Verizon Director of Security Joe Folk Speaks on Modernizing Federal Government Cybersecurity
Cybersecurity threats against government agencies, such as the FAA, are rapidly evolving, with spikes in ransomware, insider, and supply-chain attacks. In their ongoing modernization efforts, these agencies are seeking outside expertise to harden their networks. Verizon says it's uniquely qualified for this role, by dint of its own network being part of the national critical infrastructure. Through its many Information Security Operation Centers (ISOCs), Verizon claims its visibility into threat trends makes it well suited as a cybersecurity partner for the US Government.
We sat down with Joe Folk, Director of Information Security at Verizon. Here's what he had to say about these ongoing threats.
Mel: Tell us a little about your background in security and your work at Verizon.
Joe: Thanks, Mel. I've been working in the security field for almost 25 years now. I have held multiple security roles in telecommunications, in airline IT security and in support of the US Department of Health and Human Services. When I started at Verizon, I was the Director of Security for Verizon Wireless. I spent three years leading teams that manage the multiple security layers in our wireless network. Also, I was dotted line to the Verizon CISO, and thus had visibility into the security work going on in many areas of our business and was able to assist in corporate security strategy. Recently, I've moved to the Verizon Corporate Information Security team as the Director of Engineering leading teams setting security standards and managing security tools.
Mel: We've seen an alarming increase in business-targeted attacks in the last year: ransomware, Distributed Denial of Service [DDoS], and supply-chain attacks. People are naturally concerned about the security of government infrastructure. In broad strokes, what is Verizon Business Group's role in protecting US Government Agencies?
Joe: Verizon has existing contracts for various elements of US Government critical infrastructure, but we also have our own network that is considered a crucial national asset. We have to protect that network, and we continue to identify and monitor the threats you mentioned. We've seen these threats across virtually all industry sectors: Federal, state, and local government agencies; small- and medium-sized businesses; and large enterprise customers. It's a growing trend because it's very profitable for the bad guys. So we've had to upgrade our security controls and protection mechanisms against those for ourselves.
You mentioned supply chain attacks. That's not a new issue; it's something we've been tracking and defending against for years. They have gained more prominence due to the challenges of COVID-19. As a national critical infrastructure provider, we have to buy from a variety of manufacturers, and we have to test the security of those products. We do a significant amount of security qualification testing of all the equipment we buy and deploy using our ICSA labs. We constantly monitor all suppliers to determine if we should do business with them. Our sourcing team ensures that we have multiple sources of supply in case we identify a risk or potential disruption in the supply chain.
Other predominant threats we see today are insider attacks and nation-state attacks. Every company and agency has to take insider threats seriously, so at Verizon we have developed a significant number of internal programs to always be vigilant against these threats; moreover, we share what we learn with Federal critical infrastructure agencies and law enforcement, as well as other companies that potentially deal with large-scale insider threats like we do. Every year, we analyze the state of the industry and publish a highly regarded security report known as the Data Breach Investigations Report (DBIR), where we partner with law enforcement, global companies and governments globally to track key threats, trends and impacted industries. We learn from each other and evolve our programs to counter existing and emerging threats.
Mel: Every year we read the aforementioned annual Data Breach Investigations Report [DBIR]. Does Verizon deliver any more timely intelligence products to the Government, including the FAA, to help them see new threat spikes coming, instead of looking at them retroactively?
Joe: We have products we sell, in addition to the DBIR, as well as reports from the sensors we have around the world on our global networks, gathering threat intelligence. From there we can quantify the scope of emerging threats plus build trend lines and indicators of compromise that we use to protect our customers and ourselves. We share that information with the industry's ISACs - Information Sharing and Analysis Centers. In some cases, we publish information freely to the industry as a whole, as with the DBIR. For example, as a carrier hosting over 70% of global internet traffic, we gather significant DDoS intelligence, and as we see attacks, we share that information with other ISACs.
Mel: The current hot news item is ransomware attacks, which have crippled banking, medical, and trading organizations. Is this a threat to agencies like the FAA as well, and if so, would Verizon do anything special to mitigate it?
Joe: This threat is so profitable for the bad guys that they're somewhat indiscriminate about which organizations they attack. For government agencies like the FAA, I suspect it's not the organizational data they're after, but the information that's being exchanged in real time with the contractors, suppliers, airlines and other stakeholders. Every agency must remain vigilant to protect against this threat. What we're finding from a support standpoint is that it's most effective to monitor the criminal enterprise's own sales organizations to see what they're doing. We track the evolving threat of ransomware and can then say to our customers "Here's what we see trending, and here is how you can protect yourself."
Mel: Much of the telemetry infrastructure to government facilities such as radar sites is still on TDM circuits like T1 and ISDN. Though we know differently today, historically, IT considered these impervious to attack. As TDM links migrate to IP, how does Verizon smoothly add the necessary hardening?
Joe: Converting TDM networks to IP networks is something Verizon has been doing for decades, not only for customers, but also for our own internal data network. Our experience has developed a set of industry best practices that wraps security controls around the endpoints to integrate the IP security infrastructure with extensive internal monitoring capabilities. We monitor these endpoints for any indicators of compromise or suspicious activity, quarantine or isolate where possible, and use our security expertise to investigate and mitigate potential threats without impacting operations. This is a major improvement over TDM security as TDM was never impervious to threats.
Mel: 5G standards have put a lot of emphasis on security with technologies such as network slicing and Security Edge Protection Proxy. How is Verizon maintaining those security standards throughout deployment?
Joe: The technologies you mentioned – slicing and edge protection – plus segmentation and advanced encryption, are all being deployed as part of the network build-out. Security is integrated into every one of our network designs before it is deployed. As we deploy in phases, our modular architecture and security designs enable us to adapt to meet an evolving 5G standard and incorporate new security measures. 5G will reduce latency and support much greater information flow.
For agencies like the FAA and DOT who are responsible for monitoring new flows of data associated with nascent missions like unmanned flight and self-driving vehicles, these capabilities become absolutely essential to their core competency. Threat evolution across all government agencies is the ultimate focus of Verizon's security teams, as they set the standards to protect new missions from future attacks.