Commercial Factor Q&A: Theresa Payton Discusses the Continually Rising Threat of Cybercrime
Theresa Payton, founder and president of Fortalice Solutions, spoke with Commercial Factor in an exclusive Q&A previewing her upcoming session on cybercrime at the IFA’s Annual Conference. From the Internet of Things to Big Data and beyond, Payton, a cybersecurity expert and the first woman to serve as chief information officer at the White House, outlines key processes and safeguards every individual and business needs to survive digitally without busting their budgets.
What can you tell our readers about you and your background?
Theresa Payton: My family is comprised of a long line of U.S. military and law enforcement professionals. We all have a call to serve, defend and protect the public proactively by taking preventative security measures instead of a reactive approach. Serving and protecting is in the DNA and fabric of my family on both sides, and for my husband's family as well.
My parents encouraged me to get good grades and focus on academic scholarships to fund college, and in doing so, I caught the "cyber bug" in my early years in school as a military kid. I went to high school at Quantico Marine Corps Base, and a class in computer programming was mandatory. I am so grateful that the U.S. Marine Corps and the Department of Defense saw the value in learning new technologies and made this non-negotiable because it resulted in my love for computer programming.
After graduate school, I worked in banking. I was on the leading innovation edge for customer self-service technologies, which meant I was on the cutting edge of cybercrime, which, back then, we referred to as fraud. That's when I realized my company lacked empathy and design for humans. This opens up the human experience, identity and information to crime.
I had the honor of serving as the first female CIO at the White House. That job's duties included overseeing technology, operations, call centers, websites, remote locations, Air Force One, the residences of the president and vice president and any domestic and international trips. I was also considered the federal records manager for the Executive Office of the President.
What do you hope attendees at the IFA annual conference will take away from your presentation at the conference?
Payton: I hope attendees will be entertained, engaged and empowered to take at least one of my recommended actions to make them more secure at work and home without busting their budget.
What are some keys to secure IT systems in today's environment?
Payton: McKinsey Consulting indicates that transformation roadmaps were accelerated by seven years on average, and yet many businesses are carrying technical debt, otherwise known as older technology. We're stretched thin — I have seen it create a significant uptick in our overall risk, which plays out with the following top three common mistakes:
Accidents happen. System administrators, for example, can accidentally misconfigure remote access platforms, servers and cloud platforms. The fix for preventing accidents is peer review.
Humans are all duped by digital trickery. This is not just a problem for "unsophisticated" digital users. The gamification of social engineering is the solution to reducing these kinds of mistakes.
Passwords matter. Most of us still use weak or recycled passwords, passwords in data dumps or easily guessed passwords. Identifying “keys to the kingdom” passwords for higher security protocols, multi-factor authentication as well as checking password dumps to see if you are listed are all great starting points to combating weak passwords.
For smaller organizations without the resources of a multinational corporation, what can be done to safeguard company and customer information effectively?
Payton: Leverage the free and fabulous resource of the FBI Infragard, which will provide free advice, support and briefings. You can also subscribe to bulletins published by the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency organization. And if you can only implement one thing, consider multi-factor authentication for all accounts. If you can add one more thing, create full backups for your systems and encrypt and store them in a location separate from your day-to-day operations.
How does the approach to cybersecurity differ for public vs. private companies, if at all?
Payton: Although there are differences in requirements responding to proactive and reactive frameworks of the regulatory agencies, cybercrime syndicates do not care if you are public or private.
How have some of the more severe global disruptions we've seen in the last few years (COVID-19 pandemic, broken supply chains, the invasion of Ukraine) affected cybersecurity?
Payton: The pace of global change has accelerated the number of incidents. Cybercrime is global, and operatives live and work in almost every country with internet access. Some of the biggest cyber threats to America's national security are individuals operating within Russia, China, North Korea and Iran. Here is what I see pertaining to each:
Russia: I predicted at the end of 2021 that Russia would eventually invade Ukraine and that the United States would have to respond along with NATO. Vladimir Putin will likely decide to leverage cyber tools because they are less noticeable. This could include misinformation operations, cyberattacks on banks and businesses within Ukraine and attacks on critical infrastructure.
