US Intel Chiefs Urge Business Cooperation On Cybersecurity
But what are the trade-offs in terms of privacy and civil liberties? Highlights from General Keith Alexander and John Brennan keynote at #ISM2018.
During the American Revolutionary war, military commanders of the 13 Colonies realised that the conflict could not be won with soldiers alone. Civilians left their towns and farms to swell the ranks to a level where the British could be pushed back and eventually overcome.
Retired four-star general Keith Alexander (former Director of the National Security Agency) tells delegates at #ISM2018 that just as civilians fought alongside soldiers 240 years ago, there’s currently an urgent need for a public and private partnership to defend against cybersecurity breaches. In other words, business and government need to cooperate if the US is to have any chance of defending against offshore cyberattacks and resultant IP theft.
Calling for a partnership
“I think our approach to cybersecurity has to be changed,” says Alexander. “We need a new strategy.” Companies that suffer data breaches tend to fall into two camps – those that have been attacked and know it, and companies that have been attacked and don’t know it. Alexander says that in an environment where “everybody’s getting hacked,” industry has a responsibility up to a certain level.
The issue is that intelligence agencies (such as the NSA) can’t see what’s in the packets of information that pass through cyberspace at light-speed until after the fact, which means they are relegated to reactive incident response. The solution is for companies to help build a common picture by sharing information so the government can then defend effectively. Alexander gives the example of the energy sector, where 18 companies are working together to share information at network speed.
Alexander also raises the issue of companies that have been attacked being treated as a guilty party, with some organisations getting sued after a cyberattack. “If you want industry to work with government and share what’s hitting them, you’ll have to give them liability protection. We also need to incentivise it so it’s cost-neutral to build up your cyber defence.”
Former Director of the CIA, John Brennan, comments that as difficult as counter-terrorism was, dealing with cybersecurity was even more challenging. “The digital domain is 85% operated by the private sector, and there’s currently no consensus on the government’s role in that environment,” he says. The nature of globalisation means it’s not always easy for a security agency to figure out what’s an American company. “The ecosystem is so interconnected,” says Brennan. “You’re not going to stop globalisation, but you need to [respond to it] in a way that protects government and business interests.”
Privacy trade-offs?
Panel facilitator and ISM CEO Tom Derry raised the question of how you can protect privacy and civil liberties while acting to defend against cyberattacks. According to Alexander, you can do both. “If we’re completely transparent in what we share and ensure everybody agrees to it, we can build a picture that defends our nation.” The consolidation that is taking place as businesses increasingly move into the cloud (usually via a managed service) will help in a cybersecurity sense. “It’s going to come down to consolidation,” says Alexander. “The cloud is going to be the future, collective security in the cloud will be so much better, and you’ll be assured that both your data and your privacy are protected.”
Brennan was less reassuring when it comes to privacy trade-offs. “Lots of privacy and civil liberties have been given up already. People would be shocked about how much of their information is being shared online. We need greater transparency and obligations, and need to be aware of the risks and opportunities. You can’t secure your data the same way you can secure a building.”
What can be done?
Most companies, says Alexander, have a firewall and other measures in place to defend against cyberattacks, but he gives the example of a company with 2,500 people and 5,000 systems that was discovered to have 400,000 unpatched vulnerabilities. “Most companies only try to patch the critical ones.”
Alexander and Brennan list the following solutions:
- An unprecedented level of partnership and information-sharing between government and business.
- Behavioural analytics, where a system-user’s behaviour raises red flags if it changes dramatically.
- Freezing or isolating systems when malware signatures are detected.
- Better hiring practices, training, procedure and policies to protect against the human element (e.g. Edward Snowden’s data theft).
- Machine learning and AI systems to cope with the sheer size of the challenge.
- Be clear on policy: what constitutes an act of war in cyberspace?
In other news from #ISM2018:
ISM Appoints First Chief Product Officer
Susan Marty to Lead Member Engagement, Market Development and Growth Initiatives for ISM.
In its mission to reflect the voices of everyone in the supply management community, ISM has appointed Susan Marty as it first Chief Product Officer. Ms. Marty will focus on member engagement, market development and growth for ISM, the leading not-for-profit, independent, unbiased resource for everyone in supply management.
“As Chief Product Officer, I am strongly committed to meeting the current and future needs of all ISM members and constituents in a timely and meaningful way. We will continue ensuring that all our offerings–from education and events, to discussions and publications–enable members to advance professionally while making their organizations stronger and better,” said Ms. Marty.
“Susan Marty is an exceptional leader with a talent for building strong customer, partner and industry relationships, and innovating in response to market shifts. At a time of rapid transformation for supply management, she will help ISM remain vital to our entire industry,” said Tom Derry, CEO of ISM.
In addition to her focus on ISM’s educational offerings, Ms. Marty will concentrate on making ISM a source for compelling, customer-driven content, including research, thought-provoking conversations with subject-matter experts, and issue-oriented articles.
She will also lead efforts to bring supply management leaders and practitioners together with technology providers, analysts, and other members of the broader professional community. Whether online or via social media, she will focus on maximizing opportunities for the profession to access all ISM has to offer.
“We are thrilled to have Susan Marty join the ISM team. She is a high-caliber talent with a wealth of experience to help us deliver superior products that are valued by our customers,” said Debbie Fogel-Monnissen, Chief Financial Officer, ISM.
“Susan Marty is exactly the kind of product leader that ISM needs to fulfill the strategy of increasing engagement with the supply management professional. Her background in creating value offerings and communicating them clearly and through multiple channels will help today’s supply management professional leverage ISM’s vast resources,” said Jim Barnes, Managing Director for ISM.
Ms. Marty comes to ISM after serving as Vice President Marketing, Product Management and Sales at WorldatWork. She previously held senior roles at Inter-Tel (now Mitel), Voice Access Technologies, OmniSky and AT&T Wireless (now AT&T Mobility).