Cyber has quickly become the global threat that knows no borders, nor does it distinguish between the public and private sectors. Executives from the world’s largest tech companies gathered at the World Economic Forum in Davos last month to talk about the problem and try to find solutions that could be shared on a global scale, namely, finding a way to create an effective global infrastructure dedicated to defending governments, networks and businesses.
That global threat that cyber poses is one of the issues that Melissa Hathaway had to deal with as she led both the Comprehensive National Cybersecurity Initiative (CNCI) under President George W. Bush and later spearheaded the Cyberspace Policy Review during President Obama’s Administration. She is currently the President of Hathaway Global Strategies and is a Senior Advisor at Harvard Kennedy School’s Belfer Center. The Cipher Brief caught up with her to talk about the rapidly changing nature of the global threats and what has to be done to address them.
The Cipher Brief: The cyber threat environment is changing rapidly and on a global scale. What specific trends are you seeing that worry you the most?
Hathaway: I think that the threat, the volume, velocity, and variety of events that are happening around the world, are growing year over year. Cybercrime alone has grown 26% year over year. The activities range from simple data theft that criminals can use and monetize by selling that data in the underground marketplace, to hijacking your cloud infrastructure to use the compute power to break in to steal the ones and zeroes that comprise the cryptocurrency or actual real currency from our banks, to still unprecedented volumes of intellectual property being illegally copied from our companies to now more destructive malware or destructive activities happening against our corporations and core infrastructures.
I’d say the thing that worries me the most, and what we saw in 2018 that we have to prepare for, is the pre-positioning of the access to the core of our infrastructure to deliver malicious capabilities — cyber weapons. The alert that went out last year from the Department of Homeland Security, the FBI and the United Kingdom’s National Cyber Security Center, warning about the targeting of core infrastructures by Russia, should alarm all decision makers. We can’t sit back and be complacent anymore about what’s happening.
The Cipher Brief: You’ve worked for two administrations, both President Obama’s administration and the administration of President George H.W. Bush. So, you’re very familiar on the policy side with the challenges associated with staying ahead of the threats. What about the ripple effect of smaller countries around the world who don’t have the capabilities to build up an infrastructure to protect themselves, what then, does that mean for the responsibility of the U.S. and the UK and some of these other countries that do have means to invest in cyber security protection? What role do they take on from the leadership perspective?
Hathaway: You have to heal thyself or take care of thyself before you can take care of others. The United Kingdom is ahead of the United States at this point, in my opinion, on its ability to extend a broader cyber defense to its critical infrastructures. It has a better outreach to its private sector, and it seems to have better functioning cross-government activities and partnerships. They’ve spent a lot of resources (time, money, personnel) on improving their defensive posture.
The United States really, in many ways, certainly in the last two, five or six years, hasn’t shown great unity of government. Our agencies are working in their lanes of expertise and this is creating gaps in our defensive posture, shortfalls in our foreign policy with respect to cyberspace, and has affected our cyber operations. We really need to inspire a ‘Team America’, which should be comprised of all of the government activities working together with a better and stronger partnership with private industry. Despite the new policy initiatives, we have not prioritized cyber security and overall, the security posture of the United States has diminished significantly in the last five years.
The Cipher Brief: That’s a big statement. To help the non-cyber focused people understand what you mean when you say the U.S. is not focused enough, what should the U.S. be doing that they are not doing to focus on cyber?
Hathaway: I don’t think that we’re having a sufficient national dialogue about the pre-positioned weapons placed in our core infrastructure or the real risks that our corporations are facing. There are reasons you may not want to limit public discourse, because creating fear or panic in society is unhelpful, but the United States is quite resilient, creative, and innovative when people actually understand how bad the situation is. I believe that people would mobilize and they would start to address the problems and surface creative solutions. We’re not talking about the Russians targeting our critical infrastructure, which was the focus of that alert that was issued in April of last year.
People are not connecting the dots, so what does that mean? That means that the electric power grid could go down or some particular service could be shut off. We’re not talking about the “so what” or impact of the issue, so nobody can get to the “now what?” I would argue that we’re not even talking enough about the “what” and then connecting the dot of the “so what, and now what.” Well then, what’s the “what?” The Chinese stole intellectual property from company X. Okay, that’s the “what.” The “so what” is that now they are going to actually field that same product at a lower price point and put you out of business. Then the “so what” is you lose your job as a result and America’s GDP strength is diminished. Then, the “now what” is, ‘Okay, we need to shore up our corporate defenses here and we need to share this information with you.’ And, the “now what” is that the government needs to take more action to prevent that in the future through policy and other means.
We’re not completing the narrative and I would argue, there isn’t a narrative right now in the United States, so people are hearing bits and pieces of a “what” every day in the newspaper but not the “what does it mean to me?” And the “now what will I have to do about it,” or “What should I do about it?”
The Cipher Brief: You mentioned that there isn’t a sufficient national dialogue. In regards to the targeting of critical infrastructure, I think the response has been, “Well, we know they are there, but we don’t believe that anybody will dare act on that because the consequences would be too great for them.” How much longer do you think that response will hold up?
Hathaway: It is my experience – watching this now for a very long time – that we’re not following through with a meaningful threat of response. There have to be consequences for actions. I think our adversaries have observed us to be complacent and unwilling to bring meaningful consequences to their actions. Therefore, I think that from the adversary’s perspective they don’t have much to lose. They have already pre-positioned access and weapons, so it’s a question of whether or not somebody has the will to actually execute.
