Data privacy regulations continue to expand in tandem with new, emerging technologies and accompanying threats. Experienced security and technology experts Cristin Flynn Goodwin from Microsoft and Greg Young from Trend Micro discuss recent changes in compliance, risk management, and what organizations should keep in mind moving forward.
Governments are “leaning in” to the cybersecurity conversation
Due to the accelerated shift to cloud computing, governments are keen to understand the impacts of cloud security issues on critical infrastructure and companies. This has led to a growing number of cybersecurity laws being developed, including the Cybersecurity Maturity Model Certification (CMMC) from the US Department of Defense (DoD) and the Network and Information Security (NIS) Directive in Europe.
These new laws mean enterprises need to think aggressively and more seriously about cybersecurity to keep up with the changing landscape and ultimately avoid compliance lapses.
Top 3 challenges for 2022
- Advanced persistent audits: If you have a hybrid cloud environment or are migrating to the cloud, it’s vital for security teams to understand the logs and capabilities available to access evidence for the compliance audit. Ask yourself: are you comfortable with your infrastructure, and are your teams able to support issues under stress? Do you have a thoughtful, holistic map of how to respond to security incidents across all your environments? Do you have the underlying data that demonstrates you’re consistent with your control sets or requirements?
- Nation states: Critical infrastructure will continue to be the main target for nation state actors due to its wealth of valuable information. According to Goodwin, Microsoft has notified 15,000 customers since August 2018 of such attacks, predominantly coming from Russia, China, Iran, or North Korea. These attacks highlight the need for companies to understand and leverage resources to comply with data privacy and security laws, regulations, and standards, which will inherently improve their security posture.
- Good cybersecurity hygiene: As technology continues to rapidly evolve, malicious actors look to take advantage. Practicing good cybersecurity hygiene is more important than ever, especially if you’re undergoing a digital transformation—don’t take the attackers with you in your move. If an attack does occur, there most likely was a patch for what was targeted. Goodwin noted that 99% of the time a computer was compromised, a patch was available, but not installed.
Greg Young: Hello and thank you for joining me. This is Greg Young. I am the Vice President of Cybersecurity for Trend Micro. I've got about 33 years in cybersecurity in different roles. I was a counterintelligence officer, which sounds pretty cool… Working to keep the bad guys away. Other roles I've been in are consulting, government, I was the CSO over at the federal Department of Communications, and I was with Gartner for 14 years doing Magic Quadrants and stuff like that… Covering network security. This session is entitled “No Silver Bullets: Managing Risk and Compliance in a Global Economy.” I am absolutely thrilled to have our guest Cristin Flynn Goodwin, who is the assistant general counsel at Microsoft. Cristin, I have not done you worthy of an introduction, please tell me more about yourself.
Cristin Flynn Goodwin: Thank you for having me here. I'm thrilled to participate. I'm Cristin Flynn Goodwin, Microsoft's assistant general counsel for cybersecurity, and I run a team called the Digital Security Unit, where we look at advanced issues in cybersecurity law worldwide, as well as looking at the threats that come from major nation state actors, like Russia, China, Iran, and North Korea, and look for ways to help bring context, greater understanding as to why those nation states attack, to our customers and to the world.
It is one of the most fun jobs you can have as an attorney anywhere in the world. I've been with Microsoft for 15 years. Got my start as a trial lawyer, way back when, on the 85th floor of Tower One of the World Trade Center. I've been a security lawyer for my whole life, and I will always be a security lawyer and I'm really happy to be here.
Greg: I love that we have security lawyers. That is the best, because so often law and compliance are seen as the enemy of security, not actually the friend as they should be. Maybe we could start off with that. Compliance has been around forever. There have been some changes recently, but what's coming up? What are you most excited about and what are you most concerned about?
