Keeping corporate, personal, and federal data safe is an ongoing conversation in the United States as hacking becomes a more prevalent form of cybercrime. The threats to data—malware, spyware, and viruses, oh my!—are becoming more sophisticated and therefore harder to detect and expel. Organizations within the public and private sectors are kept on their toes, always struggling to match the pace of their defense with the pace of malicious actors. As digital transformation—the imperative to move from hardware-centric corporate infrastructures to software-first initiatives, especially as a means to improve and accelerate data analytics—sweeps across every industry, the conversation about keeping important data safe becomes louder, and executives and other high-level decision makers feel the pressure coming at them from multiple fronts.
In November 2016, The Wall Street Journal’s deputy editor-in-chief, Rebecca Blumenstein, interviewed one of the United States’ top intelligence officials in front of an audience of CEOs. Blumenstein asked, “How worried should CEOs … be about the state of cybersecurity?”
Admiral Michael S. Rogers, Director of the National Security Agency (NSA), Commander of U.S. Cyber Command (USCYBERCOM), and Chief of the Central Security Service (CSS), didn’t provide an opinion about CEO anxiety levels, but he did say that there is definitely a cybersecurity challenge for corporations and agencies within the United States. He said that when the military is called in to investigate the hacking of a company’s network, they often see that a large stretch of time has passed between the unlawful breach or entry into the corporate network and the discovery of that breach—between three and six months, usually—and the set of actors is diverse.
The conversation around nation-states as one of these unlawful actors is fresh on people’s minds, but Admiral Rogers said that around 60 to 65 percent of the activity the military sees is criminal in nature. He described these criminals as individuals on the hunt for information that others might find valuable—data like credit-card numbers, personally identifiable information (PII), and intellectual property (IP). “Hacktivism” is another threat to cybersecurity, which often takes the form of groups like Anonymous, a sort of vigilante coalition that works together, with anonymity, across geographical boundaries to launch organized, large-scale hacking efforts into corporate, government, or individual computing devices and networks.
Admiral Rogers cautioned that an actor only needs to gain access once, and that it can then use hacking tools to bombard a system in search of its weaknesses until it finds an access point. After that, all the actor needs to do is remain hidden while stealing information.
What to Do in the Event of a Major Security Breach
Two years ago, Sony was the victim of a major breach by a state actor. After initially suspecting that it had been hacked, Sony pulled in a third-party firm to investigate. When the firm’s findings made it clear that the issue was perhaps larger than Sony had anticipated, Sony reached out to the U.S. government.
Admiral Rogers said he had to give kudos to Sony for doing so because of the inherent distrust that exists as a result of the separation of the private and public sectors. This isn’t necessarily a bad thing, Rogers said, but in order for the government to assist Sony, it needed full access to certain networks and data.
Sony agreed on the condition that the government maintain transparency and be forthcoming in its communication about what it was doing, where it was doing it within the system, and how it was doing it. Once the boundaries were drawn, Admiral Rogers said the government, Sony, and the third-party investigator worked well together to uncover the severity and origin of the breach.
Admiral Rogers encouraged the CEOs at The Wall Street Journal conference to do the same should they find that their organizations fall victim to a cybersecurity breach, with the vow that the government would never use a company’s data for any reason beyond what the government and company agree upon.
Of those CEOs attending, about 56 percent said that they would absolutely trust the government to help their security efforts. Another 34 percent said they would only call upon the government in the event of a breach; and 9 percent said that they wouldn’t trust the U.S. government to assist in their organization’s cybersecurity efforts. Admiral Rogers found those numbers heartening, especially in the face of his thoughts on what the cybersecurity plan needs to be going forward.
A National Conversation
For those CEOs who maintain their distrust of the government’s participation in private-sector security, Admiral Rogers said that they need to realize that cybercrime does not discriminate between public and private networks. The nature of the Internet makes it impossible to apply things like geographic boundaries or the unspoken rule that America’s public and private sectors stay separate.
The burden of cybersecurity shouldn’t rest solely on the private sector’s shoulders, Admiral Rogers said, going so far as to state that it would be unfair to expect the private sector alone to fight the onslaught of unlawful actors and malignant cyber-activity that constantly probes its systems.
Top Agency Advice
Admiral Rogers, whose background includes cryptology and cyberwarfare, told the CEOs at the conference that they have a significant role to play in the future and effectiveness of cybersecurity. He said CEOs need to start with these steps:
- Lead your organization’s security initiative. Admiral Rogers said, “You don’t want your network security team deciding unilaterally what’s important to you as an organization. You, as a leader, need to set that tone.”
- Strategize with your CIO and CSO about your security requirements. Decide your priorities and security requirements, and communicate what you expect your company to do to meet those security requirements.
Furthermore, Admiral Rogers believes that the innovative spirit of Silicon Valley is exactly what’s needed to drive this conversation because of its model of “the power of possibility,” the idea that technology can make anything possible. Admiral Rogers said that neither the private nor the public sector is where it needs or wants to be in terms of fighting back against unlawful cyber-activity, and that the sectors need to come together to collaborate in a broad, inclusive sense. The decision shouldn’t just be a consensus between the top technical experts in the military or the private sector but a conversation for the whole nation to have.
Where does the conversation start? Admiral Rogers said:
- The public and private sectors need to discuss and determine the answer to “what is possible?” This conversation will largely be about the current technologies for preventing unlawful intrusions and for detecting the actors that have successfully breached and hidden within systems.
- With answers in hand from the previous question, both sectors can then start creating policies, legal frameworks, ethical determinations, and boundaries around what steps they are comfortable taking to ensure data security.
Catch the whole video over at the Wall Street Journal.
The cybersecurity conversation is always top-of-mind at Prowess Consulting, too. Prowess writers often speak to the increasing importance of cybersecurity, usually in the context of how certain hardware or software features enhance data protection. We see how cybersecurity threats keep corporations and government agencies on their toes. I agree with Admiral Rogers’ directive that the cybersecurity conversation needs to be a national collaboration because the frequency and severity of breaches will increase as more data is generated, stored, and analyzed. Data is where a company’s value lies.
For the latest on cybersecurity and cyberthreats, follow Prowess Consulting on Twitter @ProwessConsult, and you can follow my technology interests and thoughts @catinwritersuit.
The Wall Street Journal. “Cybersecurity in an Era of Borderless wars.” November 2016. www.wsj.com/video/cybersecurity-in-an-era-of-borderless-wars/DDBB4C15-6BC5-4BD3-A484-47A6B222882C.html.