When it comes to the dark corners of the Internet and their threat potential for companies—and countries—there are few people as well-versed or as plainspoken as former Homeland Security Secretary Michael Chertoff.
For two decades, both in government and as Co-Founder and Executive Chairman of Chertoff Group, he’s been at the vanguard of efforts to help companies think of emerging threats from cyberspace—whatever they might be.
At our 2018 Cyber Risk Forum, he spoke about the big threat being the theft of intellectual property, and how boards and CEOs could keep pace with security. Now the threat is shifting. In the midst of the Russian invasion of Ukraine “more and more companies are going to find their IT systems and their networks as part of the combat zone of geopolitical conflict,” he says.
Once again, there’s a big role for leaders to play, says Chertoff. What follows are excerpts from our conversation on Monday, edited for length and clarity.
The last time we spoke was a few years ago, and you had a lot of concern, as did a lot of people, that business was not as prepared as it should be when it came to the realities of cyber defense and cyber security. Where are we now? What’s your sense? Are we better prepared for what might be happening in the wake of the Ukraine invasion than we were then?
Well, we’re better, but the adversaries are better too. A couple of years ago we were thinking mostly about terrorists or criminals, or nation-states that were trying to steal things, but not nation-states that were trying to shut down our critical infrastructure or damage it.
Obviously now, in light of what’s going on with Russia, there’s much more of a concern that cyber just becomes a field of conflict. So while we’ve improved, we still have a ways to go, and we need to get active about it.
We have not heard a lot in the headlines so far about attacks either on Ukraine, Ukraine’s infrastructure, or on the West. Are you surprised, or are we just not hearing about attacks? What’s your sense of the current state of the cybersphere and Russia’s invasion?
Well, there have been reports of attacks on websites and taking down government sites in Ukraine. So that has been reported and that’s, of course, been a pattern over the last several years. I don’t think we’ve seen it here yet, but I would not assume that means we’re not going to.
The thing I’d be most concerned about, because of the nature of the financial sanctions, is that there would be an attack on banks and the financial system because they may view us as having made that an area of conflict. Putin’s obviously angry about it.
There’s also the possibility of an attack on energy infrastructure, particularly because that’s now the one area that has not been fully sanctioned, but in terms of their ability to market, because of the bank sanctions, they can’t really get paid. So I would take that as a significant threat.
You obviously talk to lots of CIOs, CEOs, and CISOs. What are they asking you about right now? And what are you hearing from them?
People, in general, are focused on: what are the Russians going to do? What’s their game plan? We’ve told people in advance of this that if there was going to be a conflict with Russia, where we applied significant sanctions, that there would likely be a potential cyber attack, particularly our financial institutions and our infrastructure. This is not a big surprise.
I can’t predict what Putin is going to do. What we talk about is: What are the areas that are the most critical to your business? What are the likely threats in those? Then the issue becomes monitoring to make sure you put into place various defensive measures, particularly as new information comes out, for example, about new malware attacks.
A lot of that comes from the U.S. government. Make sure that your security people are responding and putting into place the recommended responses to those attacks. So that’s really what, at this point, you have to do. You’ve got to be aware of what the new threats are. And then when there are recommended patches or reordering of your network to deal with it, to take steps to do that.
We both grew up in a time where mutual assured destruction in the nuclear sphere worked fairly well for the better part of 50, 60 years. Do we have the same kind of deterrent effect with cyber warfare? Are there things that perhaps the public is not necessarily aware of that are in place to deter catastrophic attacks through cyber warfare? Are there conversations going on where we might not see some of the big attacks because Russia knows what we could do?
I can’t speak for where there are conversations going on. I do think it’s been more complicated because there are always differences in attribution. How do you prove who launched the attack? The Russians use criminal groups or third parties to carry out the attacks.
And then, of course, we’re still in the process of discussing what are the next step levels for various things. I mean, you don’t react to a theft of intellectual property in the same way you do the shutting down of, for example, all the energy.
So there’s quite a gray area, and we don’t have the same track record or experience that we had in a nuclear age. We’ve said publicly that an attack that was equivalent to a kinetic attack would get a response that would be comparable and might not even just be limited to kinetic. So I do think that the adversary knows we have the capability and the will. Exactly where that line is, in many ways, they don’t know, and that’s not a bad thing.
Final thoughts for CEOs, directors, CIOs, CISOs out there as we all try to move through this very bumpy period?
We’re entering into a period where, no matter how this particular issue gets resolved, more and more companies are going to find their IT systems and their networks as part of the combat zone of geopolitical conflict.
The Biden Administration has been urging better coordination with the private and public sector. That’s very important. We have to be nimble and quick in responding, and not treat it as kind of an afterthought.