Social Security numbers today are worth far less on the dark web than they once were — a result of hackers increasingly looking to steal bigger hauls from institutions, like intellectual property and cryptocurrency, according to Howard Whyte, chief information security officer at Truist.
That is one of many insights Whyte shared with American Banker in a wide-ranging interview that touched on topics that ranged from ransomware to the cybersecurity talent shortage and more.
Like many people in cybersecurity, Whyte has an extensive military background. He started out as a Europe-based communications manager for the U.S. Army and later became an information technology specialist for the Department of Defense.
Before joining the Charlotte-based bank holding company in January, Whyte had stints as CISO for Boeing, the Federal Deposit Insurance Corporation, and NASA. Collecting knowledge from a variety of institutions along his career path has given him a unique ability to put banks’ cybersecurity challenges in perspective.
In the interview, Whyte described a forward-looking approach to adopting quantum-proof encryption, the virtues of paying hackers to look for security vulnerabilities, the benefits of a diverse cybersecurity workforce, and more.
As you know, there is and long has been a large shortfall in the supply of cybersecurity labor. For firms looking to add to their cybersecurity workforce, is it worth it to train up their own cyber talent in house, at the risk of that talent being poached or leaving? Or should you be looking to just hire new cybersecurity talent?
HOWARD WHYTE: It’s invaluable to develop your own talent in-house because it gives the folks that know the business an opportunity to pivot into an area that is in high demand. I know there are statistics out there about millions of cybersecurity positions that are left open, so I see high value in training our own talent, because they know our environment.
If they go somewhere else, they will always know our company, the reputation that we have, our purpose, and hopefully they take what they’ve learned within our organization, go off and learn more, and then come back with even more knowledge and expertise to help us.
We look at this as an opportunity for the whole nation to uplift the skills that are needed for this critical mission space.
Employers looking to hire software developers sometimes look at whether the candidate has spent time contributing to open source projects, as a sign they are passionate about programming or well-respected by others. I was wondering whether there is a corollary in hiring cybersecurity talent — whether you’d like to see that people have contributed to or participated in bug bounty programs, for example. What are the green lights you look for on a résumé?
I don’t necessarily look for the folks who are contributing to hacking other companies as a white hat hacker or gray hat hacker. I look for folks who are thinking about cybersecurity end-to-end.
If I’m a coder, how am I thinking about the vulnerabilities of the environment? How do I work with my risk team to ensure that they’re aware of those threats? What are the risks associated with the software and the infrastructure on which it operates? What are the risks associated with the customers who are using it?
I look for someone that has knowledge and expertise that’s more broad-based than just their current technical capabilities — that’s looking at the threat landscape, what’s the attack surface of the capability that they’re bringing to the table.
What do you think of bug bounty programs? You mentioned white-hat and gray-hat hackers; do you think it’s useful to try to attract those people to find vulnerabilities in your system in a controlled way, like a bug bounty program?
I absolutely do. I think there are invaluable contributions from that community that we cannot ignore.
In my mind, it takes a community — it takes all players coming together to add the value of what they see, what they detect, what they can fix, what they can risk, mitigate or accept. The knowledge and skills out there in the community cannot be ignored.
Some of these folks, though not on our payroll day to day, can add significant value from their abilities to look at things from a different perspective, to bring new tools to test our capabilities that are externally facing, and let us know about them so that we can take action on them before someone with bad intent has the ability to impact our systems and/or applications that serve our customers.
Does Truist have a bug bounty program?
We do not have an official bug bounty program, but if someone were to find something, I am sure that we would be open and receptive to that finding and look at what we could do to ensure that we acknowledge that person for their finding, or whatever their ask was.
We are looking into what other banks are doing and will be aligned to those frameworks and our principles. We do have teams inside that conduct those kinds of activities for us, but they’re officially sanctioned by our cybersecurity program.
How do you see the threat of ransomware compared to more mundane threats like password reuse and the fallibility of humans through social engineering?
Well, they could all lead to ransomware. I try to think about it as: a ransomware event starts with another activity, where someone gets the ability to load malware onto a system, and it potentially gets propagated against the entire ecosystem.
I think about our ability to identify, to protect the environment, to detect the action if it’s taking place, but the biggest part of that is what preventions do you have in place, internal to your own environment, with the likes of Akamai or other companies that provide detection capabilities and protections.
Some people worry about the possibility of hackers stealing encrypted data now and, in the future, when quantum computers are more widely available, using them to decrypt that information. How much does that scare you? At what point is that something for banks to worry about?
All technology that is meant for good scares me because I know that someone can turn it around and use it for bad.
I believe that folks in the near future, including nation states that have penetrated large caches of data, will have the ability to use quantum computing for purposes that it was not designed for — for unencrypting swaths of data at speed, which could be within the next five to 10 years.
If that data is Social Security numbers, we know the value of a Social Security number on the dark web is now pennies, but you’ll still be able to build a dossier of information about a company, its employees, health records — it is downright scary.
Just like the U.S. government is using the National Institute of Standards and Technology to develop frameworks for quantum-safe encryption, we have to take it seriously and start planning for it and not wait for a year or two before quantum computing becomes mainstream.
We know that our environments — no matter whether a bank or another part of the critical infrastructure — will have to get these capabilities implemented, so we should start planning now. We need to get those algorithms in place, tested and validated to ensure that they can operate in normal day-to-day activities as we expect.
You mentioned Social Security numbers are now worth pennies on the dark web. I was interested to hear you say a little bit more. Can you explain what you meant?
A couple of years ago, if you got someone’s Social Security number, you could sell it on the dark web for a lot of money, but the value has gone down because there are other commodities that threat actors want to get, like cryptocurrencies and things like that. The identities that have been stolen in the past have been reused so many times that the value has gone down.
Is cryptocurrency the main thing cybercriminals want, or are there other things they’re out to get?
There are always other things that they’re out to get, like the secrets of a company’s intellectual property. But, a lot of the attacks are focused on breaking into crypto banks because they are so easy to manipulate. They are also untraced, so once you get it into a wallet you own, you can reutilize it at speed.
Is there anything else you want to mention before we wrap?
One is that it is important for CISOs to consider how their institutions measure up against NIST’s cybersecurity framework and how they are using the framework.
It’s paramount to us — using standards, measuring ourselves against those standards to always continuously improve, but to also proactively manage risk. That is a commitment that we should make each and every day we come to work — to continuously look at our environment and improve our controls.
Another is one we touched on with recruiting talent. Talent doesn’t always have to look and feel like you. It has to be diverse.
We have to think about equity and inclusion, but also get in different people with different perspectives into cyber to do analytics in different ways, to look at the problem from a different point of view. That helps support the infrastructure, which is absolutely critical not only for the financial industry, but for the entire critical infrastructure supporting the U.S. and our global community.