Chris Folk is the Director of National Protection Portfolio, The MITRE Corporation. Folk oversees work program development and delivery to: the DHS National Protection and Programs Directorate (NPPD), including Cybersecurity & Communication (CS&C), Office of Infrastructure Protection (OIP), and Federal Protective Services (FPS), and US VISIT.
Folk brings more than 18 years of experience supporting the national and homeland security communities, working in operations, intelligence, infrastructure protection, and cybersecurity programs for the DoD, IC, and DHS.
In this interview he discusses the challenges involved in working with several U.S. government agencies, approaching the insider threat, the resilience of the government cyber ecosystem, future threats, and more.
How has your background prepared you for your current role as Director of the HS SEDI FFRDC National Protection Division? What are the main challenges involved in working in this position?
I have had the privilege of being involved in a wide range of national and homeland security missions over the course of my career. At MITRE, a not-for-profit organization that operates federally funded research and development centers for several U.S. government agencies, I started out supporting the Department of Defense (DoD) on sensitive activities and special programs, then changed to an intelligence focus and ultimately, to a homeland security focus.
Working across those three missions has provided me with a very strong foundation to address the challenges my team faces today. I’ve also supported the U.S. Navy, the Department of Energy, the FBI, the U.S. Intelligence Community and helped stand up DHS — it’s been very well-rounded and thorough exposure. I understand how these vastly different organizations and their missions intersect; they must work in concert with one another to help bring the right solutions to their individual national defense and security missions.
What’s the most underrated digital threat to the critical infrastructure at the moment?
We have been intensely focused on securing the .gov and less so on helping commercial companies understand or appreciate the threat they face. A fundamental change to our cybersecurity game is to alter what we watch and what we share.
For the past 30 years, companies have primarily played a reactive game of, “reduce the attack surface.” In other words, we have become obsessed with understanding ourselves and our own networks, our own devices. We have felt that if we can fully understand all of our infrastructure and the associated vulnerabilities, then we can use software products to mitigate threats by blocking malicious sites and patching systems to correct exploitable vulnerabilities. As with most complex problems, this singularly focused approach is not bad, but it is not sufficient.
The issues with this approach are many. Simply “reducing the attack surface” demands too close of a focus on identifying vulnerabilities in our own systems, an approach we have seen fail again and again for more than 30 years. It requires that we look inward and not outward. It assumes, at a time when systems are highly complex and connected to one another in ever changing ways, that it is even possible to understand all potential vulnerabilities. It also tends to focus on discrete incidents. And finally, when we only focus on vulnerabilities, it means that vulnerability information is the most valuable information an organization has to share with the government or other corporations who have joined forces with us in preventing cyber attacks. Many organizations are uncomfortable—and frankly, unwilling—to share information about weaknesses in their own systems.
And those aren’t even the biggest problems. The most sophisticated, advanced persistent cyber threats are often able to overcome this vulnerability reduction approach. Why? They are playing a different game. They tend to bring a long-term focus on high-value targets and can adapt to these tactics.
So, what should we be watching instead? We need to bring more focus to watching and understanding our attackers—we call this the threat focus. We need to place a greater emphasis on understanding and sharing threat patterns to balance detection with mitigation and response. We need to share and analyze knowledge gained from multiple, discrete attacks to better understand attacker behaviors and reduce the likelihood of future successful attacks by aligning our defenses and our investments to the actual threats we face.
How do you approach the insider threat?
Well, first we should define what we mean by “insider threat.” I define it to include true insiders as well as situations where an intruder has gained access to users’ credentials, and is now “free to roam.” Both types of insiders pose different yet equally challenging issues for security professionals.
Fundamentally, I approach both with a threat-based defense. This means gaining understanding of the system, of individual intruders’ behaviors, and then using the data to help inform defensive action where abnormalities exist. I like to think of the issue as looking for a needle—not in a haystack but— in a pile of needles. You don’t use the same tools and techniques to discover the latter, but you certainly can use similar understandings of the problem to start your search.
I think the work done by the Software Engineering Institute at Carnegie Mellon University is a good example of how DHS has worked to develop common-sense recommendations to address and mitigate the impacts of insider threats to organizations. It succinctly provides tables that make it easy for members of different organizational groups, such as IT, software engineering, and human resources, to work as a holistic team in finding and applying the most relevant practices to the threats. The guide also maps each practice to existing standards, lists implementation challenges for large and small organizations, and outlines quick wins and high-impact solutions.
