NDTA’s Cybersecurity Best Practices Committee: A Conversation with Chairman Ted Rybeck
By Sharon Lo, Managing Editor, DTJ & NDTAGram
Originally established as the Security Best Practices Committee to examine both physical and cyber issues in a post-9/11 world, NDTA changed the name to the Cybersecurity Best Practices Committee in 2014 to reflect an even greater cyber focus. The Cybersecurity Committee provides a forum for understanding the emerging cyber challenges and requirements for effective transportation and supply chain partners. For greater insight into the committee, DTJ sat down with its Chairman Mr. Ted Rybeck.
DTJ: Thanks for meeting with us today. To start, I know US Transportation Command (USTRANSCOM) played a significant role within the committee and especially in the decision to refocus the committee on cybersecurity. Can you talk about how the various stakeholders came together on that decision?
Mr. Rybeck: ADM James Loy [who was at the time the Administrator of the Transportation Security Administration and then served as the Deputy Secretary of the Department of Homeland Security], Gen John Handy [who was the Commander of USTRANSCOM at the time] and his successor Gen Norton Schwartz helped us get the original Security Committee up and running after 9/11. It included a focus on physical security, as well as cyber security, in the context of preparedness response and recovery. That was when former NDTA President LTG Ken Wykle was guiding the creation of the committee. We also benefited from the coaching of LTG Wykle’s predecessor LTG Ed Honor.
The decision to further focus the committee came in 2014 and 2015 when then USTRANSCOM Commander Gen Paul Selva, followed by current Commander Gen Darren McDew, along with VADM William Brown during his time as the Deputy Commander at USTRANSCOM and then as the Director for Logistics (J4) at the Joint Chiefs, all supported an increased concentration on cybersecurity. NDTA past President RADM Mark Buzby promoted the notion of taking the Security Committee—which included cyber and physical—and naming it the Cybersecurity Best Practices Committee.
DTJ: It’s great that the committee has received such strong support from senior leadership. Who exactly is a typical committee member?
Mr. Rybeck: Committee membership always started with the notion that this is a CEO team mission-driven effort—with the CIO often acting as the point person—but that contrasts to calling this a technical mission issue. At its onset, the Security Best Practices Committee was led by the CEO of the various committee members. This ranged from CEOs of giant corporations to the CEOs of small family businesses that are in the transportation industry and part of NDTA. For the larger corporations, a company’s CIO often serves as the CEO’s point person.
DTJ: And how do your various members from government, military and industry work together within the committee?
Mr. Rybeck: We start by prioritizing which challenges are the most pressing for our members and the public-private sector partnership. Then we educate to those priorities. One of the strongest ways to upskill is exchanging best practices among the members. That way all the NDTA members share a common foundation of lessons learned.
Cyber is one of those issues where competitive questions are less important and “united we stand” issues are more important. There’s no stronger common ground issue than cybersecurity. That’s also why the NDTA Cybersecurity Committee communicates what we’re doing into all the other committees, who also have cyber as integral to what they’re working on.
DTJ: What are the committee’s main objectives?
Mr. Rybeck: Our overall objectives are best stated in the committee’s charter: ‘The NDTA Cybersecurity Best Practices Committee, like the Security Best Practices Committee before it, represents shared cybersecurity interests and concerns between USTRANSCOM and its transportation and logistics industry partners.
Across this community of interest and within the NDTA educational mandate, committee members create, instill, and inspire collaboration to increase cyber readiness. Specifically, committee members exchange and develop best practices and policies that prevent, manage, and respond to current and emerging cybersecurity threats. Ultimately, the committee’s efforts contribute to operational mission assurance for transportation and logistics.’
Within that charter, we have our 2018 priorities. First, the committee will continue to strengthen the understanding of all NDTA members on cybersecurity best practices and contract compliance requirements. This focuses on all businesses, but especially small businesses who may not have as many resources to dedicate toward cyber issues. How do we do that? One fundamental way is to help highlight the small number of supply chain data elements that need the most security. Otherwise, we can all get overwhelmed trying to protect oceans of data that are less sensitive or already public.
These priorities align with the standard planning requirements of the National Institute of Standards and Technology (NIST) 800-171 controls. In doing so, the committee supports each NDTA member in complying with the Department of Defense (DOD) requirements for NIST compliance by all DOD contractors. This includes strategic issues as well as device-level compliance issues such as the use of secure phones, which is an especially big challenge on ships.
A prerequisite for any steps forward will be to keep it simple. A classic example of this has been password protection. Many of us know someone who got so overwhelmed with managing their passwords that they put a Post-it note with the passwords on their computer screen. The takeaway is that new security regimens have to be practical enough that they don’t inadvertently create more problems than they solve.
The committee aims to support the categorization of challenges and threats so that everyone in the public-private partnership can better assess their own vulnerabilities as well as the potential cyber attack paths by any adversaries. Threat analysis also involves evaluating how fast NDTA members, USTRANSCOM, the Defense Logistics Agency, and the DOD overall can recover from a breach. This is a kind of proactive resilience or “prosilience” for mission assurance to use an expression from USTRANSCOM’s Chief Security Officer. That’s all hard to do, but from an educational perspective, this fits the NDTA mission.
