EPISODE 29
What the Private Sector Can Learn about Incident Response from the Military


About this episode

June 11, 2019

Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, talk with guest Melissa Van Buhler about what the military can teach the private sector about incident response.


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Our hosts are Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, cyber security counsel at the law firm of Newman DuWors. This is a show where we help you become a better cyber risk manager. The show is sponsored by Cyber Risk Opportunities and Newman DuWors LLP. If you have questions about your cyber security related legal responsibilities, and if you want to manage your cyber risks just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable and order fulfillment, then you should become a member of the cyber risk business strategy program, which you can do for a fraction of the cost of hiring a single cybersecurity expert. You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com.

Speaker 2: Hi everyone. Before we get started with this episode, we have a special announcement. As a regular listener, you know that the same technology that makes our jobs easier can also make things easier for cyber criminals. Given this, it's not surprising that enhancing cybersecurity is near the top of many organizations' to-do lists. What is surprising is how many businesses approach cyber risk management the wrong way. We want to help fix that at two lunch and learn webinars. So join us for the 10 biggest mistakes you are making with cyber risk and how to fix them. On the East Coast, we'll start on Wednesday, June 26th at noon. And on the West Coast, we'll start on Thursday, June 27th at noon. Invite your team members to join you in the conference room for this lunch and learn webinar. Registration for this exclusive 45 minute webinar and the Q and A session is free, but space is limited. Visit cyberriskmistakes.com to reserve your spot today. Now, on with the show.

Kip Boyle: So Jake, what are we going to talk about today?

Jake Bernstein: Today, Kip, I'm extremely happy to introduce my colleague, Melissa Van Buhler as our very first guest on the Cyber Risk Management Podcast.

Kip Boyle: All right.

Jake Bernstein: We're going to be talking to Melissa, a 15 year army JAG veteran about what the civilian world can learn from the military when it comes to cybersecurity.

Kip Boyle: That's great. Melissa, welcome. We're so glad to have you here. Would you please introduce yourself to our listeners? They want to know who you are.

Melissa Van Buhler: Sure. Thank you both for having me on the show. Yeah, so I spent over 15 years on active duty in the Army as a judge advocate general, kind of like the TV show, but not really. Practicing law in different areas and kind of all over the place. But over the years, I spent a lot of time doing intelligence law. So specifically, time at the National Security Agency and US Cyber Command.

Jake Bernstein: So you didn't get to fly jets and beat people up?

Melissa Van Buhler: No, but I did spend a year in Iraq where I carried a weapon every day.

Jake Bernstein: Well, that counts, that counts.

Kip Boyle: More than a legal brief.

Melissa Van Buhler: Yes.

Kip Boyle: Pummel them with a legal brief.

Melissa Van Buhler: Yes.

Jake Bernstein: Well, so thank you very much for introducing yourself. Today, what we're really interested in hearing from you about that experience is what you think that we civilians can learn from the military, specifically regarding cyber security practices.

Kip Boyle: Yes.

Jake Bernstein: So if you had to sum up what the military does best in one word, what would you say?

Melissa Van Buhler: I think I would say readiness.

Jake Bernstein: Readiness. Okay. I'm giving you a second word. What's your second word?

Melissa Van Buhler: I believe my second word is awareness.

Kip Boyle: All right. Those are two great words. Now you guys, Jake and Melissa, you know, and I think our audience knows, that I was in the Air Force on active duty for about six years. And so it's been really interesting. I met Melissa recently and we kind of compared notes about what it's like to be in each of these respective services. And even though there are so many differences, I would agree, readiness and awareness are top things that they do well. And certainly those are very important for cyber risk management and cybersecurity. So yeah, let's start digging into these two ideas and how is it that the military... What is it they're doing to be ready and to be aware that members of our audience could learn from?

Jake Bernstein: I agree, Kip. Let's go ahead and start with readiness. I think that word is not something, I think you hear all that often in the civilian world, which is too bad because being ready is kind of a critical component of cyber risk management. So Melissa, what does readiness mean to you? And what we'll be talking about is how that concept helps cybersecurity professionals who need to stay ahead of the bad guys.

