The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco.

Transcription

1 The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco. 1

2 Calling All CEOs Are You Ready to Defend the Battlefield of the 21st Century? It is not the norm for corporations to be the focal point of a war fought between nation states, but the threats of today place us in exactly that situation. The reason these threats jointly implicate the public and private sector is that the cyber domain is under attack by an organized public/private sector threat, and until we recognize that fact and address it, we will continue to fail to protect it. The truth is that unless corporate America the private sector works with the public sector, we may not stop a cyber event that could be as destructive as Pearl Harbor or 9/11. This post is the first in a series of posts that will examine the nature of the threat we are facing, offer guidance about how companies can effectively and properly reduce the threat, and also illustrate the other business benefits of addressing these issues. The Threat. The Internet as we know it started as a public sector project that quickly morphed into what it is today a large, interconnected network connecting an unimaginable number of different devices that are both public and private sector, which never turns off. While in the past people imagined cyberspace as simply just a series of websites, those days are long gone. Today, with the number of devices that are constantly connected to the world wide network that is the Internet, the cyber domain includes a number of different computers, including those that control our financial system, critical infrastructure, as well as a variety of other devices in any number of different industries. These devices are central to our everyday existence, particularly when one includes mobile devices, as well as the ever increasing number of control devices that are networked. Since this always on world of connectivity places the resources of the United States, both public and private sector, on the same global network as those of nations and others who seek to do us harm, you cannot raise the drawbridge in today s world of cyber attack if you are part of the cyber domain, you are constantly open to potential attack. And the threat we face in the cyber domain is no longer the lone 15 year old trying to boost his hacker street cred by hacking the government it is now an organized, often well funded, effort to systematically damage our economy or our nation directly. The way these groups work are to find and exploit an information imbalance and create an asymmetric threat. An information imbalance is a situation where one side of a conflict has superior information regarding the weaknesses of the other. If that superior information relates to the weakness of another party, it can then be used to create an asymmetric threat, which is a threat that is targeted to, and exploits, another s weaknesses. 2

3 The best example of this is 9/11, contrasted with Pearl Harbor. Pearl Harbor involved an organized, but symmetric threat. It was the Japanese Military attacking another nation state s military. And while Japan exploited an information imbalance, it was a fight between combatants with roughly equal resources. For 9/11, Al Qaeda did not need their own army or air force, in fact, they didn t need organized military. They simply needed utility knives (perhaps even box cutters), training, and more importantly, information about how our system of air travel worked. By creating this information imbalance, they were able to perpetrate a devastating asymmetric attack on the United States. The lesson of 9/11 was not lost on the public sector it realized the nature of the threat and has taken steps to address it, and one need only examine recent Executive Orders, and the words of General Keith Alexander, the Director of the National Security Agency, and a recent speech by Defense Secretary Leon Panetta to see this. In 2005 President Bush issued Executive Order Further Strengthening the Sharing of Terrorism Information to Protect Americans, with the goal of giving information sharing of terrorism information among key stakeholders, including the public and private sector. In 2010 President Obama reaffirmed the need for public sector and private sector cooperation, and information sharing, to address cyber security concerns when it issued Executive Order 13549, Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities. A detailed examination of these Executive Orders are beyond the scope of the post, but the important point is that the Executive Branch recognizes the need for public and private sector cooperation and information sharing. These views were also recently reiterated by General Alexander, when he spoke to the largest hacker convention DEF CON, and asked for their help: We as a global society are extremely vulnerable and at risk for a catastrophic cyber event. Global society needs the best and brightest to help secure our most valued resources in cyberspace: our intellectual property, our critical infrastructure and our privacy. DEF CON has an important place in computer security. It taps into a broad range of talent and provides an unprecedented diversity of experiences and expertise to solve tough problems. The hacker community and USG cyber community share some core values: we both see the Internet as an immensely positive force; we both believe information increases in value by sharing; we both respect protection of privacy and civil liberties; we both believe in the need for oversight that fosters innovation, doesn t pick winners and losers, and retains freedom and flexibility; we both oppose malicious and criminal behavior. We should build on this common ground because we have a shared responsibility to secure cyberspace. Moreover, in a recent presentation, Secretary Panetta illustrated the true nature of the threat state sponsored activity that is increasing in intensity and, with the potential to disrupt to our way of life. The video is below, but in discussing the nature of state sponsored activity, he was clear. A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack on 9/11, and Panetta also believed that Such a 3

