The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) was established in 2015 to provide both the public and private sector in the state with a diverse set of cyberthreat analysis and security incident information.
As described on their government website: “The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) is the State's one-stop shop for cybersecurity information sharing, threat analysis, and incident reporting. A component organization within the New Jersey Office of Homeland Security and Preparedness (NJOHSP), the NJCCIC works to make the State of NJ more resilient to cyber attacks, to promote statewide awareness of local cyber threats and widespread adoption of best practices. Located at the Regional Operations Intelligence Center (ROIC), and acting in a cyber fusion center capacity, the NJCCIC is comprised of members from NJOHSP, the New Jersey Office of Information Technology (NJOIT), and the New Jersey State Police (NJSP). …”
With such a huge task that spans the public and private sectors and reaches around the globe to 35 countries, how can anyone possibly achieve such a challenging mission?
Fortunately for New Jersey, Michael T. Geraghty is up to the task. He wears several hats, serving as the chief information security officer (CISO) for the state of New Jersey and the director of NJCCIC within the New Jersey Office of Homeland Security and Preparedness.
Geraghty brings a wealth of public- and private-sector knowledge and experience into the role, having served as CISO of the Hudson’s Bay Company, chief information officer of the National Center for Missing and Exploited Children, and vice president of High Technology Investigations at Prudential Financial. Previously Geraghty served 12 years with the New Jersey State Police, where he led the formation and development of the High Technology Crimes Investigations Unit.
Geraghty has lectured extensively throughout the world on the topic of cybersecurity, high-tech investigations and computer forensics, providing technical and investigative assistance to law enforcement agencies both domestically and internationally, including the FBI, Secret Service, Department of Homeland Security, Naval Intelligence, New Scotland Yard and the Royal Newfoundland Constabulary Service. He has provided expert testimony before Congress and in federal, state and international courts on computer crime investigations and forensics.
Geraghty is also a past president of the Northeast Chapter of the High Technology Crimes Investigation Association and has held leadership roles in the National Strategic Policy Council on Cyber and Electronic Crime.
In preparation for this interview, I was able to speak with Mike on a few occasions, and his humility, focus on his team getting the credit and his focus on results really stood out to me. I was also impressed with his “team sport” mentality. However, I couldn’t draw him into a “Big Ten” football rivalry debate about Rutgers’ chances in the Big Ten this year (with other government CISOs) — since he still loves and follows his Baylor Bears (from Texas).
You can get a sense of Geraghty’s engaging style from this recent speech at the 2018 Cybersecurity Symposium in New Jersey for Thomas Edison State University.
Exclusive Interview Between Dan Lohrmann and New Jersey CISO Michael Geraghty
Dan Lohrmann (DL): What attracted you to the job as director of the NJCCIC and how did that evolve into also taking on the CISO role for the state of New Jersey?
New Jersey CISO Michael T. Geraghty (MG): What attracted and inspired me was and is the mission of the New Jersey Office of Homeland Security and Preparedness (OHSP), the role of the NJCCIC in supporting that mission, and the fact that responsibility for cybersecurity strategy and oversight for the Executive Branch — the CISO function — had recently been transitioned from the Office of Information Technology (OIT) to OHSP. That alignment told me that New Jersey was serious about cybersecurity and had positioned it to maximize its potential for success. I’m honored to be entrusted with the responsibilities that come with the position and energized by the opportunities it presents to make a positive impact and to do something purposeful.
DL: Describe a few top cyberprojects and NJCCIC accomplishments over the past two years.
MG: We’ve done a heck of a lot — implemented next-gen firewalls at the perimeter, replaced the enterprise SIEM [security information and event management], implemented a cloud-based WAF [Web application firewall], established a vulnerability management program, wrote a completely new set of information security policies and standards, and a whole bunch more. But I think the biggest “accomplishment” is the development of the NJCCIC team. Our model is a bit different than most cybersecurity organizations in state government. We’re located at the Regional Operations Intelligence Center (ROIC), which is New Jersey’s fusion center. As such, we are organized using the fusion center concept. We have staff from OHSP, the New Jersey State Police and the Office of Information Technology assigned to the NJCCIC. They and their respective senior management teams have bought into the mission and concept of the NJCCIC. That has fostered a great level of cooperation, broken down agency silos, and has allowed us to be very nimble and effective.
