The Cipher Brief sat down with Michael Chertoff at the Aspen Security Conference to discuss emerging issues in cybersecurity. He feels that businesses and the government need to engage more proactively with cybersecurity problems and work more closely together to minimize their vulnerability to hackers.
TCB: What would you say for businesses, is the biggest take-away from the OPM and Sony hacks?
Michael Chertoff: I would say that there are two different take-aways. For OPM, it’s important to understand what value your data has. A lot of the time people think, “Oh, the data I have is not really that relevant, or it’s not that important, or it’s not that damaging.” And actually you really need to assess the significance of the data, both in terms of its damage to third parties but also in terms of your own business. …
The second take-away from OPM, frankly, is: It’s great to have a strategy, but you must implement it. It’s been years since we talked about what needs to be done across the US government, and it’s pretty clear they got a menu of things they were supposed to [do]. Their answer was, “Well, we just haven’t gotten around to it.” That’s not satisfactory.
I think the Sony thing is a little different. There it raises the issue of whether we’re going to get into the world of destructive hacking where you actually try to destroy a system, and that obviously raises the game. It also is a reminder for people in any enterprise that when you are writing emails, it is like you are having a conversation and recording yourself. So be guided accordingly.
TCB: Would you say though, generally speaking, the threats seem to be constantly evolving? Where do you see it going, and what are folks going to have to worry about tomorrow?
MC: It’s evolving, although in many ways the techniques are the same ones we’ve been talking about for years: They’re phishing; watering holes at websites; zero-day exploits; lost credentials. I mean, that’s been around for a long time.
I think what we’re going to worry about more is when we have control systems that are connected fully to the internet. There was a story in Wired magazine about an automobile, a Jeep, that was remotely controlled. That’s not the first time that’s been done. But a wider and wider range of control systems are connected without adequate thought for security, and then that’s compounded by the growth of smart devices. Now, when you have a smart device, and it’s connected to your router at home or whatever, you open a vulnerability. Now, is there a provision in the refrigerator to update when you discover malware? I’m going to bet that most refrigerators are not going to have that.
So, I would say that there are two things. One is, we really need to start to insist that people who are providing smart devices that are going to be wirelessly connected to a network need to build in some security and some updating features. And I also think that people need to ask themselves a question. Every time you connect yourself wirelessly, you’re opening up a surface area to attack. Sometimes it’s worth doing, sometimes it’s not and we need to educate people that they need to make choices, intelligent choices.
TCB: One thing that I’ve heard talking to people is there seems to be surprise at the fact that businesses, while they are aware of the problems, are still behind the curve on applying fixes or solving them. Is that something that you continue to bump up against in your work?
MC: I do. To me the way you approach this is, first, you have to give people reasonable expectations. While it’s important to prevent, it [is] as important, or more important in many cases, to respond and to mitigate. And if you do the M&M theory of security, where there’s a hard shell outside and a soft center, you’re doomed.
On the other hand, if you look at your human body, your body keeps a lot of stuff out of it, but it is configured with an immune system that anticipates that bacteria and viruses will enter. It characterizes them and, if they are harmful, it kills them. In fact, if we vaccinate, we’re essentially information sharing – we’re giving signals to your body. And if you think about it, that is a system where response is every bit as important as prevention. In fact, if you get sick, it actually makes you healthier in the long run because you develop immunities.
So I think, step one is to give people a reasonable expectation about what their aim is. Second, I think you need to make people understand that in the end they are dealing with human beings – the adversary is a human. So, it’s like any other human threat. You have to assess whatever is a high-consequence target in your enterprise. You’ve got to think about where the vulnerabilities are, where the threats are coming from, and then you start to organize yourself, your policies, and your procedures in a way that is configured to your enterprise. And then the technical pieces and the operational pieces fit within the overall construct of their operations and make sense. So, in a nutshell, it’s about demystifying cybersecurity.
TCB: What are the ways that DHS can better interact with the private sector? And what lessons are there to be shared between the two?
MC: Right now we have an organization that’s sector based, I think, in the area of cyber. The president issued an executive order to have a plan to do information sharing organizations that could cut across sectors. I think that would be a good idea. I think that we could build platforms that could allow real-time sharing; that would be helpful. To do that, we would probably need to have some legal protection for that. And a lot of it, which Suzanne Spaulding (Under Secretary, National Protection and Programs Directorate at the Department of Homeland Security) was talking about the other day with us, was getting out and about more, getting into the field more. They are getting more operational, they’re putting more people out there, and I think that’s beneficial.