“It’s a MAD, MAD, MAD cyber world” – ILTA 2014 day two keynote
With day two of ILTA 2014 underway, technologist Rod Beckstrom offered a rousing keynote to start the day.
In contrast to yesterday’s address by Peter Diamandis, Beckstrom leveraged his experience as former president and CEO of ICANN, founding director of the U.S. National Cybersecurity Center, and co-author of the best-selling book The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations, to lead a large-scale, round table discussion on the challenging, chaotic, but not entirely hopeless cybersecurity landscape.
At Beckstrom’s behest, one attendee shared a grim outlook on cybersecurity: “We can’t stop it, we can’t stop the breach.”
“Before we get into a cheery note, let’s talk about how bad it can get,” Beckstrom quipped, as he then described the case of Saudi Aramco, the Saudi Arabian national petroleum and natural gas company, which experienced a catastrophic cyber attack in August 2012 that shut down approximately 20,000 computer systems.
Later, a legal IT staffer from Saudi Aramco, who was serendipitously in the audience, explained how her department dealt with the 2012 attack, and the still-lingering fallout of the event.
Beckstrom cited this as a case of Mutually Assured Disruption, a modern analog to the Cold War doctrine of Mutually Assured Destruction, both with acronyms (MAD) that inspired the keynote theme. Compounding the issue was the third “MAD” concept — Mutually Assured Dependence — a somewhat reassuring notion that society’s reliance on the Internet keeps networks running and helps maintain order.
But if Saudi Aramco and the Iranian STUXNET attacks are at one end of the spectrum, Beckstrom reminded the audience that smaller firms are not immune to cyber threats.
“More than 71 percent of cyber attacks are on firms with less than 100 people,” he said. With that in mind, he later stated, “The antelope in Africa doesn’t need to be faster than the lion, just faster than the other antelope.”
Beyond cyber threats from nation states, lone hackers, and insiders, firms also have to contend with client pressure for data security. Annual security audits and penetration testing by individual clients are inconsistent, with some clients seeking stricter security measures than common industry-wide standards, such as ISO 20001.
While firms can look to regulation for guidance, Beckstrom noted, “Regulators rely on the past, but the risk in cyber security is based in the present.”
Beckstrom offered one possible answer: client advisory boards, where firms can gather key clients to collaborate and establish a standard security audit process that meets their broader demands. He also challenged firms to consider cybersecurity as a piece of the larger risk management framework. The goal, he added, was to keep IT and leadership in sync on its potential large-scale impact.