4 destructive cyber terrorist attack could virtually paralyze the nation. Panetta continued, We know of specific instances where intruders have successfully gained access to these control systems, and he also stated that We also know they are seeking to create advanced tools to attack those systems and cause panic, destruction and even loss of life. The critical point is that the examples Secretary Panetta uses are not attacks on DoD, or other public sector resources they are attacks on the financial institutions and energy sector by the government resources of another nation state. And this threat is not limited to the financial or energy industry. If you are a group seeking to do us harm, why attempt to detonate a WMD, when you instead can attempt to hack a Supervisory Control and Data Acquisition (SCADA) device that controls a water supply? Or why not attempt to disrupt the medical services in a large area by attacking the systems of a large hospital chain, or even a major health insurer. This can be done by a direct attack on the company, or by an attack on a company that is part of the chain of delivery of the necessary product or service. As a result, the threats are nearly endless and span a multitude of businesses that are not just in the energy or financial sectors. In sum, as the physical war in the Middle East winds down, we now face a new, more diffused threat organized well funded, attacks by entities that are state sponsored or part of organized crime networks. These actors seek to create information advantages that can be turned into asymmetric threats, and these threats are a clear and present danger to our society. How can the private sector protect itself from an organized, well funded, public sector threat? By organizing, and funding a solution that includes the public sector in the United States. This can be done through Information Superiority, and increased information sharing. Information Superiority and Information Sharing A Solution for the Public and Private Sector. In order to understand the solution to the problem, it is important first to focus on the root cause of the threat the information imbalance which permits the organized actors seeking to do us harm by understanding and exploiting our weaknesses i.e. creating an asymmetric threat. In other words, this is not exclusively a technology problem, or one where we simply need to spend more, or buy better technology. If the problem is information, the solution is information. The best example is 9/11, where the private sector spent a significant amount on technology for security in airports, and the technology the enemy used was utility knives (or perhaps even box cutters), coupled with extensive information about our system of air travel. Al Qaeda was able to gain an information advantage, which they turned into an asymmetric threat, with very rudimentary technology. That is the nature of the threat we face, even in the cyber domain, because the technology that is used to attack us is often rudimentary and very 4

5 available the utility knives of the cyber world and we must address the root cause of 9/11 in the private sector in the cyber domain, or risk facing the same consequences. While the threats are different, the challenges for the public and private sector are the same reduce information imbalances that can lead to disruptive or asymmetric threats. So if the solution is information, what does that really mean? It means that the private sector needs to realize that it is facing an information based problem, created by a well organized foe, and it must organize to combat it. The way to do that is to implement information governance solutions that reduce the information imbalances that exist, and also increase information sharing. Information Superiority. The reason this problem is really a governance problem is that the senior executives in private companies typically have no idea what information or systems their company have that are truly sensitive, or important, and there are inherent barriers to information sharing in any organization. Information is typically kept in stove piped verticals that often do not talk to each other and information imbalances inherently result. This is what helps to create the environment where organized actors can exploit the cyber domain, but, as will be discussed in future posts, it also creates business issues for the private sector. The good news for the private sector is that the public sector has already had to try to address these issues post 9/11. While there isn t a plug and play solution from the public sector, the private sector can learn from, and adapt, some of the doctrines and governance methodologies that the public sector has created to help deny our enemies an information advantage, and break down information verticals that create risk. The first doctrine the private sector must try to utilize is Information Superiority. The Department of Defense defines Information Superiority as A relative state achieved when a competitive advantage is derived from the ability to exploit an Information Advantage, and as The ability to develop and use information while denying an adversary the same capability. Under DoD doctrine, an Information Advantage is achieved when one competitor outperforms its competitors in the information domain. In order to implement Information Superiority, according to the DoD, technical and behavioral modifications to how data is collected and processed had to be made, so it could drive value for DoD. It is important to note that technology was viewed as enabling Information Superiority, but it was not the center of the doctrine, which illustrates that Information Superiority is more focused on governance of information, not the technology that enables its use. For the private sector, it must implement Information Superiority by focusing on making superior use of information by getting the right information, to the right executives, at the right time, which will help companies achieve a variety of goals, including: Avoiding the next 9/11; 5

