Cybersecurity is for the C-suite, ‘not just the IT crowd’
FORTUNE — “Ninety-seven percent of Fortune 500 companies have been hacked,” says Peter W. Singer, “and likely the other 3% have too, they just don’t know it.” Such is the less-than-rosy picture painted by Singer — director of the Center for 21st Century Security and Intelligence at D.C. think tank Brookings Institution and bestselling author of 2009’s Wired for War — and co-author Allan Friedman in the opening pages of their new book Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford University Press).
It’s not the most optimistic introduction to cybersecurity that one might hope for, but following a banner year for massive data breaches within both the U.S. government and private industry, an honest appraisal of the cybersecurity landscape is particularly appropriate. “This is now a very real problem, one that we have to recognize, that we have to manage,” Singer says in a conversation with Fortune. “Stop looking for others to solve it for you, stop looking for silver bullet solutions, and stop ignoring it.” Edited excerpts:
The notions of cybersecurity and cyberwar, however nebulous, have been around for some time. Why are these issues particularly important in 2014?
I would argue that there’s no issue that’s become more important that’s less understood than cyber. You can see this gap in all sorts of areas, including on the business side. For example, 70% of business executives have made a cybersecurity decision for their company. Not 70% of CTOs or CSOs, but 70% of executives in general. Yet no major MBA program teaches on it.
That same gap exists in the public policy world. President Obama declared that cybersecurity risks pose “the most serious economic and national security challenges of the 21st century.” Yet when the President was being briefed on cyber issues he reportedly requested that they repeat it back to him “in English.” Our former CIA director [Gen. Michael Hayden] has said that “rarely has something been so important and so talked about with less and less clarity and less apparent understanding.”
This isn’t just an American problem. We’ve seen the same thing in Paris and London and Abu Dhabi. It’s a huge, crucial issue between the U.S. and China, yet the leaders on both sides that are negotiating it don’t understand it. The point is: These issues are critical whether you’re in business or media, in the military or just a citizen or parent trying to keep your kid safe online. Cybersecurity and cyberwar questions are going to be with us as long as we use the Internet, so we have to stop being scared and start figuring out how to manage it. And when I say “we,” I mean it’s not just for the IT crowd anymore
So if not the IT crowd then who?
Everyone. In the year ahead we have a series of things to figure out from the global level. There will be negotiations over the underlying governance of the Internet itself — who’s in charge of it is under threat particularly from certain authoritarian states. We’ll see this play out at the national level; in the U.S., for example, how do we handle the various issues of NSA reforms? How do we try to roll back some of this hugely negative impact it’s had on American technology companies, which have lost a reported $180 billion worth of revenue because of the various NSA disclosures and activities? At the corporate level, every single firm, whether it’s a defense company or a paint company, has to figure out what they are going to do about cybersecurity. And on down to the individual level — how do we protect ourselves and our kids as we engage more and more online?
Let me frame the insecurity out there in a different way. There’s a poll that came out that shows that Americans fear cyber-attacks more than they fear Iranian nuclear weapons, North Korean nuclear weapons, the rise of China, climate change, or Russia. Think about that for a minute. We fear most what we don’t understand, and we have to get past that, we have to start to understand these issues whether we’re a president, a CEO, a lawyer, a journalist, or a dad who worries about his kid and what just happened on Snapchat.
A big concern of mine at both the business level and the national level is that we often fear things that we shouldn’t but don’t act on very real threats that we should. And we get taken advantage of at all levels by what is frankly a brewing cyber-industrial complex. A couple years back there were four companies lobbying Congress on cybersecurity issues. Now it’s over 1,500. There’s been more than a half-million online references in the media to a “Cyber Pearl Harbor,” which is this phrase we’ve seen generals and senators and CEOs use to describe some kind of cyber-cataclysm. But I would argue the real national security threat right now is death by a thousand cuts: The massive loss of intellectual property — by one measure the largest theft in all of human history — that is happening right now to American industry.
What’s driving this knowledge gap? Why are our cybersecurity priorities often so skewed in your view?
