Listen to the podcast:
On January 4, President-elect Donald Trump’s transition team announced that Jay Clayton, co-managing partner of the general practice group at Sullivan & Cromwell, a New York City law firm that works closely with Wall Street investment banks, would be nominated to become the next chairman of the Securities and Exchange Commission (SEC). In a statement, Trump noted that Clayton is “a highly talented expert on many aspects of financial and regulatory law, and he will ensure our financial institutions can thrive and create jobs while playing by the rules at the same time.”
Clayton is no stranger to Knowledge@Wharton readers. In June 2015 he co-authored this opinion piece with David Lawrence, founder of the Risk Assistance Network and Exchange, Frances Townsend, executive vice president of MacAndrews & Forbes, and several other associates. The article lays out a plan for companies and governments to collaborate to deal with cyber threats.
The Knowledge@Wharton show, part of Wharton Business Radio on SiriusXM channel 111, also interviewed Clayton and Lawrence in 2015 about what is needed to combat cyber threats and other security risks. Listen to the podcast using the player at the top of this page.
Socrates is known to have declared, “The only true wisdom is in knowing that you know nothing.” This became a starting point for his pursuit of knowledge.
On the issue of cybersecurity, the world is in the early stages of the Socratic process. Throughout the private and public sectors, there is justifiable apprehension about how little we understand and how much more needs to be done.
Now is the time to become wiser for this admission.
There is complexity and nuance to the subject of cybersecurity. There is also more than enough common ground for everyone to grasp the magnitude and ubiquity of the threats and our limited means of response. Whether natural or man-made, virtually every catastrophic threat reinforces at least four lessons about risk-management. The cyber threat is no different.
- The best time to prepare for a disaster is before it occurs.
- Crises are preceded by opportunities — often missed — to explain the risks, both local and systemic — and adopt measures for prevention, mitigation and recovery.
- If history doesn’t always repeat itself exactly, it rhymes closely enough that our mistakes need not be repeated.
- Together, our expertise and resources can be formidable. Apart, we are highly vulnerable.
Cybersecurity is a multidimensional problem that transcends the risk management and response capabilities of any single community — technology, defense, law enforcement, public policy and business. No group has an answer or even a claim to superiority. All share in the exposure.
With so much at stake, why has there been so little collective progress?
Fifty years ago, Bob Dylan offered this utilitarian insight about risk management from “Subterranean Homesick Blues”: “You don’t need a weatherman to know which way the wind blows.” It is obvious which way the wind is blowing, and it is time to take collective action.
Ten years ago, the 9-11 Commission shared one of its principal findings about the “attacks that changed everything”: Just because events come as a shock, [this] doesn’t mean they arrive as a surprise.
With recognition that any comparison to 9-11 must be undertaken cautiously and respectfully, we recently re-read the 9-11 Commission report. We did so because so many security experts believe that the world is at a similar inflection point with respect to our collective state of preparedness for digital exposures. The Commission reached an overarching conclusion about exposure to terrorism: Even our most consequential threats can be prevented or mitigated with the benefit of shared recognition, shared intelligence and shared action.
On the issue of cybersecurity, the world is in the early stages of the Socratic process.
As reflected in the Commission’s findings and recommendations, our approaches to complex risk must offer transparency, utility and resiliency to be effective.
Here then is a proposal with respect to cybersecurity efforts for the U.S., offered in the hope that other countries will benefit from the effort and can develop their own versions of the same solution. Within this moment of relative calm, we have the opportunity to provide foresight, not hindsight; a biopsy, not an autopsy; a blueprint, not a Code Blue.
The U.S. President and Congress should appoint a 9-11-type Cyber Threat Commission. This Commission should:
- Convene the best minds and intents from all sectors and political parties –divorced from self-interest and outside influences — with sufficient power and authority to move quickly and effectively.
- Recruit beyond national borders — reaching the leading authorities from around the world.
- Produce a report on the state of the digital union, including an assessment of the risks and a plan for addressing them in plain language that all can understand.
- Follow the lead of the 9-11 Commission and communications experts in offering the narrative — not a typical government report — that all will want to read and follow.
- Utilize social media to continue to communicate and gain feedback.
No “big bang” event is required. The Commission must answer these questions:
- Why do we have a problem? Why does it matter?
- What is the extent of the problem? What needs to be done?
- Who are behind the threats? Who should respond and own the effort?
