Data centers and the cloud sit at the heart of modern infrastructure, and thus are a natural focus when it comes to discussions about security. With us today to share his perspective is DataBank’s Chief Information Security Officer Mark Houpt. Mark accompanied a delegation led by the Kansas City Tech Council to a TECNA DC Fly-in event in Washington DC in early February, before COVID-19 shut down much of the country. They were there to provide input on the development of privacy legislation for the US that would take aim at similar issues as Europe’s GDPR, as well as to discuss top security concerns that today’s internet infrastructure faces. Also included in this Industry Spotlight are his thoughts on the pandemic as it relates to cybersecurity.
TR: So, who were you in DC with and what was everyone talking about?
MH: We were invited to be part of the delegation from the Kansas City Tech Council, because we have data center facilities in Kansas City, and through various webinars, onsite training sessions, and roundtable discussions, we have a pretty good reputation and presence with them. The Kansas City Tech Council has been in the process of lobbying Congress for privacy legislation and other types of cyber-related legislation and education. Personally, I went to speak on a panel regarding cyber resiliency, including ransomware. I then met with a couple of the senators’ offices, one from Kansas and the other from Missouri. Then, the delegation met later with a couple of representatives from the House. The particular topic of discussion with the legislators and their policy folks was privacy legislation, which is being drafted in Congress right now (and since released, sponsored by Sen. Moran (R-KS)). They are working on a responsible privacy law for the consumers in the United States that does not necessarily mirror but responds to the European GDPR and the new California Consumer Privacy Act. Instead of having a privacy law for every single one of the 50 states and however many other territories there are that would fall under US jurisdiction, they're looking at a federal law so that there can be some consistency across the entire country regarding consumer privacy.
TR: What type of legislation are they considering, and what role were you playing with it?
MH: There is currently a draft bill being reviewed. Our conversations were having input with those that are in the process of drafting the law, and we wanted to make sure that these policy advisors understood the cultural differences between the United States and Europe in regard to privacy. We also wanted them to understand some of the economic impacts of privacy legislation upon small, medium, and large businesses within the United States.
TR: What cultural differences between the US and Europe do you think would affect such legislation?
MH: In Europe, privacy is viewed as an extension of the person or the persona. Data that we in the United States would frequently view as owned by a company is viewed in Europe as still owned by the person. For example, if I am in Europe and I'm a citizen of Europe, photographs that are taken of my face and any data that is retained about me, such as medical or biometric data, whether it’s fingerprints or simply height, weight, etc., and my buying and spending habits are all viewed as personal data and part of my persona. They are something that I as the person have control over, so I can reach out to a company and ask for a list of everything they retain on me, and then I can go down that list and say what they can keep and what they must delete. There are some exceptions to that, such as if I have chosen to do business with a company, then they are legally allowed to keep my data for the purposes of conducting the business only. But here in the United States, it’s practically the opposite. I don't have any control over the data that a large insurance company, for example, keeps on me. That is considered their data because they either purchased that data or spent money to collect it. If I do business with a company, then it's considered common (and expected) practice to do analytics on that data to try and market that and other products towards me. In some cases that data is also sold to other companies so that they can do their own analytics. Things like Apple's Siri or Amazon Prime are collecting data on my habits and then turning around and marketing towards me. In Europe, that's not an acceptable practice unless I explicitly allow that. Whereas in the United States, it's assumed that that will happen.
Now, the California Consumer Privacy Act (CCPA) has established for California residents some very European-like laws, which is causing some conflict within the United States. Some other states are also considering similar kinds of laws. That's one of the reasons there is a lot of effort and attention from Washington on a US national privacy law. Businesses want to get ahead of this, so that they can protect a very viable and valuable research and revenue stream.
TR: What form do you think that legislation will take?
MH: First, the privacy legislation that I'm aware of is a joint sponsorship by members of both of the two major political parties. As with any type of political situation, there's going to be a lot of negotiation. But I do not believe that it's going to look like the California Consumer Privacy Act. I think most companies and most people outside of California believe that there are two things wrong with the CCPA. 1) It's too stringent. 2) It’s too immature. An issue with the CCPA is that they rushed to get a law on the table with the intent that over time new amendments and new functions would be added.
One of the things that they've been modifying recently is about employment, considering exemptions for employers to collect data on either pre-employment or current employees in order to fulfill the employment obligations. It's actually starting to become a little bit chaotic because each industry will step up and get a sponsor and get an amendment passed for their industry. For example, right now one of the industries that is looking for some exemptions is the trucking industry. Trucking companies are doing a lot of contracting with out-of-state drivers, and so the companies are being held to CCPA standards, whereas the drivers are not really residents of California, and they're having to do a lot of extra effort to maintain CCPA compliance. I think it's a moving target, and if we have this conversation two months, three months, or six months from now, the details will be clearer.
TR: Do you think they will be able to find an acceptable compromise between the interests of consumers and businesses on this?
MH: I think so. The people who do not believe that there should be any sort of privacy legislation whatsoever are going to have to realize that the time and the place is now for new and responsible privacy legislation. The only privacy legislation that exists in the United States is siloed within HIPAA, the Fair Credit Reporting Act, and a couple of other things. We want to broaden the scope of those things that already exist that have worked. Meanwhile, the other camp is going to have to give up the thought that we can basically take GDPR and put it inside the US jurisdiction and give all of the rights to the consumer. We're going to have to land somewhere in the middle.
