DETROIT — There are only two types of companies — those that have been hacked, and those that will be.
Those words from former FBI director Robert Mueller provided an ideal backdrop for the latest regional Michigan Cyber Awareness Luncheon program, held Wednesday at the Marriott Detroit Renaissance Center.
“It’s not a question of if you will be hacked, but when,” said Joe Adams, a retired U.S. Army colonel and West Point cybersecurity professor who now leads the Michigan Cyber Range for Merit Network Inc. in Ann Arbor. “We concentrate on locking the door, but we have to open it up to do business.”
And when you open that cyber door to do business online, a must these days, the bad guys try to get in.
All sorts of bad guys, panelists said — state-sponsored hackers from places like North Korea that don’t observe international niceties. International mercenaries for hire. Targeted and recruited insiders. Disgruntled current and former employees.
And it’s not always tech wizardry that opens the door to your organization’s goodies, from design and production processes to cost and pricing information to negotiation strategies.
“The easiest way into an organization isn’t some high tech attack, it’s getting someone to click on an email,” said special agent David M. Martin of the FBI’s Cyber Task Force in Detroit.
That’s what happened in the much-publicized Target credit card information theft, Adams said — a hack that originated with an air conditioning contractor.
“They might be good air conditioning engineers, but they weren’t much for data security,” Adams said. “They used free security software, and to use it you had to click to scan something — it wasn’t on all the time. One of their engineers clicked on a phishing email and infected their network, and that little bug ran around and said, hey, I see something over here that’s even bigger. It jumped into Target, and $412 million later, here we are.”
Added Beth Niblock, CIO of the city of Detroit: “This topic could not be more timely or more urgent.” She said that Wednesday, the state of Montana disclosed a hack of 1.3 million patient records. And back in February, the city of Detroit announced a security incident in which personal data on 1,875 current and former firefighters and EMS workers was unlocked.
“Sitting with a disabled retired firefighter who was really distraught about this really brought home to me the trust people have in us,” Niblock said.
Martin urged businesses and other organizations to cooperate with the FBI if they find they’ve been hacked. He said the FBI can help with forensic analysis of intrusion response, malware analysis, and access to classified indicators of compromise.
What the FBI won’t do, Martin said, is take over systems, repair systems, or share proprietary information with competitors or the media.
New technologies also pose new risks. Gary LaRoy, CIO of the Michigan Economic Development Corp., said smart electric or plug-in hybrid cars communicating with the power grid is one possibility.
“This goes way beyond taking over a vehicle’s systems and making it take a left turn off the Mackinac Bridge,” LaRoy said. “That’s serious enough. But imagine if (malware in) a vehicle gets into our infrastructure.”
Mobile technologies also pose new risks, as last year, for the first time, more people used the internet on a mobile device than on a traditional desktop or laptop computer.
But all isn’t bleak. There is hope as well, panelists said. Maj. Daniel E. Guy of the Michigan Air National Guard’s 110th Communications Flight in Battle Creek said America is making “steady progress” in both public policy and technology in the battle against cybercrime.
And David Behen, Michigan’s state CIO, lauded the effort to create the Michigan Cyber Range, a cybersecurity training center, and the Michigan Cyber Civilian Corps, a volunteer IT force that would help the state respond to cyber incidents. (Michigan Gov. Rick Snyder is co-chair of the National Governors Association’s State Cybersecurity Resource Center.)
Panelists also said there is plenty of opportunity for young people to build careers in cybersecurity.
And to get in, Adams said, young people should “learn the basics of programming. That will always help you. Too many people want to jump into game design and all this stuff that is neat and sexy, phone apps, but the basics will always work for you. I’ve been doing this for decades… and the first programming course I ever took is still paying off, because it taught me how to think, how to put a program together, how to put a problem together and solve it.”
Speaker after speaker said there’s a shortage of cybersecurity workers in the talent pipeline.
“If you have the skills, you will have a job for the foreseeable future,” said Steve Katz, president of Security Risk Solutions LLC, a North Carolina-based cybersecurity consultant.
Added LaRoy: “Everybody get on Facebook and tell their friends who have moved away… Michigan has become the land of opportunity and we need them back.”
And riding herd on your critical information is also a personal responsibility these days, speakers said. After all, as Diane Jones, CIO of the Detroit Public Schools put it, these days a 2-year-old already has left a digital footprint online.
The event concluded with a wide-ranging open discussion of privacy and security issues touching on recent headlines, from Edward Snowden and the NSA to disputes over the data mining activities of web giants like Google and Facebook.
The Michigan Cyber Awareness 2014 Luncheon Conference Series is an extension of last year’s Michigan Cyber Summit security event. The series continues Aug. 12 in Traverse City and Sept. 15 in Kalamazoo. For more information on those events, visit this link.
Premium sponsors of the luncheon series are Comcast Business, Deloitte and AT&T. Series sponsors are The Engineering Society of Detroit, Google, ITC Holdings, Motorola, Northern Michigan University, Symantec, and Unisys.