Too many people today think of cybercrime as only identity theft and stolen credit cards. Despite the Targets and Home Depots and other recent events in the news, this is small stuff. It is remarkable that from the halls of Congress to corporate boardrooms, the discourse is so uninformed.
Former CIA director Michael Hayden said of high officials and the Internet, "Rarely has something been so important and so talked about with less and less clarity and apparent understanding."
Remember the bygone era of Bonnie and Clyde when the FBI called petty bank robbers "public enemies"? That public was very small, and the loot was physically portable.
Today, the boardrooms of corporations and academia face true public enemies. Hackers, of course, rob much more than banks: defense companies, high-tech firms, retail chains, consumers, even universities. Hackers destroy jobs, lower GDP, and slow global growth. Criminals play in the dark web few of us ever see.
Cyber criminals should be rattling boardrooms everywhere. Attacks are incessant; SEC Commissioner Luis Aguilar noted that cyber-risk now "must be considered as part of a board's overall risk oversight."
Yet board members get appointed because they know business, not cybersecurity. And there is a generation factor: Many directors grew up before the age of computers; technology hasn't entered all their fibers. Most risks are assessed by boards' audit committees, yet organizations' potentially biggest risk - cyber theft / cybersecurity - deserves its own place at the table. If directors and trustees don't know the layered defense protocols in place to protect their organization, the fact that some hackers do should be a wake-up call.
Universities play an important role in the campaign to stop cybercrime. NYIT is a leading educator in cybersecurity, using real scenarios that adapt to fast-changing threats. Our faculty wins prestigious research grants in biometrics, swarm intelligence, authentication, cryptography, and mobile security, and has invented new authentication methods as alternatives to standard passwords.
Each year, as we did recently, we convene experts from industry, government, and academia to discuss a range of topics, including where the Internet of Things is taking us; whether it's really possible to protect critical infrastructure, organizations and individuals; the latest innovations in enterprise and mobile security; the roles of the cloud and big data, and many others.
"Security has to be moved from the hidden place in the basement to a prominent position in the organization," Marisa Viveros, vice president of Cyber Security Innovation at IBM, expressed as an increasingly common belief. Andre McGregor of the FBI's New York Cyber Branch, added that we need to "stop doing business as usual and implement dynamic, radical solutions." For sure, cybersecurity is for the fleet of mind and cyber-foot.
We're more connected than ever, and it's not just via software. Wireless technologies also do a pretty good job of connecting hackers. The Internet of Things may let them enter through cars and refrigerators and from there to centralized software. A Roomba may infect a corporate database. Several recent breaches started not in the company being targeted, but in its supplier or partner. Companies somehow need to secure their environments as well as those in their supply chain.
As more boardrooms get actively involved in risk mitigation, we can cut this threat without stymying competition or innovation. Cyber-criminals have methods and motives, but corporations have stronger ones. Cyber-criminals have money and talent, but businesses have more. Just as market economies put a near-end to crimes like piracy, we can stop this thievery, too.
- Boards need to be able to point to a board-level colleague (or two) as the acknowledged point person for understanding cyber risks and responses. They need to know there is an internal "security officer" who reports outside the IT organization. Good oversight requires a sound knowledge base.
- Boards should adopt a "war game mentality"--and know simulations are made as convincing as possible so people are prepared for the real thing. They should see the incident response plan for its internal risks and external threats, and know it is rehearsed. This includes post-event communications and incident-response components.
- Boards should recognize, support, and demand increased funding annually for cyber defense, for everything from top leadership, updated equipment, internal education, and insurance.
The board has to understand we are living in a Through-the-Looking-Glass cyberworld where if they don't want to join the ranks of organizations that are always responding, they have to heed the Red Queen's advice to Alice, "Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!" Otherwise, the organization these directors are working to protect will never catch up to where the criminals are.
The campaign to stop cyber-crime begins with educating the next wave of professionals, but ongoing education and idea exchange are the ultimate keys to confronting cybercrime on the ground and in the boardroom. We may never eradicate it, but keeping up with and potentially ahead of our adversaries is an obligation to society.