First, the people that sit in the C-suite, the people sitting on the Supreme Court, the people who are generals — they likely didn’t use computers when they were in college. So there’s a learning curve. Secondly, these issues have emerged quite rapidly and it’s been difficult for businesses and organizations to stay ahead. Just a couple of years ago there was no malware designed to go after mobile devices. Very few people were thinking about how to defend mobile networks because there were very few people using them and very few threats to them. Now there are many, many threats.
Third and most worrisome to me is the notion that this is for the IT crowd. This is for the nerds to handle. That’s how it’s been treated before: “I don’t understand this stuff so I’m going to hand it over to the techies.” First, that’s an abdication of leadership. Secondly, the IT crowd understands the software and hardware, but they don’t understand the wetware. They don’t understand the humans and the organizations and the ripple effects around them that are equally, and in many cases more, important.
Then there are some people who take pride in their ignorance and luddite-ism. These are the kind of people that joke about not being able to program the clock on their VCR. We have to move beyond a situation where it’s considered completely acceptable for senior leaders to say “I don’t use email or social media, I have my assistant print out my emails.” And this describes a lot of people from a former Secretary of Defense to a former Secretary of Homeland Security.
So how can those in charge of making cybersecurity policy — whether in Congress or in the C-suite — close this knowledge gap? How can organizations get in front of the threat?
It’s about getting the human side of this right — the people and the processes and the way they fit in with the technology. There’s what’s known as the Top 20 measures, they’ve been found to be effective against anywhere from 80 to 94% of threats, depending on the study. Some of them are password-related, some are equipment or accounting, but they’re fairly basic things. What’s interesting is that almost all of the most important incidents, whether they’re ones that happened to companies, ones that happened to the U.S. military or to the NSA, they all could’ve been avoided if they’d just followed these very basic, very easy-to-implement protocols. The biggest, most important outside penetration of a U.S. military network happened when someone picked up a memory stick they found in the parking lot and plugged it into their computer. Not only did they not follow basic cyber-hygiene, they didn’t even follow basic hygiene — the five-second rule. If they had, the most important cyber-attack on the U.S. military never would’ve happened.
So this “people problem” is not just at the C-level. It extends down to mid-career folks, down to how we’re recruiting right now. There’s not good data on the corporate side, but on the government side the data shows that we’re finding only about 10% of the cybersecurity specialists that we need. Of the ones they’re finding, hiring managers describe that they’re only happy with the quality of about 40%. That’s not a good situation — this can’t all be left to the IT department. So whether you’re working in the IT department or you’re a lawyer or you’re working in operations or wherever, you’re increasingly going to be dealing with cybersecurity questions, whether it’s managing people who work on them or figuring out how to protect yourself and your company from threats to your intellectual property, to your services, to your contract negotiations, or deciding “how much should I spend on this in my budget? Who should I be hiring?”
So this is not just for specialists, it’s not just for the C-level, it’s an important area for general management expertise now that we all need to build.
We’re at an interesting point in history where these issues are concerned, if only because people are becoming more aware of the problem if not the potential solutions. Have people like Chelsea Manning and Edward Snowden significantly altered the cyber landscape?
We are at a crucial point in the short but important history of the Internet. You can see this obviously in the continued growing scale of use but also how it’s changing, particularly the shift to the “Internet of Things.” Some numbers, just to illustrate: The first electronic mail was sent in 1971. The grandchildren of those scientists now live in a world where 40 trillion emails are sent per year. The first website was made in 1991. Today there are over 30 trillion individual websites. But the Internet right now is shifting, it’s no longer about sending or compiling information. It’s shaping the real world via the Internet of Things. Over the next five years Cisco estimates there will be as many as 40 billion Internet-enabled devices — cars, refrigerators, and gadgets not yet imagined all linked in.
With the rise of this dependence we’re also seeing the dangers grow. Last year, nine new pieces of malware were discovered every second. Ninety-seven percent of Fortune 500 companies have been hacked, and likely the other 3% have too, they just don’t know it. So you can see this in the numbers. You can see it in the huge issues that have arisen from everything from Wikileaks to NSA monitoring to the ramifications of things like Stuxnet.