Like all the committees, we want to continue support of USTRANSCOM’s continuity of operation exercises. These exercises give everyone a chance to see what happens if USTRANSCOM or any of USTRANSCOM’s partners have to operate without the systems that they usually depend on. That also raises the question of how you assess whether the information we’re dealing with from a partner is accurate or valid. All of this is about best practice sharing, which has to do with aligning those best practices between the military and the private sector leaders both technically and operationally.
DTJ: And do you still focus on physical security?
Mr. Rybeck: Physical security by nature is a part of cybersecurity and cybersecurity by nature is dependent on physical security. Cyber was a big part of the NDTA Security Best Practices Committee from the start because there’s no way to avoid it. Old-fashioned perimeter security has been so integrated with digital assets that there is no way to separate the two. For example, the NIST Cybersecurity Controls include issues that relate to physical access. Another example, that many NDTA members will be familiar with, is the Transportation Worker Identification Credential (TWIC). The credential still has a long way to go in part because it requires agreement by policy makers and infrastructure owners on how to handle the challenges where physical security and cybersecurity intersect.
DTJ: What do you feel have been the major accomplishments of the committee since refocusing on cybersecurity?
Mr. Rybeck: There are three I think are most significant. First, clarifying the requirements for large and small businesses with the DOD as a whole, and with USTRANSCOM in particular.
Second, beginning an exchange between the companies on their actual experiences with threats and remediation. This is a breakthrough example of why NDTA is so unique—the participants care enough about the DOD mission as a whole that they are able to share challenges that in another environment would be seen as negative exposure. There’s an old expression, “the nail that stands up shall be pounded down.” As it happens at USTRANSCOM, Gen McDew and his team, as well as his predecessors, have made it clear that it is about progress and not about looking good in an area that the entire world knows doesn’t look good.
A third accomplishment—and a concrete example of upskilling, awareness, and then providing specific resources—is what the committee’s Working Group on Small Businesses did in pulling together a resource list that we have put on the NDTA website [located at www.ndtahq.com/media-and-publications/cyber-resources/]. To be clear, these resources are relevant to all businesses, as well as small businesses. Having said that, we acknowledge that a large business often has more staff available to coordinate and distill their organization’s documentation on cybersecurity best practices.
DTJ: I’d like to switch gears a bit to get your thoughts on more general cyber issues. For starters, what do you feel are the biggest cyber challenges or threats facing transportation, logistics and supply chains today?
Mr. Rybeck: To me the greatest challenge is how to prioritize preparedness and recovery in a combined public-private network like our Defense supply chain partnership. Any supply chain faces challenges of cyber preparedness and recovery due to multiple interdependencies. But the overall stakes, the global interdependencies, and the materiel complexity are all much higher in the Defense supply chain. That may sound depressing, but fortunately NDTA has been building joint upskilling capabilities since the united effort during World War II. So this is what NDTA knows how to address. Now those upskilling and mobilization resources need to be regeared for different adversaries and tools.
DTJ: Do you find that certain threats are greater to or specific to certain modes, or being that supply chains are so interconnected do the same threats apply across the board?
Mr. Rybeck: The particulars, such as the equipment and suppliers associated, change from mode to mode. But, most of the issues are common. The larger umbrella that brings them all together is communicating the right requirements with internal and external partners in a time when we’re all networked together, but without a common concept of operations on cybersecurity. We’ve developed that common concept of operations as we needed it for secure collaboration in the past. We’ve yet to apply that discipline to the Internet and the Internet of Things.
DTJ: What are some solutions to these challenges?
Mr. Rybeck: An important start has been NIST providing a national framework of control requirements that could be used internationally. A strength of the NIST approach is that it presents the challenge in a disciplined way that needs to be resolved by each organization, but it doesn’t specify the exact solution. That gives each organization the flexibility they need to take the right steps as the cyber attackers innovate. NIST compliance gets us to come together on a baseline of good practices on the way to best practices. There are more advanced precautions to take. As a first step, adhering to the NIST control requirements will make cyber attacks against the Defense supplier chain costlier and riskier for an adversary. That’s a goal for the private sector supply chain as well. So cyber upskilling and mobilization is a larger national and international issue that goes way beyond USTRANSCOM, DLA, and the DOD. All the more reason that NDTA, USTRANSCOM, DLA, DOD, and their private sector partners should be pacesetters on cybersecurity best practices. Inevitably, there will be incidents that occur. So it all comes back to how effectively the Defense supply chain can prepare and respond compared to the status quo.
DTJ: Thank you so much for your time today. I’d like to close by asking the question that always comes to my mind when I read about cybersecurity issues—with cyber threats evolving so rapidly, how can organizations keep pace?
Mr. Rybeck: The response to cybersecurity won’t be a thing that we buy. It can only be achieved by maintaining systems internally that securely update the organization on what’s been done and needs to be done. That means we don’t get to build systems and move on. Instead, we need to concurrently update systems globally and upskill each individual on the system about their cyber defense responsibilities. Mission assurance depends on a faster pace of continuous upgrades and joint mobilization. That’s needed and that’s hard.