DL: You call your team "Maxwell's Demons" — why?
MG: It’s a play on James Clerk Maxwell’s imaginary demon. Maxwell was a Scottish scientist and mathematician who is best known for his work in electromagnetic theory. In 1867, prior to his publication of electromagnetic theory, Maxwell proposed a thought experiment to contradict the second law of thermodynamics that states simply — entropy in an enclosed system always increases. Maxwell imagined a hypothetical being, a demon, that could separate fast-moving gas molecules from slow-moving molecules in a box, thereby reducing the amount of entropy. Entropy is often associated with chaos, and in cybersecurity the ever-increasing threat landscape can be seen as chaotic. As such, I view the NJCCIC team performing the work of Maxwell’s demon in that we’re bringing order to cyberchaos — reducing entropy.
DL: How has the vision of the NJCCIC become a reality over the past year? Where do you see things heading next?
MG: We’ve only taken baby steps toward making the vision a reality. There is so much more that needs to be done for the NJCCIC to be impactful at scale. In the next year, we’ll continue to grow and mature the programs we’ve initiated while also expanding into other areas. This year we’ll roll out a statewide threat grid that will provide us with situational awareness about attacks against county government networks, in addition to what we already have on the state network.
We’re continuing to develop partnerships with both the public and private sectors. And we’re forging a strong working relationship with the New Jersey National Guard’s Army and Air Force cybercomponents in order to better protect the state. All of this is intended to create a cybersecurity ecosystem across the state that will make us more resilient to current and emerging cyberthreats.
DL: Your team has broken down silos and built unity across NJ executive branch departments and agencies. How did that happen? Any lessons learned?
MG: We’ve built some trust and unity, but we still have work to do. I think it’s really important that we’re seen as a partner by the agencies. To be a partner, we have to understand their missions, goals and objectives. Too often, information security is viewed by business units as the Department of No. If the mission of state government is to provide services to its citizens, then our job is to help the agencies do that while also managing risk. And managing risk is not a one-size-fits-all formula; there are a lot of approaches you can take to do it effectively. It means tailoring information security controls based on the business objectives, the sensitivity of information and the criticality of the systems. And so it’s imperative for us to partner and work with the agencies to identify the best approach. In law enforcement, this approach is referred to as community policing — partnering with the community to proactively solve problems.
DL: Tell us about your New Jersey Statewide Information Security Manual.
MG: The Statewide Information Security Manual (SISM) was one of the first projects we took on. In the Executive Branch we had a collection of information security policies that were written over a period of time. They became fragmented, some were outdated, confusing, contradictory, and oftentimes ignored. Our goal in rewriting the policies and standards was not to write a series of “thou shall” and “thou shall not” compliance directives but to create a road map to cyber-resilience that the agencies could adopt. The SISM is that road map.
It’s an interconnected series of policies and standards that has been derived from applicable laws; industry best practices including the National Institute of Standards and Technology (NIST) Cybersecurity Framework for Improving Critical Infrastructure; NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations; NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations; the Center for Internet Security (CIS) Top 20 Critical Security Controls; the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM); lessons learned; and other New Jersey state government business and technology-related considerations.
And while this project started out as a rewrite of the Executive Branch’s policies, we also realized early on that what we were developing was applicable beyond just state government. The SISM can be used as a template for any organization that wants a comprehensive and cogent information security manual. It is intended to provide organizations with a means to tailor cost-effective security controls necessary to protect the confidentiality, integrity, availability and privacy of their information and information systems commensurate with their sensitivity and criticality, while also maintaining and ensuring compliance with legal requirements.
DL: How does your team work with the private sector and coordinate with businesses in your state?