Kip Boyle: Yeah.

Melissa Van Buhler: So what it means to me, well, it means a lot of different things. One of the things that goes into readiness is rehearsals, but the whole point of having a rehearsal is to rehearse a plan. So the first thing you have to do is you have to have a plan. And I recently read something in the paper referring to, I believe it was insurance. There's a saying that you can't predict tomorrow, but you can plan for it. And I like to apply that to what we're seeing with all the cyber attacks on networks. There are so many people right now who have this belief that it's never going to happen to them. And I think that's an unreasonable belief, but I don't think that negates whether or not you actually plan for that event occurring.

Jake Bernstein: So I think that this idea of a plan is enshrined, really, in quite a few laws currently. You need to have a, what they call a cyber incident response plan. You need to have plans in place to deal with a ransomware attack, being-

Kip Boyle: Getting a breach notification plan.

Jake Bernstein: Breach notification plan. Being caught unaware is probably one of the less forgivable sins right now in the legal sense. Because if we're trying to practice reasonable cybersecurity, and that's really kind of where this is coming from, or I should say is going to, then surely there's nothing more reasonable than at least thinking about things that might happen, before they happen. And I think that's really what you're saying. When you say, you can't predict tomorrow, but you can plan for it, which is... I like that phrase, that really, really applies here. Doesn't it?

Melissa Van Buhler: Absolutely. And I think one of the things that the military does really well is no one ever assumes that somebody can do something well the first time. A great example is one of the first things that you learn to do is to fire a rifle. That used to be the M16, now it's an M4, but the point is no one would ever put a weapon in your hand and ask you to go use it somewhere without teaching you how to use it and planning in terms of how you are going to use it. And I think we almost need to move beyond thinking about something. And I thought of a really good example that someone had spoken about at a conference we attended last fall.

This person is in an executive leadership position and she was telling a story about how her company had been the victim of a cyber attack. And when it occurred, no one had thought about who was going to make a public statement. So as a result, what happened was there wasn't anyone who had been designated to speak publicly, there wasn't a plan for what someone would say, and the company did not have control over the other executives who were all speaking to the press and saying different things. And it caused massive confusion, it could have caused damage to the company. But that's one of those examples where you can plan for that if you're a corporation, you can designate a public affairs person to speak and make sure everybody else knows not to speak and you can actually walk through that exercise.

Kip Boyle: You know, one of the things when I was on active duty and I've been out of the military now for 20 years, and I think Melissa, you recently entered the private sector. And so, with some distance for me, between being on active duty and now, one of the things that I just realized is when the military is not fighting, it's not doing anything or at least it really doesn't have much to do. And so the idea that we can practice to fight kind of makes sense because it's like well, what else would we do, right? Maybe go on a humanitarian mission or something like that. But even that's kind of a form of practice of fighting. And when I think about being a chief information security officer, in private industry, it's exactly the opposite.

Like we're fighting every day for greater revenue, not to lose a customer or to gain a new customer. So it feels like we're always at war trying to achieve our goals. And I always found it really difficult to encourage senior decision makers to practice plans because for them, I was almost saying, hey, can we hit the pause button on our war here? So we can practice something that may or may not happen. And so anyway, I just wanted to add that perspective in here, that that was the real challenge that I found.

Jake Bernstein: And Kip, I think that's interesting to me because having been now in the private sector, as opposed to government, for about four years myself, there's a different pace. And sometimes, it seems like oh, there's just no time to rehearse or practice because we're always doing the thing that we do. And I think that's a real mistake when it comes to cyber security because, Kip, you're right that when it comes to the overall business, it is kind of in battle all the time. And that's true. But when it comes to cyber security, it really isn't true because while to some degree, yes, everyone is under attack all the time, those are oftentimes just automated small attacks. The fact is, though, that a major breach is in the life of a [inaudible] about the same frequency as a battle in the life of a soldier. It's not going to happen very often. Most of the time you're sitting around and preparing for it. And so, I think that the military does that extremely well.

