Coming up with an assessment of cyber risk that is meaningful and actionable tends to be a task where practitioners consistently come up short. You are often stuck with two extremes: one extreme simply says that the sky is falling, which doesn't leave you much room for understanding your options or taking risk-reduction actions; the other is focused on the technology and attack surfaces, which leads to many intractable trade-offs to consider. So when I saw a presentation by Dr. Charles Harry at a recent conference, his systems approach to risk struck a chord with me, since it goes to the heart of the matter: what are the effects to your business or mission that a cyber event can create, and how do you measure these effects? It's interesting to me that in some ways this approach was born from his experience as a targeting officer during his tenure at NSA. This approach takes the technology out of the picture for now and allows decision-makers to understand how, when and where their business or mission may be disrupted by a cyber event. So read the interview below to learn more about this interesting approach by Dr. Harry and how it might improve how you prioritize your active cyber defense resources to help reduce your system risks.
Spotlight on Dr. Charles Harry
» Title: Dr. Charles Harry, Director of Operations, Maryland Global Initiative in Cybersecurity (MaGIC) and Associate Research Professor, School of Public Policy, University of Maryland
» Website: https://www.cissm.umd.edu/people/charles-harry ; http://magic.umd.edu/
» LinkedIn: linkedin.com/in/charles-harry-phd-0b377528
Read his bio below.
February 4, 2019
Chris Daly, Active CyberTM: What is the focus of your current research on cybersecurity risk and what inspired you or led you down this path of research?
Dr. Charles Harry, Director of Operations, Maryland Global Initiative in Cybersecurity (MaGIC) and Associate Research Professor, School of Public Policy, University of Maryland: I am interested in understanding the strategic impacts of cyber attacks on complex organizations and critical infrastructure. Governments and businesses have a difficult time quantifying the range of effects they are exposed to which leads to the misallocation of scarce resources. This confusion has also led to broader concerns in the insurance market as the data on these events is lacking. I originally became interested in this line of inquiry during the OPM hack where I saw policy makers having difficulty discussing the problems associated with that attack in a nuanced manner. It was apparent that they were struggling to understand how the local effects engineered by the hackers in that attack were demonstrably different than other possible scenarios. I am working with my colleague Dr. Nancy Gallagher to address these seemingly intractable problems in a rigorous and repeatable framework.
Active CyberTM: Cyber decision makers are sometimes confused by the complexities of emerging threats and the response options that are needed to address them. What types of insights can be gained by your approach to cyber risk assessment that can assist decision makers in reducing this confusion and identifying the best allocation of resources and path to risk reduction?
Dr. Harry: A typical problem for decision makers is an inability to categorize the range of hacker-induced effects and to assess their severity. We often find sensationalized headlines that talk about millions or billions of cyber attacks per year, yet when you dig into the numbers, they are often nuisance attacks with no effect. Instead, decision makers need to be armed with an understanding of the motives of the threat actors they are facing, the range of effects that can be engineered, and a means of measuring the exploitive or disruptive impact they can face to different parts of their organization. The ability to marry organizational function with categorized effects and measured impact allows decision makers to focus on scenarios and functional areas to reduce their overall risk.
Active CyberTM: A system of systems breakdown to functions and dependencies is a fundamental element of a consequence-driven approach such as yours. Please explain why this task is so essential to performing risk assessments and to understanding the impact of disruptive events.
Dr. Harry: Typical methodologies look to estimate risk on a unit-by-unit basis. For example, they look to estimate the likelihood and impact on a server that houses their firm's customer database. Yet hackers might attack other parts of the network to engineer a disruptive effect that impacts the ability to leverage that data even when it is not directly attacked. This begs the question of why we don't use a systems approach to organizing and measuring risk in our organizations. The complexity found in modern networks, which in turn influences the organizational functions on top of them, is an area of study that is not well defined.
Active CyberTM: Your Cyber Disruption Index (CDI) seems to be a unique tool for helping to understand the effects or consequences of a cyber attack. How have you tested or vetted the CDI to date as a way of helping to guide investment or gauge insurance needs? Do you see the CDI also playing a role in disaster recovery planning and COOP? What are some examples of insights and possible use cases that can be addressed by using the CDI?
Dr. Harry: We have developed graph algorithms to estimate a systems-level understanding of effect. This allows us to estimate the exploitive and disruptive impacts associated with a range of hacker-induced impacts. These measures serve as a basic building block with which we can run scenarios of attack on different parts of an organization, building a collection of impacts that provide a more comprehensive and nuanced assessment of risk. I believe this is a major problem in the insurance market. The data we have looked at shows a wide range of primary and secondary effects in targeted organizations, so one-size-fits-all policies are insufficient to address the problem.
Active CyberTM: There are several different cyber risk analytic frameworks including the NIST Risk Management Framework, the NIST Cybersecurity Risk Framework, FAIR, and others. How does your risk framework complement or compete with these other frameworks? What do you see as the ideal set of best practices to identify and assess cybersecurity risk?
Dr. Harry: Our approach is designed to work directly with the NIST standard framework. While the NIST framework is a collection of guidance and best practice, it does not provide a method for assessing risk. Our approach adopts the guidance it recommends and creates a method to address those best practices. There are certainly other approaches, such as the FAIR standard, but we fundamentally utilize a systems approach to model the interplay between devices and organizations to provide an estimation of the cascading impact of attack.
Dr. Harry: To best position an organization, firms should expect that an attacker will get a toe-in to their network. Therefore, a good defensive strategy is to first identify what processes and functions you care about the most. Creating a prioritized list of functions and data allows you to better craft defensive strategies to not only protect data but build resiliency in the case of a disruptive attack.
Active CyberTM: Cyber threats tend to cut across multiple systems, and impact different functions within an organization and its ecosystem, thereby requiring a high degree of multi-stakeholder governance and communication. How does your risk approach improve the dialogue and governance between the CISO and other senior directors so that appropriate and comprehensive actions can be taken to reduce or mitigate cyber risk?
Dr. Harry: The goal of our approach is to serve as a translation mechanism that allows leaders to identify essential business functions and marry them to the underlying infrastructure. Doing so in a highly customizable and modular way gives technical and business leaders a means to understand how specific devices and portions of their network directly impact the revenue generation of the firm, rather than simply estimating the replacement costs of the impacted devices. Reviewing which parts of the firm's IT network generate the largest impacts, based on the hacker-induced effect, allows managers to isolate the greatest risk and focus their resources to reduce it.
Active CyberTM: The IoT is emerging as the next big wave of cyber vulnerabilities to our infrastructure as billions of new connected devices are added to our attack surface. How does your risk analytic framework begin to help IoT product vendors and customers to control this risk exposure – what are your recommendations in this emerging technology area?
Dr. Harry: The framework we have developed allows us to not only assess risk in specific devices, but to think of how these devices work together as a system. The ability to think of thousands of interconnected devices as part of a complex organism and to model impacts across a range of scenarios enables deeper and more nuanced thinking about cyber attacks. For example, what is the range of interconnected risks associated with sensors deployed in manufacturing lines? How are the exploitive impacts and disruptive impacts different? Are the threats they are facing focused on stealing information or disrupting the function of the sensor? How does potential disruption of a few or all of those sensors translate into operational delays? How is the revenue loss computed? Our approach helps answer those questions.
Active CyberTM: What is MaGIC? How did you get involved and what is your role? What types of initiatives are you envisioning over the next year for MaGIC? What outcomes are you trying to achieve?
Dr. Harry: The Maryland Global Initiative for Cybersecurity (MaGIC) promotes and coordinates efforts across the University of Maryland to expand its cyber education, research, and development activities. I serve as its Chief of Operations in addition to my role as a faculty member in the School of Public Policy. Dan Ennis, former chief of the National Threat Operation Center at NSA serves as the Executive Director. I came to the university after a long career in the US intelligence community where I focused on a range of complex national security issues. We are focused on promoting a holistic vision of cybersecurity both across campus and to our external partners. The university has a wealth of world class researchers who are tackling a diverse set of challenges from computer science and engineering to the socio-economic considerations of the challenge. MaGIC is focused on promoting the campus’ thoughtful approach to understanding the problem and working on practical solutions to help the private and public sector.
Active CyberTM: MaGIC’s inaugural summit is coming up on April 4-5 in College Park. What should people expect who are looking to attend?
Dr. Harry: The University of Maryland will be convening the first annual Executive Cybersecurity Summit at The Hotel at Maryland on April 4 and 5. The Summit will be an intensive two-day experience with keynote addresses from industry leaders including Rick Ledgett, Jim Rosenthal, Deb Plunkett, and Curt Dukes. The summit offers a unique, interactive learning opportunity that combines the latest industry research with practical relevance. It will be led by renowned University of Maryland faculty, senior policymakers, and cybersecurity experts. These experts will brief you on the evolving cyber threat landscape, threat detection, risk management and more, so that you will be able to maneuver your organization appropriately to keep ahead of cyber threats. Here are some of the confirmed speakers and the agenda.
Thank you, Dr. Harry, for sharing some background on your extensive research in cyber effects and risk frameworks and the overriding necessity to identify and prioritize impacts to your business processes due to cyber threats. I believe your Cyber Disruption Index and overall risk methodology will become useful tools to help decision-makers focus their cyber resources on where they will do the most good. I also look forward to the April 4-5 Summit for Cybersecurity in College Park, MD, sponsored by MaGIC and the University of Maryland.
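Dr. Harry describes above a systems approach that maps business functions onto the infrastructure they depend on and uses graph algorithms to estimate the cascading impact of an attack, in contrast to the unit-by-unit view that only prices the replacement of an individual device. The interview does not show what such a calculation looks like, so here is an added illustration written for this page. It is not Dr. Harry's, MaGIC's or the Cyber Disruption Index's code or method; the dependency graph, the node names, the daily revenue figures and the replacement costs are all constructed assumptions chosen to make the point visible.

```python
"""Toy dependency graph: business functions -> services -> devices.

Added illustration for this page, NOT the Cyber Disruption Index or any
University of Maryland / MaGIC code. Every node name, revenue figure and
cost below is a constructed assumption.
"""

# Each node lists its requirements as a list of alternative-sets.
# A node stays available only if, in EVERY set, at least one alternative
# is still available (an AND of ORs). Leaf devices have no entry here.
DEPENDENCIES = {
    # business functions depend on services
    "order_intake":     [{"web_shop"}, {"payments"}],
    "fulfilment":       [{"warehouse_app"}],
    "customer_support": [{"crm"}],
    # services depend on infrastructure (web and db tiers are redundant pairs)
    "web_shop":         [{"web01", "web02"}, {"db_cluster"}, {"core_switch"}],
    "payments":         [{"pay_gw"}, {"core_switch"}],
    "warehouse_app":    [{"wh_srv"}, {"core_switch"}],
    "crm":              [{"crm_srv"}, {"db_cluster"}],
    "db_cluster":       [{"db01", "db02"}, {"core_switch"}],
}

# Constructed daily revenue ($k) carried by each business function.
REVENUE_PER_DAY = {"order_intake": 400, "fulfilment": 250, "customer_support": 50}

# Constructed replacement cost ($k) per device: the "unit by unit" view.
REPLACEMENT_COST = {
    "web01": 12, "web02": 12, "db01": 40, "db02": 40,
    "pay_gw": 30, "wh_srv": 15, "crm_srv": 15, "core_switch": 8,
}


def disrupted(down):
    """Return every node that is unavailable once the nodes in `down` are.

    Failure propagates upward to a fixed point: a node is added when one
    of its requirement sets has lost all of its alternatives.
    """
    down = set(down)
    changed = True
    while changed:
        changed = False
        for node, requirements in DEPENDENCIES.items():
            if node not in down and any(alts <= down for alts in requirements):
                down.add(node)
                changed = True
    return down


def revenue_at_risk(down):
    """Daily revenue ($k) of the business functions disrupted by outage `down`."""
    lost = disrupted(down)
    return sum(rev for func, rev in REVENUE_PER_DAY.items() if func in lost)


def rank_devices():
    """Rank devices by the functional impact of losing that single device."""
    return sorted(((revenue_at_risk({dev}), dev) for dev in REPLACEMENT_COST),
                  reverse=True)


if __name__ == "__main__":
    print(f"{'device':12} {'replacement $k':>15} {'revenue at risk $k/day':>24}")
    for impact, dev in rank_devices():
        print(f"{dev:12} {REPLACEMENT_COST[dev]:>15} {impact:>24}")
    print("both web servers down:", revenue_at_risk({"web01", "web02"}))
```

In this constructed graph the cheapest device, the core switch, carries the largest functional impact (all three business functions stop, $700k/day), while a single web or database server has zero functional impact because its tier is redundant; only losing both members of a pair disrupts order intake. A replacement-cost ranking would put the switch last and the database servers first, which is exactly the inversion the systems view is meant to expose. Redundancy is modelled as an alternative-set, so adding a second payment gateway is a one-line change whose effect on revenue at risk can be re-run immediately.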
And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, securing the Internet of Things, or other security topics. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.
About Dr. Charles Harry
Dr. Charles Harry is a senior leader, practitioner, and researcher with over 20 years of experience in intelligence and cyber operations. Dr. Harry is the Director of Operations at the Maryland Global Initiative in Cybersecurity (MaGIC), an Associate Research Professor in the School of Public Policy, and a Senior Research Associate at the Center for International and Security Studies at Maryland (CISSM). Dr. Harry facilitates and promotes external engagement and interdisciplinary research across the university and is often called to speak to international and national audiences on a range of cybersecurity issues. Dr. Harry sits on the US Chamber of Commerce's Cybersecurity Leadership Council, engaging private companies and public officials on a range of cybersecurity topics. Prior to his work with the university, Dr. Harry grew and led a $35 million cybersecurity consulting organization combining analysts and developers to deliver innovative solutions to the private and public sector. His public service includes a 14-year career with the National Security Agency, rising to the rank of senior technical leader (DISL). He has supported senior policy makers at the White House and has regularly appeared before congressional committees to provide testimony. Dr. Harry holds degrees in Economics and History from the University of Colorado, and was awarded a PhD in Policy Studies from the University of Maryland. He is the recipient of the Director of National Intelligence Extraordinary Achievement Medal and the Signal Intelligence Career Achievement Medal. His current research focuses on the development of an analytic framework for assessing cybersecurity risk, including the ability to categorize and measure the impact of cyber events.