Cristin: It's true that security is a really essential part of the law and actually a very fast growing part of the law. For the longest time, I would look at my privacy colleagues who were flush with legal obligations, and I was always Jan Brady to their Marcia. They were the popular ones, with lots of exciting activity to go and deal with, and we were the wallflowers. But that's really changed over the past few years, as we've watched the rise of risk management and compliance, governments wanting to understand the impacts of cybersecurity issues on critical infrastructures and companies.
We're seeing more laws that are being developed and more standards regimes that are being pulled into procurement and compliance regimes. They're causing companies to have to think much more seriously about cybersecurity and how they comply, not just in the United States with key issues, but really globally.
When we look at the growing cybersecurity laws that are coming, some of the big ones in the United States, like the CMMC, that’s the Cybersecurity Maturity Model Certification that the Department of Defense is promulgating, will impact lots of companies that work with DOD and have to think aggressively about cybersecurity.
In Europe, we’re watching the Network and Information Security Directive, the NIS Directive, go through its second iteration, which includes requirements like incident reporting to your government that you work with wherever your company is headquartered or based. We’re watching these laws grow so quickly that it's causing security and security law to have to evolve very fast, to keep up.
Greg: Oh, that's great. You mentioned sort of nation states in the last few decades, because attribution has been so hard. We've always encouraged our clients, customers, and partners to kind of stay away from the nation state discussion, because it's been so narrow, but I think that threats really changed in the last while some of the discussions we had before this. What's changed for nation state for the work you do?
Cristin: I think that's right. I think nation states are here to stay. Anyone that's working in cybersecurity over the past six months has kissed their families goodbye and spent countless hours in incident response, dealing with the Nobelium or Russian attacks from December forward. And then the attacks that emanated from China, associated with Exchange Online, that really picked up at the beginning of March. These are just two examples, but nation state attacks are happening all day long, every day, all around the world.
One of the things that's really been transformative is that we've been tracking nation state actors and notifying customers at Microsoft in earnest since August of 2018, and we've notified our 15,000 customers of those attacks coming predominantly from Russia, China, Iran, or North Korea.
One of the things that we know is that 90% of all of this nation state activity is not going after critical infrastructures. They're going after information that's of use to government. They're targeting think tanks and law firms and consulting firms and businesses that have connections to governments.
As we think about security, we have to think about how do we make sure that it's not only the infrastructures that are protected and secure, because they are essential and they are targets to governments, but what governments are going after right now, the most, and what every customer of our companies has, is information.
Those attacks on information are really the lifeblood of nation state attackers right now, and that's only going to keep.
Greg: What we're seeing though, is a lot more activity for the stopping resources that are known bad, especially are known malicious, that we've kind of in the past been seemingly all right with just leaving up and operating in a hostile nature. What about the international aspects of this? Because so much of this crosses borders, of course. Have you seen changes there, or has there just been more cooperation, or has there just been more effort to put resources behind those kinds of international agreements or working with other carriers or telcos?
Cristin: I think there's a real international focus to engage on cybersecurity issues in the nation state space. Absolutely. You're seeing governments that are collaborating and partnering. The United States issued a statement of attribution for the SolarWinds and Nobelium activity, attributing that activity to, not just Russia as it had back in January, but specifically to the SVR, their equivalent of an intelligence agency. Well, their equivalent of the NSA or CIA. That's really exciting to see that the US is leaning forward into that space.
In years past, we've seen other governments that have strongly joined on those attribution statements. We saw some of that come up when the US issued its statement. Australia acknowledged that it was Russia involved in the attacks. We saw other countries doing the same. That's important. The more we see governments getting comfortable leaning into making these assertions and talking about who is behind it… The governments are the ones with the legal authorities who are able to then attribute down to the person, who was the bad guy that was stopped behind the attack. That's really exciting that the governments are getting more comfortable doing that. That also helps with international accountability.
On the private sector side, it's terrific when there's an issue and you want to collaborate with somebody to say: Hey, we see a threat, can we share information? Would you like to partner? I think there is a worldwide consensus in the cybersecurity community that we have to do something. We're seeing great collaboration with my colleagues who drive ransomware issues and in my space with nation states, lots of interest in being collaborative, sharing information and figuring out how to stop attacks. And it's all because we need to help protect people. These attacks are only growing. I think the community's response.
