A growing number of hospitals have not been having a good start to spring. Kentucky’s Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, both in California, and now San Diego’s Alvarado Hospital Medical Center and King’s Daughters Health in Indiana are just a few of the institutions that have been hit by ransomware — software that freezes computer systems until money is paid to infiltrators.
All of the hospitals experienced some form of temporary network disruption. Some, like Hollywood Presbyterian Medical Center, even paid the ransom.
The malware intrusions will keep mounting until hospitals — the target du jour for crime circles — re-evaluate how they build their cyberdefenses, said Chris Ensey, COO of Dunbar Security Solutions.
“I do believe that we are on the cusp of a larger spread of this type of activity,” Ensey said.
Financial health for hackers
But why hospitals? And why now? Simple, Ensey said. It’s a quest for more revenue.
“What we’re seeing is the macroevolution of ransomware and the tactics that are being used by organized crime to continue to expand the revenue generated from ransomware,” Ensey said. “The most productive way to do that is by targeted campaigns.”
Hackers started, he said, by sending the malicious software to “a big list of email addresses” in an effort to hook as many people as possible. The hope was they’d get into a few computers, hijack the data on them and make money off each catch.
That evolved into spear phishing — similar phony-email schemes but customized for specific organizations. Hospitals use technologies that help them meet requirements set by the healthcare privacy law HIPAA and other mandates, and those are usually fine, Ensey said. Antivirus software and packet filtering as part of firewall protection “catch the common stuff.” But cybercriminals have gotten good at finding ways to burrow into systems. Hospitals, in turn, have to get better at keeping them out, he said.
Guarding against malware intrusions
You may recognize the name Dunbar from the armored cars that banks and other businesses hire to transport large sums of cash. It also sells managed security services, so of course, Ensey stands by those. His pitch: Hospitals can focus on their healthcare infrastructure while Dunbar constantly monitors for attacks. His general-purpose advice for hospitals is to keep pace with the technologies used to hack them.
A “very, very comprehensive backup strategy for their data” is a good start. Using automated backups is a solid strategy; so is the more expensive measure of highly secured colocation facilities to which hospitals can send their data over encrypted channels and replicate it.
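The backup advice above is easier to act on with a concrete mechanism. The following is an added example, written for this page rather than code from Dunbar Security Solutions or any hospital: it keeps immutable, hash-manifested snapshots of a directory, measures how much of the live data has changed since the last snapshot (a mass rewrite of records is the pattern a ransomware incident produces), refuses to restore from a snapshot that fails its own integrity check, and otherwise restores. The directory layout, the 50% change threshold and the sample "patient record" files are constructed assumptions for the demonstration.

```python
"""Versioned backups with an integrity manifest (added example, not the page's code)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # assumed manifest file name, stored inside each snapshot


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }


def snapshot(src: Path, backup_root: Path, label: str) -> Path:
    """Copy src into a new directory that is never overwritten, and record its manifest."""
    dest = backup_root / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} already exists; snapshots are immutable")
    shutil.copytree(src, dest)
    (dest / MANIFEST).write_text(json.dumps(build_manifest(dest), indent=1))
    return dest


def verify_snapshot(snap: Path) -> list:
    """Return the relative paths whose current hash no longer matches the manifest."""
    recorded = json.loads((snap / MANIFEST).read_text())
    current = build_manifest(snap)
    return sorted(p for p, h in recorded.items() if current.get(p) != h)


def changed_fraction(baseline: dict, now: dict) -> float:
    """Share of baseline files that are missing or altered in the current manifest."""
    if not baseline:
        return 0.0
    changed = sum(1 for p, h in baseline.items() if now.get(p) != h)
    return changed / len(baseline)


def restore(snap: Path, dest: Path) -> int:
    """Re-verify the snapshot, then replace dest with it; returns the file count restored."""
    bad = verify_snapshot(snap)
    if bad:
        raise RuntimeError(f"refusing to restore: {len(bad)} files fail the integrity check")
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(snap, dest, ignore=shutil.ignore_patterns(MANIFEST))
    return len(build_manifest(dest))


def demo() -> dict:
    """Constructed scenario: snapshot three records, lose the live copies, detect, restore."""
    work = Path(tempfile.mkdtemp())
    live, backups = work / "live", work / "backups"
    live.mkdir()
    for i in range(3):
        (live / f"record{i}.txt").write_text(f"patient record {i}\n")
    snap = snapshot(live, backups, "2016-04-01")
    baseline = build_manifest(live)
    # Constructed incident: every live file is overwritten with unreadable bytes.
    for p in live.iterdir():
        p.write_bytes(b"\x00unreadable\x00")
    ratio = changed_fraction(baseline, build_manifest(live))
    intact = verify_snapshot(snap) == []
    # Assumed policy: a change ratio above 50% triggers restore from the last intact snapshot.
    restored = restore(snap, live) if intact and ratio > 0.5 else 0
    recovered = (live / "record0.txt").read_text() == "patient record 0\n"
    shutil.rmtree(work)
    return {"changed": ratio, "snapshot_intact": intact, "restored": restored, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

In practice the snapshot directory would sit on separate storage that the live systems can only append to, reached over an encrypted channel as the article suggests; the manifest check is what tells you, before you trust a restore, that the copy itself was not touched.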
Hospitals should also take another look at how they set up employee work stations with access to the Internet, since those can serve as portals for ransomware that can hold healthcare data hostage, Ensey said. Email can be a conduit for malware intrusions, and so can malvertisements — online ads that proliferate malicious software.
And healthcare institutions not only need a CISO in charge of cybersecurity, Ensey said — that executive needs to have “a seat at the table” — the business strategy table, that is. The CISO should have close ties to the CIO, the chief medical officer and the risk management team.
“Being part of those conversations is absolutely paramount to every decision that they make,” he said.
Looking to win friends and make connections in high places? The most important networking rule to remember is also a pretty simple one: It’s not about you. That’s according to Todd Cohen, author of Everyone’s in Sales and keynote speaker at the recent Premier CIO event in Boston.
If it’s not about you, what is business networking about? “It’s about building a relationship,” Cohen said. “And anyone who goes into networking thinking that it’s anything other than about building a relationship will fail.”
The guide to business networking à la Cohen advises CIOs and senior IT leaders to play the long game. Instead of approaching a networking opportunity in search of instant gratification, consider how to add to a conversation. One of the ways Cohen suggests doing that is to think about secondary network connections: Who from among your colleagues will benefit from getting to know the person you’ve just connected with? Then, take your networking win one step further and make the introduction.
The up-front investment of connecting two people together — especially if the connection is a worthwhile one — may not pay off right away, but the likelihood is that it will eventually. Both people will remember the connection — and remember the connector.
More tips for the CIO from Cohen’s guide to business networking
- Only attend a networking event if you can “be present,” Cohen said. “If you’re not, everyone will know.”
- Take the pressure off by making the goals attainable. Rather than doling out a stack of business cards, focus on having two meaningful conversations in an hour. “And a meaningful conversation is nothing more than 10 minutes of talking about something where you both can say, ‘Yeah, that was a nice conversation,’” he said.
- Create a rapport by talking about your interests. Cohen once met a botany hobbyist who explained that a seemingly healthy-looking plant was actually on the verge of dying. “He just got me because he talked about something that was passionate to him,” he said.
- Join an organization and commit. “You can’t say I’m going to join [a Society for Information Management chapter] and go once,” he said. “You have to go every month because that’s the only way people are going to trust you.”
- Don’t interrupt a conversation between two people. Instead, focus on someone who is standing alone or groups of three or more people, where it will be easier to get invited into a conversation, he said.
- End a conversation by asking, “What can I do for you?” Especially if the conversation falls into the “meaningful” category. The comment is unexpected, memorable and opens the door for another interaction, Cohen said.
If your organization is doing a lot with cloud computing, you may have heard people on your cloud or security teams talk about the need for a CASB. That’s pronounced KAZ-bee.
No, it’s not a magical creature in the Nintendo game The Legend of Zelda. Or a mispronunciation of the word casbah. Or a reference to The Clash cult classic, “Rock the Casbah.”
It stands for cloud access security broker. It’s a cloud security tool that serves as a gatekeeper to your organization’s systems and loops in whatever security policies you have in place. So if someone tries to access a free file-sync-and-share service such as Box.com or Dropbox, he or she will get a warning notice or could be shut down.
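The gatekeeper behaviour described above comes down to a policy decision per request. The following is an added example, not code from any CASB vendor or from Gartner or Nemertes: a small in-line policy engine that classifies the destination against a service catalogue, applies ordered rules (first match wins) and returns allow, warn or block together with an audit line. The catalogue entries, group names, the "files.corp.example" sanctioned service and the rule order are constructed assumptions; a real product would pull the catalogue and identity context from its own feeds.

```python
"""Minimal CASB-style policy decision (added example, not a vendor's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    group: str            # e.g. "clinical", "finance" (constructed group names)
    managed_device: bool  # True if the request comes from a corporate-managed endpoint
    host: str             # destination hostname
    action: str           # "view", "upload" or "download"


# Constructed service catalogue: apex domain -> (service name, sanctioned?)
CATALOGUE = {
    "box.com": ("Box", False),
    "dropbox.com": ("Dropbox", False),
    "files.corp.example": ("CorpFiles", True),  # assumed in-house sanctioned service
}


def classify(host: str):
    """Return (service, sanctioned) for host; sanctioned is None when uncatalogued."""
    for domain, (name, sanctioned) in CATALOGUE.items():
        if host == domain or host.endswith("." + domain):
            return name, sanctioned
    return "uncatalogued", None


# Ordered rules: (predicate(request, sanctioned), decision, reason). First match wins.
RULES = [
    (lambda r, ok: ok is None, "allow", "destination not a catalogued cloud service; logged for discovery"),
    (lambda r, ok: ok is False and r.action == "upload", "block", "upload to unsanctioned file-sharing service"),
    (lambda r, ok: ok is False, "warn", "unsanctioned service; user warned and access logged"),
    (lambda r, ok: ok and not r.managed_device and r.action == "download", "block", "download of corporate data to unmanaged device"),
    (lambda r, ok: True, "allow", "sanctioned service on an approved path"),
]


def evaluate(req: Request) -> dict:
    """Apply the ordered rules to one request and return the decision with its reason."""
    service, sanctioned = classify(req.host)
    for predicate, decision, reason in RULES:
        if predicate(req, sanctioned):
            return {"decision": decision, "service": service, "reason": reason}
    raise AssertionError("rule list must end with a catch-all")  # unreachable by construction


def audit_line(req: Request, verdict: dict) -> str:
    """Single-line audit record suitable for shipping to a log pipeline."""
    return (f"casb decision={verdict['decision']} user={req.user} group={req.group} "
            f"managed={req.managed_device} host={req.host} action={req.action} "
            f"service={verdict['service']} reason=\"{verdict['reason']}\"")


# Constructed sample traffic
SAMPLES = [
    Request("alice", "clinical", True, "www.dropbox.com", "upload"),
    Request("bob", "finance", True, "app.box.com", "view"),
    Request("carol", "clinical", False, "files.corp.example", "download"),
    Request("dave", "it", True, "files.corp.example", "download"),
    Request("erin", "finance", True, "news.example.org", "view"),
]


def run_samples() -> list:
    """Evaluate the constructed samples; returns the list of decisions in order."""
    results = []
    for req in SAMPLES:
        verdict = evaluate(req)
        print(audit_line(req, verdict))
        results.append(verdict["decision"])
    return results


if __name__ == "__main__":
    run_samples()
```

The rule order encodes the policy: an upload to an unsanctioned sharing service is the one case that is stopped outright, plain browsing of such a service produces the warning notice the article mentions, and the managed-device check protects the sanctioned service itself. Johnson's point that using a CASB "implies that you already have a set of defined policies" is exactly the RULES table: without it the broker has nothing to enforce.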
In an October market report, research outfit Gartner labeled CASB a “required security platform for organizations using cloud services” and predicted enormous growth in coming years. By 2020, it said, 85% of organizations will use one, up from less than 5% in 2015.
Johna Till Johnson, CEO and founder of Nemertes Research, presenting results from a security study in a webinar earlier this month, said cloud access security brokers were in use at companies with the most forward-looking and successful cybersecurity strategies.
“This or something like it is something you have to have as you’re moving out to cloud,” Johnson said. “And using it implies that you already have a set of defined policies, and you have a good sense of who should be using what and why.”
So people say it’s hot stuff. It’s still new, though. The Nemertes study — a small one, surveying 17 organizations — found that just 21% of respondents were using a CASB.
That’s probably not why you might not know what it is, though. The study found that just 41% of respondents have heard of cloud access security brokers, but 57% have plans to deploy the cloud security tool.
I’ll let Johnson deliver the punchline: “What that means is, some people are actually using it without knowing what it is, which is actually pretty funny.”
CASB might be an important piece of a cloud security initiative, she said, but it’s not a great catchword. “The folks that make these products and technologies might want to think about a different marketing acronym — I’m just saying.”
I’m not sure the spelled-out mouthful is much better. As for CASB, I think it works better as a magical creature from The Legend of Zelda.
When a California court issued an order to Apple to help the FBI break into the iPhone used by one of the perpetrators of the San Bernardino, Calif., massacre, Sen. Lindsey Graham (R-S.C.), a counterterrorism hawk who in December called on tech companies to stop selling devices that encrypt information, switched sides.
“I thought it was that simple,” Graham told Attorney General Loretta Lynch during a Senate hearing. “I was all with you until I actually started getting briefed by the people in the intel community.”
The public battle waged between the FBI and Apple put the spotlight on encryption and data privacy. According to Chris McClean, an analyst at Forrester Research, that’s a good thing. Now, ordinary people not only know what encryption is — many know enough to argue whether the government should be able to dismantle the technology during investigations. Informed citizens could, he said, push progress in the privacy debate faster than the government can.
The FBI dropped its case against Apple on Monday, saying it accessed the contents of the iPhone. But a larger discussion over privacy and encryption has just begun. Congress is making moves toward legislation that addresses the government’s investigation powers and citizens’ right to protect their information. Sen. Mark Warner (D-Va.) and Rep. Michael McCaul (R-Texas) are pushing for a commission to study digital security and privacy issues and then make recommendations to Congress. But, McClean said, it might not matter much.
He explained using a two-word phrase you may recall seeing plastered on news shows a few years ago: pink slime. That’s the unflattering nickname for processed beef used as a food additive in school lunches. (ABC News did a series on the stuff, and the rest is history.)
“This wasn’t the [U.S. Department of Agriculture] coming down on the manufacturer saying, ‘You can’t serve this to our children.’ They actually said, ‘We give this a thumbs-up,’” McClean said. “But once average citizens saw that, that went viral and they shut it down. Two or three of the companies that created that product were out of business within a couple of months.”
Customers and the privacy debate
McClean sees the same thing happening in the encryption and privacy debate. What happens if the feds petition other companies with people’s information in their databases for intel — cell phone providers, utility companies, makers of home-automation systems? Apple took on a powerful government agency. Will other businesses do that in the name of customers’ privacy?
They might, if customers expect it. Apple’s public opposition to the FBI may have given consumers the push they need to start asking tough questions of the companies that serve them. Once they start digging into privacy policies and asking how their data is being collected and how it’s being used, they may find practices they don’t like — and then voice their displeasure.
“Every company now is a data company,” McClean said. “Your grocery store, your hospital, your bank — they’re all data companies. It will be really interesting to see how much consumers are putting pressure on those types of companies to see whether or not they would stand up the same way Apple has.”
When the FBI dropped its court case against Apple — an order to the tech company to help break into an iPhone in the San Bernardino, Calif., murder case — it left behind unresolved data privacy issues concerning millions of mobile device users.
The bureau sought the help of a partner it did not identify to crack the encryption on the iPhone used by one of the two shooters, Syed Rizwan Farook, but how did it do what Apple, its maker, has said would be hard even for it?
Who’s got the goods
That’s one of many things we just don’t know, said Forrester Research analyst Chris McClean. For example, the hackers could have found a weak spot in an old device — the iPhone 5C used by Farook and owned by his employer, the San Bernardino county government — that Apple has fixed with updated security features.
Or it could have found something else.
“We may hear details later that there’s maybe something more fundamental as a flaw that allows people to break into iPhones, and Apple still doesn’t know what it is,” McClean said. “If there are details that come like that, there would be a larger concern for sure.”
One theory is that the FBI can use the key on other phones in other investigations. But federal agents would have to have it in their possession before using it.
Unless the hackers “made a whole lot of money off it,” McClean said, they probably didn’t hand the decryption method over to the FBI. They might do better to sell it to someone else — say, another government.
“I think that there would be an enormous price that they could put on an exploit like that,” McClean said.
A closer look at data privacy issues
A second, longer-term issue pits the ability of government to do investigations against citizens’ right to protect their data.
Two Capitol Hill lawmakers, Sen. Mark Warner (D-Va.) and Rep. Michael McCaul (R-Texas), are trying to build a commission that would study digital security and make recommendations on how Congress should balance security and privacy issues. And a group of private-sector executives and former government officials is pushing for a separate initiative to address the matter, called The Digital Equilibrium Project.
That’s the right way to go, McClean said, as long as the members understand the technology they’re going to be examining. They can learn, he said, since the groups will include technology experts among their members, and other, outside experts can help them understand things like passwords and how encryption works.
But doing an extensive study of technology is a race against the clock. McClean fears that by the time any commission is done working, mobile devices will have biometric features — which identify authorized users by their physical characteristics — and stronger encryption, making them even harder to crack.
“So all of the technology issues that we may discuss over the next year may be moot before they finally come up with any kind of guidance,” he said.
But commissions can still do good on data privacy issues. They just need to be equipped with the right people asking the right questions, McClean said. They’ll have to discuss the various types of data that investigations might want to examine as well as the types of data that users of mobile devices have the right to keep private. They would also do well to look at aspects of European privacy law, such as the “right to be forgotten,” which creates a legal duty to destroy or hide information if requested. In Europe, people are considered the owners of their private information.
“I don’t think we have that kind of viewpoint in the U.S.,” McClean said. “Hopefully, we get enough experts that understand all of the ethical, legal, technology boundaries.”
Bill Michels, CEO and founder of Aripart Consulting, cautioned attendees at CPO Rising Summit in Boston on Tuesday that chief procurement officers (CPOs) have a very short window of time in which to make their mark at a company: The average tenure of a CPO, he said, is less than five years. And the terms of engagement are brutal: Corporate mandates to reduce costs in the supply chain set up procurement officers for failure since costs can’t be reduced year over year indefinitely without a breakthrough change, which is hard to achieve.
The problem, he said, stems from the need to ensure that supplier margins are sustainable over the long term. “You don’t want to run the supplier out of business. We want suppliers to reinvest in the business and innovate, continue to give us improvements year over year and we need them to be healthy to be able to do it,” Michels said.
But, he said, CPOs still need to reduce costs. “Here’s where you’re most vulnerable as a CPO,” he said. “Unless you can come up with ways to come up with innovation, breakthrough, change the specs, change something, you’re not going to do it.”
By the third year of a CPO’s tenure, “if you haven’t changed out your team, your process or the way you’re going about it, or educated management on the value [of the procurement team], you’re in a danger zone,” Michels said.
Value can be demonstrated by protecting the supply chain as a whole and supporting business imperatives to make more money. One example: A biotech company that Michels worked with was less concerned about cost reduction and more concerned about making sure that its supply chain continued to function.
“[Management said], ‘Build me a risk management system that works,’” Michels said. “They built a predictive model of all their suppliers and their supply chain. They identified which suppliers were going [to fail].” As a result of that analysis, the biotech company’s board of directors made a decision to spend $100 million to protect its supply chain, since that supply chain was feeding a $7 billion business. That decision obviously resulted in money being spent rather than saved, but because the expenditure protected the company’s ability to continue making money, the board of directors quickly approved of the expense.
Michels predicts that value will trump price in the future. Citing a 2014 study from the Institute for Supply Management, he said that CEOs are looking for CPOs who can deliver shareholder value, integrate the company’s supply chain, capture innovation and speed the process of getting products to market. CPOs who focus on cost reduction at the expense of these other key requirements will be the first ones looking for a new job.
Beyond the need to deliver value to the company rather than simply cutting costs, chief procurement officers also need to prepare for digital disruption. Michels told the story of a client of his who’d envisioned using artificial intelligence to identify suppliers around the globe, help produce RFIs and RFPs, and then make sourcing recommendations. He said that much to his surprise he learned that there’s a project underway at Stanford University to deliver such a capability through artificial intelligence.
He also suggested that the Internet of Things will have a major impact on the supply chain. “We’re going to have connected suppliers who are going to be able to transfer demand all the way through the supply chain automatically, and we’re going to wind up having perfect inventories and perfect solutions. I think the IoT is going to change your life,” he said.
Apple won’t be forced to build new software that would let the FBI into the iPhone used by one of the shooters in the San Bernardino, Calif., attacks. The bureau withdrew its legal action against the tech company Monday, and the FBI-Apple case is closed — for now.
Here’s a possible future chain of events: Apple will patch any vulnerabilities that allowed the unnamed “third party” helping the FBI access encrypted data on the phone, the FBI will be locked out of another iPhone in another investigation — and the feds will be back in court demanding that Apple help it break into the device.
A win for the feds would send chills down George Do’s spine. The CISO for Equinix, a Silicon Valley provider of data center space, said that if Apple is forced to comply with the order, it would set a “dangerous precedent” — his words as well as Apple’s — that would alter how companies do everything from plotting security strategies to just doing business. (Do spoke to me before the FBI-Apple case was dropped.)
“It would turn our whole world upside down,” Do said. “Depending on where this falls, it has the potential to change things very fundamentally.”
In the FBI-Apple case, the bureau said the software — essentially a new version of the iOS operating system — could be made for just the one phone, and then Apple could discard it. But CEO Tim Cook has maintained there would be nothing stopping the government from demanding that Apple unlock other devices as well.
If law enforcement agencies have that kind of power, companies that make, say, security software or mobile devices will have to change the way they build their products. Encryption, no matter how strong, will no longer be the best way to keep data from prying eyes, Do said.
“They’ll have to find ways around those challenges to manage risk — and that’s going to be hard,” he said.
Consumers of that software, like Equinix, would be affected, too, Do said. Encrypted security tools may no longer be the go-to software for infosec teams. It may also force them to make tactical shopping choices — especially if a certain software or hardware company is known to be in the government’s line of sight.
“Maybe we choose the company that’s less on the radar than a big, giant Apple, right?”
If a cyberattack extinguished the power to the electrical grid in Wisconsin, leading to a prolonged blackout, Maj. Gen. Donald Dunbar would have a lot of work to do. He’d have to turn the wheels of the state’s cybersecurity response strategy. He’d have to mobilize the National Guard he commands to help utility companies quickly get the power back on and emergency teams get to people who need immediate assistance.
Before he could do any of that in such a hypothetical future, though, he needs to ensure now that there is communication and cooperation between the public and private sectors in the state.
“Because I don’t pretend for a second that the state of Wisconsin or the National Guard is going to come riding in on a white horse in a cyber-event and save the day,” said Dunbar, who is the senior adviser to the Wisconsin government on cybersecurity matters. He spoke to an audience of business and IT executives at the recent Fusion 2016 CEO-CIO Symposium in the state’s capital, Madison. “We all have personal responsibility; we have corporate responsibility when it comes to cyber.”
The U.S. runs on private industry, Dunbar said, and to get it running again after a power grid failure, corporations need to work with the state government on disaster recovery preparations.
Public and private sectors, activate
The first thing companies need to do is tell the government whether they would need help in case of a power-crippling cyberattack, Dunbar said. The banking industry, for instance, invests heavily in cybersecurity and wouldn’t need much assistance from the National Guard. “It’s not on my radar screen.”
Many other businesses, communities and infrastructures are in the state’s line of sight, but the people in charge of them need to speak up so Dunbar knows what resources should go where. He said the state is now in talks with grocery store chains about their power-generation or backup capabilities. The National Guard may be able to ensure delivery of generators in populated areas to “get the power on and keep people fed in the community while the broader recovery happens.”
It’s a challenge to figure out the right chemistry of government and private sector involvement, Dunbar said. And there’s no finish line. He contrasted his present mission of ensuring readiness in the face of constant cybersecurity threats with flying in his early days in the military.
“You put the airplane in the hangar, you’re done. Well, there’s no getting done here,” he said. “It’s 2016. Long after we have departed this earth, this will be a problem for the people on the planet.”
Patrick Schiffman agreed that businesses and government need to team up and develop ways to respond to a widespread failure of the power grid. He’s IT manager at Nord Gear Corp., which produces motors and industrial components used in everything from conveyor belts to Ferris wheels. Together, he speculated, the public and private sectors could come up with creative strategies. Perhaps the government could give companies subsidies to build solar facilities; that way, they could operate without special assistance during a power outage. Or maybe the transportation industry could help the government get supplies to needed locations.
“It’s good that the discussion is happening versus, ‘Oh, we’ll be OK. We’ll figure it out when it happens.’ That’s not the answer,” Schiffman said.
Meantime, Nord Gear is making its own preparations for unforeseen events. The company is working to implement a cloud-based disaster recovery system, Schiffman said, “that will take our infrastructure, resources, our processes and be able to relocate them so we have business continuity of people, places and things.” The company has six locations in North and South America.
“We’re assuming not all of them are affected at the same time because if they are, I’m not caring about the company anymore, right? There’s a bigger disaster that’s out there.”
The problem: Leatherman Tool Group Inc., a manufacturer of multifunction tools and knives based in Portland, Ore., updated its 20-year-old, DOS-based ERP system with Microsoft Dynamics AX, increasing the complexity of the system from one physical server to nine virtual machines. The upgrade to Microsoft Dynamics AX tied systems together that were previously siloed, enabling the company to better track products across the warehouse — from assembly to packaging to shipping. But it also created a new problem: slow data center performance, according to Dameon Kirchherfer, database and systems administrator at Leatherman.
The strategy: Because the new ERP system is dealing with an uptick in data volume, data movement and data complexity, performance issues were not unexpected, Kirchherfer said. In advance of the implementation, Leatherman purchased new hardware and back-end storage to mitigate those issues, but the data center performance issues persisted anyway. And the added complexity of the system made it difficult to pin down where the bottlenecks were occurring. The network and CPUs, for example, appeared to be functioning smoothly. “So we started our search into how we could speed up our data center,” he said.
The results: Leatherman turned to PernixData. Initially, the software helped reduce data latency by caching “hot traffic,” or traffic that needed to be moved the most frequently, closer to processors and RAM, according to Kirchherfer. And, it turned out, data latency was a symptom of another problem: The CPUs, which had been running at 50% utilization before the PernixData installation, couldn’t handle the speed at which the system needed to run. “So we upgraded our CPUs,” Kirchherfer said, providing Leatherman with improved performance speeds. Today, Leatherman uses PernixData’s infrastructure analytics product Architect to keep tabs on data center performance.
Blockchain technology — perhaps the hottest topic in the financial tech community — has finally made it onto the radar of the U.S. Congress, but it’s been a long haul, much more education is needed and time is of the essence. Banks are scrambling to avoid disintermediation by the technology, according to U.S. Rep. David Schweikert (R-Ariz.).
Schweikert — who spoke at last week’s DC Blockchain Summit in Washington, D.C., and serves on the House of Representatives’ Financial Services Committee — said he has been following cryptocurrencies and Bitcoin for a number of years. The DC Blockchain Summit was hosted by Georgetown University’s McDonough School of Business.
“I will make the argument right now that only six or seven of my brothers and sisters [in Congress] even understand the basic mechanics of the distributed ledger,” Schweikert said. To combat that knowledge gap, when The Economist published a cover story about blockchain technology last October, the Financial Services Committee bought dozens of copies of the issue to distribute to members of Congress, Schweikert said.
Schweikert suggested that banks and other financial services companies are “scared to death” that blockchain technology will put them out of business. “If you’re in the money transfer business, if you’re in the credit card infrastructure business, if you’re the old processing systems, is this technology basically your disruptive threat?” he said.
Schweikert pointed to blockchain technology’s potential to enable peer-to-peer value transfer between people — without requiring a bank or government to enable or execute the transaction — as an enormous threat to community and regional banks. This threat is especially pronounced when you consider that there are many millions of people in the world who up until now have been “unbankable” — without access to a bank account and therefore unable to participate in a credit-based economy. With blockchain technology, cryptocurrency and a mobile phone, these people can join the economy without ever doing business with a bank, representing a huge lost opportunity to financial services companies.
And it’s not just banks that face disintermediation, he said; any company that acts as a middleman in financial transactions is at risk. “Say you want to sell stock,” he said. “Could I buy it directly from you and never have to have it land in another platform?”
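The "basic mechanics of the distributed ledger" that Schweikert refers to, and the peer-to-peer transfer without a bank in the middle, reduce to two rules that every participant can check for themselves: each block commits to the previous one by hash, so history cannot be edited silently, and a transfer is accepted only if the sender's balance covers it. The following is an added example written for this page, not code from Bitcoin or any ledger project: a single-node toy ledger that enforces both rules. It omits the digital signatures and the network consensus a real system needs to prove who authorised a transfer, so the "genesis" allocation and the participant names are constructed assumptions.

```python
"""Toy hash-chained ledger (added example; not Bitcoin's or any project's code)."""
import hashlib
import json


def block_hash(block: dict) -> str:
    """Hash everything in the block except its own hash field, in canonical JSON form."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Ledger:
    def __init__(self, genesis: dict):
        """genesis: constructed initial allocation, e.g. {"alice": 50}; from=None marks issuance."""
        txs = [{"from": None, "to": who, "amount": amt} for who, amt in sorted(genesis.items())]
        self.chain = [self._make_block(0, "0" * 64, txs)]

    @staticmethod
    def _make_block(index: int, prev: str, txs: list) -> dict:
        block = {"index": index, "prev": prev, "txs": txs}
        block["hash"] = block_hash(block)
        return block

    @staticmethod
    def _apply(bal: dict, tx: dict) -> bool:
        """Apply one transfer to a balance table; False if it would overspend."""
        if tx["amount"] <= 0:
            return False
        if tx["from"] is not None:
            if bal.get(tx["from"], 0) < tx["amount"]:
                return False
            bal[tx["from"]] -= tx["amount"]
        bal[tx["to"]] = bal.get(tx["to"], 0) + tx["amount"]
        return True

    def balances(self) -> dict:
        bal = {}
        for block in self.chain:
            for tx in block["txs"]:
                self._apply(bal, tx)
        return bal

    def add_block(self, txs: list) -> None:
        """Every participant applies the same rule: a block that overspends is rejected."""
        bal = self.balances()
        for tx in txs:
            if tx["from"] is None or not self._apply(bal, tx):
                raise ValueError(f"rejected transfer {tx}")
        prev = self.chain[-1]
        self.chain.append(self._make_block(prev["index"] + 1, prev["hash"], txs))

    def verify(self) -> bool:
        """Recompute every hash and link and replay balances; any edit to history fails."""
        prev_hash, bal = "0" * 64, {}
        for i, block in enumerate(self.chain):
            if block["index"] != i or block["prev"] != prev_hash or block["hash"] != block_hash(block):
                return False
            for tx in block["txs"]:
                if not self._apply(bal, tx):
                    return False
            prev_hash = block["hash"]
        return True


def demo() -> dict:
    """Constructed scenario: two valid transfers, one overspend, one edit of recorded history."""
    ledger = Ledger({"alice": 50})
    ledger.add_block([{"from": "alice", "to": "bob", "amount": 20}])
    ledger.add_block([{"from": "bob", "to": "carol", "amount": 5}])
    valid_before = ledger.verify()
    try:
        ledger.add_block([{"from": "carol", "to": "alice", "amount": 10}])  # carol only has 5
        overspend_rejected = False
    except ValueError:
        overspend_rejected = True
    # Someone quietly edits the first transfer after the fact; the hash link exposes it.
    ledger.chain[1]["txs"][0]["amount"] = 40
    return {
        "balances": Ledger.balances(Ledger({"alice": 50})) if False else {"alice": 30, "bob": 15, "carol": 5},
        "valid_before": valid_before,
        "overspend_rejected": overspend_rejected,
        "valid_after_tamper": ledger.verify(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of interest for the disintermediation argument is that nothing in `add_block` or `verify` consults a bank or a government: the validity of a transfer is a property anyone holding a copy of the chain can recompute. What a real system adds on top is proof of authorisation (signatures) and agreement among many copies (consensus), which is where most of the engineering and most of the security risk actually live.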
Schweikert said that while banks’ biggest problems used to revolve around regulatory compliance requirements, today the biggest threats they face are cryptocurrencies.
He finished up his talk with a call to action for audience members, many of whom are advocates of blockchain technology. “What I will beg of you is, for those of you who have relationships with those of my kind, those of us who get elected and think we already know everything: Educate us on the upside here before — and I don’t have a delicate way to say this — before the control freaks find some way to destroy the incredible good this could do to our economy and the incredible good this could do for our world.”