The recently published fourth edition of Common Sense Guide to Mitigating Insider Threats, sponsored by DHS, updates and expands the CERT Insider Threat Center’s recommendations for a broad range of organizational stakeholders.
Based on your experience, what advice would you give to a government trying to improve the resilience of its cyber ecosystem? What areas are often overlooked and in desperate need of improvement?
First of all, I think that we need to significantly alter the conversation about the challenges we face. We have countless government agencies, private industries and citizens within and outside of the United States, who own, operate, and use cyber infrastructure to conduct their business. We also have another broad range of players, some human, some natural events, that threaten our cyber infrastructure.
Given the diversity of players, it isn’t surprising that they don’t operate as if they were part of a single team that is playing the same game and using the same set of rules in a predictable manner, where linear cause and effect relationships are easily definable.
In this game, the different players who own and operate the infrastructure each have different approaches to how they assess and manage risks to their infrastructures. At the same time, and paradoxically, while these players are organizationally independent, and have different approaches to risk management, they are often operationally interdependent. This interdependence means that impacts to a single sector, facility or asset can have increasingly significant second, third, and fourth order of magnitude impacts on other sectors. Or to say it more pointedly, if the power in your house goes out, your cell phone and laptop won’t be far behind.
When you talk about the actors who threaten our cyber infrastructure, we know they are also a diverse bunch—motivated by any combination of political, economic, security, and criminal gain. So the challenge becomes even more complex. It means that numerous players—human and system, adversary and ally, and natural adversity—are continually and dynamically playing this game in unpredictable ways.
Here is our challenge. Despite the diversity of players, and the different ways they play the game, we sometimes act as if those players are centrally controlled and commanded and are playing the same game by the same rules. In addition, we often assume that one player can easily be protected independently of the others.
What do I mean? Much of our nation’s first efforts at cyber strategy were grounded in a government-centric, traditional national-security view. For example, the first Comprehensive National Cybersecurity Initiative (CNCI) attempted to redefine how the United States thought about cyber-security by focusing primarily on government systems, and deploying systems from the national security, .mil environment into the .gov environments. In some cases these assumptions were accurate, but in others they were not appropriate to meet civilian security needs.
The national security environment has evolved over the years but is often grounded in assumptions, such as centralized command and control, government to government interaction, and information classification requirements, which are not always effective in the decentralized environment that owns, operates and uses our nation’s communications and information environment.
Additionally, this construct doesn’t consider the interdependence between government and non-government organizations. Let’s consider, for example, the Internal Revenue Service (IRS). Even if we completely secure IRS systems so that they are 100% impenetrable to attack, revenue that the IRS collects can still be placed at risk by attacking the systems of large private sector tax preparers.
Finally, this construct can assume that security challenges are primarily addressed by the government acting alone. During the Cold War, when many elements of our modern national security infrastructure were developed, the job of protecting our nation was assumed to be primarily the province of military and intelligence agencies.
Given the decentralized environment surrounding communications and information infrastructure, there are many players in this game who are not part of the traditional national security environment, and whose engagement and expertise must be brought to bear. Thus, it is essential to acknowledge the diversity of the players and to shift from a perspective that is primarily focused on government action, which is historically rooted in a command and control model, to one that is more focused on tailored engagement and collaboration across a broader set of public and private organizations and citizens.
– How do you expect cyber threats to evolve in the next decade? What kind of impact will that bring?
I expect they will increase both in terms of frequency and of sophistication. I see the interconnectedness of IT as the number one challenge individuals, companies, and governments will face in the next decade. I predict the threats will drive completely new business models. I liken the evolution of cyberspace in the next ten years to the ways the interstate systems completely changed the way countries do business; it will bring opportunities and changes to the way we live, work, and play. The threats that will result from the expansion of IT in our lives will also change. Much like security, safety, governance and business opportunities that had to change along with the exponential growth of our infrastructure, threats and will opportunities evolve with the expansion of our cyber ecosystem.
The threats we face today are beyond the basement hacker; they are persistent. With regard to APT (Advanced Persistent Threat), I recommend that we give special consideration to the “P.” Persistence of our adversaries may mean different things to different people, but the adversary will not give up. Right now we are trying to change the equation and raise the adversary’s “cost of doing business” by exploring new approaches to engaging them.