Michael Echols is the former director of the Cyber Joint Program Management Office, National Protection and Programs Directorate, at the Department of Homeland Security. In this role, he led two unique cybersecurity information sharing programs: Enhanced Cybersecurity Services (ECS) and the Cybersecurity Information Sharing Collaboration Program (CISCP). Echols sat down with HSToday Executive Editor Kristina Tanasichuk to discuss his book, Secure Cyber Life: The Government Is Not Coming To Save You, which is about digital self-defense and having some awareness of your environment to reduce risk.
HSTODAY: What is the genesis of your book thesis, Secure Cyber Life: The Government Is Not Coming to Save You?
ECHOLS: Important systems and networks are being exploited daily and eventually everyone will be a victim of a costly cyber exploit. The problem is there are no financial remedies, social security safety nets for cyber victims or FEMA response systems assisting the individual. This means it is incumbent on every person to reduce their digital risk using best practices that already exist. The only problem is most people believe someone is doing this for them. It is a recipe for disaster considering our government-registered identities are based on a number (Social Security) that can be stolen. Our legal and medical systems are based on chain-of-custody that can be corrupted. And, most people can’t afford to pay an attorney to rebuild their reputation after the person has been assassinated online.
HSTODAY: You’ve served in a variety of capacities in the federal government – how did the experience shape your view of what is needed in cybersecurity?
ECHOLS: As a participant in the development of the National Infrastructure Protection Plan and Executive Orders and National Response Framework types of doctrine, it became abundantly clear that the government has a unique role. The government’s national platform is one of the greatest opportunities to advance preparedness and resilience efforts. However, the foundation for this platform is an ability to show leadership. Unfortunately, when leadership is faint or absent, there is a consequence at the end-user level. This lack of apparent leadership drives me to inform anyone who will listen about cyber threats. It also encourages me to push those in leadership positions to play their parts.
HSTODAY: What do you think is different about what you say and all the rest of the advice on cybersecurity?
ECHOLS: I am spreading a message that cybersecurity is risk management. No two entities will ever have the same financial assets, talent or business priorities. However, every organization can help themselves regardless of their resources. They just need to base cybersecurity efforts on continuously understanding threats, identifying vulnerabilities and minimizing consequences. While formally implementing this risk-reducing ecosystem, an organization can simultaneously develop a culture of cybersecurity. This strategic approach will ensure that team members have insights to create the force multiplier required to battle the growing army of cyber adversaries. The return on investment for this effort is borne out by enhancing a key weakness hackers exploit daily, the human stakeholder.
HSTODAY: Do you think the current divisions in politics are hurting or helping the cybersecurity cause?
ECHOLS: While legislators on Capitol Hill seem to be increasingly partisan, there’s one thing they’ve come to agree on and that’s cybersecurity. However, the nature of politics means politicians are influenced by technology companies who fund their campaigns. And, in some cases, legislated protective measures might inhibit operations of legitimate companies who use similar techniques as the hacker. Thus, no legislative action is taken.
HSTODAY: If you could pass a law aimed at public behavior, what would you really tackle?
ECHOLS: So far, the laws in the U.S. focus more on reactive than preventative measures. Back to leadership, there are few public service measures for cybersecurity that rival the brilliant efforts that make the citizenry “aware” on topics of breast cancer screening, tobacco use and infant mortality. We need campaigns to make citizens aware that they are the real victim following a corporate data breach. Citizens need the knowledge to pressure companies for better data protection and to better protect themselves.
A baseline for this whole-of-cyber approach is to set guidelines like we have for lending in the Banking Sector or rate-setting requirements in the Energy Sector.
Recent action by the state of California is a great example of what is possible now. California emulated the EU’s General Data Protection Regulation (GDPR), which gives the user some power over their own data. This is a step in the right direction.
HSTODAY: In many ways, experts say we’re “too far gone” on cyber and that working to educate is a losing battle. What are your thoughts?
ECHOLS: They are correct if the statement is based on assessment results for current efforts. However, with a projected shortage of 1.7M cyber professionals by 2023, and the power of a negligent employee to allow the intrusion of a critical-infrastructure facility, we haven’t gone far enough. I would tie education to opportunities to end cycles of poverty, efforts to reduce victimization of the elderly and support job retraining. This would form an important partner to legislative intervention that creates a win-win situation between government and the citizenry. It would also spark a national pride that in this case would enable enhanced national security.
HSTODAY: How can employers help with their employees?
ECHOLS: There is a growing business case for not only creating a culture of cybersecurity, but training employees as sentries for the organization. Negligent employees and human error account for nearly three quarters of successful cyber intrusions. Preventing even a small percentage of the associated loss would more than pay for cyber training that unites employees as a “team.” Employees who are aware that their poor cyber hygiene can lead to a reduction in the workforce, or a loss of their personal data, will tap into their own competitive juices. This coalition of the willing may improve business performance as employees become more focused and as a byproduct of their role as defender.
HSTODAY: Are there larger structural ways to tackle cybersecurity challenges?
ECHOLS: Developing a national waterfall approach to tackle cybersecurity challenges is key to standing up to cybercriminals and foreign adversaries. In this case, the bottom of the waterfall may be the strongest. Resources will be pushed out to regions and delivered by local entities who can also assist entities to increase capacities. It will also create resource centers for education and the flexibility to meet emerging challenges. I call the concept “Cyber Secure Zones.”
HSTODAY: Are there developments in the cybersecurity arena that you see as promising to tackle some of these issues?
ECHOLS: Over the years, NIST and critical sector coordinating organizations have developed several frameworks to guide government, the private sector and academia in implementing risk reduction practices. The issue for most entities, who are open to doing their part, is “usability.” We need to do a better job of meeting these entities where they are and not where we wish them to be.
As an example, the more than 23 million small- and medium-sized businesses focus more on staying in business than they do thinking about reducing digital risk. An approach to this group might include enhancing the capacity of regional ISAOs and local MSSPs to service the SMB. This approach would provide the federal government with a local partner who has direct access to end users. It would also make well-meaning Executive Orders related to cyber threat information sharing and cyber education more effective.