When you've got some of the cybersecurity industry's best and brightest practitioners in one room, just how do you top the conversations they're having across the breakfast table? By getting one of the foremost experts on cybersecurity to deliver a top-notch speech on the future of the industry, threat actors, and strategies for businesses to survive and prosper in a hostile environment! This was the scene last week as General Michael Hayden, a thirty-nine-year military veteran, former director of the National Security Administration (NSA) and the CIA, and currently Principal at the Chertoff Group, addressed a packed house at MIRcon® 2013.
Hayden framed his talk by identifying the three key players in the cybersecurity arena: the attackers, the government, and the private sector. He gave the room pause for thought as he described how both state-based threat actors and private groups and individuals are becoming more sophisticated and more deliberate in their cyber attacks. Using the analogy of the rising tide lifting all boats, Hayden explained that all attackers are becoming better at what they do, less interested in data theft, and more interested in system-wide destruction.
In his opinion, this shift from criminal mischief to societal-level destruction is why governments have a legitimate role to play in cyber-defenses. The key issue, however, especially for the United States, is that as a country we have yet to decide what role we want the government to play in securing our online environment. Where the role of government is very clear-cut in the other domains of engagement (land, sea, air, and space), cyber-defense is far more complicated, particularly because, as the Snowden affair and other recent issues have demonstrated, privacy and other issues of freedom of information are at the core of the solution.
Cue the private sector.
Given its dual role as provider of cybersecurity solutions and principal target of cyber-attacks, the private sector, in Hayden's opinion, is "the engine of innovation" in the cyber realm. In fact, while the government provides the solutions in the other domains of engagement, in the cyber realm private industry, based on its knowledge, expertise, and hands-on experience, should take the lead and the government should act in a supporting capacity. Given the current situation, where cybersecurity legislation has either died on the vine or stalled in Congress, if we want the types of regulation that will lead to better cyber-defenses, and in a timely manner, then the private sector needs to forge ahead with what it has already started.
For Hayden, the most valuable avenue of cyber-defense will come from cybersecurity companies working with businesses and insurance companies to codify risk and resilience, so that the consequences of inaction in implementing genuine cyber-defenses become clear. Using examples of car and homeowners' insurance, Hayden outlined a compelling case for an insurance-driven approach to cybersecurity. In essence, by taking actions akin to requiring your children to take drivers' education, or knowing the composition of the shingles on your roof, the insurance consumer uses knowledge to reduce risk. In turn, the insurer rewards that knowledge and awareness with lower premiums, motivating consumers to act in less risky ways to achieve a better rating. In his words, a "cyber insurance regime may actually enforce cyber standards that we would find offensive from the government, but that we'll accept for favorable insurance."
Nothing like starting the day off with a radical idea, is there? What do you think of General Hayden's vision for driving cybersecurity preparedness and compliance?