Top Angst: Cyber and Travel
Now in its 33rd year, OSAC brought together thousands of security professionals from U.S. organizations to explore global security issues and challenges, hear from corporate and government thought leaders, and receive regional briefings from OSAC analysts in November 2018. Topics ranged from social media disinformation in India and emerging autonomous threats to creating a contemporary operations center and building a 21st century security program. But two topics stood out: cyberwarfare and travel risk management.
Cyberwar
In the waning days of the Second World War, U.S. President Franklin D. Roosevelt, U.K. Prime Minister Winston Churchill, and Soviet Premier Joseph Stalin met in Yalta to demand Nazi Germany’s unconditional surrender. Stalin emerged from that conference with control over Eastern Europe. The Soviet Union’s collapse half a century later eviscerated Russia’s sphere of influence, but the country is dramatically reasserting its claim as a world power player largely through its vast cyberwarfare activities. Russia’s return to prominence, the diversification of nation-state hacking among new actors, and the cyberthreat to both governments and businesses emerged repeatedly as areas of grave concern at the OSAC 33rd Annual Briefing, held in Washington, D.C.
Russia is effectively out to create a “Yalta 2,” said Heather Conley, a senior vice president at the Center for Strategic and International Studies, during a session on new-generation warfare. Russian President Vladimir Putin’s objective is to “retain his power structure, restore Russia as the United States’ equal, and stave off long-term Russian decline,” Conley said.
Cyber activities are key to Russia’s reassertion of dominance in Eastern Europe and beyond, where it is deploying a combination of cyber activities, including economic investment, politicized nongovernmental organizations, proxy groups, and political patronage. For their cyber activities, “Ukraine is the lab,” Conley said. Putin is looking to not only identify which techniques are effective, but also to gauge the West’s reaction, she said. A main objective: “Get U.S. citizens to lose confidence in elections” and other democratic institutions.
Of course, Russia is far from the only combatant on this virtual battlefield. China and Iran are also prevalent sources of advanced persistent threats, with instances of unauthorized and stealthy access to a network for an extended period of time. Kevin Mandia, CEO of FireEye and the author of the groundbreaking 2013 report documenting the Chinese military’s cyberattacks on 141 Western organizations, noted in a separate OSAC session that Iran has been vastly improving and increasing its cyber aggression. Even Vietnam has joined the fray, he said.
“Eighty percent of breaches we respond to are corporations hacked by nation-states,” Mandia said. And almost every breach reflects geopolitical conditions or developments.
Given the vast resources of Russia, China, Iran, and countless other nation-state cyberwarriors, how can corporations mount their relatively meager resources in defense? Emily Heath, the CISO of United Airlines, who presented on Mandia’s panel, noted that the airline emphasizes sharing intelligence between its physical and cybersecurity departments. “Almost every incident has a cyber component today,” she said. Boeing Senior Director Scott Regalado added that security executives should be closely following the news and proactively reaching out to the C-suite, especially if a development might somehow involve their company or industry.
Panelists stressed that tabletop exercises are critical, as is creating an enterprisewide information security committee. “Consider preparedness for media response as well as internal response,” advised Heath. Preplanning is essential because breach-disclosure regulations put victimized organizations on the clock.
Defense starts with good cyber hygiene, security consultant Stevan Bernard told Security Management following the panel. He is in a good position to know: Bernard previously served as executive vice president for Sony Pictures Entertainment, which was the victim of a high-profile breach believed to have been committed by the North Korean government. The key is to change behavior, which is best accomplished through personalizing the message, he said.
For example, companies can encourage cyber vigilance by explaining how employees are personally at risk and how they have assets worth protecting. Good home habits transfer to the workplace. In addition, companies might consider providing employees with dedicated computers—that aren’t connected to the corporate network—for personal Internet browsing. Corporate cybersecurity basics should include 12-character passwords that must be changed every 90 days, two-factor authentication, regular encryption and purging of data, and phishing-education campaigns. Yet despite increasingly sophisticated attacks and the growing involvement of state actors, Bernard said, “the biggest vector is still email.”
Travel
In early 2018, due to work commitments, a U.S.-based corporate executive was unable to join his wife and two teenaged daughters at a resort on the Riviera Maya in Mexico. He felt comfortable sending them, despite general travel warnings issued by the U.S. State Department and highly publicized media accounts about tourists caught in gang crossfires, because the incidents were remote and isolated, and he was familiar with the airport, the transportation, the travel route, and the resort.
Additionally, transportation to and from the resort had been set up in advance, his family followed good travel security practices, and the executive had assets on the ground to assist if necessary.
Happily, the family had a great time and returned safely. But during their stay an American tourist was killed only a few miles from their resort. In the aftermath, the CEO questioned the executive’s judgment, citing the murder, media reports, his recall of travel advisories for Mexico, and third-hand horror stories of trips gone awry. What the CEO lacked was an objective assessment of the risk.
Many organizations turn to travel risk management firms to drill down into specific locations, routes, times of year, and other factors to protect their traveling staff, students, and volunteers. But OSAC has recently introduced a free matrix tool available to its constituents that enables a nuanced view of travel risk for specific locations.
With the OSAC framework, a user selects a country and completes six modules related to risk—crime, terrorism, civil unrest, environment, health, and operational/information security. For each of these modules, companies answer a series of questions, typically with checkboxes or prepopulated answers contained in a pull-down menu. OSAC provides the links to objective data, such as the types of natural disasters that have occurred in the last 24 months, while companies answer many of the questions based on their interests in the country and their own risk tolerance.
For example, under the “civil unrest” module, a travel security manager might identify recent civil demonstrations and gauge the prospect for future incidents, as well as discern the underlying cause, average size, and participant makeup of demonstrations. The manager can also determine their frequency, location, and the frequency and nature of any attendant violence. In one possible example, the framework can help a travel manager conclude that demonstrations reflect opposition to host-country politics or practices, average between 500 and 1,000 participants, occur in areas where the company has significant operations, and spill over into looting and rioting that local security forces cannot control. That information would help inform the company’s security practices, for example choosing alternate travel routes or rescheduling visits.
At the end of the framework is a section on countermeasures and guidance. It includes space for travel security managers to enter risk summaries, travel requirements, traveler guidance, and transportation countermeasures.
Questions for the matrix were chosen based on their ability to provide clarity on the overall security picture, says OSAC Regional Analyst Morgan Dibble. For instance, to gauge crime, organizations frequently consult homicide rates, which most nations report. But homicide rates—which can be underreported, unavailable, or manipulated—do not truly reflect overall crime rates. Therefore the “crime” module also includes common crimes such as smash-and-grab theft and drink spiking, popular scams, discernible targeting patterns, and police response.
OSAC constituents can access the tool via the secure OSAC website.
