so you kind of have the forming storming norming kind of thing and this was our storming phase so anyway one of the early things that happened this was um I was asked our security team I hadan a security team of around 30 professionals and we were asked to put um wireless networks in all of the conference rooms in state government and so um at that time that was kind of a Cutting Edge issue now you know everyone has Wireless everywhere in their homes and and you know coffee shops and everything but the reality is um that was a Cutting Edge thing at the time and I was my background was you know National Security Agency and we call three letter agencies in Washington so NSA CIA Dia FBI and and I had done my homework and I knew that this was bad you know security you know we couldn't allow Wi-Fi in conference rooms because it was it was uh going to be a problem it was not secure and there were stories in the papers there lots of stories in the US papers about people pulling into home Home Depot and Walmart I'm not Walmart but Home Depot and Lowe's and and different uh parking lots or car parks and and hacking into cash register because the Wi-Fi weren't secure so I had all these papers so basically Terry asked me to prepare we were in the staff meeting and it was like 10 of us in the staff meeting and we got to that agenda item and Terry says dan tell us how we're going to securely put Wi-Fi in all of our government conference rooms and I said um well Terry I've decided to cancel this project we're not going to do it we're not putting Wi-Fi in any of the conference rooms and Terry just looked at me with this stunned look and and I have you know she asked everyone to leave the conference room but me so it was just me and Terry looking looking at each other and I've never seen a government agency meeting end so quickly in my life because you know this was an hourong meeting it was 15 minutes in and she just ended it and she looked me in the eye and she said Dan if that's your answer sir you cannot be the ciso in the state of Michigan basically I was worried I was going to get fired and I said well wait a minute Terry you know you don't understand let me explain I had all these white papers and all this I was going to show her all my background materials about and articles and and books about why this was a bad idea and she says no stop I read all those articles I know what you're going to say I I know what you're thing is but but she said uh I've been to D Ford Chrysler and General Motors they all have Wi-Fi in their conference rooms what do they know that you don't know and so they're like telling so I'm like whoa she says I'm giving you one week to figure this out and come back and give us a plan not the not to deliver it but to give us the plan to do it securely or you're fired so that was a real scary moment for me because it was scary I almost thought I was gonna lose my job I ran back yeah yeah I just sou one more quick thing I'll tell you I went back to my team they were like Did we tell them we're ging Wi-Fi and I said no we're doing Wi-Fi we've got to figure this out so two years later we actually win the award for top Wi-Fi security in the whole country but that really was a a a paradigm shift for me as a person you know that security needs to be enabling they need to be coming with Solutions and not just problems security Pros can't just say no can't do it you've got to come up with a solution that's going to do security or time on budget with the right level of security so that's my most embarrassing story how I almost got fired but it turned into a good thing Terry and I are still friends 20 years later actually well 18 years later and now BOS I want to know what your most embarrassing moment in your career Place sure sure I I I would be happy to but before that did you manage to get fired no but you tried but you tried I kept my J honestly did not get fired and uh it ended up being real a paradigm shift for me because I I started to think about security differently and I you know whenever I had a security challenge it's like who's doing this best who can we learn from look around um and you know state government is not known at that time certainly as one of the leaders in security and and like I said the private sector was doing that better than us and we learned from that and we actually improved we actually got better through that experience interesting very interesting learning I I I believe that there's a lot of interesting takeaway as well outside of uh a very entertaining story for sure so let me share mine yes so this is quite a long time back so almost like couple of decades back and and as a kind of little bit Prelude to the story which is important I used to do a lot of magic shows I mean long time back and by magic shows I don't mean the rabbit out of the Hat trick kind of magic shows but more like the David Blaine kind of stuff mentalism and closeup magic and those kind of stuff I I used to do on stage as well so I was doing like opening shows for college fests and closing shows for college F so I'm doing I I was doing it at a pretty decent level so and and also I started my first startup around that period we were doing this automated penetration testing on the cloud so that was what we were working on so now I went for a visit to Paris to meet some partners and that that was like a slightly gloomy day and little bit of drizzles and I remember I was walking down the stairs um of um they call it Subway right yeah Subway yeah like the underground yeah they call it Subway yeah so or no they call it Metro oh the Metro gu the Metro yeah yeah the underground transport system yeah us is the subway and London is the underground yeah down the stairs and there was a guy who looked like from east Europe he came and told me that I'd like to sell this um iPhone iPhone just got launched and would you like to buy and I was the Blackberry guy during those days yeah now I'm happy with my phone so I was walking down and this guy still followed me and said you know what I need some money badly and my sister is at the hospital I need some money it'll be great help if you could buy this and he eventually came down like he started with somewhere around few hundred EUR and came down to some2 EUR and eventually he told me you know what I need it very very badly can you give it to me I mean I'll give it to you at € 10 or something like that and here's the iPhone and I'm also going to give you this camera a small point and shoot Auto automatic camera and I took that phone and I swiped and everything was working fine and I thought this is interesting because at € 10 EUR if you get a device which is working in worst case even if things are not perfect we can go open it up and look into and use it for hacking so I found that and I think I became a little bit greedy I wouldn't say I tried to help that guy but I said okay here you go I gave the €1 he took this iPhone and the camera put it into a small brown bag and gave it to me and I took that and he started running up the stairs and I opened this brown bag and inside that there were two potatoes oh wow so right in front of me he did the classic switch which I I was pretty well trained to do switch in front of me and that was probably the most expensive pair of potatoes I have