An attempted cyber-attack against L-3 Communications that was thwarted with the assistance of the Canadian government is an example of how criminals are coming at companies through unexpected routes, according to the firm’s vice-president of corporate security.
Speaking at a session of the Conference Board of Canada’s recent event on insider threats in Ottawa, Level 3’s Vincent Jarvie told the audience he couldn’t provide many details about the attempted attack, except that it involved doing an end run around the company, which sells systems to the space industry.
“We have more problems with our contractors than our staff. You need to know who your key suppliers are, and to educate them (about possible dangers),” he said. “We found out that an adversary was interested in one of our products, so instead of targeting us they started hitting our suppliers. Only because we educated them were they attuned to that activity. We actually worked with the Canadian government to stop the threat, but it was cross-border.”
Jarvie said the incident brought home the importance of establishing what he called a “counterintelligence program” to learn as much as possible about potential risks to an organization in order to mitigate them. This can make working with members of an IT department, including the CIO, somewhat challenging, he added, because threats can encompass a wide range of factors that may involve physical security and human nature as much as software.
“Partnering with IT is a pain in the neck,” he said. “They think the solution to everything is ones and zeroes. That’s only part of the solution.”
On the other hand, Jarvie said he has created a organizational structure at L-3 that effectively combines tech talent with other areas of expertise. He reports into the ISP’s COO as well as its CEO, and a staff of seven who report into him directly. This includes “half a person” who spends 50 percent of their time acting as the company’s CISO, but who spends the remainder working for Level 3’s CIO. Although this could sound like a constrained use of resources, Jarvie said it can be helpful to have a staff member with a foot in both areas.
“The CIO builds the track that the information traverses,” he said. “A lot of this is about building the relationship.”
Besides IT, Jarvie said his team often get involved in investigations about corporate ethics that turn out to have more to do with security. He said a good counterintelligence program involves monitoring people, the pace of information travelling inside and outside the organization, and the fusion of strategies and tools such as intrusion detection, forensics threat intelligence. There’s also a need for security teams to be on the front lines as much as possible, working directly with various departments to build security into processes from the beginning.
“We’re not just ivory tower guys who write policies,” he said. “I’d like to keep all of my hair. I can do a lot of worrying — and I do a lot of that — but I can also do some strategic planning.”