Kip Boyle: I agree.

Jake Bernstein: They do. Not only do they have their massive, sometimes publicized, probably usually not, war games with other countries, but they're always planning. There's a plan for everything. Every contingency has a plan and in the civilian world, we tend not to bother doing that. And I think that is why it's very common to see companies fumbling their way through a breach response, having no idea who to call, what to do. They don't know which personnel should be at the office, who should be sleeping, they haven't worked out a shift structure. I mean, all of these things come to a head immediately when you're dealing with a breach response. Who's thought about, well, who needs to go sleep? Those things are going to suddenly become important. So I think that the military's readiness concept here is really, really important.

Kip Boyle: Definitely.

Jake Bernstein: ... To having a good breach response.

Kip Boyle: Yeah. And even though what I'm saying is that it's difficult to get senior decision makers to do it, it's not impossible. It can be done. It should be done. It's absolutely worth being done. To Melissa's point, you can go to YouTube today and you can search for news videos showing executives trying to respond to reporters' questions about recent data breaches and cyber attacks. And most of them are cringeworthy, totally embarrassing to watch. And I feel horrible for these poor executives because it's clear they were not prepared. Nobody did anything to help them get ready for what's happening to them. And so just showing one of those videos, I think, would be so instructive to encourage senior decision makers to actually practice and to get their readiness levels up.

Jake Bernstein: I agree. I agree. And I think that, so the other... When I asked Melissa for her second word, Melissa you said awareness. You've recently taught me what FYSA stands for, for your situational awareness. And that's another really valuable concept that sounds military because it is, but something that the civilian sector really, really needs to get. It needs to learn how to do that. So, Melissa, why don't you go ahead and explain what you mean by awareness?

Kip Boyle: Yeah.

Melissa Van Buhler: I will. I have one saved round, as we used to say, for readiness before we move on to awareness. And I want to say two things that are related. One is you don't want a crisis to be the first time you do something. I don't know about YouTube, but if I was an executive running a company, that would put a significant amount of fear into my mind. And that's a great way to look at how to deal with a cyber attack. You don't want to do something for the first time during a crisis because you're going to do it very poorly and everyone's going to see it. And the other thing I would mention about trying to put some more emphasis on readiness, given the day to day tempo in corporations, is I would find a way to tie that back into the mission of the company, because I think there's value there for the customer of the company. I think there's a way to tie it in and make it meaningful so that it can be addressed.

Jake Bernstein: That's a really good point. I'm just thinking like everyone has a bank, right? Wouldn't we all like to think that our banks are ready for a cyber attack, like their readiness level is high. They'll be able to respond well, if, and when some or not if, when something bad happens. And so I think that's a really, really good point.

Kip Boyle: Yeah. We're more ready to deal with a fire breaking out, which is a very low probability event, right? We do fire drills and stuff, and, but yeah. We need to have that same kind of readiness capability. Like that's where I think we need to be going.

Jake Bernstein: Yeah. Agreed. Well, and I think awareness is a corollary of readiness. You can't have readiness without awareness.

Melissa Van Buhler: Yeah. So I think I'll use a phrase that Jake really likes. I can't take credit for it. It's borrowed from, I believe the former commander of US Cyber Command. But in terms of awareness, you have to think of every employee, every person that touches the system within a company, as an operator. And when you think about each person as we do in the military, being an operator, then you can think about what's the level of awareness I want to instill in that person to build a level of awareness across the corporation.

So for example, every person within the company most likely touches the network. And so if they're going to touch your network, use your network, operate within your network, there's got to be a baseline of training that you apply to this person. So they have an idea of what's the left and right limit on the network: what can I do and what can I not do at work. And don't assume that person knows how to behave on your company's computer, because chances are... Well, 99 people actually know how to behave, but it's that one person that's opened that door or clicked on that phishing email, and that's all it takes, as you both know.

Jake Bernstein: And just for our 100% civilian people in the audience, operator in this case does not mean someone behind a switchboard. Operator is a generic military term for soldier or someone who's actively doing something. So when we say everyone's an operator, that really is saying that everyone's a soldier.

