Earlier this year, Governor Chris Christie issued Executive Order 178, creating the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). The entity, based within the state’s Office of Homeland Security and Preparedness (NJOHSP), is the state’s civilian interface for coordinating cybersecurity information sharing, performing cybersecurity threat analysis and promoting shared and real-time situational awareness between public- and private-sector entities.
Christopher Rodriguez, director of the NJOHSP, explains that since New Jersey is perhaps the most digitally-dense state in the nation, the executive order recognizes the dangers of rapidly evolving cyber threats.
The barriers to entry for those wanting to commit any type of cybercrime are very low, Rodriguez explains. “There are more gateways for intruders as more and more businesses move their business online. Malicious software tools are proliferating on the Internet. Someone can literally download free software that can scan billions of websites for their vulnerabilities and insert malicious code into them. … You don’t have to be a very sophisticated cyber intruder, today.”
The NJCCIC’s biggest role is information sharing. “If we see threat warnings coming from other government entities throughout the country, we can share that information in real time with businesses,” Rodriguez explains. For those who become members (sign in at www.cyber.nj.gov/members), NJCCIC sends vulnerability advisories on national and global cyber security issues. The NJCCIC gathers data via strong partnerships with the Federal Bureau of Investigation, the Federal Department of Homeland Security and other agencies.
On the NJCCIC website (www.cyber.nj.gov), businesses can also see Twitter feeds on cybersecurity issues and vulnerability advisories, which at press-time, offer information links to the following problems:
Perhaps most importantly, the NJCCIC conducts cyber-threat assessments of business systems, at no cost and on a confidential basis.
Rodriguez says the best way businesses can help the NJCCIC is by reporting suspected cyber incidents to the organization via its website or e-mail (email@example.com). “If the business gives us permission, we can share that information, on an unattributable basis, with other companies, not only in New Jersey, but across the country. That’s one of the messages we are trying to disseminate to the business community – that we are all in this together. If we all cooperate, build trust and relationships, we can increase the barriers to entry for malicious actors.”
The NJCCIC also provides training courses for businesses and other entities. Most recently, it held a “Cyber Implications for Critical Infrastructure” program, which emphasized the interdependency between physical and cybersecurity disciplines and opportunities to formulate risk management strategies to enhance infrastructure and resilience efforts.
According to Rodriguez, NJOHSP will be hosting additional events in the near future. Participants can register for these events and webinars on the NJOHSP website.
The NJCCIC is based out of the Regional Operations Intelligence Center in West Trenton. According to Rodriguez, the NJCCIC has become a model for other states. “We have had a half a dozen states reach out to us and ask about how we set up this capability, and what steps they need to take to replicate this model,” he says.
The New Jersey Business & Industry Association is partnering with the NJCCIC in an effort to connect the association’s 20,000 member companies with the resources the NJCCIC is offering. According to NJBIA President Michele Siekerka, “Our goal is to serve as a connector for the information coming out of the state and getting that delivered to our members. We are also educating our members on their responsibility to report potential cyber breaches back to the state so that members can be part of the solution.”
Future events are planned between the two organizations for NJBIA member companies.
To report cyber incidents, call 1-866-4-SAFE-NJ or dial 211.
— George N. Saliba
Cybersecurity is among the greatest issues facing businesses today, and Morris Plains-based LinkHigh Technologies recently held a seminar featuring renowned security expert Gideon Lenkey. Lenkey, the former president and chairman of the Board of the New Jersey InfaGard Chapter, has written numerous cybersecurity publications, and was featured in the documentary film Code 2600.
Above all, Lenkey noted that firewalls and antivirus software are no longer sufficient because hackers can readily bypass them with unique, undetectable malware – and assailants can do so without the targeted company ever becoming aware of the attack.
Lenkey stressed, “If there is one thing you take out of here today, it is: Yes, [firewalls and antivirus] are necessary, and, yes, they provide a protection value, but it’s not what you think it is. It is not what it was, 10 years ago. They are fully and thoroughly subverted at this point; it is easy to do.”
“Surfing” the Internet is one way computers can become infected: A user can simply visit a reputable website, and an advertising banner might have malicious code in it, which is then downloaded to the user’s machine.
Separately, Lenkey addressed: spear phishing attacks; the dangers of social engineering via the social media site LinkedIn; WiFi concerns; mobile phone communication intercepts; and the importance of not storing personal information on computers.
Overall, Lenkey said that businesses must understand what protections they have, and what purposes they serve. From a security standpoint, they must decide what they should do “in house,” and what they shouldn’t be doing in house. Moreover, businesses must improve their infrastructure for the “battle ahead,” and regularly review policies and procedures and practices.
One of Lenkey’s recommendations to companies was to “make sure you have protective controls; and you need to make sure you have detective controls – a third party watching over you.”