November 4, 2016
Cyber Threats Occur Almost Every Minute of Every Day in Almost Every Industry
An Interview with Tom Ridge
In an interview with the Canadian Council for Public-Private Partnerships (CCPPP), the former Governor of Pennsylvania and first US Secretary of Homeland Security Tom Ridge says “the fifth dimension of warfare –whether it involves national security or economic espionage – is the digital space,” adding governments and business need to do more to protect against cyber-attacks.
Governor Ridge believes “democracies are particularly vulnerable – particularly democracies with strong economies because there’s a great potential for stealing intellectual property, as well as disruption - let alone state secrets.”
It’s Ridge’s view that cyber threats occur at almost every minute of every day in almost every industry and predicts that “it’s going to get worse.”
Ridge says countries around the world are already taking this threat seriously. He suspects “that China and Russia, Iran and perhaps a few other countries are probably spending massive sums of money through their government to create and build offensive and defensive (cyber) capability.”
Governor Ridge is schedule to deliver a keynote address at the 24th Annual CCPPP National Conference on Tuesday, November 15th at the Sheraton Centre Hotel in Toronto.
We conducted the interview with Governor Ridge on September 30, 2016.
Q: You’ve made a stark statement to the effect: ‘We see these cyber threats at almost every minute of every day in almost every industry’. How prevalent is the threat?
TR: I don’t believe that observation is an understatement. I believe that more often than not the general public may think that governments are spying on governments and there may be some economic espionage going on but I don’t believe that the general public, and I’m not being critical – it’s just a matter of knowledge – I don’t believe the general public appreciates the number, the sophistication and in many instances the significant financial backing that hackers have – be they state-owned, state-sponsored, state-ignored, organized crime, etc.
I think democracies are particularly vulnerable – particularly democracies with strong economies because there’s a great potential for stealing intellectual property, as well as disruption - let alone state secrets, as it were.
So, yes, I stand by that statement and would only add the other caveat that it’s going to get worse.
It is a dynamic environment which to a certain extent calls for a different public-private collaboration and that’s the information sharing from government down to the private sector and the private sector up to its respective governments. They have a mutual interest in collaborating to reduce an ever changing and ever expanding risk.
Q: If it’s that prevalent, then why do you suppose it isn’t part of the narrative in the media about our national security?
From the economic disruption, from stolen defence secrets to the personal identification information that’s been stolen to the loss of equity value after major corporations have taken a publicized hit – they gather everyone’s attention for that moment or two. Our attention span is somewhat limited. The fact that (global news organizations) tend to go from one crisis to another rather than focussing - to the extent that journalists can focus - on a long term sustained threat.
Some of our political leaders, in fact some of our corporate leaders, have failed to accept that reality and talk about it – not in a breathless kind of way.
I’ll give you an example. I chair the Homeland Security Task Force for the U.S. Chamber of Commerce. It’s one of my volunteer activities. It took us nearly five years – and I’ll say it again – it took us nearly five years to urge congress to come up with a modest – underline – modest piece of legislation that provided a safe harbour for private sector companies to share information with regard to cyber-attacks, precursors, everything related to that to the federal government.
Now one would think, as I do, that if it’s such a significant problem – and there’s probably not a week goes by when there’s not some kind of public revelation of another attack – fortunately there’s a lot of attacks and not quite so many incursions – but having said that, it frankly just shows to me that maybe, in our democracy, unless there’s a major cyber-attack that affects our security or national economic interest then people aren’t going to take it as seriously as they should.
The reaction to North Korea infiltrating the SONY network twice – by the way if the horse kicks you once it’s the horse’s fault. If the horse kicks you twice, it’s your own fault. It got everybody’s attention for a couple of days. There were a couple of very critical articles of Sony’s management team and then everybody forgot about it. And that’s just Sony.
I’m hopeful that conferences like the CCPPP is hosting and far more public conversations from both corporate and government leaders reminds everybody that we all have a role to play.
And if you think about it, by the year 2020, I’ve seen estimates of 50-75 billion devices being connected to the internet. And with every opportunity, with every efficiency, every wonderful personal connection, every benefit associated with all these devices hooked to the internet – every one of them is potentially a point of vulnerability.
What I guess we’ve emphasized, writ large, is everybody loves the convenience, the connectivity, we haven’t emphasized as governments and the private sector – the vulnerability it creates for those who use it.
Q: Is this a matter of business and government not taking it seriously enough or just not being able to keep up with the exponential growth in that convenience and technology?
TR: Great question. It’s probably a combination of both. I do expect there’s a lot more innovation going on and focus inside our respective governments because of the vulnerability associated with the operation of our government and our military. I think corporate America is getting around to it.
My gut tells me, and I don’t have any empirical information, but I suspect that China and Russia, Iran and perhaps a few other countries are probably spending massive sums of money through their government to create and build offensive and defensive capability.
I do know that there are probably hundreds of thousands of small technology companies trying to develop their own defensive technology.
So, I’m not saying we’re not keeping up. I’m just saying it’s a dynamic environment and you never catch up.
Q: The narrative in the States is focused on email hacks, which is serious enough on its own. But when national security officials telling us it was ‘state sponsored’ – that adds a whole new layer of concern and danger.
TR: Yes and we kind of minimize it.
I think we have pretty good attribution tools. But even if I can attribute the attack what are the means of holding the attacker accountable?
What form of attack constitutes an act of war? Or do you need one of such significant measure that you as a country don’t, in a very covert way, respond aggressively yourself?
Let’s face it. The Russians have been in Estonia, in Georgia, I think when they went into Crimea they deployed it but when the world became aware that US had deployed offensive cyber capability as an instrument of foreign policy it was almost carte blanche for the rest of the world. The Americans are doing it so we better prepare to do it ourselves or defend against it.
It’s the fifth dimension of war.
When I was a soldier, way back in the 60s, it was the air, land and sea. Then there was space – that was the fourth and the fifth dimension of warfare –whether it involves national security or economic espionage – is the digital space.
There are public documents from Russia and China and Iran that speak specifically to the need to build up that capability.
Q: If we turn to the threat on infrastructure, we are hearing regular reports of our healthcare services and facilities being hijacked through ransomware. That quite literally puts community health and safety at risk. Are we thinking enough about how this kind of threat can affect larger infrastructure?
TR: More companies are paying more attention to their cyber networks whether they’re in the utility industry, healthcare or others. But I still believe there is significant work that has to be done, more education and a greater acceptance of that reality.
The reality is we should pay as much attention to all the extraordinary, human, corporate benefits associated with the connectivity that the internet has provided. We need to pay comparable attention – the same level of attention to the potential disruption its misuse can affect.
If we just got an equal balance of that and looked at our enterprises on a day to day basis, the threat would be diminished. It will never be eliminated but I’d be a hell of a lot more comfortable.
We need that commitment and advocacy from the top of the organization – we need to be as worried about risk and resilience as we do about profitability and convenience. Then I think we will substantially reduce the threat to our economy, to our prosperity and our national security.