After serving as a federal judge and then leading the U.S. Department of Homeland Security (DHS) for four years, Michael Chertoff has spent much of his career observing threats to the nation, ranging from organized crime to global terrorism. And much of what he’s seen recently in the cybersecurity world tells him that the scale and impact of global threats have raised the stakes considerably. “If we screw up the global economy and our political systems, no amount of technology is going to save us,” said the former Cabinet-level Secretary.
Chertoff delivered his assessment during a daylong session held Wednesday in Palo Alto, California that was focused on how corporate boards of directors should handle security issues.
The gathering was part of a series of informational events held by his global advisory firm, The Chertoff Group.
Rise in security threats predicted
A rising tide of breaches and attacks involving the banking system, corporate operations, and the power grid have created a sobering picture of a world where anything and everything is now at risk. “We are going to see an uptick in security threats,” said Chertoff, who challenged the tech community to increase efforts to protect key systems. “We’ve got to get our game up.”
Vulnerability in the nation’s voting databases was a particular area of concern for the former head of DHS. Election databases in Illinois and Arizona were targeted by hackers in 2016.
Saying that there was work to be done on voting database security, Chertoff reminded the gathering that Russia has a long history of trying to undermine democracies and there was much work to be done on securing voter databases.
“We have really uneven security depending on the jurisdiction,” said Chertoff. “It’s a very clear warning that someone could disrupt an election at a minimum, if not impact it.”
The lack of security in many Internet of Things (IoT) connected devices was another area of concern cited by Chertoff.
An attack on Dyn, a key Internet performance management provider, in 2016 leveraged security weaknesses in thousands of IoT devices to temporarily bring down a number of highly-popular websites throughout the U.S. and Europe.“IoT threats are proceeding well ahead of any security efforts to protect devices,” Chertoff warned.
Federal legislation could impact companies
Threats to IoT devices and other consumer products have spurred action in Congress. There are currently 127 pieces of legislation awaiting action in the House and Senate that deal with cybersecurity, according to an official from The Chertoff Group. One bill in particular – Senate Bill 536 – requires that every publicly-traded company must have one board member with cybersecurity expertise.
Security executives at the Wednesday session said that knowledge gaps do exist in the corporate board-level understanding of cybersecurity issues. In conversation with Chertoff during one discussion, Steve Daly – CEO of Ivanti – offered the perspective that many boards do not fully grasp security’s importance in the enterprise until there’s a significant problem.
“It’s a very underappreciated discipline at the board level,” said Daly. “If you wait for a board to ask you to do this (security), then you’re way too late.”
Chertoff pointed out that a number of boards are being “besieged with too many security problems or products,” an issue that was echoed by other speakers at the event. “Over the last couple of years, we’ve been seeing that there’s cyber fatigue,” said Vijay Jajoo, a partner with KPMG Cyber, who described a situation where companies have too many security tools “without a reasonable level of assurance that they will be protected.”
Despite the myriad security products confronting many companies today, executives still believe that keeping the board of directors in the loop is a critical part of what they do.
Deborah Guild, the chief security officer for PNC Bank said simply “It’s my job, a key part of what I do.”
As breaches mount and security risks escalate, the likelihood of board involvement has risen as well and there are few days that companies do not have to deal with a major threat. “A really good day is quiet,” said Guild. Based on the discussion by Michael Chertoff and others, the PNC executive may not have many quiet days ahead.