- How will solutions be executed?
- When will this happen?
- Where can we turn for help?
Cybersecurity is like a “black elephant“ Twitter — a dangerous crossbreed between the “black swan” risk (capable of producing unexpected outcomes with enormous consequences) and the “elephant in the room” (a large problem that is in plain sight).
Every day brings new cyber threats. And the coming waves of attacks promise to be more than any one enterprise, sector or even country will be able to handle.
- Globally we are experiencing unprecedented thefts of money, information, intellectual property and state secrets — much of it to fund foreign regimes and criminal organizations.
- Unpredictable security costs imposed upon public and private enterprises — solely to stay in business — that effectively represent a “protection tax.”
- Possibly, the early acts of a highly asymmetrical and multi-front war that threaten national security, economy, vital infrastructure and personal safety — in which ground troops, tanks, aircraft and ships will be of little defense.
The Internet was constructed for universal connectivity and accessibility — not with an eye toward containing the darker sides of human behavior. The Internet has delivered on its promise of social and economic progress. Unfortunately, it has also delivered unparalleled opportunities to those seeking to scale global conflict, terrorism, criminal activity, state and industrial espionage and vandalism.
As reflected in the [9-11] Commission’s findings and recommendations, our approaches to complex risk must offer transparency, utility and resiliency to be effective.
Highlighting our worldwide exposures, the Global Commission on Internet Governance explained that in the packet-switched networks and data clouds of the Internet, the communications and data of all parties are mixed together. Put in context, we drive on the same information super-highway to work, school and play, as those seeking to drive home a wide range of threats. Indeed, the Internet may need to be reconstructed.
When it comes to our global state of preparedness, and our ability to respond, here are some widely accepted views from experts in the public and private sectors:
- Cyber risk is now a systemic threat to national security, economic sustainability, safety, public confidence, and to the freedoms that constitute our way of life.
- The occurrence of a large catastrophic and systemic attack is no longer a matter of “if”, only when and how costly — to life, property, reputations, the economy, and our overall sense of confidence and security.
- “If you can imagine it, they can do it. And even if you can’t imagine it, they have — and are working on it.” This is the simple operational premise that informs expert thinking about our exposure to the risks of cyber-attacks.
- Only a small fraction of the threat surfaces to the public through headlines and episodic disclosures. Rest assured, there is no shortage of plans or the talent for launching systemic strikes against critical infrastructure — defense, power, transportation, telecom, medical and finance systems. There are even “apps” for that attack on the dark web — and groups like ISIS are providing the links.
- Officials fear that it may take a “Cyber-9-11” event, before we wake up and acknowledge the magnitude of this threat. By then, broad-scale and irreparable harm will have occurred, and we may be locked into a zero-sum blame game.
- Cybersecurity is not a technology issue in need of a “patch.” Technology and its portals are the newest means for a widening range of individual, group and state-sponsored actors to achieve familiar ends. In reality, it is about fraud, theft, state and industrial espionage, extortion, illicit finance, geopolitical conflict, terrorism, economic disruption, human rights violations and vandalism. There is no simple fix — there’s no app for that.
- Most consequential threats emanate from a relatively discrete group of states, state-sponsored actors and state-protected groups. Solutions will need to reflect geopolitical realities.
- Those behind cyber-attacks may be criminals, spies, terrorists, “hactavists” or enemy states — but they are rational actors. The infamous 1930s bank robber, Willie Sutton, reportedly offered a simple explanation as to why he robbed banks: It’s where the money is. Whether as an outsider breaking-in or an insider attacking from within, our connected networks offer the keys to the castles that contain, among other assets, our money, state and military secrets, operational systems, IP, business strategies, market-sensitive information, private communications, personal identities, legal advice and reputational concerns.
- Cybercrime remains a “virtually” perfect crime and act of war. It is low risk and high reward. It is agile, cheap and remotely scalable. It morphs and innovates in ways that leave enforcement officials responding to yesterday’s battles. Victims have little or no recourse. It does not fit within our current perspective on and process for dealing with domestic and international crime. There are no laws, treaties or boundaries to limit tactics, weapons and targeting of civilians. Easily cloaked and launched from safe havens, it carries little risk of detection, prevention, apprehension or punishment. With so much to gain and so little to lose, why stop?
- The consensus annual cost of cyber-attacks to the global economy is around $445 billion. Yet, the “whisper” number of true damages dwarfs this estimate. Many successful intrusions are never detected. Other attacks go unreported due to national security considerations and business concerns over client relationships, litigation and reputational harm.