MG: We’ve implemented a number of programs aimed at developing a cybersecurity ecosystem within the state. The general cyberthreats that the private sector and businesses in New Jersey face are the same that we face. We made a conscious decision early on to share threat intelligence and information with NJCCIC members and the public at large. We know the attacks and the methods used by the attackers that we face are going to be the same that they’ll face. And so, we share that information through a number of vehicles. In the past year, we published 740 products including cyberintelligence reports, threat profiles, alerts, best practices and industry updates on such current and emerging topics as fileless malware exploits, the latest ransomware profiles, phishing threats and cyber-risk mitigation strategies and tactics. Most recently, we developed a series of “Be Sure To Secure” resource guides that provide NJCCIC members and website visitors with information on various cybersecurity topics as well as instructional guides designed to teach visitors how to properly secure their devices, data and networks, ultimately reducing their cyber-risk.
We’ve conducted 97 threat briefings and best practices presentations to individual organizations. And in the past two years we’ve provided hands-on training to over 1,500 cyberdefenders and investigators on topics including, but not limited to, threat methodology and defense, network intrusion investigations, and computer forensics, among others. We’ve also conducted CISSP and Security+ boot camps. And we’re very actively presenting at industry and organizational events within the New Jersey area.
DL: You mentioned successful tabletop exercises and new incident response planning in New Jersey with the agencies. How did that develop? What are your future plans to enhance incident response?
MG: In 2012, then-Director Robert Mueller of the FBI stated at the RSA Conference that “there are only two types of companies — those that have been hacked and those that will be.” Regardless of how impenetrable you think your cybersecurity defenses are, you’re only a mouse-click away from a disaster. How capable you are in responding to that disaster is as important as any other aspect of your cybersecurity program.
Last year, we began with an Executive Branch-wide tabletop exercise whereby we simulated a major data breach. We talked through all the various aspects and activities that would need to be undertaken to respond effectively. It was introductory, and for most of the participants it was eye-opening. We identified strengths and weaknesses and set out on developing capabilities. Since then we’ve held several other exercises that deal with specific scenarios and/or organizations. We’re making progress. We have a plan and we continue to practice, but in the words of Mike Tyson — “everyone has a plan until they get punched in the mouth.”
DL: Where are cyberdefenses heading next in New Jersey? What tough problems are left to be solved?
MG: The physical world is increasingly becoming IP-enabled. Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and Operational Technologies (OT) were previously only encountered in utilities and manufacturing environments. Today, they have become pervasive throughout businesses large and small. Most recently, the proliferation of “smart” devices and Internet of Things (IoT) technologies has blurred the lines between physical and cybersecurity. We’re on the cusp of smart cities and Autonomous Vehicles (AV), and Intelligent Traffic Systems (ITS) are depended on to manage traffic flows and maintain safety in our transportation systems. Medical devices, HVAC and public water filtration systems are all now IP-enabled. These are security issues that have quality-of-life and public health, welfare and safety consequences if risks are not properly accounted for and treated.
This convergence of physical and cybersecurity is a major focus for us. And while we continue with our efforts to solve the security challenges around protecting data and systems, we also must realize that security failures in this converged world will have potentially dire consequences. These are the tough problems we’re working on.
Earlier, I mentioned the mission of OHSP, which is to lead and coordinate New Jersey’s counterterrorism, cybersecurity and emergency preparedness efforts while building resiliency throughout the State. Our approach to security considers all threats. There is now and will continue to be a convergence of physical and cybersecurity. So that’s why I think it’s so important for New Jersey’s cybersecurity strategy to be organized under OHSP, and for our security strategy, leadership and coordination to be directed from there.
DL: Anything else you want to share?
MG: The NJCCIC was created to be the state of New Jersey’s one-stop shop for cybersecurity information sharing, threat intelligence, best practices and incident reporting, but the cyber-ecosystem I refer to has to extend beyond our state borders to be effective. We have NJCCIC members in 46 states and 35 countries. Best practices here are best practices elsewhere. Threats elsewhere are threats here. We all need to work together to solve the problems we’re facing. No one organization has all the answers. We’re wide open to collaborating with others and welcome them to be part of the cyber-ecosystem.
DL: I’d like to thank Mike for answering my questions, and his team for their great work in protecting New Jersey residents and global partners in so many ways. All the best to you and your team!
You can learn more about New Jersey’s cybersecurity efforts at the New Jersey government website.