Ahead of a cyber security event in New York last month, David Burg, a principal at PricewaterhouseCoopers, told me over a firm handshake that he and Keith Alexander—the former director of the U.S. National Security Agency, known as “the general”—did not want the day’s message to be “fear.”
Of course, fear is a tough sentiment to avoid in the amygdala-juicing cyber security business.
Delivering a keynote, the retired 4-star U.S. Army general raised his eyebrows when citing the nation’s menaces, including radical Islamic terrorist organization ISIS, nation-state hackers, distributed denial-of-service attacks, and Wiper viruses targeting vulnerable network infrastructure. It’s the kind of thing that will keep even a hardened veteran up at night. “When you look at what’s going on around the world—threats to our country and our European allies—there are two key things that can hurt us,” Alexander said. “Terrorism and cyber.”
Alexander’s speech came as prelude to the release of PwC’s annual Global State of Information Security Survey. According to the latest edition, acts of cyberwar between countries are on the rise. The number of respondents who reported a compromise by nation-states increased 86 percent this year, making such attacks one of the fastest growing threats.
Incidents perpetrated by insiders, including current employees and third-party contractors, occur more frequently than those by nation-states. (In Alexander’s case, former U.S. defense contractor and mega-leaker Edward Snowden.) Still, the surge in state-sponsored attacks is cause for concern. With the mounting sophistication of opposition, what’s a business, industry, or country to do?
Alexander motioned to a gray dining table in a distant corner of the room. If something happened at that far table—he turned and gestured near his podium—the people at the front of the room would want to know about it. In a computer network, they often don’t, he said—and hackers are exploiting these uncoordinated systems. “We’ve got to set up an integrated solution,” Alexander said. “We’ve got to work together.”
To improve the situation, Alexander called for behavioral modeling of threats and a messaging framework between businesses and government agencies that might enable better, quicker information sharing. His suggestion may be more easily said than done—it can be a challenge to get competing businesses to open up and collaborate. According to the PwC survey, only about half of respondents said that their organization has a cross-organization team that meets regularly to discuss, coordinate, and communicate information security issues. One might wonder how businesses will collaborate and share information externally when they often lack such means internally.
Alexander remains hopeful. Advances in technology will help push people along, he said. “We’re headed for some great times. We really are,” Alexander said, brow fixed, inflexible. “And we don’t want to slow it down.”
After Alexander left the stage, I followed him to ask him about his new security startup, IronNet Cybersecurity, which has recently been under some scrutiny. (Congressman Alan Grayson has questioned the ethicality of taking classified information into the private sector. Alexander maintains he has done nothing improper.) We’re still testing the product, Alexander told me, and declined to elaborate further. There’s something admirable about how ultra-secret Apple keeps quiet about its new products until release day, he added. So much, I guess, for information sharing.