Featured Image: Cybersecurity expert, Navy veteran, and AMU graduate Robert M. Brzenchek
By Wes O’Donnell
Managing Editor, Edge
Our nation faces substantial cybersecurity challenges in the years ahead of us. Adversaries like Russia and China are consistently probing for weaknesses and carrying out attacks that threaten to destabilize America’s infrastructure and our very way of life.
According to Harvard Business Review, China is quickly closing the once-formidable lead the U.S. maintained on artificial intelligence (AI) research. Meanwhile, in Russia, state-sponsored criminal hacking organizations are encouraged to attack the West. DarkSide, a Russian hacking group, has been accused of being behind the ransomware attack that shut down the Colonial Pipeline.
Urgent Action Needs to Be Taken – America Is Falling Behind in Its Cybersecurity
According to some U.S. experts, America is falling woefully behind in this new front of offensive and defensive cyber operations. In a recent poll, only 9% of Millennials said they are interested in pursuing a cybersecurity career. The numbers are even worse for Gen Z.
Most surprisingly, these jobs have pay scales that are beyond competitive. On the surface, these salaries should make cybersecurity not only essential but also extremely attractive to younger, tech-savvy generations.
We need to take urgent action. It feels like September 10, 2001, except we know an attack is coming this time.
An Expert’s View on the Current State of US Cybersecurity
I recently had the good fortune of speaking with published author, Navy veteran, and cybersecurity expert Robert M. Brzenchek about his take on the state of America’s cybersecurity posture. Mr. Brzenchek has worked with dozens of national agencies, governments, and international organizations in the use of advanced technologies and information sharing to detect violations of international laws.
His book, “Transnational Organized Crime and Gangs: Intervention, Prevention, and Suppression of Cybersecurity,” provides several first-person examples of the mentality present in today’s transnational organized crime groups. It also features a holistic approach towards cyberattack prevention and intervention in the cybersecurity space.
Wes O’Donnell: Robert, thanks so much for taking time out of your busy schedule to chat. I joined the military before 9/11, but I spent most of my time in the military after 9/11. What was funny is that we were focused, in basic training, on Russia and China – these large nation-state adversaries.
After 9/11, I had a front-row seat watching the military slowly retool to counter insurgencies and terrorism. As a nation, we’re finally pivoting our defense posture back to large countries. So how vulnerable is the nation’s infrastructure to cyberattacks from China or Russia today?
Robert M. Brzenchek: Thanks for having me, Wes. As you know, in this world, there are increasingly capable hackers that are funded by nation-states such as China and Russia and massive spending in the United States on the internet of things (IoT) and 5G. We have advanced sentinels. We have data centers that will be everywhere. However, we can’t catch everything. And so that’s an issue.
With the capabilities of Russia and China, especially on the heels of the Colonial Pipeline and SolarWinds attack, we have nation-state actors from Russia make their way through business and government systems. And so what we need to focus on is what our vulnerabilities are in our critical infrastructure. And trust me, there are many.
When you think back to pre- 9/11, this [cybersecurity] wasn’t really on the tips of anybody’s tongue. Now, this is the new front. This is our new 9/11. And unfortunately, I predict that our next 9/11 will be on the cybersecurity front. We are absolutely vulnerable to threats from the capabilities of the hackers from China, Russia, and others.
For example, getting back to SolarWinds, that was a huge vulnerability that exposed U.S. defenses and it’s a reminder of what we already know. The federal government and private enterprise have struggled for decades to build a deeper relationship on cybersecurity to stay ahead of the accelerating, more advanced threat to come from both China and Russia and points beyond.
Take Colonial Pipeline, for example. That ransomware attack hit our critical national energy infrastructure.
That’s a new level of ransomware that we have not seen before. And you and I were both in the military; we both know in the intel world that nothing comes out of Russia that Putin does not sanction. And so I take pause with the Biden administration saying that it was not an act of war, because it was a clear and present danger to our sovereignty.
In Russia, they are training the next generation of hackers by having them do esports-style competitions for who can hack into different cities in the U.S. Now, our critical infrastructure here for cyber is pretty vulnerable, because if you’re attacked every minute of every second of every day, at some point an intrusion will get through.
And so when you asked the question, “How vulnerable are we?”, I think that we have banded together too late. Is it recoverable? Absolutely, because as Americans, that’s what we do. We’re going to do what we need to get done.
However, is it too late? Are the enemy capabilities beyond what we’re doing right now? I say we are vulnerable.
Wes: That’s scary stuff. It feels like I’m speaking with someone who knew we were about to be attacked the day before 9/11, and no one paid attention.
Robert: I get the fact that we should not go to war with Russia. However, let’s call it what it is.
Wes: So, if you have a corporation like Colonial Pipeline or really anybody that wants to bring you on board to have a look at their vulnerabilities, how do you go about assessing risks?
Robert: Well, let’s walk back to what a risk is. The risk assessment process is a simple way to plan what you’re doing and to minimize the chances of anybody getting hurt, whether it’s in cyberspace or beyond.
It’s a way to identify sensible measures to control the risks in your workplace. I harken back to my days of me being an intel specialist in the Navy: We learned that Threat x Vulnerability = Risk.
What is your threat? What’s your vulnerability to that threat? And what are your acceptable risks? And I tell you right now, no loss of life is an acceptable risk.
When you’re looking at different things in the risk assessment process, these are things that as a security expert that you need to keep in mind. How are you going to be able to identify what the hazards are and what are you planning to do to mitigate those hazards?
And when I say, ‘mitigate,’ what are you going to do to prevent them from happening? You also need to look at your team. Do you have a cyber security team to do a red and blue exercise? Do you have the capabilities to counter anyone?
Wes: That’s great information. If you were to pick one major cybersecurity threat, who’s at the top of the threat board? Is it a criminal organization? Is it a nation-state?
Robert: They work hand-in-hand. As we saw in the Colonial Pipeline, Russia utilized an organized crime group. At the top of the board, obviously, the nation-state because they have the capital, and they have the resources. But they utilize these criminal organizations to do the dirty work.
Wes: I just learned about the existence of cybersecurity insurance. And I don’t know why it took me by surprise because it seems completely logical, now that I think about it.
But if you’re a medium- to a large-size organization and you’re a thoughtful CEO who’s thinking about risk, you’re probably already thinking about the day that you have your data encrypted and locked behind a ransom wall. Is cybersecurity insurance something that you recommend?
Robert: Well, I recommend doing a risk assessment and doing a process such as ISO 27001 first, because if you do not have those processes in place, all the insurance in the world is not going to help
Note: ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and then revised in 2013. Some organizations choose to implement the standard to benefit from the best practice it contains, while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed.
Now, if you have a robust process in place, and you feel that you’ve exercised it, then absolutely, insurance should be there for you to utilize. But I would advocate for cyber insurance if – and only if – you understand what your vulnerabilities are.
Wes: Robert, this has been a ton of great information. I appreciate your taking the time to talk.
Robert: It was my pleasure.