Posts

U.S. Not Ready for Online Voting, Stick to Mail-In Ballots

American democracy is resilient. From its rebuilding after our civil war to recovering from the Great Depression, America has been able to overcome the largest of obstacles. However, 2020 gives us unprecedented challenges that will test this resilience. Central to our country’s recovery from this pandemic will be ensuring the foundation of our democracy remains intact: free and fair elections.

Despite the current news cycle, our election system is very resilient because of our forefathers’ design. State and local governments distribute and implement elections individually, leading to different procedures and regulations within each jurisdiction, which creates independent, or segmented, operations.

In the cyber world, segmentation is central to digital resilience. A segmented network can help organizations minimize damage from some of the most advanced forms of cyberattacks by preventing them from overtaking the entire network. The independent orchestration of our elections is very similar. However, COVID-19 presents a conundrum: keeping people physically distant is profoundly challenging with in-person voting.

So, how do we combat this issue?

A few states are beginning to explore online voting to help citizens maintain social distance and ensure their franchise. The CARES Act even allows states to use some of the funds to pursue online voting systems. However, while online voting holds promise, there is simply not enough time to roll out a secure, vetted system before November’s elections. Plus we still haven’t repaired the issues that our 2016 elections revealed about the vulnerabilities of our existing online systems. America’s election process remains extremely vulnerable to cyberattacks. In fact, last December Valimail confirmed only 5% of the country’s largest voting counties are protected against email impersonation and phishing scams. Specifically, this vulnerability was found in Arizona, Florida, North Carolina, Pennsylvania, Michigan and Wisconsin, six key swing states in this upcoming election cycle. This vulnerability opens a door to bad actors that could allow voting data to be stolen, manipulated or deleted in 95 percent of the highest populated counties in the nation.

Luckily, we have a solution that’s already in place, accessible nationwide, resilient and in a sense, “un-hackable”: absentee voting by mail.

For decades, absentee ballots have been the bridge connecting those who are unable to make it to the polls on election day. Now, they can be the cornerstone for everyone. While filing for an absentee ballot can be an arduous process, states are now making it more accessible. For example, Michigan is automatically sending absentee ballot applications to every resident to both encourage social distancing and support democratic participation. This supports secure, offline elections with segmentation still in play. Additionally, an overwhelming majority of Americans support expanding access to voting by mail. Recognizing that any change is difficult, 16 states delayed their primaries, which illustrates the urgency to act now so we can move on to the general election by November.

In these unprecedented times, we must support all efforts to ensure our elections remain free and fair and guarantee each citizen’s franchise. While we have the technology and the ideas necessary to move to completely online elections, that can and should only happen when it’s secure and tested accordingly. In these pressing times, there is no bandwidth to do so. However, the $2 trillion stimulus package included $400 million for states to prevent, prepare and plan for COVID-19’s impact on the 2020 elections. This amount is a significant step in the right direction, but a full roll-out of voting by mail, let alone ensuring secure online voting, would require a much larger investment. I urge lawmakers at both the state and federal level to embrace mail-in ballots. We need to ensure this year’s elections are available to every citizen, whether they are practicing social distancing or fully quarantined, and without fear that exercising their franchise will expose them to a deadly illness. We can maintain the resiliency of our country and our elections and our health with mail-in ballot elections. We just need the will to do so.

Change Management Processes are Critical — From Nuclear Submarines to Your Network

How often have you made a network change that didn’t work the way you expected or even created a new issue? The list of configuration changes needed to build, maintain, and secure a network is daunting. It’s all too easy to act without thoroughly thinking through and considering the impact on the whole network. Initially it may appear as though quick action to make a small change would save time, but that can be a trap that leads to costly mistakes. Oftentimes changes have complex implications. The wrong change can result in downtime and millions of dollars in lost productivity or revenue. No one wants to be that person.

Change management is the organizational process to ensure that we stop and consider the impact of change before acting. It’s used in many industries, including IT. Submarine commanders need change management in an environment just as complex as information technology but with more serious, life-or-death repercussions. In his book, Turn the Ship Around!, former submarine commander David Marquet describes “Deliberate Action,” the process he used to create competency, reduce errors and improve resiliency. It required sailors to stop and think before making a change. Stopping, thinking, and then acting provides an opportunity to review and thoroughly think through the impact of an action.

Marquet got great results:

“Later, when Santa Fe earned the highest grade on our reactor operations inspection that anyone had seen, the senior inspector told me this: ‘Your guys made the same mistakes—no, your guys tried to make the same number of mistakes—as everyone else. But the mistakes never happened because of deliberate action. Either they were corrected by the operator himself or by a teammate.’

He was describing a resilient organization, one where error propagation is stopped.”

A nuclear submarine has highly engineered systems that are tightly coupled, all of which need to work for the whole system to operate properly. Errors can damage valuable and sensitive nuclear reactor equipment or even result in complete system failure and death of an entire crew.

Like a nuclear submarine, IT networks are highly engineered and tightly coupled and need resiliency to avoid catastrophe. Every interconnected system relies on others, as in nuclear submarines. And having a change management process to ensure that everyone stops and sufficiently thinks before acting is just as important. We need to avoid the temptation to bypass the change management process and execute a change quickly, thinking we’re “saving time.” Catastrophe can be lurking around the corner, and none of us wants to be responsible for a Code Red.

The RedSeal platform gives you the ability to quickly think through the impact of change prior to acting. It tells you what you have, how it’s connected, and where your risks are. RedSeal discovers the devices on your network and creates a digital network model of how everything is connected. The model can provide deep insights into the implications and impact of change. On the submarine, the requirement to stop and think not only gives sailors time to process using their own experience and knowledge, but also allows teammates with additional experience and knowledge to think and intervene before mistakes are made. RedSeal is a reliable teammate you can have by your side as you execute change management. It knows how everything is interconnected and can better show you the impact of a proposed change.

With RedSeal, you can engineer “Deliberate Action” into your change management. It may seem that stopping and thinking takes time and is expensive, especially during an incident, but errors can be significantly more damaging. RedSeal allows you to stop for shorter periods of time and avoid errors. By automating analysis steps and reducing complexity, RedSeal helps you make your network more secure and resilient.

Marquet, David L., Turn the Ship Around! Penguin RH 2012. Pg 124

The new cybersecurity resilience

SC Magazine | May 1, 2020

Is your cybersecurity posture resilient enough to survive a pandemic? You’re about to find out.

The quick spread of COVID-19 has lent urgency to that mission and underscored the importance of building resilience. “Cyber, or digital resilience should be considered essential – like water, gas, and telephone/internet. Maintaining essential services that keep the lights on, keep people operating in their roles, and keep the digital world safe from attack is critical,” says RedSeal CEO Ray Rothrock, who penned the book Digital Resilience: Is Your Company Ready for the Next Cyber Threat?

Ray Rothrock: The Fortune Teller

Spirit Magazine, Texas A&M Foundation | Spring 2020

Ray Rothrock ’77 uses his proven penchant for predicting the future to bolster resilience against cyberattacks and advocate for a nuclear solution to the planet’s energy crisis.

Podcast: US Election Interference Happening Right Now, Virus Plans and more from RedSeal

The Top | April 8, 2020

Ray Rothrock joins Nathan Latka on the latest episode of “The Top.” Prior to RedSeal he was a general partner at Venrock, one of RedSeal’s founding investors. At Venrock he invested in 53 companies, over a dozen of them in cybersecurity, including Vontu, PGP, P-Cube, Imperva, Cloudflare, CTERA, and Shape Security. He is on the board of Check Point Software Technology, Ltd., an original Venrock investment, and Team8, both Tel Aviv–based companies.

Best Practices for Cyber Resilience: Step One, Walk the Terrain

You’ve been asked to defend your organization from a myriad of threats: state sponsored attacks, cyber criminals, insiders. But where do you start?

Many years ago, as a young Marine lieutenant I learned that the first step to establishing a defense is to understand what you’re defending. You must know the terrain. Walk the terrain. Understand the key parts of the terrain and all avenues of approach. Then ask yourself how you would attack the same terrain. You must understand your own terrain better than the enemy.

In information security, we haven’t been given the luxury of understanding what we have — but we need to understand what we have to effectively defend it. Our networks were built to optimize for performance and availability, not for security. Understanding our cyber terrain has become a daunting task – but one fundamental to security.

Today, we rely on current inventory management technologies, but they provide just part of the picture. You get an overwhelming amount of detail and yet still struggle to understand how everything interconnects.

Ideally, you’d like to be able to understand what you have, how it’s all connected, and what’s at risk. Specifically, you’ll want to:

  • Visualize each of your sites and the connectivity between them.
  • Locate and identify devices missing from your inventory management and NCCM solutions.
  • Rationalize data from multiple data sources, including vulnerability scanners, CMDBs and EDRs.
  • Quickly determine where an attacker can traverse to in your network — from any point.

Most organizations begin by trying to get their endpoint or host inventory. This seems logical, since that’s where your applications and data are housed. But without an overall picture of how your network is configured, you have a collection of data points that don’t tell a full story.

The first step needs to be organizing your cyber terrain at the highest level. Identify your sites, then group your assets by site or facility. For example, assign devices to your Austin data center, Denver data center, branch offices, and AWS. Next, determine the connectivity within and between these sites. This requires an inventory of networking devices and their configurations. You’ll end up with a model of your network devices, security groups and VPCs and quickly be able to get a picture of all the connections and interconnections — intentional and unintentional — in your network. Inevitably, you’ll discover unknown network devices.

Then, with this framework in place, you can add your host information.
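The steps above can be sketched in a few lines of Python. This is an added example, not code from the original post or from any product it mentions; the device names, site assignments and links are constructed sample data, and it assumes every link is traversable in both directions (real reachability also depends on routing and access rules).

```python
from collections import defaultdict, deque

# Constructed sample data: device -> site, as an inventory export might list it.
INVENTORY = {
    "aus-core-1": "Austin DC", "aus-fw-1": "Austin DC",
    "den-core-1": "Denver DC", "br1-rtr-1": "Branch 1",
    "aws-tgw-1": "AWS",
}
# Constructed neighbor pairs, as they might be parsed from device configurations.
LINKS = [
    ("aus-core-1", "aus-fw-1"), ("aus-fw-1", "den-core-1"),
    ("den-core-1", "aws-tgw-1"), ("br1-rtr-1", "aus-fw-1"),
    ("den-core-1", "den-lab-sw-9"),  # neighbor that is not in the inventory
    ("den-lab-sw-9", "aws-tgw-1"),
]
UNASSIGNED = "UNASSIGNED"  # placeholder site for devices missing from inventory


def unknown_devices(inventory, links):
    """Devices referenced by a configuration but absent from the inventory."""
    seen = {device for pair in links for device in pair}
    return sorted(seen - inventory.keys())


def site_connectivity(inventory, links):
    """Collapse device-level links into a site-to-site adjacency map."""
    adj = defaultdict(set)
    for a, b in links:
        site_a = inventory.get(a, UNASSIGNED)
        site_b = inventory.get(b, UNASSIGNED)
        if site_a != site_b:  # intra-site links do not add a site edge
            adj[site_a].add(site_b)
            adj[site_b].add(site_a)
    return adj


def reachable_sites(adj, start):
    """Breadth-first search: shortest site path from `start` to each site."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        site = queue.popleft()
        for nxt in sorted(adj[site]):
            if nxt not in paths:
                paths[nxt] = paths[site] + [nxt]
                queue.append(nxt)
    return paths


if __name__ == "__main__":
    print("Not in inventory:", unknown_devices(INVENTORY, LINKS))
    for site, path in reachable_sites(site_connectivity(INVENTORY, LINKS), "Branch 1").items():
        print(f"{site}: {' -> '.join(path)}")
```

Any path that ends at or passes through `UNASSIGNED` marks connectivity that the inventory alone would not have revealed.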

Cyberspace Solarium Commission Highlights the Importance of Digital Resilience

Morning Consult | March 17, 2020

By Ray Rothrock, RedSeal CEO

On March 11, the Cyberspace Solarium Commission released its long-awaited report, which provides more than 80 policy recommendations for “defending the United States in cyberspace against cyberattacks of significant consequences.” While the report is over 180 pages, Senator Angus King (I-Maine) said the report can be summed up in four words — define, develop, defend and deter. I would simplify this further, as these four words can be condensed into one concept: digital resilience.

How network modeling and cyber hygiene improve security odds for federal agencies

FedScoop | March 16, 2020

Agencies that have built network infrastructure over decades may not be doing enough to manage basic cyber-hygiene practices and stay ahead of modern threats, cautions a new report.

When out-of-date configuration rules lurk on networks, attackers essentially have a back door to walk into government systems. However, modern network modeling platforms, capable of integrating into existing infrastructure, can help agency IT departments identify and manage cyber risks and accelerate essential hygiene practices.

Cybersecurity Canon Book Review: “Digital Resilience”

Palo Alto Networks Blog | February 27, 2020

I got into cybersecurity because I read books like Winn Schwartau’s “Information Warfare,” William Gibson’s “Neuromancer” and Cliff Stoll’s “Cuckoo’s Egg.” These books gave me a very balanced view of what cybersecurity could be, even though no one called them cyber in the 90s. Until I got Ray Rothrock’s book, “Digital Resilience,” I didn’t have a book I was comfortable with suggesting as a great first read to the next generation of cyber professionals.

If you’ve recently been put in charge of IT or IT operations and didn’t grow up in cyber over the past 20 years, “Digital Resilience” is for you. This book is also equally useful for new CEOs, CFOs or board members who need to understand cyber risk without getting overwhelmed with IT technology or the defeatism of “hackers and nation-states will always get in, so why bother.”

Network Resilience vs. Cyber Resilience

SIGNAL Magazine | January 6, 2020

There are certainly similarities between network resilience and cyber resilience. The foundation for both is the ability to maintain business or mission capabilities during an event, such as a backhoe cutting your fiber cables or a nation-state actively exploiting your network. But there are also significant differences.