Cipher Brief Expert and former Secretary for Homeland Security Michael Chertoff is Executive Chairman and Co-Founder of the Chertoff Group. He served as Secretary of the U.S. Department of Homeland Security from 2005-2009.
The Cipher Brief wanted to get the former Secretary’s thoughts on where we are with cyber today in the wake of both SolarWinds and the Hafnium breach as well as his perspective on the greatest pain points felt by private sector companies. Our conversation was part of The Cipher Brief’s recent Cybersecurity Summit and has been edited for length and clarity. You can watch the original interview with Secretary Chertoff on The Cipher Brief’s YouTube Channel.
The Cipher Brief: You run one of the world’s leading advisory companies with the Chertoff Group. Tell us, what are companies most worried about right now, and what’s top of mind for you when it comes to the cybersecurity threat landscape?
Secretary Chertoff: Nation-states are being much more visible and much more active, and we know that because the scale of what we are now seeing in terms of breaches is beyond what we saw even a few years ago. So, from a reputational standpoint, a lot of companies are very concerned that they may have been breached or that they may have vulnerabilities, and they’re scrambling to see what they can do to plug the holes. Another issue, which I think is challenging, is that more and more of what we see, in addition to the typical phishing attacks and the targeted attacks, are efforts to infect the supply chain by either identifying or creating vulnerabilities. An example of that is in the network management software, like what we saw in the SolarWinds hack, or on other kinds of software that may be involved using coding, for example, which could be incorporated into new updates.
That means you’re not only now responsible for training your own workforce and checking your own perimeter and vulnerabilities, but you also need to worry about your vendors and your service providers and whether they are exposing you to broader threats.
I can’t help but be slightly amused over the discussions about cyberattacks that are now resembling what we heard about the COVID-19 virus. Now, you have to worry about being infected by somebody else or being in a crowd and questioning who’s providing you with something in a restaurant that may wind up becoming your problem. In many ways, there’s an analogy between the kinds of precautions you need to take in the physical environment and those in the cyber environment.
I think what we see now is a real focus on how you manage what looks to be an almost inevitable amount of breach – by at least reducing the dwell time and identifying it once there has been a penetration so that you can respond before you get any serious damage.
In the last couple of months, we saw an attack on the water system in Florida, which actually could have poisoned people in the real world. That reminds us that in addition to theft of data and intellectual property, and, of course, typical criminality, we have to worry about this sliding over into real damage in the physical world. That’s going to require the companies that are in critical infrastructure to be particularly mindful of this, but also the government is going to have to work even more closely with critical infrastructure to identify threats.
The Cipher Brief: We’ve been talking about a cyber 9/11 for years. Is it going to take one of these events like the one you cited in Florida, but where lives are actually lost in connection to a cyber incident in order for everyone to raise the bar and move faster on updating systems and sharing information?
Secretary Chertoff: I don’t think people are failing to appreciate the threat. What I find with a lot of clients in the private sector, is there are so many solutions that they’re overwhelmed. Again, to use the analogy of the virus, when the public health authorities get out and tell you all the things you can’t do so that leaving the house becomes akin to planning D-Day, a lot of people throw their hands up in the air and say, “I can’t bother. I’ve got to just take my chances.”
Part of what we need to do is manage expectations. For example, one of the key points I make is if you think you’re never going to get attacked successfully, it’s akin to saying, “I’m never going to get sick.” It’s not realistic. What you want to do is reduce and mitigate those consequences. So, to me, a key issue is managing expectations and giving people a doable, sustainable approach that is tailored to the particular threats that are aimed at their sector and that allows them an option that won’t totally absorb all of their resources in trying to play whack-a-mole.
The Cipher Brief: Private sector leaders are often bemoaning the complexity of the environment. They’ve got tools that they are trying to integrate so they can get to what they call a single pane of glass in their security operations center, where they can see everything. But that’s exactly what SolarWinds did. It was software that integrated other people’s software, and it gives you basically a nice big target for entities to go after because instead of having to solve 100 problems, a hacker only has to solve one problem, and then they have access to all the stuff they need. So, really, it’s a tough problem.
Secretary Chertoff: I think it’s incredibly important to have this discussion. I’m in touch virtually with a lot of counterparts in Europe and Asia and Japan, and I have seen how this issue, particularly as a supply chain issue, has now elevated and is really a big focus of concern. I know, for example, that the EU is looking very hard at the question around promoting resilience among critical infrastructure. I think there’s more of an appetite now to cooperate with the US and have like-minded nations and allies work together to do things like manage supply chain security and make sure that we are careful about who is providing our critical infrastructure. Because, as you know, China is making a big play to become the world’s dominant supplier in 5G, which would cause all kinds of problems for us. So, there is a spirit of cooperation, and I think there are folks now – I know you know Anne Neuberger, who’s at the White House – who understand both the government and the private sector, and I think there’s an opportunity now to make some real progress.
Find more expert-level insights on cyber issues impacting national security on The Cipher Brief’s YouTube channel and read more expert-driven national security perspective and analysis in The Cipher Brief.