Cyber security, to be successful, has to be a "team sport," former Homeland Security secretary Michael Chertoff told attendees of the Advanced Cyber Security Center (ACSC) Conference at the Federal Reserve Bank of Boston Tuesday morning.
Chertoff, cofounder and executive chairman of the Chertoff Group, who gave the keynote speech at the conference, titled "Left of Boom: How and where to invest across the kill chain," said organizations that go it alone, and especially those that focus only on prevention to maintain their security from cyberattacks are "doomed."
Not that this was a surprise to an audience that included numerous information security experts who have been preaching that message for some time. They are familiar with the image Chertoff invoked of the "M&M" defense -- hard on the outside but soft on the inside -- and that most of the past year's catastrophic high-profile breaches have been caused either by insiders or attackers who compromised insiders.
They are also aware that the attack surface is almost unlimited in an "Internet of Things" (IoT) world with an explosively expanding number of smart embedded devices.
"The architecture of the Internet creates a level of connectivity that is radically different from the way we live our physical lives," Chertoff said, noting that physical document dissemination requires either "an affirmative action on our part" or theft.
With the Internet, "everything is connected by default," he said, "so things in your study can become part of the wider world. The camera in your PC can literally create Big Brother in your own room."
Add to that everything from BYOD in the workplace to apps that allow users to adjust the heat, lock the doors and more in their homes, wearable medical devices, smart cars, critical infrastructure and aviation, and it is clear that, as Chertoff put it, "you're not going to eliminate risk -- this is about managing risk."
Done effectively, he said, it could reduce the damage from breaches from catastrophic to a nuisance level.
But so far, even managing risk has not been going so well. Chertoff noted many "very adept" organizations that have been breached during the past year.
"Look at JP Morgan, which is at the forefront of cybersecurity," he said. "And we've been reading stories about breaches at the White House and Russians penetrating a whole host of targets, including the electrical grid."
Still, Chertoff said he was bringing, "an encouraging message." He said Boston and the New England region "has the intellectual firepower" to improve risk management through teamwork. "That's symbolized by this group," he told the audience.
"You can't wait for government to do it for you," he said. "Government does have value to add in intelligence and tactics. But everyone has to be part of the battlefield."
That, he said, would help to mitigate a "sense of powerlessness" he observes in many organizations. He said one executive told him that his company didn't even know what was on its network, and figured, "if we don't know, the bad guys don't know."
"That's a sense of disempowerment," he said. "We need to let people know they can have an effect."
Chertoff said there are three major components to risk management: threats, vulnerabilities and consequences.
Threats, he noted, come from criminals seeking to profit from things like stolen IDs and credit cards, hackers, nation states and insiders (or those who are able to pose as insiders).
The damage, he said, can range from personal embarrassment to the loss of intellectual property to damage to the nation's infrastructure or even the global financial system. While people might assume that even hostile nation states don't want a global financial meltdown, "in a world of sanctions, the intent could be to destroy," he said. "We need capability to defend against that. All you have to do is go back to 2008 to know how fragile the trust in the global financial system is."
Regarding vulnerability, he said each organization needs to determine what its priorities are. "What can you live without, or repair? You need an internal architecture that reflects that," he said, adding that security must be rigorous both outside and inside, since a perimeter will "slow people down, but it won't stop them. You need to do continuous monitoring to know what's going on."
Finally, addressing consequences means knowing, "how you are going to deal with the reality that you are going to be breached."
This, he said, requires a "crisis management playbook" that everybody knows and that is regularly rehearsed. His firm, he said, has regularly found in client companies that many people "thought they knew the plan but didn't. That's critical for resiliency."
That and teamwork with others facing the same threats, he said, means, "you will have every reason to think you will survive anything thrown at you."
Obstacles to effective collaboration remain, however, according to others at the event. William Guenther, CEO and founder of Mass Insight Global Partnerships, which launched and supports ACSC, said in opening remarks that while collaboration is a worthy goal, most companies, "have a hard time finding talent," even in a region as prestigious academically as New England.
But at a panel discussion later in the morning, where there was also talk of collaboration, Katie Moussouris, chief policy officer at HackerOne, suggested that one "giant, untapped reserve of talent is hackers, if we're interested in hearing from them instead of prosecuting them."
She acknowledged that much of what hackers do is illegal, but said, "a lot of them want to do the right thing -- report a vulnerability and get it fixed. There needs to be a better way -- we shouldn't incentivize them to stay quiet, but to join the team of defenders."
Moussouris, who previously worked for Microsoft, cited that company's move about a decade ago to recruit hackers from Poland who called themselves LSD (Last Stage of Delirium) after they discovered a vulnerability that led to the release of the Blaster worm.
"That was a really progressive move on Microsoft's part," she said.