A Note To My CEO


Hi Boss and welcome back from your New Year's holiday vacation. I know you were mostly off-grid and incommunicado for the past couple of weeks so you may not have heard about the most recent cybersecurity issue in the headlines. I hate to welcome you back with bad news but the world collectively greeted the new year with perhaps one of the worst security vulnerabilities ever seen. Vulnerabilities named Meltdown and Spectre were reported on January 3rd and affect virtually every computer made in the past 20 years. Remember those two names, you'll be hearing them a lot in the coming weeks.

Without getting into too much technical detail, Meltdown and Spectre are different from the typical software vulnerability, since the flaws are in the actual microprocessor hardware of all Intel, AMD, and ARM processors. These represent close to 100% of all computers on earth today so there is no safety in numbers. The vulnerabilities take advantage of an architecture flaw where a feature these microprocessors use called speculative execution is employed to speed up performance. The vulnerabilities allow bad actors to access information at a very granular level of the microprocessor and reveal highly privileged data.

I've established a small tiger team here at the company and the first thing we did after the vulnerabilities were announced was to review our configuration management database to determine if we could identify all of the potentially vulnerable computers we have in the company. This was a particular challenge for our remote facilities in Europe, Australia and Asia. While it's impossible to track our supply chain and inventory down to the chip level, we were able to get a fairly decent accounting of the risk Meltdown and Spectre represent for us and no surprise, it's almost everything.

Hardware and software vendors across the globe have been responding, with updates and patches being released almost daily since January 3. Because of the complexity of these vulnerabilities, I decided to take a go-slow approach in applying patches since a mistake, on our part or on the vendor's part, could have catastrophic impact on our global operations, especially in our industrial control system manufacturing environments. There have been several instances where vendor patches completely disabled the computers and other cases where there were significant performance-related problems so I'm satisfied with our focused and deliberate deployment strategy. There aren't patches for everything in our inventory so we are identifying potential compensating controls where a patch is not available.

We've also been working very closely with our shared hosting cloud providers and have direct points of contact for any emerging problems they identify. Because of the nature of cloud computing, where physical servers are often shared between multiple customers, this vulnerability could make data from one customer exploitable by another customer and the cloud providers are acutely aware of the security issues this raises for us and all their customers. I'm comfortable that the cloud providers are being as proactive as possible and are staying close to the vendors for additional information and updates.

If there is any good news at all, it's that there are currently no known exploits for Meltdown or Spectre at this time. That, however, is sure to change. This vulnerability will be with us for years and since it will require a fix to the actual processor design, until that is available from the chip manufacturers, even life-cycle replacement of our computers is not a solution. Bad guys will take advantage of this time-gap in our ability to completely remediate the problem.

Two things I want to prepare you for: this is not going to be inexpensive and it isn't going to be quick. I'll do what I can to address it within my current budget, but will also prepare a realistic budget for the longer-term strategic mitigation requirements, including replacement infrastructure. This of course will only happen after new processor technology has been developed and manufacturers begin shipping new computers and industrial control system appliances.

I know you have your monthly call with the Board on Friday and I'll have a detailed summary ready for you to present on this issue. I'm happy to join you on the call if you think it would be helpful. I'll also be prepared for the quarterly Board meeting next month with more detailed risk metrics on both our current status and our long-term strategy for addressing Meltdown and Spectre, including those specific instances where we've had to develop compensating security controls.

Sorry for the bad news but I hope you feel comfortable that we're addressing the issue with all appropriate actions.

Mark Weatherford

Mark Weatherford is the Chief Information Security Officer at AlertEnterprise, the Chief Strategy Officer (and a Board member) at the National Cybersecurity Center, and the Founding Partner at Aspen Chartered Consulting, where he provides cybersecurity consulting and advisory services to public and private sector organizations around the world.

Mark has held a variety of executive-level cybersecurity roles including Global Information Security Strategist at Booking Holdings, Chief Cybersecurity Strategist at vArmour, a Principal at The Chertoff Group, Chief Security Officer at the North American Electric Reliability Corporation, and Chief Information Security Officer for the state of Colorado. In 2008 he was appointed by Governor Arnold Schwarzenegger to serve as California’s first Chief Information Security Officer and in 2011 he was appointed by the Obama Administration as the Deputy Under Secretary for Cybersecurity at the U.S. Department of Homeland Security.

Mark is a former naval officer who served as a cryptologist and was Director of Navy Computer Network Defense Operations, Director of the Navy Computer Incident Response Team (NAVCIRT), and established the Navy’s first operational red team.

He is an investor and on the Advisory Board of several cybersecurity technology companies where he has a very successful track record in helping startups through the M&A process to acquisition.
