In this episode of Chattinn Cyber, host Mark Schein talks with Curtis Dukes, the former director of the National Security Agency (NSA) and the current Executive Vice President of the Center for Internet Security (CIS), a non-profit organization that aims to make the connected world a safer place.
Their conversation begins with a discussion on Curtis’ background, specifically on his experience in the NSA. After spending more than three decades in service to the agency, he learned the following:
- Computer systems must provide their users with a pleasing experience to ensure that they won’t switch to an alternative way.
- Technology is so ingrained into who we are as a society that we no longer notice it, even though we’re online all the time.
- Business owners must allocate sufficient resources for the regular upkeep of their hardware and software programs, so that these won’t be exploited by malicious adversaries.
Curtis also talks about the CIS, giving an in-depth explanation of its goals and current efforts. In addition to providing cyber-threat intelligence and analysis to State, Local, Tribal, and Territorial government entities (SLTTs), the organization has also introduced controls and benchmarks that allow businesses to develop effective strategies against cyber-threats. He further recommends that business owners show the efforts they’ve put into building their defenses when trying to obtain a cyber-insurance policy.
Regarding future trends, Curtis explains that the next few years will see ransomware playing an increasingly crucial role in cyberspace. To address this issue, the CIS has developed a community defense model that is based on genuine attack techniques. Published last August 2020 to much acclaim, this program will help businesses mitigate the risk of cyber-threats, enabling them to protect themselves from malicious agents.
- Technology has become so powerful and ubiquitous that our reliance on it has become invisible to us.
- Small and medium-sized enterprises (SMEs) need to have sufficient resources to limit their cybersecurity vulnerabilities.
- Business owners must thoroughly understand the impact of cyber-threats.
- The cyber-insurance industry still lacks standardization.
- Ransomware is evolving, with malicious agents often changing the way they operate.
- “But you can quickly see that computers were going to be a disruption, not only within national security systems, which I was responsible for providing security for, but as an economic enabler for society.” – Curtis (05:07)
- “Technology is ingrained in the fabric of who we are, and how we communicate as a society.” – Curtis (07:14)
- “It went from ‘let me just lock up your data, and you need to pay the ransom, or you have to recover your data through some other means’ to they started modifying their operations. Not only did they lock up your data, but they also exfiltrated the data. If you didn’t pay the ransom then they threatened to expose the data, some of which could be harmful to the company or personally problematic, as well.” – Curtis (16:23)
- “By mapping attack techniques to mitigation, I think that’s one way to raise cybersecurity across the board.” – Curtis (20:16)