still I mean I bought till date that's a great story humbling experience being a security professional I mean that reminds me to stay humble that's great great story so Dan let's get started with some real crisis example today's topic is handling crisis please share some some examples of some real crisis that you dealt with in the past well I've dealt with lots of them um you know when I was CSO for sure one of the biggest ones was the blackout the Northeast blackout of 2003 so you know we had just gone through the whole Y2K and I I I started in Michigan government in 97 and uh you know I'd come from an NSA kind of top secret background you know and Michigan Government was very different than that of course um not a lot of you know not a lot of um very uh secure facilities but the whole Focus during those years from 97 to 2000 were was Y2K so we had prepared you know what if you know all the computers break and we had done a lot of good work to prepare for that um and that went kind of without a hitch but we were all sitting there in the Emergency Center you know on January or or actually you know December 31st January 1st of 2000 but then three years later you know we had we had we had of course two years later we had 911 but not so much happened in Michigan but two years after that we had a a large blackout in Michigan where uh the whole Northeast lost power for two days basically we lost power and it was basically a situation where we had to all go to the emergency coordination Center and respond to no computers no power no huge issues a lot of people thought it was in the US thought it was another 911 they thought you know it was another terrorist attack and uh all the people at the emergency coordination Center uh we were there for four straight days in a in a bunker with you know a generator and um responding to all kinds of issues that parts of the state came back like 24 hours later other parts uh came back more like two days later and some came back three days later but it was a major emergency and and you New York was without power for a couple of days a lot of things happened you know trying to get water from one side of the state to the other um some things you wouldn't necessarily think about like um it was a very hot day it was like 95 degrees Fahrenheit in the US and and restaurants were having to close there was no air conditioning but they were serving spoiled food and so like there there food you know uh inspectors who were having to you know close restaurants because people were eating spoiled food in Detroit and and they needed the technology to support that but they had no power so there was lots of things we had to do and during that time I met tons of people who ended up becoming leaders in Michigan Government over the next decade the person worked closely with was um Colonel etu who was running the whole emergency for uh State Police in Michigan she ended up becoming the director of Michigan State Police so in those kind of emergencies if you're ready if you're prepared if you've got good plans in place um it can really strengthen your security organization to be prepared that was not a hacking attack although some people thought it was a hacking attack initially but you know we responded to that and that was a real life emergency we responded to that's interesting that's very interesting mean that happened due to more like a natural Calamity but that's something which I think all the all the nations today want to stay prepared for right right so uh Dan uh let's talk about some some some of the drills that you have done and so any of these large scale cyber crisis drills that you conducted in the government y yeah so what one of the ones that I want to uh mention was a a um a series of drills that the US Department of Homeland Security does called cyber storm at C YB R storm s o RM and uh the what I'll tell you about the story I'm going to tell you is from cyberstorm 1 which was the first one but they're now up to think cyberstorm 7 is coming they do this every two years and these are Global exercises so um you know they they do them in you know US states they use federal agencies in the US but know the United Kingdom and France and Australia and New Zealand were all part of these exercises so this was a global exercise we were at the first one and my team had prepared it is a weekl long exercise it was a not everyone on our team obviously but it was a large group of people and um I tell people if you want to understand what cyberstorm 1 was like I'm thinking this is back in 2006 so this is going back to the first cyberstorm but there's a lot of really good lessons we learned from that watch the movie Die Hard four Die Hard four with Bruce Willis um it's called live free and die hard where all the power goes out and bombs are going off and it's scary stuff um so we had a situation where we you know the first day of this exercise you know is probably over the top and most cyber exercises today wouldn't start this way but they had bombs going off kind of like 911 again they blew up our data center they blew up um big parts of government um they hacked other parts of government and all of our services were down for two days and it was very very intense and we were like getting beat up we were like humbled our team was just like we were like done I mean we were really kind of overwhelmed by Thursday afternoon though this is what I want to tell you about by Thursday afternoon we were told there was one more thing you have to do in this exercise to train your team and we said okay what is that they said we have to get our bull main frame.
post features Dan's career experiences in cybersecurity, including crisis management and drill participation.
Highlights:
Security needs to be enabling: Security solutions should facilitate business needs, not just create obstacles.
Learning from the private sector: Government cybersecurity can benefit from best practices used in private companies.
Importance of preparation: Cybersecurity preparedness helps navigate real-world emergencies effectively.
Northeast blackout of 2003: A real-life crisis highlighting the value of preparation and collaboration.
Cyber Storm exercises: Large-scale drills conducted by the US Department of Homeland Security to test cybersecurity preparedness.
Emphasizes the importance of proactive cybersecurity measures, including planning, drills, and adaptability. By learning from past experiences and adopting best practices, organizations can strengthen their defenses against cyber threats.
Speakers:
Dan Lohrmann is an esteemed cybersecurity expert and Field Chief Information Security Officer (CISO) for Presidio, celebrated for his impactful career across both public and private sectors. With beginnings at the National Security Agency and roles at Lockheed Martin and ManTech, he has been recognized as CSO of the Year among other accolades. Dan is also a prolific author and speaker, sharing insights on cybersecurity and technology modernization through his award-winning blog and publications.
https://twitter.com/govcso
https://www.linkedin.com/in/danlohrmann/
Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.
Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.
https://twitter.com/bikashbarai1
https://www.linkedin.com/in/bikashbarai/
Comments