With just weeks to go until the release of the 60-day cybersecurity review being led by Melissa Hathaway, what opportunities might the review hold for the commercial sector? For answers, ExecutiveBiz recently turned to Bill Crowell, former deputy director of the National Security Agency. An independent consultant specializing in information technology, security, and intelligence systems, Crowell is a recognized expert on information security for both the federal government and private sector. Here Crowell weighs in on the likelihood of a public-private partnership to combat cyber threats and how ultimately we might see that partnership take shape over the years to come.
How high is the cybersecurity threat?
Bill Crowell: Clearly the threat is extremely high to demand the level of attention we are now seeing from this administration and Congress. The threats are not just to our national security, but also to our economic security. Our critical infrastructure for both defense and business has moved to network-based operations. This is a vulnerability that we must address quickly to ensure our national and economic security.
How can critical infrastructure be protected that is not owned by the government nor directly addressed by the government?
Bill Crowell: Ultimately, I think we need to have a public-private partnership in that area. In my opinion that will require legislation. The legislation will take two forms. One is to amend certain laws already on the books — the Sherman Antitrust Act, the Freedom of Information Act, and the Privacy Act, for example — so they encourage the kind of cooperation and interaction that’s important to solving the problems. The second area for legislation is to develop incentive structures that will encourage particularly critical components like financial services, transportation, and energy to take the necessary steps to use best security practices. Those might be in the form of tax incentives or other compliance measures.
Let’s talk about the 60-day review being led by Melissa Hathaway. What opportunities do you think the review will present the commercial sector?
Bill Crowell: The opportunities fall into three general areas of tactical, strategic, and long-range objectives. “Tactical” objectives are things like reducing the number of internet connections of the government IT systems, the dotgov connections. “Strategic” includes better education and more research of leap-ahead technologies. “Long range” includes major research on new approaches to content security and the development of deterrence principles. Obviously, the communities called upon to help in these three areas will include the customary system integrators who specialize in cyber defense as well as the innovators in the security arena. The other major initiatives of the CNCI are a set of classified enablers that are primarily in the areas of defense communications and protection, as well as intelligence operations, and will involve contractual efforts to build new capabilities, which will be channeled in a classified environment.
What should companies be asking their IT staff to strengthen cybersecurity?
Bill Crowell: Well, a number of questions should be asked. One of the most important is the issue of attribution — having strong authentication and identity management of the people who have access to your networks in order to restrict access by the outsiders who seek to steal, damage or destroy your data. The second is asking if they have robust auditing of access and use of the systems. The third is what I would call “continuity of operations.” How resilient and reliable are your networks for conducting business operations? Supply chain issues are also important … where are you getting network elements like routers, for example. Particularly in the case of offshore developed code, it’s important to look for potential compromises. Encryption is also a key ingredient in security protection; it is extremely important to make sure telecommunications, which can be routed anywhere in the world to reach their destination today and which contain considerable sensitive information, are protected by strong encryption.
What’s the biggest misconception about cybersecurity?
Bill Crowell: That there is a single silver bullet; that there’s one thing you can do — one product that you can buy or one way in which you can control people and processes — that will make a difference. The truth of the matter is there isn’t one security solution. Rather, security comes from building a series of layers of different kinds of security activities that together can afford you a reasonable amount of protection.
Do you think the cyber threat will ever be solved or reduced to a minor nuisance issue?
Bill Crowell: Not in my lifetime. It will take a determined effort to make progress in achieving trusted network operations and it is doubtful that significant progress will be made in the next five years, but we have to start. The truth of the matter is we will be working to solve this problem for many more years to come.
Interview conducted by JD Kathuria