When it comes to the dark corners of the Internet and their threat potential for companies—and countries—there are few people more well-versed or as plainspoken as former Homeland Security Secretary Michael Chertoff.
For two decades, both in government and as Co-Founder and Executive Chairman of Chertoff Group, he’s been at the vanguard of efforts to help companies think of emerging threats from cyberspace—whatever they might be.
At our 2018 Cyber Risk Forum, he spoke about the big threat being the theft of intellectual property, and how boards and CEOs could keep pace with security. Now the threat is shifting. In the midst of the Russian invasion of Ukraine “more and more companies are going to find their IT systems and their networks as part of the combat zone of geopolitical conflict,” he says.
Once again, there’s a big role for leaders to play, says Chertoff. What follows are excerpt from our conversation on Monday, edited for length and clarity.
Well, we’re better, but the adversaries are better too. A couple of years ago we were thinking mostly about terrorists or criminals, or nation-states that were trying to steal things, but not nation-states that we’re trying to shut down our critical infrastructure or damage it.
Obviously now, in light of what’s going on with Russia, there’s much more of a concern that cyber just becomes a field of conflict. So while we’ve improved, we still have a ways to go, and we need to get active about it.
Well, there have been reports of attacks on websites and taking down government sites in Ukraine. So that has been reported and that’s, of course, been a pattern over the last several years. I don’t think we’ve seen it here yet, but I would not assume that means we’re not going to.
The thing I’d be most concerned about, because of the nature of the financial sanctions, is that there would be an attack on banks and the financial system because they may view us as having made that an area of conflict. Putin’s obviously angry about it.
There’s also the possibility of an attack on energy infrastructure, particularly because that’s now the one area that has not been fully sanctioned, but in terms of their ability to market, because of the bank sanctions, they can’t really get paid. So I would take that as a significant threat.
People, in general, are focused on: what are the Russians going to do? What’s their game plan? We’ve told people in advance of this that if there was going to be a conflict with Russia, where we applied significant sanctions, that there would likely be a potential cyber attack, particularly our financial institutions and our infrastructure. This is not a big surprise.
I can’t predict what Putin is going to do. What we talk about is: What are the areas that are the most critical to your business? What the likely threats are in those? Then the issue becomes monitoring to make sure you put into place various defensive measures, particularly as new information comes out, for example, about new malware attacks.
A lot of that comes from the U.S. government. Make sure that your security people are responding and putting into place the recommended responses to those attacks. So that’s really what, at this point, you have to do. You’ve got to be aware of what the new threats are. And then when there are recommended patches or reordering of your network to deal with it, to take steps to do that.
I can’t speak for where there are conversations going on. I do think it’s been more complicated because there are always differences in attribution. How do you prove who launched the attack? The Russians use criminal groups or third parties to carry out the attacks.
And then, of course, we’re still in the process of discussing what are the next step levels for various things. I mean, you don’t react to a theft of intellectual property in the same way you do the shutting down, for example, all the energy.
So there’s quite a gray area, and we don’t have the same track record or experience that we had in a nuclear age. We’ve said publicly that an attack that was equivalent to a kinetic attack would get a response that would be comparable and might not even just be limited to kinetic. So I do think that the adversary knows we have the capability and the will. Exactly where that line is, in many ways, they don’t know, and that’s not a bad thing.
We’re entering into a period where, no matter how this particular issue gets resolved, where more and more companies are going to find their IT systems and their networks as part of the combat zone of geopolitical conflict.
The Biden Administration has been urging better coordination with the private and public sector. That’s very important. We have to be nimble and quick in responding, and not treat it as kind of an afterthought.
Amid a swirl of pushback—practical, political and legal—two authors offer an alternative path to pragmatically…
In this edition of our Corporate Competitor Podcast, StretchLab President Verdine Baker shares how leaders…
To keep your company culture strong in these troubled times, don’t let the things that…
When activists act like spoiled children, business leaders need to be the adults in the room.
Making parity a priority, getting personally engaged and intentionally celebrating successes will ensure you don't…