War room to boardroom: The new era of cybersecurity

War room to boardroom: The new era of cybersecurity

Facebook’s hire of its first ever head of cybersecurity policy is recognition that protecting corporations from foreign hacking is an increasingly serious matter. Sophisticated cyber threats presented by state-sponsored actors have long challenged sensitive United States government computer networks. What’s new — as Facebook’s move indicates — is that these complex state-sponsored cyberattacks are now also threatening America’s leading companies to a larger extent than ever.

The resources, skill and complexity posed by hackers managed by Russian intelligence agencies, for instance, far surpass the motivations and abilities of typical cyber criminals. In this new era, U.S. companies must bolster their defenses and leverage advanced cyber tools designed to stop state-sponsored attacks. The mounting threat against American commerce — the bread and butter of America — must be addressed. It’s not business as usual anymore.

ADVERTISEMENT

While Russia is not the only state engaging in these activities, its cyber operations are relatively known. Unable to dominate in conventional military terms, Russia views cyber operations as an affordable way to disrupt its adversaries. As part of this effort, Russia has increasingly targeted civil and commercial computer networks. This includes measures to cripple critical infrastructure, financial networks, and internet services and capture proprietary data or sensitive communications, such as a CEO’s emails. While working at the Pentagon, I saw firsthand how Russia tested these capabilities in Ukraine as major coordinated cyber intrusions shut down power grids, interrupted television broadcasts and generally disrupted commerce. Ukrainian President Petro Poreshenko stated that in the space of two months in 2016 alone, 6,500 cyber attacks were conducted against government, critical infrastructure and industrial targets.

 

Yet despite these facts, some American business executives might argue that their company’s cyber defenses are more advanced than those of Ukrainian companies or that they are not a high-priority target. “We are different and more prepared,” they might say. While this may be true, it does not always lessen the risk. In June 2017, the Notpetya computer virus began to infect Ukrainian computers on Ukraine’s Constitution Day. Generally attributed to Russian state-sponsored hackers, the virus quickly spread to European and North American corporations, notably disrupting international shipping giant Maersk’s operations for days and costing the company approximately $300 million. Maersk was undoubtedly collateral damage for Notpetya’s designers, though that was little consolation to Maersk shareholders and customers.

Indeed, cyber attacks present a historically unprecedented risk to any company. Major security breaches, such as those faced recently by several Fortune 500 corporations, have cost companies billions in market value, lost revenue and other expenses. In 2017’s Equifax case, the company lost about 25 percent of its market value in the weeks following public disclosure of the hack. The lost trust of customers can have long-term ill effects as well. There can be little doubt that the spectacular data breaches suffered by many corporations in recent years have caused many Americans to question the role of leading businesses in our society. 

Unfortunately, these high-profile hacks of Target, Home Depot, Sony, and Equifax show that the American private sector is playing catch-up. While the government may be used to countering sophisticated cyberattacks from Russia or other foreign adversaries, many companies are simply not equipped to deal with these complex hazards.

To address these threats, America’s companies should leverage the cutting-edge technology and lessons already learned by the government. Throughout the government, it employs a multi-faceted defense that incorporated advanced technology, personnel training and physical security procedures to protect national security data. While the private sector has a different focus and mission than the government, ultimately, both need to protect vital information.

What would a better secured corporate network look like? Techniques include: segmenting the network to separate highly critical information from less sensitive data; stopping insider threats via better employee training; verifying proper employee behavior; and implementing new approaches such as artificial intelligence, automation, and block chain technologies. Executing these steps as part of a multipronged approach can lower a corporation’s risk of catastrophic cyberattack.

The U.S. military has formally recognized cyberspace as a new warfare domain alongside air, land, sea, and space. Adversaries, such as Russia, have long recognized the same. The private sector must similarly acknowledge this truth and take responsibility to safeguard American’s information from foreign governments. Corporate cybersecurity isn’t an IT problem, but an issue central to every company’s daily operations. With approximately 85 percent of the nation’s critical infrastructure in the hands of the private sector, our country can’t afford anything less than a robust defense.

Jacqueline Ramos, an adjunct fellow at the Center for a New American Security, previously served in the U.S. Department of Defense as senior adviser to the assistant secretary of defense for international security affairs and Russia country director.