Cybersecurity a vital responsibility in risk management

Admiral Dennis Blair

Publications Cybersecurity a vital responsibility in risk management

“In our hyper-digitalized age, virtually any company is vulnerable to cyber larceny. So how does a company like Coca-Cola keep its ‘secret formula’ safe from hackers for so long? By writing it down on a piece of paper and storing it in a safe.”

Admiral Dennis Blair

In advance of the Cyber3 Conference Okinawa from November 7 to 8, Admiral Dennis Blair, Chairman and CEO of Sasakawa USA, spoke at the U.S. Embassy in Tokyo at a Cyber Security roundtable.

Remarks by Admiral Dennis Blair

November 5, 2015

22217991123_e1abb44c63_k“The digital age is now into its fifth decade. It continues to change our personal lives, our professional lives, and even the economic health and national security strength of our countries.

It has happened very quickly, in one professional lifetime. I remember well as a midshipman at the Naval Academy in 1965 writing code in IBM’s FORTRAN language and running stacks of paper cards through a compiler in order to load algorithms into a stand-alone computer. A year later, I could program directly into a much more powerful computer that was shared by a several colleges and universities.

Connecting computers into a network of research centers was first developed by the Advanced Research Projects Agency in the American Department of Defense. Soon it outgrew its niche application to become the Internet.

It was not long before consumers, businessmen and banks; naval ships and planes were connecting their individual computers into networks so the information that each held individually could be shared rapidly and analyzed all together, with the results being available instantaneously to everyone on the network.

Advances have continued in computing power, communications bandwidth, and storage capacity. The digital content of virtually all pieces of machinery – large and small – has greatly increased; they have been connected with one another, and virtually all spheres of human activity – personal, organizational and societal – have been affected.

What has not changed in that 50 years has been human nature. It has always had both a light side and a dark side. The dark side of the digital age is its application to traditional criminal activity, from illegal gambling through illegal ripping of music, movies and books, to prostitution and extortion. Cyber criminals can be much more effective and efficient.

In addition, the cyber vulnerability of the digital age has opened up an entire new threat to our personal resources and safety, our companies and other organizations, and even our nations.

More and more information has moved onto computers that are accessible over the internet, and that information is made accessible to a larger and larger number of users who can wittingly or unwittingly compromise it.

In my early years in the Navy, if I wanted to send a secret message to another ship, I had to go through the following procedure: I would write the message in block capital letters on a sheet of paper. I would hand that sheet of paper to a sailor, who would take it back into a secure compartment on the ship and type it into an encryption machine that would turn it into a coded message.

Admiral Dennis Blair

Let me illustrate with a military example. In my early years in the Navy, if I wanted to send a secret message to another ship, I had to go through the following procedure: I would write the message in block capital letters on a sheet of paper. I would hand that sheet of paper to a sailor, who would take it back into a secure compartment on the ship and type it into an encryption machine that would turn it into a coded message. At the receiving end, the process would be reversed, finally resulting in another plain text message on paper that would be physically carried to selected individuals on another ship. The vulnerabilities were the strength of the encryption and the integrity and skill of the relatively small number of communications personnel.

Today, dozens of officers and sailors on the same ship can sit down at a computer terminal, type a secret message and send it to thousands of other soldiers, sailors, airmen and marines, officer and enlisted, around the world. The chances of making a mistake that compromises the security of the system are enormously greater, the number of operators who must be trusted is enormously greater, and the complexity of the system itself offers literally thousands of different ways for an enemy to gain access to the system.

Of course, clever engineers have devised many different ways to protect the security of computer networks, even with large numbers of users. However, as long as the inherent advantage of a network is the sharing of information among many users, networks will be inherently insecure. Security will depend on correct and conscientious actions by many unskilled individuals, offering many, many human and technical vulnerabilities.

