BOSTON – Former Homeland Security secretary Michael Chertoff gave enterprises a pep talk Wednesday during his keynote address at the Advanced Cyber Security Center’s annual conference.
In a climate where massive financial services organizations such as JP Morgan Chase have been breached, the White House’s unclassified network was hacked, and the Christmas shopping season could beckon another giant retail breach, Chertoff’s message was essentially: Chin up.
“I do think we can deal with it,” Chertoff said.
Making familiar calls for cooperation and information sharing between industry competitors, the public sector and security experts, Chertoff equated the Internet to a 21st century battlefield—and unlike during the Cold War, the military isn’t on the hook to protect consumers and enterprises from Russian cybercriminals and state-sponsored hackers.
“If you’re going to wait for the government, you’re going to wait a long time and suffer damage,” Chertoff said. “The government has valuable intelligence, tactics and techniques, but what has to happen is the good old-fashioned American tradition of the local militia defending themselves against bad actors.”
Chertoff said enterprises must do what they can to mitigate risk, in essence conceding that attackers are going to penetrate network perimeters and defending them at the expense of prioritizing risk is a mistake.
“I always sense some disempowerment and hopelessness [with the enterprise]. When they hear about breaches, they shrug their shoulders and don’t do anything because the problem is too complex. They buy AV and hope to get lucky,” Chertoff said. “There is a sense of disempowerment, but you do have the ability to affect an outcome.”
Chertoff preached about risk management and prioritization in the context of threats, vulnerabilities and consequences. Understand who is attacking you, whether the vulnerabilities they’re targeting are hardened against attacks, and assess what happens if you’re attacked and how you’ll mitigate. “How can you turn something potentially catastrophic into nothing more than a nuisance,” Chertoff said.
Today’s primary threats are threefold: criminal; state-sponsored hackers; and hacktivists. At risk is a bevy of data and money, from banking transactions, to intellectual property and personal information that could impact a company and/or person’s reputation. And sometimes the lines between criminal and state-sponsored operations are blurred with some nation states borrowing and modifying cybercrime tools for use in APT-style attacks. Cooperation between nations and cybercrime groups gives nation states a measure of deniability, Chertoff said.
“Imagine that instead of just a hacker trying to get an identity, they had an effort to corrupt or destroy the capability of financial institution to accurately maintain financial records or execute trades domestically and globally,” Chertoff said. “It wouldn’t take a lot before we would see a major impact on the national and global economy.”
Chertoff also spoke of resiliency, certainly a theme during the ACSC event and the importance of prioritizing assets that are absolutely crucial to the company’s lifeblood.
“You’ve got to understand in your enterprise what are the issues of most strategic value; what can you live with and without, and repair and not repair,” Chertoff said. “Prioritize and build an internal architecture that mirrors your issues of value. These are not technical decisions.”
Part of vulnerability and threat management requires continuous monitoring, he said, in addition to access and privilege controls in order to minimize exposures. And when the inevitable breach comes, managing consequences becomes an utmost priority.
“It is manageable as long as you have reasonable expectations,” Chertoff said, reaffirming the need to identify and eliminate network security gaps. “Intelligently examine threats you face and don’t kid yourself about them. Have training exercises and a consequence management plan. And think outside the box about what new threats are out there. Invest in resilience.”