Greg: Oh, super. The most advanced, persistent threat I've ever seen are auditors. For most of the people watching us right now, their greatest concern is going to be: hey, how do I avoid this threat, which is advanced, persistent, and never goes away. And the landscape is changing so much. For the people watching today, what do you think they're going to be facing in the next few years? Both from compliance and this changing threat that you've described.
Cristin: I liked the concept of advanced persistent auditor because previously the most horrific threat was always the advanced persistent teenager. I'm glad to know that that worked for me. I think that this is important because one of the things that we all have to think about, particularly in environments that are hybrid cloud and on-premises, but also, as you migrate from an on-premises environment into the cloud, is understanding what logs and capabilities you have to be able to go back and find the evidence that you need.
In order to have the compliance audit that is attached, that you have met your security obligations, or that you understand and that you are consistent with these control sets or these requirements… Understanding the underlying data. Are you comfortable with your infrastructure, or are your teams able to support your issues under stress? And then do you have the data that you will need in order to meet and fulfill your compliance obligations? That's really going to be the key issue.
Standards and compliance with standards have always been important, but in the wake of issues like the SolarWinds or Nobelium attack, or China and Hafnium, we're starting to see governments probing more deeply, wanting to understand, as the SEC announced its investigation against SolarWinds.
What data is available to be able to respond to that type of an incident? From an audit and compliance perspective, ensuring that you have a clear line from your control to the standard that sits behind it, to the data that you actually need at that point in time to prove that out… Having a really thoughtful map of A to B to C is going to be important, because what you'll see under stress, is that you may have it for one environment, but you may not for the other.
How you think about and a holistic approach to auditing that reflects both of the underlying data from your cloud and from your on-premises environment… That will be important because from a legal perspective, your auditor or your government official who’s demanding that information, will expect to see both.
Greg: Yeah, so many changes for the good. That's the good news; the bad news is technology keeps moving so quickly that we're seeing, of course, new changes to technology with 5G and changes in just how we communicate and changes in the cloud. There's new places for the bad guys to go all the time.
Cristin: Well, there is, but at the same time, one of the things that we see is that a nation state attacker in particular—criminals are a slightly different category—but nation state, attackers, they typically go after their target because there's a reason to, right? There's a value to that government to say, go get that company's information.
When those customers migrated into the cloud as a part of their digital transformation, the attacker generally comes with them. When we find that attack activity in their cloud, it isn't because it's net new. It was that it was there, and it wasn't being picked up on the on-premises side.
I think in part the attackers, sure, are they going to exploit 5G? I go to sleep at night terrified about new ways to exploit artificial intelligence and the threat models that we'll need on a national level to go protect that. But yes. Right. Attackers will always go to the next technology to think about how do we take advantage of that.
But what it also means is that we have to be thinking about how our hygiene practices, our basic security requirements for all of those technologies and making it easier for customers to be able to enable them and adopt. 99% of the time when a computer is compromised, a patch was available, but it wasn't installed. 99% of the time… That's extraordinarily high.
If you're thinking about attacks in 5G networks or other IoT infrastructure, if 99% of the issues get mitigated by patching… If that's how the attacker gets in, some of that hygiene practice is really going to have to move in to help address threats against those emerging technologies. It's not super different, but the risk is still there.
Greg: Yeah, and the bulk of that 99% is also more than four years old as well. That most of the tags you used are ones that are known about for a while. There's been patches available for four to eight years quite often. So yeah, you almost forget the nation state… It's just make it harder [for them], just patch your patch and back yourself up and good things will happen.
Well, Cristin, this has been fantastic, and I want to thank you so much for taking time out of your schedule to speak with us and our friends who are watching today, and I really enjoyed our discussion. So once again, thank you very much on behalf of Trend Micro and all of our watchers.
Cristin: Thanks a bunch, Greg. Appreciate it. Be well.