Massachusetts leadership convened the fifth annual Massachusetts Cybersecurity Forum this week, turning attention to ransomware, growing the cybersecurity workforce and the prospect of an official U.S. digital currency.
Gov. Charlie Baker’s administration and the MassCyberCenter brought in state and federal officials alongside members of local cybersecurity firms for the event. The forum touted the theme “Building Momentum” to emphasize the state’s cyber efforts over the past several years, as well as goals for expanding collaborations and initiatives going forward.
Cyber criminals are always innovating, but Lior Div, CEO and co-founder of Cybereason, said that ransomware attacks have become more predictable. Criminals have been creative with how they make a profit — including moving from single to double extortion and building out ransomware-as-a-service business models — but many still rely on well-understood attacks and goals. This predictability allows artificial intelligence tools to better determine how ransomware attempts may play out.
“You can almost anticipate what hackers will do because, eventually, they’re trying to go after the same thing: they want to sift through your files and they want to encrypt them,” Div said. “I think that by now, we managed to create a technology that can prevent all the ones that are known … If you’re avoiding kind of the old-school technology that hackers know how to bypass and you’re leveraging more kind of new-edge technology … it will leave very small room for the hackers to operate.”
Of course, hackers continue to evolve their methods, and organizations need to be ready to defend against both ransomware and new threats like killware, noted moderator Lauren Zabierek, executive director of the Cyber Project at the Harvard Kennedy School’s Belfer Center.
Another sticking point: Not all organizations, especially small municipalities, have the funds to invest in many new practices and technology upgrades to bolster their fights against ransomware.
But several speakers like Janet Levesque, CISO for athenahealth, said that general cyber upkeep activities like disabling unused accounts and services can make a meaningful difference for organizations’ defenses. Udi Mokady, CEO of CyberArk, concurred that common slip-ups in cyber hygiene can let ransomware attackers in. (Colonial Pipeline is one notable example of hackers using a former employee’s VPN credentials to gain access.)
Stephanie Helm, director of the MassCyberCenter, also kicked off the day by highlighting several resources her organization provides, including a framework municipalities can follow for guidance on achieving a base level of cybersecurity.
Gov. Baker backed the tool, stating, “I urge municipalities to act with a sense of urgency to achieve the Minimum Baseline of Cybersecurity [framework] and move on to improve areas of highest priority to your local communities.”
Both Mokady and Div recommended organizations modernize their technologies. Mokady added that governments should push organizations to move beyond compliance checklists and require more aggressive preparations. Levesque also advised that organizations take various defense preparation steps, including red teaming, joining intelligence-sharing groups to help uncover trends early on, leveraging automation tools that can detect potential threats, and vetting vendors regularly.
Many speakers also spotlighted technology and cybersecurity as growing sources of employment and economic activity.
“Cyber jobs will be critically important for generations,” said Baker.
State Secretary of Housing and Economic Development Mike Kennealy recommended recruiting talent from underrepresented demographics and creating additional employment pipelines — two strategies that have been getting high attention in the space.
Kennealy highlighted Massachusetts’ existing efforts, including an online job board that MassCyberCenter launched this year to list public- and private-sector cyber postings in the state.
Levesque said organizations should consider filling more junior-level roles with individuals who may understand technology and problem solving while lacking specific cybersecurity experience. Candidates like these can be trained on the job.
As Massachusetts looks to keep an eye on emerging tech, some officials are paying particular attention to blockchain and cryptocurrencies.
At the Cybersecurity Forum, a different kind of digital currency took center stage — one that may be issued and backed by the U.S. federal government in the future. The Federal Reserve has been mulling the prospect of creating a central bank digital currency (CBDC). The Federal Reserve Bank of Boston has been working with MIT to research what it takes to make a viable U.S. digital dollar that could be used for everyday transactions.
A CBDC is generally seen as a way to provide benefits of virtual currencies, such as transaction traceability and swift disbursements, while also leveraging the reputation of the U.S. financial system to win users’ trust.
James Cunha, executive vice president of secure payments and fintech at the Federal Reserve Bank of Boston, said a CBDC should not necessarily be relegated to existing financial practices if it can enable better alternatives, and that such a tool ought to be designed with a goal, such as improving financial inclusion.
“We need serious debate in Washington on what to do, what problems we’re trying to solve,” Cunha said. “I personally think a CBDC should be a public good.”
A viable long-term CBDC also requires designing it in a flexible way that would allow systems to change should new policies around privacy and other concerns emerge, he said.