Both government and private enterprise must abandon their culture of secrecy on cybercrimes and partner up if the United States is going to beat increasing cyber breaches, a panel of security experts said on Aug. 6.
Preet Bharara
Photo by Tom Stoelker
U.S. Attorney for the Southern District of New York Preet Bharara, moderating a distinguished panel representing the FBI and private industry, illuminated a tug of war that often plays out between the two sectors following a serious cyber attack.
“Once a company knows it has an intrusion, then what? The FBI says ‘Don’t do anything about it,’ because they want to look into your system and identify who the intruders are, so [they tell you to] just hang out.
“From the perspective of the private sector, it’s like having an intruder in your home and being told ‘don’t do anything, go fix a sandwich.’”
The panelists spoke at day two of ICCS 2013, the fourth cybersecurity conference co-sponsored by Fordham and the FBI. They were: Michael Chertoff, chairman and co-founder of the Chertoff Group; Kevin Mandia, CEO of Mandiant; and Joseph Demarest Jr., assistant director of the FBI’s Cyber Division.
ICCS 2013 continues with an appearance by CIA Director John Brennan, FCRH ’77, on Aug. 8. For live coverage, follow @FordhamNotes and @ICCSNY on Twitter at #ICCS.
Mandia, whose company spent months tracking cyber infiltrations of several U.S. corporations by a Chinese division of the People’s Liberation Army, said that companies that fear agreeing to an “observation period” when they discover they are hacked should consider the overall consequences.
“Sometimes it is better to get the ‘Mike Tyson uppercut’ – to understand what they are doing, and get them out full scale rather than piecemeal,” said Mandia. He noted that 90 percent of Mandiant’s customers agree to be monitored rather than opting for the quick fix.
For a private company, that could mean exposing itself to potential liability if personal or critical information remains vulnerable during the observation period, or becomes public if the intruders are caught and brought to trial. Demarest said that the FBI would not seize access to a hacked company’s critical information without permission. Mandia suggested that the government might want to offer companies a “liability waiver.”
Chertoff, who served as the nation’s secretary for Homeland Security from 2005 to 2009 and who now works in the private sector, said that the government can play a unique role in helping American companies because it can impose trade sanctions against the Chinese and other nations who steal American intellectual property. But “the reality is that the people who are developing their economies by stealing western secrets will not change until such time as they see the cost exceed the benefit.”
One thing the government is doing, he said, is helping educate companies about cybercrime and encouraging a more amicable relationship between government and private industry—and between private companies themselves. (Earlier this year, President Obama signed an executive order, Improving Critical Infrastructure Cybersecurity, which encourages companies to adopt cyber security standards developed by the federal government.)
Prosecuting international cybercriminals, however, remains an uphill fight that will require better international government partnering, as it is unlikely that global companies benefitting from intellectual property theft will step up to battle cybercriminals, said Demarest.
“There are still countries that don’t take it seriously,” he said, “and there are different statutes in different nations. But it’s that idea that anywhere in the world [the cybercriminal] can be arrested that will leave some of them unnerved.”
Below, Michael Chertoff (left), Kevin Mandia (center), and Joseph Demarest Jr.
Photo by Tom Stoelker