I led the Comprehensive National Cybersecurity Initiative for Bush 43, which really laid the foundation for many of the cyber programs across the federal government. Not just in the national security space but for the FBI, for the Department of Homeland Security and other agencies. I transitioned these programs and conducted the Cyberspace Policy Review for President Obama and set up the office within the National Security Council that’s dealing with cyber issues. I also recommended that the cyber-coordinator position have a second set of responsibilities and influence in the National Economic Council because that’s where many of our core infrastructure decisions are being made that had to have a security perspective and address the need for resilience. Positioning the United States for a stronger cyber posture has both a domestic and a foreign component – underpinned in economics and national security.
The Cipher Brief: With the elimination of the Cybersecurity Coordinator role at the NSC, how much of a vulnerability do you think that creates in terms of the government being able to coordinate among all of its different areas on these pressing cyber issues?
Hathaway: I think it’s significant. I think there are a lot of challenges, and again, we don’t have Team America working on this issue right now and we don’t have a natural convening power of full transparency of what’s going on across the government coming from the White House. You have activities happening individually at each of the departments and agencies, at NSA or Cyber Command or DHS or FBI, but you don’t have this natural forming or convening function to get everybody to be working more harmoniously against what I see as a growing threat.
The Cipher Brief: So, let’s go back to the Team America concept for a minute because I think you mentioned that Team America also includes the private sector and used the UK’s National Security Center as an example. There has been so much resistance in the U.S. for more than a decade now with companies saying they don’t want to share too much information, and that the government doesn’t share enough information back. You’ve heard all of these arguments before, so what do you think the right solution would be?
Hathaway: A lot of us are trying to look at it as what is, in many ways, yesterday’s problem, so we have this core infrastructure that is vulnerable because it’s been fielded with primarily vulnerable commercial products in its backbone. So, we’ve operated on the principle of field it fast and we’ll fix it later.
I think in order to advance a functional private-public partnership, then we need to look at tomorrow’s digital transformation and where things are headed, from 5G, the Internet of Things, advances in quantum computing that put our encryption at risk to other emerging technologies. We need to be asking where do we want to be five to ten years from now? Do we want to be dependent on foreign technologies that are not trusted, or do we want to change the course and path and do something else? Can the government be proactive in advancing industry’s ability to field secure, resilient, next-generation technologies?
Then you’ve changed the conversation to a growth strategy, a partnership for getting to bridging that gap from weakness and no player to a player or a set of players. It starts to solve the national security problem, it helps it flourish, so it’s a different narrative. But, right now the private-public partnership is all about yesterday’s problems with the vulnerabilities that are core to the current infrastructure, which are important – but it’s a conversation that is old. So, if you look at some things in the future where we could actually do something positive together about a problem, I think it would change the nature of the discussion.
The Cipher Brief: What worries you most from the global perspective when you specifically think of getting these countries together and tackling some of these issues? Where do you think the areas for making real progress are versus the area where there needs to be a lot more focus?
Hathaway: I think that all countries are starting to come to a common view on data privacy and data protection. Europe is ahead of the U.S. in many of the data protection issues, and the publication of their General Data Protection Regulation that went into effect in May 2018 has led the world in this area. The U.S. is making progress, like in the case of California’s data privacy law that will go into effect in January 2020. China, Singapore, Vietnam, Brazil, Europe, the United States and many other countries have recognized the importance of protecting data and citizens’ desire for data privacy. It’s possible that we could all work together, so these laws are more harmonious or more consistent with how we’re demanding the breach notification and requiring standardized protection levels from our companies.
The Cipher Brief: In closing, any particular issues that you lead with in your classes when you’re teaching or notice when you’re sitting in board rooms watching companies struggle? What are your headline issues right now?
Hathaway: Headline issues: most companies are not managing the digital risk of their digital business. They still look at cyber-security as an IT issue, and IT, led by the CIO or the CISO, will manage the risk to the corporation. This delegation of risk management is inconsistent with how companies manage other risks, like credit risk or liquidity risk. Companies need to elevate digital risk management (cyber security) to their enterprise risk management process and govern it. The digital risks – or their cyber insecurity – are not just an IT problem; it’s the backbone of whatever these companies do. It needs to move into a broader risk governance framework. Right now, I see that as the biggest gap when I sit in boardrooms or sit down with a company’s leadership.
The Cipher Brief: It’s surprising a little bit because we’ve heard the same advice for CEOs for so long, not seeing those gaps close on a broad scale.
Hathaway: I don’t think they’ve really wrapped their heads around that they’re a digital business. Once they make that leap, once they understand, usually largely after a major event, then they’re like, “Oh, wow! This is a risk that I’ve got.” They start to change the way they’re governing the risk, from a corporate perspective.
The Cipher Brief: How important is it to have some sort of a global dialogue on these issues?
Hathaway: I think it’s really important to have a global or international dialogue on these issues. It’s a venue where you can hear the different points of view. The United States is quite comfortable working with Europe and becomes less comfortable as we start to move more into the Asia Pacific or even into the southern hemisphere. If you look at most international conferences, they’re more focused on the northern hemisphere than the entire globe and the diversity of views is really important to understand. What the issues are in South America or on the African continent? Are they coming up with different solutions? How is their industry handling it?
The Cipher Brief is a proud media partner of the International Conference on Cyber Engagement, presented by Cipher Brief Expert Catherine Lotrionte and The Atlantic Council on April 23, in Washington DC.