"and, as appropriate, hold these senior officials accountable."
If that happens it might cause changes of attitude more widely.
Serial tech and digital privacy critic Senator Ron Wyden (D-OR) laid into UnitedHealth Group's (UHG) CEO for appointing a CISO Wyden deemed "unqualified" – a decision he claims likely led to its ransomware catastrophe of late. Wyden lambasted UHG in a letter sent to Lina Khan and Gary Gensler, chairs of the FTC and SEC …
In fact his previous role was a high level information security role. It's a bit lazy of the senator not to look behind job titles. However...
https://www.businesswire.com/news/home/20200413005255/en/Change-Healthcare-Appoints-Steven-Martin-as-Executive-Vice-President-of-Enterprise-Technology
"In his new role, Martin will oversee all of Change Healthcare’s R&D, information security and IT operations and he will be responsible for the overall technology direction of the Company’s product and service portfolio."
That's an alarmingly wide portfolio and probably the real problem. God knows who was doing security before him, no one? Perhaps one has to give the benefit of the doubt and assume he knew a thing or two about security and eventually managed to argue it needed someone's sole focus, and as the one most familiar with the overall technology of the company he'd have been a decent pick for that role, but that only happened a couple of months before the attack.
It's been traditional to fire the CISO after a security breach, to placate the masses. The Board of Directors effectively says: "Look, look, we're doing something about this problem!"
The most technically-skilled and most security-knowledge-credentialled CISO in the world will still be hamstrung if the BoD votes down his/her/etc. budget requests and proposed policy/procedure changes.
The CEO and board constantly balance perceived costs against perceived benefits and risks. Perhaps the scale of the risks was not well understood at the board level, making it easier to dismiss pleas for better tooling and procedures. Unfortunately, the risks were borne by far more than UHG, but UHG was only weighing *their* costs and risks. Hopefully this will cause other organizations to place more emphasis on the risks of attackers, allowing them to spend more appropriately on security.
That's WAY too much responsibility.
It's quite common to blame your head of IT security. And if that is their only role, appropriate as well.
But this guy was overseeing way too many things. As I stated in a previous comment on the original article, and so did the other commenter in this thread, you can bet the BoD was NOT spending the money needed for security. I'm leaving a company that has just done the same thing to their head of IT security. Too much responsibility and frozen budget.
What you are calling his "previous job" is his current job - the senator was not wrong. Change Healthcare is the same as United Health since 2022.
UnitedHealth Group completed its purchase of Change Healthcare, the company announced Monday morning, after defeating the Department of Justice in federal court over the agency's attempt to block the $13 billion deal. It does not appear the DOJ will challenge the deal in appellate court. [healthcaredive dot com, Oct 3, 2022]
Therein lies a (the?) major problem - the monopolization of the healthcare industry. Why should they fix the security problem? It costs less to pay the ransom and the alternative to so-called customers is to go without medical care.
He took on a different job title at the parent company which acquired the business his previous role was at. My point is precisely that his job didn't change all that much, so he had more experience than the senator implies. The senator's specific complaint was that Martin was promoted to CISO *in 2023* having not worked "a full-time cybersecurity role before". In fact he would have had extensive knowledge of not only cybersecurity but of cybersecurity in the relevant business unit, and that seems important to gloss over, albeit the actual job title does imply the security overseeing wasn't full-time. We don't really know for sure; job titles and responsibilities don't correlate well.
Let's just agree the senator is likely not wrong but is spinning the facts. As is his wont as a politician *shrug*
I do wonder about the suspicious timing of the promotion (the senator says June 2023, other sources give Nov 2023). Did UHG have some kind of warning an attack was in progress? It's entirely possible a foothold was gained in late 2023, which prompted an 'oh shit' moment, the promotion, and ultimately a failure to prevent the attack progressing as it did by Feb 2024.
This was his previous job!
Martin brings more than 20 years of experience through the various roles he held at GE, including chief digital officer and chief commercial officer, where he was responsible for engineering, sales, marketing, product management, and services across GE's global digital portfolio.
In a business that size, you need effective managers at the top more than you need subject matter experts at the top. A good manager would trust his SMEs and take their advice when it comes to technical matters beyond his knowledge.
Now if this guy wasn't doing that then he was a bad manager. But not every cybersecurity expert is going to make a good manager regardless of how much experience they have in the field, and might be even more unwilling to listen to those under him if his opinion differed and he assumed because of his experience and position that he knew best.
United Healthcare has been cutting corners for years in various ways. I'm not surprised they weren't interested in spending more than the minimum on security.
On an unrelated note, I'm impressed that no one mentioned this guy's 14 year stint at Microsoft as having any impact on his decision making in the C suite.
This *is* a big deal! Pharmacy access was significantly impacted for weeks, and PII of over 100 million people was released. If the top managers of this corp are responsible for its successes, and are rewarded accordingly, why are they NOT responsible for its failures?
The question is not whether they are responsible in theory, as that's what having that position means. The question is whether the level of blame attached to this person is correct. If they had named someone with more security experience, do we have reason to believe that would have improved things? If the answer is no, then focusing on this is distracting from a different and larger problem. Of course, this depends on lots of little points that we don't have information on, which is why most retrospective examinations take a long time and produce long reports.
For example, if the lack of MFA issue is determined to be an important issue, did the CISO know about it? If he did, was he trying to do something about it or not? If he was, did he have enough time between finding out about the situation and the attack that he should have completed his actions or not? If he didn't know, why didn't he? If he should have been told but wasn't, why not? If he shouldn't have been told because it was being managed by a lower level, repeat all these questions with the manager of that group.
It's boring work, but if you need a problem to stop, it is not enough to fire the person nominally in charge and put someone else in. That someone else will probably change something, but without asking all these questions, it could end up being the wrong thing and that person just becomes the responsible party in the next breach. In this case, there actually appear to be several technical failures involved, but exactly the same blame is ascribed to anywhere that had a negative event, no matter how much responsibility the tech areas had for causing the event. Did someone in sales get bribed to get the customer list, to which they had access because sales needs to annoy the customers to keep having more sales, and send a copy? Fire the CISO, that's what they're there for. It can easily be the right response, but it shouldn't be an automatic one.
While the CISO is a manager, they need to understand the needs of security. The risk analysis questions that CISOs face are unique compared to other C*O managers. They cannot just rely on their deputy CISO to provide that risk analysis.
Why does that matter? Knowing the details of infosec allows the CISO to understand which efforts to prioritize inside their division, which initiatives are likely to be a more effective use of funds.
SMEs provide expertise in their specific area, but are not the persons to balance competing efforts from their own department.
It's hard to find a more intelligent or reality-aware elected official than Ron Wyden.
UnitedHealth Group? They're pathetic parasites IMHO. Parasites are renowned for not having much in the intelligence department.
Thank you again, Senator Wyden! And thank you Oregon for keeping him in office.
The main job of the CISO (other than to be ablative armor for the CEO in situations like this) is to get budget. I'm willing to bet that that is BY FAR the main challenge. You don't need to be an SME for that, you need to be a salesman. This is going to be more true the larger the corporation.
Yes, you need to learn enough that the various directors lying to you get caught. But given that they should not be SMEs either...
I'm a big fan of the Senator when it comes to tech. But this really isn't a tech issue.
One such critic is Tom Kellermann, SVP of cyber strategy at Contrast Security, who previously told The Register: "I'm blown away by the fact that they weren't using multi-factor authentication. I'm blown away that the networks weren't segmented. And I'm blown away that they didn't conduct threat hunting robustly into that environment knowing that they had been compromised. I think it's egregious negligence, frankly."
I remember failing to persuade a client to install internal firewalls on their network to segregate things like their finance department from their R&D and their main businesses (it was a large Govt. Department). 'Not needed because they have secured their perimeter.'
Then one senior executive brought in her 'friend' Melissa* to play one morning ...
Took them three days to clean the network.
'Once bitten, twice shy' as the saying goes.
* Link for the youngsters: https://en.wikipedia.org/wiki/Melissa_(computer_virus)
It's my job to talk with CISOs. I've discovered there are a few types:
1) former 'technical' person. Probably worked on a SOC team or did some red teaming at some point in their career. They view CISO as 'defend the network'. These guys tend to fail in the boardroom but tend to do a competent job with what little budget they get.
2) former 'cops'. Law enforcement, legal backgrounds, program managers for TLAs etc. They view being a CISO as 'risk management'. Do somewhat better with the boardroom, but also tend to be a bit brittle since they have impostor syndrome pretty hard with the technical team that reports to them.
2b) Subset of 2 that has done X things that have now 'solved security'. These are the ones that get hacked hard.
And finally, I'll take objection to the Senator's statement:
"The cyberattack against UHG could have been prevented had UHG followed industry best practices," said Wyden, concluding his rousing letter-cum-tirade. "UHG's failure to follow those best practices, and the harm that resulted, is the responsibility of the company's senior officials including UHG's CEO and board of directors."
MFA is a good thing, but the REAL question is how did somebody already have credentials? They were already breached, and they still haven't found root cause.
MFA is there to defend against stolen credentials, alert when credentials are compromised, and initiate a process to correct those stolen credentials.
At that point you can make the effort to discover the HOW of the stolen credentials, which almost always falls upon some user getting socially engineered in some way. Then you can reinforce user education.
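The comment above describes MFA's second job, alerting when a credential is already in someone else's hands, rather than just blocking the login. As an added illustration (not code from the thread, The Register, or UHG), the script below triages a batch of constructed authentication events for the two signals a defender would want surfaced: a successful sign-in that never completed a second factor, and a single account used from two countries within a short window, which means the password is shared or stolen either way. The key=value log format, field names and sample lines are assumptions made for this example and are not any real product's telemetry.

```python
"""Constructed example: triage authentication events for (a) successful
sign-ins with no completed MFA and (b) one credential used from two countries
inside a short window. The log format and all sample lines are assumptions
made for this illustration, not UnitedHealth/Change Healthcare telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample log: one event per line, space-separated key=value pairs
# (an assumed format). bob signs in twice with no second factor; carol's
# credential is used from the US and then Romania four minutes apart.
SAMPLE_LOG = """\
ts=2024-02-10T08:01:12Z user=alice result=success mfa=pass src=10.20.1.15 geo=US
ts=2024-02-10T08:03:40Z user=bob result=success mfa=none src=203.0.113.9 geo=US
ts=2024-02-10T08:05:02Z user=carol result=success mfa=pass src=10.20.3.7 geo=US
ts=2024-02-10T08:09:55Z user=carol result=success mfa=pass src=198.51.100.23 geo=RO
ts=2024-02-10T08:11:30Z user=dave result=failure mfa=none src=192.0.2.44 geo=US
ts=2024-02-10T08:12:01Z user=bob result=success mfa=none src=203.0.113.9 geo=US
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    result: str   # "success" or "failure"
    mfa: str      # "pass" when a second factor completed, anything else otherwise
    src: str
    geo: str      # country code attributed to the source address


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the assumed key=value format; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        events.append(AuthEvent(
            ts=datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            user=fields["user"], result=fields["result"],
            mfa=fields["mfa"], src=fields["src"], geo=fields["geo"]))
    return events


def logins_without_mfa(events: List[AuthEvent]) -> List[str]:
    """Accounts that signed in successfully without completing a second factor.
    Distinct user names, so a noisy account is reported once, not per login."""
    return sorted({e.user for e in events
                   if e.result == "success" and e.mfa != "pass"})


def concurrent_geo_use(events: List[AuthEvent],
                       window: timedelta = timedelta(minutes=30)
                       ) -> List[Tuple[str, str, str]]:
    """One account successfully used from two different countries within
    `window`. Returns sorted (user, earlier_geo, later_geo) tuples; failed
    attempts are ignored because they prove nothing about the credential."""
    hits: Set[Tuple[str, str, str]] = set()
    seen: Dict[str, List[AuthEvent]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.result != "success":
            continue
        for prev in seen.setdefault(e.user, []):
            if prev.geo != e.geo and e.ts - prev.ts <= window:
                hits.add((e.user, prev.geo, e.geo))
        seen[e.user].append(e)
    return sorted(hits)


def triage(text: str) -> Dict[str, list]:
    """Run both checks over a raw log and return the findings for review."""
    events = parse_log(text)
    return {"no_mfa": logins_without_mfa(events),
            "geo_conflict": concurrent_geo_use(events)}


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the sample data the first check reports `bob` (two password-only successes) and the second reports `carol` (US then RO within the window); `dave` is ignored because a failed attempt says nothing about whether the credential is compromised. The geo check is deliberately crude, a fixed window and country codes, because the point is the workflow the comment describes: the alert is what starts the "how were these stolen" investigation, it does not replace it.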