Others in this roundtable will talk about the technical means that have been developed to make networks more secure, to improve Cybersecurity, to thwart unauthorized access to the networks we use in our private, professional and public lives. I would like to talk about two basic concepts of Cybersecurity that should be considered before technical solutions: information classification and storage and threat.

First, information classification and storage.

There are definite advantages to having all the information used in our private and professional lives accessible from a single computer. What could be more convenient than working on a company spreadsheet for a couple of hours, then during our lunch hour using the same computer to shift to the internet to make reservations for our next family vacation? Isn’t it convenient to have our company e-mail accounts and our personal e-mail accounts in a single inbox folder on a computer that we dock in our office, and then take away from the office for a couple of hours of work in a study at home?

For our company, isn’t it convenient to have company databases and e-mail accounts accessible from the same computer in our office? We can attach a set of blueprints to an e-mail sent to engineers throughout the company, or send out quarterly reports of our companies’ earnings to all our board members in a group e-mail. Isn’t shareware convenient, allowing company officials across the country or even around the world to interact with the same set of diagrams, or power-point slides, or spreadsheets?

All of these interconnected data and communication systems have inherent advantages in increasing efficiency and reducing costs, but they all incur significantly greater risk of compromise.

Admiral Dennis Blair

All of these interconnected data and communication systems have inherent advantages in increasing efficiency and reducing costs, but they all incur significantly greater risk of compromise. The more people that have access to a database, and the more databases that are interconnected, the greater their vulnerability to hacking.

The single layer of protection that most companies and individuals have today is a firewall. They believe that a firewall will protect all their networks. It will not. A firewall is an algorithm that will block an e-mail from an outside IP address based on known suspicious signatures. However, not all malware has known signatures, and there are many other ways to attack computers to gain access to their networks and databases.

All a hacker must do is convince one official in a company to open up a piece of malware in an innocent-looking personal e-mail. That is the most common effective computer attack today, called a phishing attack. Once that attachment is open, the hacker can have access to every communications system and database to which that computer is connected. And once inside a company’s network, a hacker can remain there undiscovered while extracting huge amounts of important information. On average, a computer attacker will have access to a company’s networks for eight months before detection.

However, a company or other organization can control two basic qualities of its computer networks with no fancy and expensive protection systems. It can choose to make its networks hard or soft before it purchases the first firewall or signs the first contract with a Cybersecurity company.

This means deciding what information is stored in computer databases and how those computers can be accessed over communications circuits.

Let me give you an example. One of the most famous trade secrets in the world is the formula for Coca Cola syrup. That secret formula has to be used in the bottling operations of hundreds of Coca Cola plants around the world.

22420785458_00bf7987f7_kSo does Coca Cola have the secret formula in a central database, so that any one of its engineers can type a password into his or her computer, log onto the intranet, download the formula, print it out and take it back to the syrup mixing room in the plant? Isn’t that how it should be done in the digital age?

The answer, I have been assured by a vice president of the company, is “no.” Coca-Cola safeguards its formula the old fashioned way – written on a piece of paper, physically transported by trusted couriers, and stored in a secure safe in each of its plants.

Cybersecurity is basically risk management. An individual, a company or an organization needs to understand the data it holds, and the value of that data, and it needs to protect it accordingly.

Some information in your company is like Coca Cola’s secret formula, and should be handled by hard copy only. At the other extreme, some data will have to be accessible through the internet to thousands of customers with relatively simple protection such as a password. However, even this data needs protection. There are algorithms like those used by credit card companies to identify unusual charges and block them. Similar systems are available for most other databases with large numbers of users that can identify unusual behavior. Some data should be accessible only on separate networks of computers and communications networks, with high levels of authentication and encryption. An example are the networks that banks use for clearing transactions among themselves.

Or to give you a personal example, I track my personal finances with Quicken on a separate computer that I use only for that purpose. I do not use that computer for e-mail or for ordering merchandise on line.

For a typical corporation, the categories of information I am talking about would include e-mails, patents, product designs, research results, contract proposals, quarterly results, M&A plans, and customer credit card numbers.

