You would think that – in the midst of a global pandemic that is confirmed to have killed almost 500,000 people worldwide – the healthcare organizations working to find a cure would be able to conduct their work and research without the threat of cyberattack. But that’s clearly not the case.
This is indicative of a larger trend in the threat landscape facing the public sector, according to James Yeager, the Vice President of Public Sector at CrowdStrike:
“What we’ve found is that – no matter how noble the cause of the organization they’re targeting – there’s great indifference in the mind of the adversary. There’s no conscience. They will spare no one. They’ll target anyone.”
James is one of many exciting public sector and private industry speakers and panelists planned for the upcoming Fal.con for Public Sector virtual event, where the threats facing public sector entities – from state and local governments, to federal agencies, to educational institutions and healthcare providers – will be analyzed and explored.
We recently had an opportunity to sit down with James to talk about the threats facing these organizations, what adversaries are looking to accomplish with these cyberattacks and what attendees at the upcoming conference can expect to learn about defending their networks and data. Here is what he had to say:
GovCybersecurityHub (GCH): Can you tell our readers a little bit about yourself and your current responsibilities with CrowdStrike?
James Yeager: I joined CrowdStrike approximately four years ago when I was brought in to start our public sector practice. Before my arrival, the company didn’t have any dedicated resources focused on the public sector.
That doesn’t mean CrowdStrike didn’t work with the public sector – or didn’t think it was important – but they were a young company that hadn’t really started taking the hard steps needed to do business with the government. Working with the public sector takes time, dedication, resources and knowledge. And it’s all I’ve ever done, so I was brought in to help them make that transition.
I started my career in sales in telecom before moving on to Oracle. I was an athlete in college, had coached sports teams and really liked coaching and educating people, so I transitioned into leadership so that I could coach and train salespeople. When I made that transition into sales leadership at Oracle, I also transitioned into working in the public sector.
I then moved on to McAfee, where I got to work with state, local and education sales and learned about cybersecurity. Then I moved over to Tanium, where I got to stand up their public sector sales organization. With Oracle and McAfee, their public sector sales teams were established. At Tanium, I was standing that up from scratch, and it was an amazing challenge that prepared me directly for my role at CrowdStrike.
In my role with CrowdStrike, I’m responsible for all of public sector – which includes every aspect of federal government, state and local government, education and healthcare.
GCH: You work with federal, SLED and healthcare clients. How are their threat landscapes similar? How are they different?
James Yeager: It’s unique…but it’s not at the same time. The threat landscapes across all of the different parts of the public sector are surprisingly very similar. The attack patterns are very similar. The behaviors don’t change a great deal. As sophisticated as the adversaries have become, at the end of the day, this is human-generated activity and we’re all creatures of habit. Adversaries are leveraging historically-documented, highly-successful attack vectors repeatedly to perpetrate these attacks.
Where they differ is the level of efficacy based on the level of sophistication of the target.
State and local governments and agencies, for example, have a tendency to be a bit less sophisticated in their defense. While some of the large states and cities are quite sophisticated, the smaller ones tend not to be – especially when we get into the municipal government organizations and K-12 education. And that makes sense. They just don’t have the resources. They’re not as well equipped as other government organizations and agencies – like the federal government, which has gotten the lion’s share of the investment and has focused extensively on cyber.
And this is why we see state, local and education (SLED) impacted more by ransomware. These aren’t highly sophisticated attacks, but these organizations are less prepared to defend against them. So, these ransomware attacks are more successful at this level. They don’t have the right people. They don’t have the right tools. They’re dealing with antiquity in their brick and mortar locations and their legacy IT systems.
Compare that to the federal government. There’s more modernization in their IT systems and infrastructure. There are more sophisticated defenses and security tools. There’s higher spending on cybersecurity and, in general, security is considered a priority.
GCH: Does this lack of investment and defense impact the types of attacks that they face? Does it impact which kinds of e-criminals attack them?
James Yeager: It makes SLED more of an e-criminal target and opens them up to more “big game hunting.” That’s what we call attacks where multiple adversaries band together to create strength in numbers. Adversaries will link arms with other bad actors, teaming up to identify targets where the potential returns are higher.
Compare that to the federal government, where we’re dealing much more with nation-state attacks. The resources that they have and their focus on security makes them harder targets for the e-criminals – even when working collaboratively. However, the nation-state attackers obviously have both the motivation and resources to attack their networks.
GCH: When we think about healthcare and education institutions, we think about altruistic organizations that are helping to keep people healthy and educate young people. Why are cyber criminals attacking these kinds of organizations?