- Insurance can only provide a partial answer. The insurance market is still in its infancy. Policies generally have low limits and numerous exclusions. To increase the amount and scope of coverage, carriers would need better actuarial data and intelligence regarding the cyber-risk profiles of the companies they insure, as well as the steps that can be taken to mitigate those risks.
- Cyber-attack victims unfairly shoulder the blame. In the “Alice-in-Wonderland” aftermath of cyber-attacks, the perpetrators are often beyond the law and the victimized enterprise stands trial. As “defendants,” they are convicted of knowing that they were attractive, inviting the assault and then failing to fend-off their attackers.
- Our lack of coordination is inconsistent with democratic models for security. Global security has always required partnerships between government bodies and an informed and committed citizenry. Unfortunately, even the seemingly simple decision to report an attack to authorities involves a complex calculus about likely costs and uncertain benefits. Critical issues about confidentiality, privacy, information-sharing and safe-harbor notifications have not yet been addressed.
- Even the most sophisticated and costly efforts at prevention and detection have proven only partially effective — more useful in delaying the inevitable or deflecting the contagion to another enterprise that offers less resistance. Institutions are asking themselves, ‘How fast and nimble do I have to be to outrun this bear?’ In the short term, the answer is perhaps just faster than the other guys. In the longer term, the bear is still out there.
- Our Balkanized approach to security extends Einstein’s definition of insanity –we are doing the same thing over and over again, without even expecting a different result. No single entity, sector or nation can manage this risk on its own. Robust procedures and protections for shared knowledge and resources must be an essential component of a cyber security strategy. International treaties will have to be enacted and enforced.
A review of these views leads to only one conclusion: A comprehensive and collective report, in close cooperation with the private sector, is needed and overdue. International public-private sector input will be essential in this effort.
We drive on the same information super-highway to work, school and play, as those seeking to drive home a wide range of threats.
History rightfully delivers a harsh judgment when we fail to come together to protect the public interest against known threats. As a result of the tragedy of 9-11, we have a model to address our most complex threats in advance of a crisis. Now is the time to apply it to the clear and present dangers of cybersecurity.
About the co-authors:
David N. Lawrence is the founder and chief collaborative officer of the Risk Assistance Network+Exchange (RANE), and formerly associate general counsel and managing director at Goldman Sachs. Previously, he served in various senior positions with the United States Attorney’s Office, (S.D.N.Y.).
Jay Clayton is co-managing partner of Sullivan & Cromwell’s General Practice Group He is also an adjunct professor at the University of Pennsylvania Law School.
Frances Townsend is executive vice president of MacAndrews & Forbes, and National Security Analyst for CNN, and was formerly homeland security advisor to President George W. Bush.
Stephen Labaton is president of the global communications firm Finsbury, and a former senior writer for The New York Times.
Frank J Cilluffo, is the director for George Washington University’s Center for Cyber and Homeland Security, a senior advisor to RANE, and formerly served as special assistant to the President for homeland security.
Tim Murphy is vice president of MacAndrews & Forbes — while remaining active in various public-private sector efforts to address cyber and homeland security; and formerly served as deputy director of the FBI.
Ed Stroz is the founder and executive chairman of Stroz Friedberg, specializing in cyber security and risk management; he is a former special agent for the FBI and helped form the FBI’s Computer Crime Squad.
John Squires is a senior partner at the law firm of Perkins Coie, specializing in intellectual property and technology law and served as chief IP counsel for Goldman Sachs.
Matthew Lawrence is a legal and IP researcher at Perkins Coie and will be attending Fordham University Law School.
Curtis Hougland is an expert in social media and marketing and is the founder of Attention.
The authors acknowledge the contributions of Carl J. Schramm (University of California), formerly CEO of the Kauffman Foundation; Amit Sharma, senior advisor to RANE and former senior advisor to the U.S. Treasury Department on terrorism and illicit finance; Adam Robinson, CEO of Robinson Global Strategies. Although not directly involved in this article, we recognize the security leadership of various firms, including: CrowdStrike, K2 Intelligence, Kroll, Mandiant, the Promontory Group, Recorded Future and Red Owl.
Disclaimer: The views expressed by the authors are entirely their own and should not be attributed to any of the institutions with which they are — or have been –affiliated.