Within a company or organization, the process of classification of company information based on value is not the job just of the Chief Information Officer, or the Chief Information Security Officer. It is a management responsibility shared between individual line managers and CIOs or CISOs, directed and overseen by the CEO. Every division of the company needs to be involved.

In addition to understanding the value of its data, a company also must understand the threat it faces.

Companies and organizations need to understand what types of hackers would be attacking them, as well as their motivation and level of skill.

The identity and motivation of hackers, of course, depends on the type of business of a company or organization and its competition.

Cybersecurity is basically risk management. An individual, a company or an organization needs to understand the data it holds, and the value of that data, and it needs to protect it accordingly.  

Admiral Dennis Blair

Virtually any company is vulnerable to cyber larceny – criminals who simply want to make money. Every day in the press, we read about a new attack on a well-known company and crimes such as the theft of credit card numbers, the diverting of bank deposits or the filing of false tax forms. Every company needs to understand what information on its networks can be turned to a profit by a criminal hacker. Remember that criminals are not just hacking big companies; they go after small- and medium-sized companies also.

Some companies – usually larger international companies – are targeted by sophisticated competitors trying to steal trade secrets, or the contents of tender offers.

Some companies are targeted by groups like Anonymous that seek to embarrass those whose line of work go against their ideological objectives.

Government organizations have separate concerns. They will be attacked by criminals seeking simply to make money, but their networks also can be attacked by the intelligence organizations of other countries or by groups like Anonymous and Wikileaks that are seeking to publicize their internal decisions and procedures.

Beyond the identity and motivation of threats, companies and organizations need to understand the level of skill and sophistication of different hackers.

There are many different systems of classification for the skill of hackers. The Defense Science Board of the U.S. Department of Defense came up with the following categories:

• Tier I-II : Hackers that primarily exploit known vulnerabilities, such as those that can be found on the internet, and are generally blocked by good firewalls.

• Tier III-IV: Hackers that take advantage of new vulnerabilities in systems. These techniques are used by the more sophisticated criminal groups, or by unscrupulous companies that will hire hackers with higher skills. These attacks are not generally known, and are not blocked by firewalls.

• Tier V-VI: Hackers that can invest money and time to create vulnerabilities in systems otherwise strongly protected. National intelligence organizations have these capabilities, but in some circumstances, they can be replicated by criminal organizations, or companies can hire hackers with previous government experience, or, in China, can hire off-duty PLA hackers.

22446956199_b8752b6e0f_kLet me emphasize again that an understanding of the threat that an organization or company faces is a joint responsibility of the CIO/CISO organization and the line managers and officials. The discussion of the threat needs to be repeated frequently, as hackers become more sophisticated, and as hacking techniques develop. Every time there is a break-in of a comparable company or organization – Target, Sony, the U.S. Office of Personnel Management, or the Japanese Pension Service, there needs to be a review of classification of information and threats within every peer company.

Once an organization company has gone through this process, then it can make intelligent technical and resource decisions about necessary Cybersecurity measures.

The internal Cybersecurity architecture of a company network needs to be designed on the basis of the value of information being protected, where it is located in the company networks, and what are the motivations and skill level of the threat. This understanding provides a risk basis for deciding which layers of Cybersecurity products to purchase. Companies also have a basis for cooperating with other companies within their industry, and with the government in exchanging information and ideas.

Let me close by emphasizing it is the responsibility of the leaders of companies and organizations to make the decisions about the resources committed to Cybersecurity and the basic architecture and procedures that are adopted. These are risk management decisions that cannot be delegated to the CIO or the CISO of the organization. By describing the concepts of information classification and threat, I have tried to provide company leaders two of the important concepts they must have to make these important risk management decisions.”

Photo Gallery:

2024 Sasakawa USA | Privacy Policy | Sitemap

Custom WordPress Design, Development & Digital Marketing by time4design