For Cybersecurity, the Motto is Partner or Perish
Government and industry must find common ground to address a cyberthreat that could have serious economic implications.
AFCEA International Cyber Symposium 2014
The SIGNAL Magazine Online Show Daily: Day 1
Quote of the Day: "Cyber is the ultimate team sport."—Adm. Michael S. Rogers, USN, commander, U.S. Cyber Command
Government and the private sector must determine ways of cooperating in the fight to defeat cyberthreats or else both will face potentially catastrophic consequences. For the commercial sector, individual companies or even entire economic sectors could face total collapse. For the government, the critical infrastructure could suffer attacks that permanently alter the way of life for hundreds of millions of people.
This and many other issues were discussed by industry and government leaders on the first day of AFCEA’s two-day Cyber Symposium being held in Baltimore June 24-25. Titled “Cyber Awakening: Protecting a Nation’s Security,” the symposium laid bare how much government and industry need each other’s cooperation to defeat increasingly dangerous cybermarauders.
Officials from the Department of Homeland Security (DHS) emphasized the importance of the public/private partnership in the department's efforts to protect the homeland from cyber attacks. Suzanne Spaulding, undersecretary for the National Protection and Programs Directorate at the DHS, described the department’s whole-of-nation approach in bringing in private sector partners.
She described how the private sector is essential to the department’s cybersecurity work. One focus area is innovation. “We need to break through in terms of innovation,” she said, adding “We need greater innovation in the context of malware detection and prevention.”
Spaulding also pointed out that the private sector must take the lead in some of its own endeavors. “We need improved cyber hygiene,” Spaulding declared, adding that it could stop up to 90 percent of attacks. “We need to impress upon the market the improved capabilities of cyberthreats.”
To the commander of the U.S. Cyber Command (CYBERCOM), industry holds the key to several items high on his wish list. Adm. Michael S. Rogers, USN, listed situational awareness, automated decision making and a new way to refresh work force skills as key developments needed from industry.
Adm. Rogers said that situational awareness tools are necessary because cyberspace is the one military realm that lacks visualization—and it needs it badly. “We need to display the mission set in a visual way that enables faster decision making,” the admiral said. “We don’t have that visualization in the cyber arena.”
The admiral explained that automated decision making also is needed. However, the command first must determine where “the man in the loop makes sense, and where the man in the loop does not make sense,” he emphasized, adding “We can’t do all of [the decision making].” Speed, agility and accuracy also are key, he added, noting that these three often conflict.
Third on the industry wish list is a way of keeping the work force relevant over time. Adm. Rogers decried the traditional approach of sending a skilled worker off to a brick-and-mortar schoolhouse every five years. That works for initial training, but it cannot be sustained over time, and industry needs to help by finding a way of providing ongoing work force training.
In terms of forming partnerships with industry, Adm. Rogers allowed that CYBERCOM faces some unique challenges. Neither industry nor academia is a perfect fit for partnership with the command.
“How do we bring together expertise from the private sector and academia with government?” he asked. “How do we do that when one of the partners is not fully trusted?”
A partnership is essential for efforts to protect and defend the infostructure against cybermarauders. “If we can’t create an environment with a dynamic information flow and information sharing in a real time basis, it’s like we’re fighting with one hand tied behind our backs,” Adm. Rogers declared.
“Cyber is the ultimate team sport.”
The admiral also warned that he expects to see a destructive cyber attack on the U.S. critical infrastructure—either from a nation or from a group of individuals—at some point in his lifetime. Accordingly, he called for cyber legislation that will establish a working relationship between government and the private sector. “Voluntary information sharing has shown some progress, but it has not done enough,” he stated.
That information sharing, along with other private sector cyber activities, may not be voluntary if companies do not engage in self-regulation, offered experts on the day’s only panel. Companies are facing huge financial losses, and they must develop their own standards or else face government intervention.
“The problem is so serious that we will get regulation if we don’t provide voluntary support,” said panel moderator Al Berkeley, chairman, Princeton Capital Management and former vice chairman at NASDAQ. That government regulation likely will not suit all companies, he offered. “If we don’t get our arms around it voluntarily, we will find ourselves with regulation that we don’t like. [Government] regulation generally is one-size-fits-all,” he said.
And disaster looms if companies do not take cybersecurity risks seriously, panelists offered. Joel Schleicher, founder, Cyber Security Services LLC, noted that a simple data breach that leads to the public disclosure of a company’s information could put it out of business. He added that the average cost per breach is about $4 million. “When it comes to cyber and data risk management, it’s pay me now or pay me later,” he offered.
Michael Echols, chief, communications and information technology sector at the DHS, put the challenge into perspective. “If you knew that your company faced something that would threaten its finances down the road, you would rally the company to fix it,” he said. However, he added, many firms do not realize that a cyber attack could have the same result, and it can be prevented with a commitment to cybersecurity.
In most organizations, change must be driven from the top, and the same holds true with corporate chief executive officers (CEOs). Either corporate leaders must take the initiative for improving their companies’ cybersecurity, or shareholders will demand their ouster following a damaging attack that puts corporate futures in doubt.
Schleicher said the culture of a company is set by its CEO. That CEO should take the point on ensuring the corporation has good cybersecurity. “If you have a CEO that is not talking to its board about cybersecurity, sell the stock,” he advised.
The Target data breach was “a watershed event” for cyberthreat awareness, Berkeley offered. When the company’s CEO lost his job, it proved “there is a stick in this game where you could get hurt,” Berkeley said.
Coming up on the final day of AFCEA Cyber 2014: A luncheon keynote address by Terry Halvorsen, acting Defense Department chief information officer (CIO); two in-depth panel discussions with national and international perspectives; and several concurrent theater sessions exploring elements of cybersecurity and related issues.