
The Cyber Security Challenge: The Global Risk of Inaction

In his first term, President Obama declared that the cyber threat is one of the most serious economic and national security challenges we face as a nation and that America's economic prosperity in the 21st century will depend on cyber security. However, this is a global issue with implications that extend across borders and industry sectors, and was the topic of discussion as APCO's International Advisory Council and Global Political Strategies convened its monthly meeting on January 17. Topics addressed included the failure of the U.S. Congress to pass legislation on the issue, the threat to essential utility infrastructure, the balance between cyber security and collaboration, and potential nightmare scenarios.

Cliff Stearns, former U.S. congressman and leading authority in the Congress on cyber security, noted the primary challenge facing the Congress and Senate in passing a bill on cyber security is drafting a one-size-fits-all piece of legislation on an issue that requires flexibility, particularly since technology and cyber threats change quickly. The House bill, H.R. 3523, the Cyber Intelligence Sharing and Protection Act (CISPA), focused on information sharing and would have given companies incentives and legal authority to share cyber security measures with each other and the government. The Senate bill, S. 3414, the Cybersecurity Act of 2012, was much more expansive and included an information-sharing component, but also set critical infrastructure standards, on the terms of which Republicans and Democrats could not find consensus. An executive order by the president will likely not solve the problem, because Congress would still need to act to put in liability protections for companies who share information. However, the president's executive order may get the discussion going.

In fact, Professor Laurens Jan Brinkhorst, former minister of economic affairs in the Netherlands and director general with the European Commission, noted that for the first time the World Economic Forum report on global risks mentioned cybercrime and cyber security as one of the 50 major cases where attention should be drawn in the coming times. From the European perspective, things are finally moving as part of Europol. On January 11, 2013, a European cybercrime center was established in The Hague to act as a focal point for expertise and coordination in the European fight against cybercrime. It is a result of an earlier meeting in 2012 between the United States and Europe, so we all realize it is a global threat. Transatlantic cooperation is necessary to address this issue.
There is a strong feeling in Europe that although business is very much affected by the natural effects of internet fraud and its particular effect on banking, a lot of businesses feel quite ambiguous about it. On the one hand, businesses keep their own attention to their own business secrets, but on the other hand, if businesses share experiences with others, we can be collectively more effective in combatting cybercrime as a whole.

Andy Serwin, chief executive officer and executive director of The Lares Institute, a think tank focused on technology, privacy and information governance, asserted that this is an information problem. There are organized actors who try to use information against us and create an information imbalance. It is not exclusively a technology problem. Serwin noted this is stuff that your kid could go on the internet and use against your company, so it is less about companies not having the right technology and more about a lack of understanding what information they need to protect themselves from these very low-tech threats. This is why the U.S. Department of Defense looks at these as an asymmetric threat. We need to get companies to organize and share information, both among themselves and with the government, where appropriate, because we are facing organized threats by other nations and organized crime, and if the companies deal with this as they typically do, which is one-off or as an island, they won't see the threat coming. The president's executive order is a step in the right direction, but if companies are not sharing information (not the information itself about their technology) about the threats they are seeing, we are doomed to fail. And companies have to be engaged at the C-suite level.

John Magaw, founding director of the Transportation Security Administration and former director of the U.S. Secret Service, stressed the importance of including law enforcement officials in the dialogue. The Department of Homeland Security, U.S. Secret Service, FBI, U.S. State Department and local law enforcement officials work on this issue every day and have access to many issues and problems that private and public sector companies face, sometimes quietly. The federal agencies cooperate, investigate and arrest violators worldwide. For more than 30 years law enforcement has not been consistently involved in these discussions, and it is a mistake. They find themselves reacting without participating in the prevention aspect of the issue.

Cyber security threats challenge the safety of essential utility infrastructure, including electrical grids, water, gas and telecommunications. These threats affect consumers, as utilities must invest resources to protect themselves from potential cyber breaches. It is a critical issue for electrical utilities to identify and implement along with other priorities as they begin to modernize the electric grid. Highlighting a GAO report, Congressman Stearns noted four key challenges that require attention in securing smart grid systems, including a lack of: 1) a coordinated approach to monitor industry compliance with voluntary standards; 2) security features built into smart grid devices; 3) an effective information-sharing mechanism within the electrical industry; and 4) metrics for evaluating cyber security.

This is a public- and private-sector problem, because even if you tighten the government side of cyber security, it is just as easy for a terrorist or other state-sponsored actor to take out a private-sector entity that will really impact the nation. But even if the private sector wants to share information with one another and perhaps the government, there are liability issues. The traditional model has been the private sector sharing with the public sector. Serwin noted that this has to go, in part because of liability concerns, and in part because the private sector actually sees more than the government does. Therefore, you need a model where the private sector can share with each other, where appropriate. Then, it is up to them to share that information with the public sector when they see a threat. This would minimize the liability for sharing information with the government and also permit a broader and deeper understanding of what you are seeing, because you typically see it across the companies and across segments of the economy.

Professor Brinkhorst stated that it ultimately boils down to a question of trust. That is why the military dimension is important on the security side. To what extent can you trust that information you share is not ending up in different hands? This is the reason the European Union is about to start legislation and why the Commissioner has been given mandates to draft legislation about data protection. These are precisely the kinds of things we should share between the United States and Europe; it is very clear that if we don't take a joint approach here, we will be separated by foreign and alien forces.

If this is truly cyber war, what is the role of offensive cyber strategy and what role does the private sector have in that? This is a very difficult issue given some of the laws in the United States. It also raises a host of international issues, depending on where that offensive cyber-attack may originate from.
It could be anything from the shutdown of an oil or water supply to causing a nuclear reactor to go offline or malfunction. Anything that is connected in any way to the internet (and almost every device is these days) is susceptible to an attack.

Three main takeaways from this discussion include:

1. Cyber security needs to be on the global agenda. This issue needs to move from the public discourse to the development of actionable plans and sharing of information across industry and between the public/private sectors.
2. Dialogue among nations is crucial, as cybercrime stretches across borders and over hemispheres. Indeed, the entire world is at risk of cyber attack.
3. Cyber security is not solely about technology. It is about companies understanding what information they need to protect themselves. The private sector must achieve information superiority: command and control of the information domain.

Driving Global Dialogue
For more information, please visit www.apcoworldwide.com/forum
© 2013 APCO Worldwide Inc. All rights reserved.
