Tom Ridge might not be running the show at the Department of Homeland Security, but that doesn’t mean the former secretary isn’t up to speed on the threat cyber attacks pose to the U.S. government and private industries.
On the government front, Ridge believes the U.S. changed the landscape when it used Malware to cripple the nuclear program of Iran. Ridge says the move signaled to the world that it was OK to use cyberwarfare as a tool to implement international policy initiatives. That means the gloves are off and all U.S. entities are now fair game, according to Ridge.
Ridge was joined on a panel at CME Group’s annual Global Financial Leadership Conference by Kevin Mandia, a cybersecurity expert who is founder and CEO of Mandiant. Mandia says cyber threats can be placed into three basic categories:
- Nation-states: Governments working to affect policy changes or weaken rivals (U.S., China, Iran, Syria, etc).
- Criminals: Those looking to steal money, identities, trade secrets, etc.
- Ideologues: Those looking to advance a cause (ex: Anonymous). Mandia notes that it is the people and groups in this category that are rapidly becoming more sophisticated.
Ridge and Mandia agreed that the private sector — in the form of individual firms or industry groups and trade associations — will play a leading role in improving cybersecurity in the U.S. “Don’t for government to solve the problem,” Mandia said. “Align with industry because the threat actors align by industry.”
Noting that the financial services sector is one of the best-protected industries, Ridge explained that there is a lot the government can learn from strategies and best practices currently deployed in the private sector.
Ridge said one of the biggest struggles is to develop acceptable platforms and protocols for the government to share cybersecurity information with the private sector and vice versa. One major obstacle, according to Ridge, is security clearance. Ridge said granting private sector technologist high levels of security clearance only makes sense. “When a guy like [Edward] Snowden can get clearance, why can’t the CTO or CIO at private companies get clearance to share information?”
Speaking of Edward Snowden, Mandia and Ridge agreed that the Snowden story serves is a stark reminder that employees — both current and former — represent the greatest threat to firm’s cybersecurity. Executives spend too much time worrying about outside threats, when they should be most vigilant when conducting routine things like background check and data flow analyses.
Fitz – Lots of times there are practical workarounds.
People are worried about outside threats, but Snowden shows firms should also focus on inside jobs and who they are hiring.