As the former CIO of U.S. Customs and Border Protection, Charles Armstrong is no stranger to the cybersecurity threats facing the public and private sectors. But despite the rapid evolution of hacking techniques, Armstrong notes that email data security vulnerabilities remain a primary target for attacks against both the government and businesses.
While Armstrong was in San Francisco to present at the RSA Conference 2017 last month, he sat down with SearchCIO editor Ben Cole to discuss email vulnerabilities and the state of critical infrastructure cybersecurity in the United States.
How much of a risk are online threats to homeland security? Are nation states seeking intellectual property the main concern, or is it terrorists attacking critical infrastructure cybersecurity targets such as the electrical grid?
Charles Armstrong: I think it's all those things. We've certainly seen them go after the financial sector, the energy sector, and obviously nation states have been going after state and local governments. Those are all areas that the bad guys are going after. As fast as we try to put remedies in place, they are coming up with newer ways to attack.
They've moved quite a bit in the right direction after the past few years. You're never going to be 100% secure, that's part of the nature of the business. But I think with the policies that are being put in place, the standards that NIST has come up with, it's moving in the right direction. But it's a question of what is the tempo of change, how quickly can they adapt and keep up? Right now the rate of change in the hacking industry is so much faster than our ability to keep up with zero-day vulnerabilities and all these different attack vectors.
What are some recommendations for protecting our critical infrastructure, citizens and economy from foreign cyberattacks?
Armstrong: Cybersecurity is important for the nation -- not just the government but the citizens and corporations. The DMARC protocols that were established a few years back are out there, and companies are implementing solutions to help go after some of these top threats that are being executed for email: whether it's spoofing, phishing or anything fraudulent through the use of email. It's not everything, but it's the bulk of it.
I think citizens need to be more informed about what the threats are, and solutions around how to go about preventing them. I don't think telling them 'don't click on a link' or 'don't open an attachment' is the right message to send to the public. Some of the onus resides on the bigger companies -- like the Googles or the Microsofts that supply email -- to help prevent some of this, too. It just can't be looked at as 'I'm a transport business, so I don't have to worry about protecting the person.'
You've seen a lot in the news about the IRS and the threats to W2s contained in companies' emails being used maliciously to get into employees' personal information and then file a false tax return. I think the media is doing a better job helping communicate some of those threats, but it's not everything. There is a lot more that needs to get out there in the press about cyber and the damage that cyber can do to help the citizens.
What are some strategies that chief information officers can implement to ensure email data security at their company?
Armstrong: CIOs first need to understand the DMARC standards that have been published and understand that there are companies that can help prevent the fraudulent use of your email domains, thus protecting your brand. For example, there are a number of customers whose email domains were hijacked to elicit personal information or extort money.
There have also been instances where an email, appearing to come from the same company, is sent to a corporate executive with instructions that are intended to harm the company -- such as transferring large amounts of money. In my role as CIO at U.S. Customs and Border Protection, criminal organizations would use the CBP email domain to send out demand notices for payment of duty and fine. Spear phishing is another core problem for corporations. Cybercriminals use targeted spear phishing of corporations' emails as one of their most common attack vectors.
Why do you think it is important that government agencies implement cybersecurity practices and partner with the private sector to protect our national interests?
Armstrong: The federal government helps promote the private sector solutions a lot: In homeland security, there is a big arm in the science and technology area that helps some of them create projects that either provide seed money around white papers on how to solve problems or even develop tools, then they help them meet venture capitalists to get things off the ground. Government is reliant on private industry to come up with some of these solutions, and I think you've also seen in some cases where governments develop solutions, especially in some of the intelligence community, then move some of that information to the private sector to help protect corporations and citizens. Government can't own and operate this stuff; they have to rely on private industry to do that.