Driven by the fallout of major data breaches at Target, Sony Pictures, Anthem and hundreds of other large and small organizations, cybersecurity is now a problem of strategic importance in organizations of all sizes.
ThirdCertainty sat down last week at the RSA Conference in San Francisco with Howard Schmidt, former White House Cybersecurity Advisor under Presidents Bush and Obama, to discuss the wider context. The fireside chat was sponsored by TaaSera, supplier of pre-emptive breach detection systems.
Q: Are the dots starting to connect in the minds of senior executives that their organizations are facing profound new exposures?
A: Yes, they are starting to look at cybersecurity as a strategic issue that needs to be dealt with at the corporate level. The financial services sector years ago said, “OK, we can lose this amount of money through credit card fraud, and we can work within that.” Now the exposures are much more than that. It’s reputation, it’s government regulation, it’s customer confidence, and so a lot of attention is going into it.
Q: Security vendors certainly are paying attention. There’s no shortage of clever technology to defend networks.
A: Yes, clearly. Every year at RSA and at Infosec Europe, I see products developed to react to what happened this past year or last week or last month, so you wind up in a situation where you are chasing the problem instead of developing systems to deal with those problems before they occur. For example, we have tremendous capabilities: intrusion detection, intrusion prevention, malware protection, breach detection, all those sorts of things. They’ve been good, but they have not been as effective as we need them to be.
Q: Because they’re perimeter-focused?
A: That’s correct, they’re all perimeter-based, so when somebody gets in and it looks like they should be inside, they can start doing things a normal employee would not do. And they’ll go undetected for a long period of time. We’re starting to develop systems to detect this type of anomalous behavior. But just as important, if not more important, is we need to create an ecosystem that does strong authentication and strong encryption, as well as secure coding, that basically puts you into a position where you have everything in your favor.
Q: Developing a security ecosystem like that implies a high level of intel sharing, a very big topic these days with President Obama, whom you served.
A: Many people don’t realize that in 1998 President Clinton signed Presidential Decision Directive 63 that said three things: One, the government is not well organized to deal with cyber, which they were not. Second, private industry owns the vast majority of critical infrastructure, about 85 percent. And the third thing is, we’re not sharing information with one another.
This was in 1998, so it’s before all the things we’re seeing today. President Clinton’s order prompted the financial services sector to create the first ISAC (Information Sharing and Analysis Center). It was about sharing information among companies in the financial sector. Zooming ahead, a big, big part of the national strategy to secure cyberspace that Tom Ridge and I released in February 2003 was about government sharing intelligence with the private sector, not sucking everything out of the private sector.
Today we’ve started looking at international strategy, at things like the national strategy for identities in cyberspace. It’s all about sharing information, and yet we still seem to have a conversation about it. I was at an event recently that was all about information sharing. We’ve been talking about sharing for all these years. And for some reason, we just can’t seem to get it right.
Q: With data breaches accelerating and showing no signs of slowing, and with the C-suite starting to pay attention, maybe we’ve finally reached a tipping point.
A: I couldn’t agree more. There’s a larger impetus to share, and there are legal implications—the liability is huge. And it’s a global issue. We keep talking about what the president is doing and about U.S. companies. Well, the Internet is not a U.S.-based issue. As a matter of fact, many of the U.S. companies we talk to are quick to point out, “We’re a global company.”
Q: How much room is there for greater sharing at a very basic best-practices level?
A: With large companies, that opportunity is huge. As you start going down the supply chain to the small and medium-size companies and to the startups, there is no mechanism by which they can share information and take some action.
That’s why there’s a discussion about turning this whole mechanism around. So for instance, information classified as law-enforcement sensitive can be classified for no more than 24 hours, unless it meets some parameters that the private sector can understand.
You don’t have to give out all of the sensitive information. But you do want actionable intel turned around in 24 hours. You’ll then have the ability to inform a system administrator who does not have security clearances, and who does not go to the meetings in Washington D.C., to block this IP address or to be alert for this piece of malware. And he’ll be able to actually do something to reduce the likelihood of falling victim to some of these things.
Q: Sort of like shining a flashlight into some of the corners of the Darknet.
A: Absolutely correct. That’s a good analogy.
This article originally appeared on ThirdCertainty.com.