When Xconomy convened a dinner discussion earlier this year that included prominent San Diego cybersecurity innovators, startup founders, and system administrators, I was stunned to learn that Gary Hayslip oversees an IT network that blocks an average of 800,000 cyber attacks a day.
Hayslip is deputy director and chief information security officer (CISO) for the city of San Diego. He oversees a web of government computer networks that enable city residents to pay their parking tickets, submit bids on city contracts, and make online payments for city taxes and sewer fees.
Many of the 800,000 daily attacks on the city of San Diego are the result of automated tools “that are just running out on the Internet,” Hayslip said. Some of them are sophisticated attempts to access city networks. In any case, Hayslip is the one responsible for guarding the city’s data networks against intruders.
From time to time, Hayslip brings in new technologies from local cybersecurity startups. “When we partner with a startup,” he said, “part of the agreement is we receive the technology for free for one year. They get to use the city as a test bed, and my team works with their teams to help develop their technology. At the end of the year, if we decide to keep them, we negotiate a new contract and become a paying customer.”
Hayslip recently responded to e-mail questions from Xconomy about the city as a cybersecurity test bed. His answers have been condensed and edited for readability.
Xconomy: Can you describe the state of cyberwar between hackers and government websites like the city of San Diego’s?
Gary Hayslip: First off, I want to state there is not a “State of Cyberwar.” Cities are businesses. We have many of the same components a private business contains, and because of that we are a target. We also happen to be a business that is public and required to state when we have breaches, so many of our issues are more public than a private business that may keep their issues in-house.
With that said, there is an increase in cyber-attacks against public organizations, whether it is cyber activists or criminal organizations looking to steal and/or ransom information. The one point I want to make here is that we are in a cyber cold war: one side innovates and does damage, steals information, etc. Then the other side innovates and comes up with new technologies to attack or defend itself. I don’t believe there is going to be a winner. This will be a long struggle between vague “us vs. them,” and I don’t see it changing anytime in the near future. Until we are able to solve the monetization of stolen data issue—i.e., encrypting data and demanding a ransom—we will be in this struggle. Organizations must understand that if you are connected to the Internet, you are involved whether you know it or not.
X: What cybersecurity companies have used the city of San Diego as a test bed?
GH: We currently have partnerships with PacketSled, AttackIQ, Cyberflow Analytics, and PivotPoint Risk Analytics. We are actively involved with all four companies.
We use PacketSled as part of our overlapping security controls to assist us in seeing an attack as it develops, and to help us document any indicators of compromise so we can remediate the issue or block the attack entirely. One thing we found interesting about PacketSled technology is that it gives you an amazing view into an attack sequence, and you can replay it—similar to a digital video recorder (DVR)—so you can gain a better understanding of what is happening and coordinate your response to the issue. It integrates well with many of our other technologies. It’s not a tool to replace everything. It’s a solution that helps make them more relevant, and it provides better situational content during a cyber incident.
AttackIQ is a platform of attack scenarios that we use via lightweight sensors to test our networks’ security and to verify our controls and whether we need to make adjustments.
Cyberflow Analytics is technology we have installed in the core of our networks that provides risk analytics of user behavior on computer systems and other assets installed in the interior of our enterprise.
The last partner is PivotPoint Risk Analytics. This solution takes in our technology, security controls, and provides a risk baseline. It can actually provide us a dollar amount for the cost of a breach, based on the technology and security control decisions we have made as an organization. All four of these solutions provide an extra piece to the overall security puzzle I am in charge of implementing for the city of San Diego.
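Hayslip describes using PacketSled to replay an attack sequence like a DVR and to document indicators of compromise. The following Python routine is an added illustration of what that kind of reconstruction involves at its most basic; it is not PacketSled's code or the city's. It assumes a hypothetical key=value log format shared by a proxy, a firewall and an endpoint agent, and every hostname, address and hash in the sample is constructed. The routine sorts one host's events into chronological order, regardless of the order the collectors delivered them in, renders a readable step list, and collects the external addresses, names and file hashes seen along the way.

```python
"""Reconstruct an ordered attack sequence from mixed log sources and collect
indicators of compromise (IoCs) from it.

Added example. The log format, hosts, addresses and hashes are constructed
for illustration; nothing here comes from the City of San Diego or PacketSled.
"""
import re
from datetime import datetime

# Constructed sample events, deliberately out of order, from three sources.
SAMPLE_LOGS = [
    "2016-06-01T09:14:03Z proxy host=ws-114 dst=updates-cdn.example.net url=/pkg/a.js",
    "2016-06-01T09:13:55Z endpoint host=ws-114 proc=winword.exe child=powershell.exe sha256=" + "a" * 64,
    "2016-06-01T09:14:41Z firewall host=ws-114 dst=203.0.113.50:443 action=allow",
    "2016-06-01T09:13:12Z proxy host=ws-114 dst=mail.example.org url=/inbox/attachment.doc",
    "2016-06-01T09:20:07Z firewall host=ws-201 dst=198.51.100.7:22 action=deny",
    "2016-06-01T09:15:02Z endpoint host=ws-114 proc=powershell.exe child=rundll32.exe sha256=" + "b" * 64,
]

KV_RE = re.compile(r"(\w+)=(\S+)")
IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")  # optional :port
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_event(line):
    """Split one log line into timestamp, source system and key=value fields."""
    ts_text, source, rest = line.split(" ", 2)
    return {
        "ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        "source": source,
        "fields": dict(KV_RE.findall(rest)),
    }


def build_timeline(lines, host):
    """Return one host's events in chronological order, whatever order the
    collectors delivered them in."""
    events = [parse_event(line) for line in lines]
    mine = [e for e in events if e["fields"].get("host") == host]
    return sorted(mine, key=lambda e: e["ts"])


def extract_iocs(events):
    """Collect external IPv4 addresses, names and file hashes seen in the sequence."""
    iocs = {"ipv4": set(), "domain": set(), "sha256": set()}
    for e in events:
        dst = e["fields"].get("dst")
        if dst:
            m = IPV4_RE.match(dst)
            if m:
                iocs["ipv4"].add(m.group(1))  # strip the port, keep the address
            else:
                iocs["domain"].add(dst)
        digest = e["fields"].get("sha256")
        if digest and SHA256_RE.match(digest):
            iocs["sha256"].add(digest)
    return iocs


def describe(event):
    """Render one event as a single human-readable replay step."""
    f = event["fields"]
    t = event["ts"].strftime("%H:%M:%S")
    if event["source"] == "proxy":
        return f"{t} proxy    {f['host']} fetched {f['url']} from {f['dst']}"
    if event["source"] == "firewall":
        return f"{t} firewall {f['host']} -> {f['dst']} ({f['action']})"
    if event["source"] == "endpoint":
        return f"{t} endpoint {f['host']} {f['proc']} spawned {f['child']}"
    return f"{t} {event['source']} {f}"


def replay(lines, host):
    """Produce the ordered replay of one host's activity plus the IoCs it yields."""
    timeline = build_timeline(lines, host)
    return [describe(e) for e in timeline], extract_iocs(timeline)


if __name__ == "__main__":
    steps, iocs = replay(SAMPLE_LOGS, "ws-114")
    print("\n".join(steps))
    for kind, values in iocs.items():
        print(kind, sorted(values))
```

Run as-is, the replay for ws-114 reads as five steps in time order: the document fetch, the Word-to-PowerShell child process, the script download, the allowed outbound connection, and the PowerShell-to-rundll32 child process. That ordering is the point: the individual lines above were delivered out of sequence and from different sensors, and only after sorting them onto one timeline does the chain become visible and the IoC list (one address, two names, two hashes) become something a team can hand to a blocking control.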