TR: What are the biggest hurdles currently impeding such a compromise?
MH: One of the challenges that we're going to have is dealing with the arbitration of disagreements. If I'm the consumer and I want a company to delete all my data or to provide me with information on what they are retaining on me and they are not responding to me, one of the remedies is to take them to court. The court system is legitimately concerned that this would flood the court system further. So, one of the compromises might be to use some sort of extra arbitration system where qualified people can sit down and say what is a legitimate request and what is frivolous or prevents the company from fulfilling contracted obligations, etc. What kind of legal ramifications and recourse a consumer and a company would have is probably going to be a sticking point.
TR: In today’s heavily divided environment, this sounds like a difficult path. Are you optimistic?
MH: Actually, I was very encouraged by what I heard. The people that I spoke with were knowledgeable, they were sincere, and they were serious about getting something done in a bipartisan way. I do believe that there are probably some significant sticking points on the foundational belief of how much of a persona is owned by the person. I didn’t run into anyone that really believed in the European GDPR way. Somewhere they will have to come in the middle, but the key thing here is that I think they're cordial, they're collegial, and frankly, they're talking about it. They're not just butting heads. I think everybody agrees that something needs to happen, and they just have to sit down and negotiate it.
TR: What other security threats are looming large right now?
MH: One current topic is intellectual property theft. I think the US is woefully naive on the subject. There are a lot of country- or nation-sponsored organizations making a lot of effort right now to hack into US company systems to steal technology so they can reverse engineer it and build it within their country. Not all of them are what we would deem as adversaries, which would typically be China, Iran, North Korea, etc. There are allies that do this kind of thing as well.
And then, there's ever-present infrastructure attack concerns, where a nation-state or another large potential hacker has the ability to get into our power grid or some other critical system that can impact a society as a whole.
TR: How does the coronavirus pandemic impact cyber security?
MH: The situation with the coronavirus is also a cyber threat because it affects the supply chain that technology is based on. Things coming from Asia and other places in the world can be impacted when people are not able to get to work. From a cybersecurity perspective, this actually introduces some risk into our environment because US-based companies are being impacted by supply-chain weaknesses, in addition to the health and travel issues. They might turn around and buy a product that is inferior or has not been tested from a cybersecurity perspective and could have back doors or whatnot within it.
Then from a CISO's perspective I have to deal with continuity of operations. If in fact the virus impacts the United States or geographic areas in the United States that my company operates in, I have to have an effective continuity-of-operations plan (CoOP), so our company can continue to operate through the problem when people may be quarantined. [Editor’s note: this interview was conducted on 2/28/20 before this became reality. We went back to Mark on 3/27/20 to get his current input. The following was added:]
With the coronavirus now widespread in the United States, we have had to do exactly what I predicted and activated our CoOP. In fact, DataBank has been designated by the Department of Homeland Security (DHS) – Cybersecurity and Infrastructure Security Agency (CISA) – as a “National Critical Function” (NCF), which means we remain open, operational, and fully staffed. However, we have taken extra precautions, including more rigorous cleaning of frequently touched surfaces (biometric monitors, door handles, etc.) and screening of visitors to our data center facilities to check for symptoms as needed. The health of our staff is obviously paramount.
TR: Does the current security environment feel more dangerous than normal, or are we just on a treadmill as we overcome some threats as new ones appear?
MH: I think there legitimately are bigger threats than in years past. Over just the past four to six months, I've seen ransomware just shoot through the roof. People are paying the ransoms and learning how to deal with Bitcoin to do it. New tactics within ransomware are exploiting vulnerabilities in systems to allow the ransomware attackers to gain access to the systems and do more damage. I think overall awareness of cyber threats has resulted in a cyclical thing. When you make people aware of cybersecurity problems with the intent of making the cyber landscape healthier, that also increases exposure and brings new people into the discussion who become aware of these nefarious ways to gain revenue. It can just snowball, cycling around and growing every time.
The nation-state attackers are, generally, the same entities over time, but they're attacking at a little bit more aggressive rate. Over the past five years, we've seen a series of large attacks that can all be tied back to China, publicly.
TR: So how do you view the role of DataBank and your own role as CISO within the broader infrastructure security environment?
MH: We have 300,000-square-foot facilities that are hosting tons and tons of data. And although I'm not directly responsible for securing all of that data in its whole, I have a piece of it. For some customers, my job is only to keep people out of the building and put physical security controls in place that prevent the wrong people from getting in. For customers that purchased managed services from us, as a CISO my responsibilities in response to attacks grow. If they choose our network managed services, for example, then it's my job to see that a lot of these network attackers are prevented from getting in to conduct ransomware and intellectual property thefts. DataBank is certainly on the forefront of that.
TR: What would you most like people to know about the cyber security side of this business?
MH: What makes this job interesting is the fact that even though I don't wear a uniform and I'm not in the military anymore, there are very few jobs out there where you are still on the front end of a real warfare type of situation as a civilian. And yet that's what we do. What I try to convey to people is that we are in a cyberwar. Things are going on every day behind the scenes that people don't know about, that people never hear about. There are legitimate attacks that if they occurred visibly with a military force, would be acts of war. And yet, we have people like me and others in similar roles and security engineers and other professionals in civilian organizations that are defending our nation and our nation's companies against nation-state attackers. I take it very seriously. I'm passionate about it. I love it. And it gets me up every morning, ready to go and fight the day's battle.
TR: Thank you for talking with Telecom Ramblings!