North Korea: In 2022, we will see North Korean hacking groups continue to target staff that work in economics, finance and research and development, as well as diplomats and prominent executives. Their tool of choice has been "credential harvesting", which is sending emails to convince the target to click on links, looking for and stealing from password dumps and using tools to generate passwords based on one-time passwords. One skilled group, the TA406 group, has targeted individuals far and wide, including in the United States, Russia, China and South Korea. Besides committing economic espionage, they look for ways to steal cryptocurrency.
China: This year, operatives will continue probes and theft of U.S. research and development projects. Last year, the FBI and National Security Agency said they had "high confidence" that hackers contracted by China's Ministry of State Security attacked Microsoft email servers. This attack netted email treasures from private and public sector organizations, including schools, hospitals, cities and pharmacies. I expect this to continue unless the United States hammers out an agreement. According to a new Washington Post study, China, which typically focuses on internet surveillance of its citizens, has started to track citizens outside their borders. The investigation found China had government contracts and projects that included "orders for software designed to collect data on foreign targets from sources such as Twitter, Facebook and other western social media."
Iran: Political espionage to advance Iran's interests will continue as well as attacks for financial gain. In November of last year, a federal grand jury indicted two Iranian hackers. Their crime was reminiscent of Russian tactics: They were indicted for election interference. They stole information from a state's election website and built a disinformation campaign targeting Americans. Iran is also working with ransomware tools.
Will this be the year of the International Accord on Cybercrime? No, probably not. There'll be a lot of talks, but, most likely, nothing will be passed.
There is a draft that started in December 2019. Before the pandemic hit, the UN General Assembly adopted a resolution to draft a global comprehensive cybercrime treaty. Before the omicron COVID-19 variant, discussions were planned for January of 2022.
The UN, the United States, the EU and many states parties to the Budapest Convention feel this is not the right direction and want to enhance the Budapest Convention treaty on cybercrime.
What are some emerging cyberthreats that you expect to make a significant impact in the next five to 10 years, and how can organizations prepare for them?
Payton: To continue to better prepare for the future, I have predictions of how cybercriminals may decide to invest their time and energy in 2023:
Space will be hacked. The race to send private citizens to space, allowing more connectivity with Low Earth Orbit (LEO) satellites, added to the ubiquitous use of satellites, makes space an attractive target. Space will be hacked beginning with the disruption of new connectivity provided by LEO satellites. As governments and businesses rush to connect the disconnected via a string of LEO satellites, these will become a prime target for cybercriminals. Our critical transportation infrastructure will be at risk, as everything from trucks, autonomous delivery vehicles, planes, shipping vessels and more depend on GPS, continuous navigation and communications with just-in-time updates.
Design consideration/action: Have a backup plan if your systems leverage LEOs. Ask yourself if you can temporarily offline landlines or ground internet?
Artificial intelligence code generators will generate dormant security flaws. As AI-supported software development takes hold and code generators become more popular, this combination will provide the next great frontier for third-party supply chain attacks. By leveraging machine learning to augment developers' processes, the code should, in theory, be more secure and reliable. However, it only takes one successful social engineering campaign to allow a cyber operative to taint the machine learning or inject a change into the algorithm to generate dormant security flaws they can take advantage of later.
Design consideration/action: Create trust but verify the development process with peer reviews to ensure that code builds are valid. Regularly run red team assessments of code bases to look for hidden security flaws.
Forgeries and theft rock the blockchain. Cybercriminals will harness computing power and AI to find a vulnerability in blockchain hashing. This will allow them to mimic the blockchain to conduct stealth movement and pilfering of cryptocurrency, NFTs and other items stored on the blockchain and replace them with decoys, making it appear as if the theft never happened.
Design consideration/action: Have old school storage of certificates, printouts of logs and backed up information that you can store in a safety deposit box or out of the band in the event of a theft. Put alerts and monitoring systems in place.
What are the most important pieces of advice you'd give to companies when it comes to staying ahead of the curve in terms of cybersecurity?
Education and awareness of your staff are essential. A study from Tessian and Stanford noted that 88% of all recent cyber incidents are caused by human error and not by sophisticated criminals.
Have a digital disaster playbook for the 2023 predictions I mentioned above.
Check trusted, vetted news organizations by going to their site directly. Always have three sources: one local, one national and one from outside your country.
Ask employees before clicking on links or opening attachments to think twice. If they still need to take action, this free tool can do a quick scan looking for danger.
For more insights from Payton, make sure to attend her session at the IFA’s Annual Conference. You can also read her book, “Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth.”