It might be “very basic and trite,” Rod Turk said Thursday, but “you can’t protect something you don’t know you have.”
The acting CIO of the Department of Commerce was talking specifically about high-value IT assets — the present-day federal versions of what nobility in the Middle Ages might move to a castle keep during times of attack.
Those valuables got extra protection, and “we should be doing the same thing with high-value assets,” Turk said during a panel discussion about critical infrastructure at the Cyberthreat Intelligence Forum presented by FireEye and produced by FedScoop and CyberScoop. He was joined by John Felker, the director of the National Cybersecurity and Communications Integration Center at the Department of Homeland Security, and Paul Morris, CISO at the Transportation Security Administration.
Medieval rulers prized tangible, readily identifiable things, but IT assets can be less obvious. So protecting them also requires agencies to identify exactly what they are, Turk said, and by extension, figuring out how they’re vulnerable.
“I’d love to have a silver bullet that could tell me exactly where my next threat is going to come from,” Turk went on, “… but that’s kind of pie-in-the-sky. It’s not fair. It doesn’t exist.” Instead, he said, cybersecurity is more a game of understanding your own system architecture, both software and hardware, mapping the threat landscape — often from looking at past attacks — and pairing the two to get a sense of where an agency is vulnerable.
But don’t wait for an attack to get to work, he cautioned. “Some pre-work is always very, very important,” Turk said. Get to know the surrounding security professionals, he suggested, both inside your agency and at intelligence agencies.
Morris echoed this statement. “You gotta build a team that you’re going to share with … you have to have that prepared ahead of time,” he said. It’s too late to make a call “when things go bad.”