It’s necessary to modernize legacy systems like Supervisory Control and Data Acquisition (SCADA) systems to better perform cybersecurity.

Donna S. Bennett, Chief Information Security Officer at the US Department of State, speaks at a talk held in Hanoi. Photos: Linh Pham/The Hanoi Times

Donna S. Bennett, Chief Information Security Officer at the US Department of State, stressed the importance of upgraded systems in protecting businesses as the SCADA systems have never been modernized in years following its existence of about 25-30 years.

Indeed, critical infrastructure is such a huge gateway for a lot of threat vectors if the systems are not modernized, with the existence of operating systems like Windows 3.11 (a major release of Microsoft Windows released in April 1992), DOS (Disk Operating System), and some of these SCADA systems are running off of this type of operating system. 

The cybersecurity expert named the threats for the fact that “a lot of people feel that they’re not necessarily susceptible to cyberattacks.” “But that is not true,” said Bennett who has served in various cybersecurity leadership positions throughout the US Navy and the Department of Defense.

“So I think one of the main things is that we need to be very content and aware that those systems exist. And then we need to start mapping out compensating controls and how to protect those systems, and then also start to look at how do we start to modernize?” noted the cybersecurity industry veteran who brings over 25 years of experience leading large enterprise information security architecture programs, policy, operations, and modernization.

In reality, the systems have been deployed and installed, and no one has really thought about modernizing those systems. Even when they think about modernizing them, they introduce a whole other set of threats because modernization is on the network. It’s not separated.

In the IT world, the term “legacy system” describes an older computer system, software application, or technology infrastructure that is still in use but is considered outdated or is no longer actively supported or developed. Meanwhile, critical infrastructure consists of the assets, systems, and networks that provide the functions necessary for our way of life.

Bennett addressed the issues in the talk titled “Cybersecurity and Emerging Trends held at the US Embassy in Hanoi last month with the participation of young professionals from public to private sectors and university faculties and students who engage in the cybersecurity industry. 

The talk moderated by Ngo Tuan Anh, CEO of SafeGate and Vice President of the Vietnam Information Security Association (VNISA).

Moderated by Ngo Tuan Anh, CEO of SafeGate and Vice President of the Vietnam Information Security Association (VNISA), the talk centered on emerging trends in cybersecurity for governments and businesses, collaboration between industry and governments to address and reduce risk, certification programs, enterprise risk management, and national policies. 

The Q&A also focused on attack vectors, solutions and policies, and lessons from the US government to help businesses mitigate these kinds of risks.

The questions were raised by representatives of the National Cybersecurity Center of Vietnam, Microsoft Vietnam, officials working in private companies, students specializing in a wide variety of networks, and Vietnamese students studying in the US.  

Concerning legacy systems, Bennett compared the outdated SCADA system to a system used for building control. If the building has contemporary architecture but an antiquated control system, it will not be sufficient.

Regarding risk prevention and how businesses should invest in cybersecurity, especially small and medium ones. Bennett said that both small and big companies are all susceptible to ransomware and she supports the protection.  

Importantly, companies need to be aware of cyberattacks as they provide long-term protection. “Maybe this is not that important at the moment until they’re susceptible to a ransomware attack where everything is encrypted. And now it affects their bottom line, it affects their business,” the security industry veteran advised.

In some instances, it's hard for companies to recover from a ransomware attack. In case of being attacked, the firm’s operation and reputation will be hurt and seriously, they may not have enough money to pay the ransom. 

Young audiences at the talk.

Risk sharing

To protect business and brand, the expert advised companies to have a professional service, including service level visibility, and move to protection and monitoring because it remains unknown when cyberattacks happen to their systems and when they begin to attack. Therefore, it’s better if firms can address the problem early.

And putting information in the cloud is a way to protect data, which Bennett called “risk transference”. “You’re transferring the risk to someone else to manage it for you, you got to be very mindful that even though you’ve transferred the risks, you understand what risks are transferring and how well they protect your information in the cloud?”

However, the expert also warned that this method would pose risks as well. According to her, “a risk to one is a risk to all” so businesses need to be very cognizant of that and they have to weigh the risks associated with doing this transference. 

An audience raises a question for the Chief Information Security Officer.

AI development

Bennett’s talk also covered artificial intelligence (AI), which she said there is a lot of good utility with.

The professor highlighted the role of AI in cutting processing time down in some instances, from months to minutes, with a full report on everything made.

However, she reminded users to validate information because the data is only as good as the element that they are training, both the learning model with good data and with bad data. “There’s been a number of incidents that I have seen in the news, where there have been some companies that have been susceptible to cyber-attacks because the code has been injected in their learning model,” she warned.

She shared experiences in the field with things called ‘bug bounty’ and ‘AI bounty’. “One of the things that we are implementing within the State Department is we’re looking at a term that I had mentioned earlier, it’s called bug bounty, but we’re looking at AI bounty, and that is to make sure that we can attest to where do we get the code is to code secure, and really making sure that we have safe and unbiased learning models that are introduced into our environment.”

One of the things that has come out of legislation within the United States government is that as they implement AI into their organization or any federal organization, they have to have those pieces in place. 

The talk attracts a large number of audiences.

Cybersecurity workforce

When asked about the development of the cybersecurity workforce in the US, Bennett gave the audience an overview of the situation in her country, which started roughly 10 years ago.

The National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce promoting US innovation and industrial competitiveness, started looking at the human aspect of cybersecurity, and the field has evolved over the years in terms of professionalizing the workforce.

Bennett, at the time, worked with NIST before she came to the State Department to come up with the process and started looking at what types of education and background a person needs to be in some specific career field.

Then, while she was working in the Defense Department, they saw the need, and they also looked at how they professionalize the workforce from the standpoint of not just doing on-the-job training but also looking at certifications.

On the NIST website, they talk about nice standards, the different facets of cybersecurity, the skills needed to have in each of those sections, and specific certifications to help professionalize the workforce.

According to Bennett, there is a huge demand in the cybersecurity field. And it is no secret that most government organizations are not going to pay someone very well, unlike major corporations.

“And what I have found is that most people that come to the government that stay, they do it because of the greater good, the passion that they have, they really want to help, the federal government, they really want to help the mission, the agenda, move it forward,” she shared.

The expert stressed the importance of training in cybersecurity to have better workforce, with many working remotely. “And many people in Vietnam, in cybersecurity do work remotely is commonly and they have a higher salary than people in another country," she noted.