6 Increasing profit for businesses; Reducing costs; Optimizing risks; Reducing the industrial espionage threat; and Reducing brand damage. The focus of these posts to date has been to focus on the first point, but as noted above, implementing Information Superiority will also help companies achieve a variety of other goals that are core to business. There are four key steps that the private sector must take in order to implement Information Superiority. The first step companies must take to implement Information Superiority, and reduce the chances of an exploitable information imbalance, is understand what information they have. Most companies do not completely understand what information they have, including what information is critical to their business. By creating an information inventory, particularly of systems with critical information, private companies can begin to understand what information they have, and where it resides. The second step companies must take is to create a governance structure that includes key senior stakeholders from departments that are relevant to governing information. This can include IT, HR, Privacy, Audit, Legal, Treasury, Security, and others. This governance structure will enable companies to better understand the results of the information audit, and hopefully help each department understand what information exists, with the goal of having the key stakeholders better understand how information can be effectively utilized for executive decision making, including to increase cyber security. The third step companies must take is to create a framework that classifies the company s information based upon sensitivity. Again, the public sector has some tools that can be instructive for the private sector. The intelligence community utilizes an information classification system that bases controls, security, and use of the information upon information sensitivity, and the categories, with the general descriptions are below. Top Secret Information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe. Secret Information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe. Confidential Information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe. 6

7 Unclassified. While the descriptions the private sector should use are different, data classification is a key issue. The private sector should modify the terminology used and create a structure that focuses on sensitivity both to the business and to consumers. There are a number of prior works in data classification, including ones that argue that proportionality is central to privacy. One such model is a modified version of the intelligence community s data classification system called Privacy 3.0 The Principle of Proportionality, which used tiers labeled: highly sensitive; sensitive; slightly sensitive; and non sensitive. This structure should be utilized by the private sector both for individuals data to focus appropriate privacy protections, but it is even more applicable in the Information Superiority structure for business data, as it will help your company understand what information it has, and what systems are critical, so that focused effort can be made to reduce a potential information imbalance that can be exploited by an organized adversary. The Lares Institute has done ground breaking research on consumer perceptions of data sensitivity, which can serve as a guide on the privacy issues, but this does not define sensitivity for business data, and this can vary widely between companies. The governance structure can help guide your business to understand how business information should be categorized, and this is a key early step in the information governance program. The fourth step companies must take is to make systematic behavioral changes to how information is collected and processed, so that information is appropriately shared with key stakeholders, both internal and external. The Information Governance structure that I recommend companies put in place must play a key role in changing behavior and encourage horizontal information sharing. Horizontal information sharing is a sharing of information across departments, or organizations. It is customer service sharing complaints with the engineering department so that issues are resolved in products. It is engineering department sharing solutions with customer service to improve customer satisfaction. It is also, for the public sector, different agencies sharing intelligence to prevent the next 9/11. And that really illustrates a final key point the public and private sector face the same issue, and need to work together to solve it. Whether it is the engineering and customer service divisions in a private company, or the CIA and FBI, information gathering and sharing are critical issues that must be addressed to deny our adversaries the information advantage they seek to gain. While much of this post has been about increasing information sharing in the private sector, the fact remains that we still face an organized, often state sponsored, threat on the other side. As recognized by the Obama Administration when it issued Executive Order 13549: 7

8 The need to share actionable, timely, and relevant classified information among Federal, State, Local, Tribal, and Private Sector (SLTPS) partners in support of homeland security is self evident. The way to do that is for the public and private sector to create structures, and share doctrines, such as Information Superiority, that facilitate this sharing, and increase our homeland security by working to eliminate the information advantage our enemies seek to exploit. Solving this problem will not be easy, and it will take time and resources, but there are resources that can assist. Through systematic and focused effort, coupled with the adoption of better information governance Information Superiority and sharing, we can address this threat, but to defeat an organized threat, we must organize our efforts, or we will fail to protect ourselves as we should. 8