James Yeager: I think it’s an interesting question – and one that perplexes a lot of people. It can be difficult to get into the psychology of these adversaries. But these people are criminals, there’s no debating that. And to understand their motivations, you need to get into the criminal mind.
There are people and organizations that focus on analyzing the criminal mind and figuring out why they do what they do. And that’s what we try to do with cyber criminals. To accomplish that, you need a lot of data. Small data sets mean that you’re doing a lot of guesswork. But with the massive amount of data that we have at our disposal at CrowdStrike, coming from our threat intelligence teams and based on observations made during services engagements globally, we can rapidly analyze and quickly identify patterns in behavior. From there we can assess with a high degree of confidence what the motive is of an attacker, and in turn, we can help identify the most effective defensive mechanism to be deployed.
What we’ve found is that – no matter how noble the cause of the organization they’re targeting – there’s great indifference in the mind of the adversary. There’s no conscience. They will spare no one. They’ll target anyone.
Early in the Coronavirus pandemic, there was a feeling or belief in the industry that adversaries wouldn’t attack healthcare organizations working to actively save lives. And we thought that was ridiculous. It was running counter to everything that we were seeing. They were still attacking these organizations indiscriminately.
GCH: What are they looking to get out of it?
James Yeager: When it comes to the healthcare sector, we’ve seen more targeted intrusions and some nation-state activity. In these cases, they’re interested in stealing intellectual property, or in being disruptive. For example, let’s say you’re a large healthcare system – like a Mayo Clinic or a Cleveland Clinic – you may face attacks from nation-state adversaries that are actively working to prevent you from identifying a COVID-19 vaccine. They could be doing this to keep the U.S. from getting there first, or to stunt our growth and give them a competitive advantage.
It’s similar to what we see in education with large research institutions. With large colleges and universities with active research and development projects, adversaries will often look for the intellectual property that these institutions are creating. If they’re not looking to steal that intellectual property outright, they may be looking to halt progress. Regardless, they’re looking to get an advantage.
GCH: What about state and local government organizations? How do the threats they’re facing compare to these?
James Yeager: Well, we talked about ransomware already. That’s probably the most pervasive attack that we’re seeing in this space. The vectors that adversaries use to perpetrate ransomware attacks will vary, but they’re usually started with phishing and email.
With SLED it really comes down to the lack of resources, training and funding. The more outdated your security tools. The more outdated your IT infrastructure. The less dedicated security professionals you have. These things all contribute to making these organizations a massive target.
Then there’s the scope of that ecosystem. There are so many state and local governments. They outnumber the federal agencies four to one. That makes it a numbers game for the adversary. They’re low hanging fruit and there are a lot of them. So, they’ll utilize ransomware attacks on the smaller cities, smaller towns, local law enforcement, K-12 education. In these organizations, you may not have a CISO – or the CISO is also the helpdesk guy. So, the targets are plentiful and they’re easier to attack.
Adversaries do a lot of recon. They’re constantly scoping out the target. They’re constantly walking around the building looking for a vulnerability – an unlocked door or an open window. While places like NYC, Los Angeles, or Chicago will have better locks and security cameras on the outside of that building, the smaller cities just can’t afford that stuff.
GCH: What are you planning to discuss during your session at the upcoming Fal.con for Public Sector virtual event? Who should plan to attend?
James Yeager: I’ll actually be making the opening and closing remarks at Fal.con for Public Sector, so I’ll be welcoming the audience, and setting the stage for the entire virtual event. In my remarks, I’ll be establishing the groundwork and explaining what attendees are going to learn and hear about. And that’s important at a virtual event because it’s so much easier for attendees to get distracted or navigate away to focus on other things.
Most importantly, I really want to highlight some of the impressive speakers that we’ll have at this year’s event. And the list is truly remarkable. There is a star-studded cast. This is a packed event with a lot of interesting, provocative discussions and topics planned.
And we carefully curated the content so that there is content that applies to everyone. We’ll talk about election security – which is important for state, local and federal governments. We’ll talk about the changes from COVID-19 and how that’s impacting organizations across government and education.
We’re planning sessions on cloud security and the role of artificial intelligence (AI) in cybersecurity. There will be discussions about threat intelligence and how that impacts every part of government. We’ll review threat landscapes and look at the threats that are pervasive today. We’ll even discuss how experts see the threat landscape evolving in the future.
Candidly, there’s something in store for everyone at this year’s Fal.con for Public Sector.