[BreachExchange] Cyber needs to be centre stage for every world leader, minister and business CEO
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Apr 6 21:51:12 EDT 2018
https://www.aspistrategist.org.au/cyber-needs-centre-
stage-every-world-leader-minister-business-ceo/
It seems every day brings news of another high-profile cyberattack or
intrusion affecting our personal data, national security or the very
integrity and availability of the institutions and infrastructure on which
we depend. These cyber threats come from a range of bad actors including
ordinary criminals, transnational organised criminal groups and
nation-states.
Indeed, in mid-February, Australia, the United States, the United Kingdom
and several other countries attributed the devastating NotPetya ransomware
worm—that caused billions of dollars of damage across Europe, Asia and the
Americas—to the Russian military as part of the Kremlin’s efforts to
destabilise the Ukraine.
At the same time, special counsel Robert Mueller in Washington unveiled a
remarkably detailed criminal indictment charging a range of Russian
individuals and organisations with a concerted effort to undermine the 2016
US elections.
Although active, Russia is hardly the only prominent nation-state threat
actor in cyberspace. North Korea orchestrated the attacks on Sony Pictures
and was responsible for the recent WannaCry ransomware that seriously
affected the UK’s health-care system. Iran was responsible for attacks on
US financial institution websites. And China conducted a prolonged campaign
of cyber-enabled theft of trade secrets that targeted businesses in
Australia, the US and many other countries.
Some states also pose international policy challenges—using cybertools to
monitor and repress their citizens. Criminals and other non-state actors
have caused huge financial losses and compromised personal data through
ever more sophisticated cyber schemes. Don’t yet attack critical
infrastructure through cyberspace, but use the internet to plan, recruit
and communicate.
In the 27 years that I’ve been dealing with these issues—first as a US
federal prosecutor, then in senior positions at the Department of Justice,
FBI, White House and most recently as Coordinator for Cyber Issues at the
State Department—I’ve never seen the threats we collectively face in
cyberspace to be greater, or the need to address them to be more urgent.
Fortunately, there’s now much greater public and governmental attention on
these issues then there was even a few years ago. Australia has launched
ambitious cybersecurity and international cyber strategies, created new
institutions and appointed seasoned leaders to key posts. The US has
focused on cyber issues for the last decade—among many other things
enhancing incident response, creating international and domestic
strategies, and promoting a framework for cyber stability.
Other governments are also increasingly prioritising cyber issues, as are
at least some key business sectors. Moreover, there are now so many ‘cyber
summits’ devoted to these issues around the globe that it seems we’re in
the middle of the Cyber Alps (European or Australian).
Yet, though cyber may be the new black because of all this attention and
activity, something critical is missing. Cyber still hasn’t been woven into
the fabric of our core national security and other policies. Too often it’s
seen as a separate, boutique issue.
I was in Australia earlier this year—where I completed a stint at ASPI’s
International Cyber Policy Centre—going to Canberra directly from the
Munich Security Conference (MSC)—a sort of Davos for the international
security policy crowd. Every year MSC features a number of political
leaders, industry titans and senior policy wonks from around the world
debating everything from the future of Europe to Middle East peace (or lack
thereof) to the rise of China.
Cyber is there too, represented in an ever-increasing array of side events.
But, significantly, it’s not on the main stage.
Though it’s great that MSC focuses on cyber in a myriad of side gatherings
and at standalone events, the problem with that approach (and which is
similar to other major national and economic security forums) is that the
cyber-focused events tend to become echo chambers, with the same cadre of
cyber cognoscenti traveling like a nomadic tribe from one meeting to the
next.
Heads of government, national security advisors, legislators, generals and
ministers who come to high-level policy meetings like MSC should be
participating in those discussions, especially because they don’t deal with
those issues every day and because they may be well out of their normal
comfort zone.
Of course this also requires that the cyber cognoscenti do a better job of
putting these issues into a form that senior policymakers understand—as
core issues of national security, human rights and foreign policy—rather
than as primarily technical issues.
The failure to ‘mainstream’ cyber issues into larger national security and
policy debates has real consequences. Though there’s greater awareness
these days among senior officials that ‘the cyber’ is important, there’s
little understanding of what to do to counter cyber threats or how the full
toolset of national capabilities outside the cyber arena can be used.
There’s also a real risk that these issues won’t get the sustained
attention they deserve. Although I think the discussion is more mature now,
there’s a precedent. The US launched a cybersecurity strategy in 2003. But
by 2005 it had been essentially shelved because of a lack of understanding
and the rise of other priorities.
Further, really integrating these issues with a sustained strategic focus
leads to new solutions to some of the key problems we are facing in
cyberspace. When widespread Chinese theft of trade secrets and intellectual
property was seen as a cyber issue, there was little understanding of its
long-term implications or how to respond. Only when it was finally
recognised as a core economic and national security issue was the US
willing to risk friction in the overall relationship with China, rather
than just trading barbs in cyber channels.
That allowed an expanded range of options across the entire bilateral
relationship, coupled with a commitment to a sustained multi-year effort
that produced tangible results. Unless cyber issues are understood and
integrated by non-cyber, senior policymakers, their approach too often is
episodic and ineffectual.
Of course, this is also true in the business community. C-suite folks are
increasingly aware that cyber is a big thing, but like many senior
government leaders, don’t know what to do about it or how to integrate it
into corporate decision-making or risk management. While more corporate
boards are paying more attention to cyber risks, the responsibility still
often devolves to the chief information security officer who, in far too
many cases, has limited access to the CEO or the board, and often is
dismissed as a cost centre.
There are some positive signs of change. Though there was no cyber-focused
session on the main stage at MSC, the UN secretary-general, the UK prime
minister, the US national security advisor and several other leaders raised
cyber as part of their keynote remarks. There was increased interaction
between the ‘cyber tribe’ and the broader community on the margins, and
participation of high-level executives from both technology and other
companies. More corporate boards are now getting briefings from
cybersecurity advisors and the public, at least for the time being,
increasingly appears to care about cyber threats.
Nevertheless, if we are truly to succeed in combatting the increasing
threats in cyberspace and seize the many opportunities it offers, more
needs to be done to demystify cyber policy and make it part and parcel of
our larger national and economic discourse. We can’t afford for this to be
a passing fad or the province of a select priesthood. Rather, cyber policy
should be a core concern of every leader, minister and CEO.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180406/d69b12af/attachment.html>
More information about the BreachExchange
mailing list