Summing up: ten commandments for enterprises.
Michael Chertoff closed the conference with a "call to action" that amounted to a call to mindfulness, which he sees as key to security. People generally worry not just about cyber security, but about physical security as well.
A consideration of where the situation stands.
Cyber concerns have become pervasive in contemporary life—they arise in commerce, communication, and infrastructure, to take just three areas. Consider the way businesses' threat surfaces have evolved. Many unvetted endpoints enter your networks under bring-your-own-device polices. Businesses depend upon subcontractors, and in so doing take on the subs' attack surfaces as well. The supply chain is vulnerable to a variety of cyberattacks, and the Internet-of-things makes its own considerable and increasing contributions to this threat surface.
Chertoff quickly reviewed the familiar set of threat actors—states, criminals, and hacktivists—and their increased activity in cyberspace. "Our elections have received hostile attention," and the disruptive potential of that attention is expanding. "Nation-states are increasingly involved in attacks of all kinds. They're sophisticated, and their activities are more difficult to anticipate than those of criminals."
The immune system as metaphor.
Given that cybersecurity is about risk management, Chertoff invited the audience to consider the human immune system as a metaphor for resiliency. Some risks will inevitably arrive, and so you want to be able to resist, recover, and learn. Immunization, he suggested, is in effect a form of information-sharing, and information-sharing ought to play a role in security analogous to that which immunization plays in public health.
Ten commandments of cybersecurity for any enterprise.
In risk management, we ask who are the threat actors, what are the consequences, and what are the vulnerabilities. With that, Chertoff offered his ten commandments for approaching cybersecurity.
1. Know your perimeter. That means knowing, minimally, who's allowed in.
2. Establish segmentation And reflect that segmentation in administrative privileges.
3. Establish strong access controls and identity management. The password is no longer good enough; every enterprise needs stronger methods of authentication.
4. Employ continuous monitoring and diagnostics.
5. Balance convenience against security. (And note that it's a balance—too much emphasis on either can be dangerous.)
7. Consider and plan for the malicious insider threat. (Consider the damage Edward Snowden did.)
8. Consider and plan for the innocent, non-malicious insider threat improperly trained personnel present. (Behavioral monitoring and analysis can help here.)
9. Design your network as a whole for security. Configure devices securely (and ask of every device if it needs to be connected).
10. Develop and exercise a sound incident response plan.
Final thoughts for CISOs on dealing with boards.
Chertoff's basic advice on dealing with the board is to empower its members. Don't inundate them with solutions or with unexplained data. Manage their expectations, and present them with understandable, technically-based options as they manage enterprise risk. And enable them to empower people to take responsibility for security, and, with that empowerment, to hold those empowered accountable.
Discussion: the Internet-of-things, artificial intelligence, and international norms.
Chertoff responded to questions from the audience at the close of his presentation. On the Internet-of-things, he observed that its deployment was running far ahead of any general security awareness. Currently, the IoT requires every consumer to validate security, and that's an approach that's destined for failure. "The IoT should be like groceries. You should be able to assume it's safe." As with food safety (we don’t vet every piece of produce we buy at the supermarket for cleanliness or safety) there's a proper role for regulation. "Regulation, properly applied, is a good thing."
With respect to artificial intelligence, he observed that we now collect and manage data faster than any human can understand. This is where artificial intelligence gains its technological momentum.
Finally, he noted the shape international conflict has assumed in cyberspace. "We've weaponized our banking system," he said. "We use it to impose sanctions on bad actors. That's generally preferable to kinetic war, but when you put finance into play as a battlespace, the financial system could be at risk in a global conflict."
The Internet is a global commons, like the sea, and, as we've done for that commons, we should evolve laws of conflict that protect the essentials—critical infrastructure—from wanton destruction. There are of course difficulties in doing so, he noted (for one thing, deterrence, a cornerstone of security, depends upon attribution, and attribution in cyberspace is notoriously difficult). But the public debate is essential, invaluable, and inescapable.