Last week I had the pleasure of hosting some of our most distinguished clients alongside government officials and other private sector executives in a candid discussion about the boundless nature and potentially life-altering threats that exist within the IT infrastructures, communications networks and computer systems that comprise our world’s cyberspace.
The list of organizations across the private and public sectors that have been breached by a cyber attack continues to grow by the week. While this fact made for a timely backdrop for our conversation, the harsh reality is that if we, as an industry and as a nation, don’t make a concerted effort to raise awareness and embed security into our core corporate and government competencies, the potential is there – as one of our panelists described – for the most disruptive force in our world to emerge since the discovery of the New World.
That statement is not only an indication of the importance of the threats knocking on our door, but is also representative of the scale and velocity with which attacks have the capacity to impact our lives on every conceivable level – at work, at home or abroad. Though not nearly as developed as it needs to be, the effort to thwart cyber attacks is well underway. During our discussion, several interesting points were raised that I’d like to share.
Public/Private Partnership – The overarching consensus, and mind you there were organizations at the table operating around the world, was that there needs to be a shared responsibility between the public and private sectors to successfully manage the future cyber threat. Lines of communication have to be maintained in order to keep up with the pace and characteristics of the attacks, make the overall effort bottom-line relevant when answering to shareholders and constituents, and develop/adopt a set of standards that all organizations can model.
Defense and Resilience – Defense of the network perimeter is crucial, but even more important is an organization's resilience, its ability to maintain operations after an attack has occurred. More than likely, those creating damaging code, in the form of phishing attacks, botnets and the like, are going to make it into a network if they put their minds to it. Some of these threats reach the level of sophistication of commercially developed and sold software used by millions of people. For this reason, resiliency and the ability to curb negative repercussions stemming from the loss of intellectual property will ultimately be the determining factor of success.
The Cyber Domain – In the national security context, cyber is increasingly being defined as a “domain” of equal importance to air, land and sea, and thus requires all of the pertinent doctrine and legal statutes. One of the fundamental differences with cyber, and, frankly, one of the positives, is that, unlike the other domains, we have the capability to control it. The group roundly applauded the Administration’s efforts to develop a set of policy standards around cybersecurity and agreed that, through collaboration with the private sector, the proposal can become a benchmark for securing the new cyber domain. We agreed, however, that the effort must gain additional momentum.
Assurance and Attribution – Last year, for the first time, computer network activity was used to cause physical damage to a nation’s critical infrastructure. There is growing concern about the lack of trust and assurance in knowing where attacks like Stuxnet originate, and who could be selling that information to the highest bidder. Terrorist networks and enemy states are recruiting “cyber warriors” and creating more sophisticated threats. The private sector would be smart to make a concerted effort to create solutions that allow clients to withstand these attacks and even determine their origin. Without assurance and attribution, lowering our level of risk remains difficult.
The Emergence of Cloud – Cloud computing, and the evolution of the IT services industry to an “as-a-service” business model, presents organizations with the opportunity to pay for alternative networks that offer greater cybersecurity protection. In this scenario, cloud providers would develop separate architectures, provide guarantees of security and accept liabilities, and recoup their investments with higher rates than current public cloud providers.
Whatever sector your business belongs to, we are all operating within the same threat environment, and we all share a set of extremely dynamic and persistent cybersecurity threats that pose challenges on a daily basis. While news reports of the latest hack may be on the mind of the general public, millions of intrusions go unreported every day. Together, through an open and ongoing dialogue between business and those enforcing and creating the law, we can overcome the hurdles, thwart attacks and operate confidently in cyberspace.