Kip Boyle: Yeah. And that fits so well into that fun little saying that I have, that everybody is a foot soldier in these cyber wars. And the reason I say it is for exactly this idea that Melissa's doing such a good job of expressing to us. And it's interesting because again, as I reflect on my experience in private industry, both in very large organizations and particularly in medium sized and smaller organizations, the overall attitude, and this is across many industries, is get it done. There's not a tremendous amount of operational discipline. There's some, and some more than others. If you're in the customer service team and you're answering phones, there's a lot of discipline around how you take customer calls and so forth. But I don't think there's nearly as much discipline that I've experienced in private industry as compared to what I experienced when I was in the military. And so I think that's another challenge for civilian operators, just to kind of borrow that phrase, is a level of structure that just isn't common for most people.

Jake Bernstein: Well, and I think the problem can be summed up in, I believe, a certain executive's famous phrase, move fast and break things, as a kind of a Silicon Valley battle cry of how to grow a company. And I think that attitude of moving fast and breaking things is really contrary to the two concepts we're talking about, readiness and awareness. And that clash I think is somewhat to blame for, oh, for example, a certain social network's recent set of troubles that have gone back for the last six months. And there really wasn't a great deal of awareness going on. And if you don't, and I'm talking on an extremely high level, all the way down, not just everyone's an operator, but there's also organizational awareness. And I think it's very important for our listeners to understand awareness throughout the organization is important. Because if it's not shared at the highest level, it's just not going to exist anywhere.

Kip Boyle: Yeah. Oh, and we call that tone at the top, right? So it's the senior most decision makers that are going to legitimize cyber security as something that's important for people. And the second most influential person in private industry in terms of being able to say that cybersecurity and good cyber hygiene is a priority would be a person's direct supervisor. So those two people have to set that tone and make this a team sport and all that implies like pro sports teams practice, right. They go out and have games, but they also practice a lot. And so, but if the coach doesn't make you go out and practice, if the team owner doesn't expect you to be out to practice, I really don't know that everybody would go out there and do it. You probably would have like a small percentage of the most serious athletes would be out there with regularity. But it's that tone at the top, it's so critical.

Jake Bernstein: So Melissa, how does the military instill awareness?

Melissa Van Buhler: I think the way the military does it best, especially with respect to using military networks, is they hold people accountable. That's one of the things that I think the military does best. First, we train you on how to use something. So we make sure you understand what you need to do, the conditions you will do it under, and the level of expectation in terms of what bar you need to meet. And once we establish that and we train you, then we let you go. But we also make sure that you understand that you will be held accountable and you are responsible for your behavior. And that applies to the computer networks as well. There are... Gosh, there are signs all over the place whenever you're on a Department of Defense network, whether it's the logon banner.

So you understand that nothing you do is protected and you always understand which level of network you're working on. So there's never any question. For example, when I worked back at Fort Meade, when I was on a top secret network, I knew that. When I was on an unclassified network, I knew that. And at all times I understood that I was absolutely responsible for everything that I did and everybody that I engaged with. For example, in the classified world, when things are classified, the responsibility to protect that information is always on the individual. And the military just does not take for granted that you will exercise a certain amount of caution that you think is right, that's going to be enough, if that makes any sense. Because...

Kip Boyle: So, yeah, I was going to ask you, Melissa. So it makes sense that there's all these mechanisms for ensuring awareness. And then you talked about accountability, which I think is crucial. So as somebody who worked in the JAG, could you tell us a story or just sort of describe a little bit, like what are the kinds of accountabilities that you saw or participated in along these lines?

Melissa Van Buhler: Oh gosh, there are so many. I will tell... Maybe this will be enlightening. I will tell a small story, which I think Jake has heard, about when I worked in a basement at Fort Bragg. When I went to work for some very special organizations, I had already had my top secret clearance for a number of years. So that world was not new to me, but I entered into another world where things were fenced off and compartmented. And when you're brand new to a certain flavor of information, I suppose, you don't know who else is read onto that program. And you're terrified that you're going to talk to the wrong person and say something that you're not supposed to say. So you basically... Well, I don't want to say you don't talk to anybody. But one of the things that I didn't do was I didn't initiate my own emails, because all the classifications have to be built into the emails before you send them.

