exercise is designed to shed light on these types of deficiencies. I conduct a post-mortem afterward to discuss what the weaknesses were and methods to address them. Often the C-Suite will leave a tabletop exercise with a laundry list of fixes to be undertaken.

Furthermore, tabletop exercises allow the board to understand their role in the cybersecurity process versus the role management should play. The exercise provides the board with a hands-on experience to better understand what a cyber-attack entails, and what it means to be properly prepared to combat one. Board members can utilize these interactive sessions to further their own knowledge and ensure management has the proper crisis management and disclosure protocols in place.

Departure of Bossert Reveals “Boltonization” of NSC

On April 10, 2018, Thomas P. Bossert, the President’s Homeland Security Advisor, abruptly resigned from his post. It came as a surprise to homeland security observers and to Bossert himself. Speaking at the Cipher Brief’s 2018 Threat Conference in Sea Island, Georgia, Bossert gave no hint that his departure was mere hours away. What the Bossert exit represents is a rapid move by Bolton to put his own imprimatur upon the National Security Council.

As a fellow member of the George W. Bush administration, I worked homeland security issues with Bossert although we did not work closely together. He was a denizen of the West Wing in those days, while I worked domestic intelligence matters on Nebraska Avenue at the Department of Homeland Security. Lawyerly and thoughtful, Tom was respected for his work ethic and notably his ability to master the chaos that was the Hurricane Katrina crisis of 2005.

Unlike many other veterans of Bush 43, Tom was able to shed those “scarlet numbers” and join the Trump administration. By all accounts, he and President Trump got on well. Bossert’s relations with H.R. McMaster, Trump’s second National Security Advisor, were a bit more complicated. Beset by a Byzantine chain of command conundrum, McMaster and Bossert feuded over NSC seniority and who reported to whom. Besides their “who’s on first” arguments, the two sparred over other matters of national security policy as well as often engaging in shouting matches that reverberated through the black and white marbled halls of the Eisenhower Executive Office Building.

A number of NSC staffers also complained that Bossert was a bit of a foot dragger when it came to execution on policies relating to counterterrorism and especially cybersecurity. The Trump administration’s failure to, as yet, delineate a cogent national cybersecurity strategy has been a criticism that has been laid at Bossert’s feet. In defense of Tom, counterterrorism and cybersecurity are both extremely complex issues, involving many stakeholders in government, the private sector, and with our allies abroad. Getting these issues right and crafting a workable strategy should take time and be subject to a great deal of thought and discussion.

Of course, the more important story here is the alacrity with which National Security Advisor John Bolton moved to replace Bossert. Bolton, assuredly not a shrinking violet in the hard-elbowed politics of bureaucratic Washington, has in one scythe-like move begun the process which will result in the “Boltonization” of the National Security Council. Firings did occur after McMaster took over as National Security Advisor, the most high-profile example being Ezra Cohen-Watnick, but not at the scale currently occurring during Bolton’s first week in the job. Bolton represents the geopolitical hard, hard line of the Republican party. Indeed, many would contend that he is not of the GOP at all, holding a worldview that is so combative and reactionary that he remains an outlier among more traditional Republican foreign policy thinkers.

Expect Bolton to bring in his own people who share his worldview in the coming weeks. Most of the new recruits will come with street cred that will label them as hardline foreign policy reactionaries who will dismiss globalism and unity of action among the Western allies in favor of American “go it aloneism.”

Since the Trump administration came into office, the NSC has been roiled with the hirings and firings of two National Security Advisors, the departures of now three Deputy National Security Advisors and several senior departmental directors as well as a slew of rank and file staffers. Morale among council employees is said not to be robust.

Another changeover at the NSC could not come at a more inconvenient time. If Bolton is going to look for a new and tougher staff at NSC, one that reflects his own vision of U.S. national security, the real test for them will be decidedly immediate with the U.S. now facing an instant decision on whether to undertake military action to punish Syria’s Assad regime for yet again dropping chemical weapons on its own citizens, more challenges from Russian President Vladimir Putin, and the looming summit between President Trump and North Korea’s Kim Jong-

With varsity-level competition facing him, let’s see if John Bolton’s attempt to re-make his NSC team in his own image will be successful or will result in just a bunch of ideologue scrubs taking the field in possibly the biggest game of their untested careers.

While it is understandable that Bolton will seek to populate his NSC with like-minded thinkers, it is also important to ensure that national security policy-making enjoys the rigorous give-and-take that will be needed to examine all facets of a projected course of action. Indeed, within the Intelligence Community where I served, contrarians are highly valued for the leavening they provide to any intelligence policy decision. Without examining and valuing the opinions of “the loyal opposition” in foreign policy decision-making, we run the risk of following policies untested. When the stakes are as high as North Korean missiles or strikes against Syrian (and Russian) targets, National Security Advisor Bolton would be well-served by a few dissenting voices in the EOB.

Russian Military Embraces 21st Century Tactics

The familiar version of the Russian military is of the ponderous Cold War juggernaut that invaded Hungary in 1956 and Czechoslovakia in 1968, heavy on armor and artillery but light on agility, maneuverability and independent action when necessary. Not so much anymore. With Russian adventurism in Crimea, Ukraine, and Syria, its military is the recipient of an array of new technologies using artificial intelligence, high-resolution geo-spatial imagery, robotics and sophisticated drone technology. While Russia still lags significantly behind the United States in defense spending, $46 billion to the US’s $700 billion, what is important is that Russia is making strides to improve how its military fights and, even more importantly, where it fights. Russian submarine stealth technology is first rate, with boats of the new Yasen and next-generation Husky classes quieter and stealthier than ever, while Russian ground- and sea-launched ballistic missiles allegedly pack more thrust and accuracy than ever before.

Russian military thinking is also undergoing a revolution. Historically Russia has always fought large defensive wars such as the Patriotic War of 1812 against Napoleon and the Great Patriotic War against Germany (World War 2). New Russian tactics, however, now call for taking the war to the adversary early and with stunning lethality. Chief of the Russian General Staff, General Valery Gerasimov, in recent remarks to the Russian Military Academy stated, “The objects of the economy and the state administration of the enemy will be subject to immediate destruction, in addition to the traditional spheres of armed struggle, the information sphere and space will be actively involved.” With this shift in traditional tactics the Russians now seek to push conflict away from their borders and to the heart of their enemies. With Russia’s loss of its traditional “near abroad” (the 14 other former socialist republics of the USSR) and “nearer abroad” (the Warsaw Pact allies) buffer states, Russian military thought now views it as a strategic imperative to take the fight to the adversary. Moreover, Gerasimov recognizes that in order to prevail in future conflict Russia must be prepared to fight a multi-dimensional war targeting a foe’s economic, information, energy and financial infrastructure, all critical instruments of national power. A future war with Russia will assuredly see attacks on all of these “fronts” as warfare enters an age of “inclusive lethality”, further blurring the old combatant/noncombatant targeting paradigms of the past.

This new Russian strategic mindset is itself a carryover of Russia’s traditional way it sees the world and its place in it. Obsessed with encirclement and invasion, Russia now seeks to control the tempo of world events by shifting away from its historic defensive posture to a new deep strike capability that will carry the war to the heartland of its enemies.

For NATO and especially the US, the challenge will be to ensure that Western capabilities in space, information warfare, submarine technology and other military modalities remain robust, technologically superior and nimble. Not to do so would be a mistake whose consequences will be paid for at a future time. The price may not be something we will be pleased to pay.