And so at the beginning, I never initiated anything. But that's one example of just how serious this business is when you're in it. And so it really gives you an idea of the lengths that are appropriate to go to in order to protect information. And it doesn't have to be classified information. The military operates in what we would call the for official use only. And it is unclassified, but that does not mean that you put it on Facebook or you share it with anybody. So there's always kind of this thing in the background that makes you think about what you say to whom, especially when it's not your information to tell.

Kip Boyle: Yeah. Oh, I got to imagine there's some people in our audience right now, they're just, the hand just already went up to the side of the head and there was a slapping noise. And they were like, oh my God, the productivity killing of somebody being afraid to send an email because they don't want to compromise information. And I think to a-

Jake Bernstein: Until the lawsuit hits. I was actually thinking the opposite of gosh, there's a lot of lawyers right now who might be listening, thinking, oh man, if only people at insert client here would not initiate any email, it would be so much better.

Kip Boyle: Right. And I think that really says a lot about just how many conflicting perspectives there are in this topic, right? You've got some people saying go slower and then you've got other people saying go faster. And then you've got some people saying, go so fast that you break stuff because I've got a cleanup crew on standby to pick up the pieces, so no wonder why it's so hard.

Melissa Van Buhler: [inaudible] Everything. Tell us everything, post things on Facebook about your employer.

Kip Boyle: Mm-hmm (affirmative).

Melissa Van Buhler: The more information you give us the better.

Kip Boyle: Yeah. Yeah. It's a very confusing world for operators. I love that word. You know, for operators. It's a very confusing world. And again, it brings me back to my point about tone at the top. There are so many different voices, so many different messages coming at people, that they have to have clarity about what is truly important. And if I get criticized for making decisions, and it's inevitable that I will be, which criticisms are valid, like which ones should I really allow to drive my behavior? And I think that was a great story that you told, Melissa, about how you were concerned about accountability. And so that was the thing that you put front and center. You weren't as concerned about answering questions about productivity and that sort of thing. Not to suggest that it isn't important, but priorities, right. We need clear priorities.

Melissa Van Buhler: Definitely. And the tone at the top, I mean, whoever you're working for, that person lets you know what's important. And then, certain people have certain roles, that's... And when I was working in that basement, I was not the commander of... I was not wearing the three stars on my collar. So it was not my place to take the risk or...

Kip Boyle: By the way, why were you in the basement? Did that have anything to do with being held accountable for anything?

Jake Bernstein: She can't say. She can't, won't ask her.

Kip Boyle: Trick question. Trick question.

Melissa Van Buhler: I think, you know the answer is everything gives off a signal and when you're underground, fewer signals can get in and out. So I think that was probably why we were in the basement.

Kip Boyle: Because it was safer.

Melissa Van Buhler: It actually was. When we had active shooter training, we were in the basement and we had a door that we could lock from the inside and it was probably the best place to be in the event of an active shooter, so.

Kip Boyle: Oh, okay. That's great. Okay. So this has been a fantastic conversation. Melissa, any parting thoughts as we wrap up our episode?

Melissa Van Buhler: I don't think so. I come back to, well actually, I will take that back. So one of my favorite phrases is nobody plans to fail, they just fail to plan. I'll leave you with that.

Kip Boyle: I love it. Yep.

Jake Bernstein: Oh, I really, I am going to have to start living by that more.

Kip Boyle: Okay. Jake, that's your last word and I'll hold you to it. Well, that wraps up this episode of the Cyber Risk Management Podcast. Today, we talked with our very first guest, Melissa Van Buhler, about what civilians like us can learn from the military about cyber security: readiness and awareness. See you next time.

Jake Bernstein: See you next time.

Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management Podcast.

Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR and IT for full effectiveness.

Kip Boyle: And management's goals should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.

Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.