Bits and Borders: Navigating Asymmetrical Risks in a Digital World
Previously, the risk landscape was defined only by physical boundaries. Today, digital borders, measured in lines of code, impact trade and commerce. Economies can grow or shrink due to seemingly unrelated events like political actions, the gig economy, cyber attacks, sanctions, and management (or mismanagement) of global information systems. These digital risks trigger the need for fresh solutions and a new private/public-sector approach to risk mitigation. What role does the private sector play in the response to cyber incidents? Are businesses aware of the resources and strategies needed to mitigate risk? What role does private industry play in protecting personnel from digital threats to life safety?
Selected Quotes
Bryson Bort, Founder/CEO of Scythe, Founder of Grimm Cyber, National Security Institute Fellow, Co-Founder of ICS Village, Advisor to the Army Cyber Institute
“In my experience, there are two kinds of companies: There’s companies where the leadership cares about security, and those that don’t. And no amount of professional talents, technical controls, policy, or anything is going to change. If the leadership doesn’t care, nothing happens.”
“I’d say the biggest understanding that I’ve seen for companies is now recognizing the risk of their supply chain. I think this should sound obvious to everyone in the room, but this is a relatively recent understanding: that our risk is no longer just our own. Our business is not the sole owner of that risk; it’s distributed, it’s shared. That whole supply chain, those partners, have access into your environment, and are, more often than not, the access vector for getting to your intellectual property.”
“That supply chain is rarely, you know, another Accenture. It’s small business. Well, guess who’s below the cybersecurity poverty line? And I’m going to quote Wendy Nather. The cybersecurity poverty line is this concept: these companies have no chance. They don’t have the resources, let alone the understanding, to do anything about what the problem is, and they’re a part of your risk.”
“Because we’re now all in this interconnected world, our consumers that go and buy all of these cheap Chinese products that are what, always interconnected to everything? So, those are great access points. Well, those are our employees, and they bring devices into our environment, as well. So, you know, how this proliferation of poorly engineered equipment that comes into your corporate environment which is an effective walking backdoor that your own employees are accidentally bringing in. How do you control that? What do we do? And I start to look at that as a societal problem, not just an individual problem for companies.”
Tim Weir, Former Managing Director, Global Asset Protection, Accenture; Global Fellow, Wilson Center
“Traditionally, things have been defined at the atom level. You could stop goods and individuals leaving borders. You could inspect them. Countries could have rules and laws. If you think of it as the analog town square; if people gathered, there were rules about decorum and behavior. And in the bits world, the digital town square could be, as my friend Bruce McIndoe likes to say: ‘From Seattle to Shanghai.’”
“Being in the industry for almost three decades, coming out of school, the function was definitely in the back office. 9/11 was one of the game-changers that moved it to the front office. It certainly got a new level of attention and budget, and I would argue today, with the transformation that’s going on with cyber, it’s certainly in the head office. The boards certainly know their directors of security, the CISOs.”
“Accountability has elevated the function, and I don’t think that there is any going back; I think that’s a positive amongst many of the negatives. And the collaboration that’s occurring between CISOs, CSOs, and various agencies has improved greatly…. There is more guidance as to what constitutes evidence. Your companies are looking at the P&L, not trying to make cases, but in some instances, like William [Green] said, you have to send a message that there are ramifications for people [who] do things, either at the nation-state or employee level…. But at the end of the day, still, even though AI and other things are happening, the FBI doesn’t arrest computers. They arrest people. It’s still a people issue. And we have to not lose focus that automation brings new opportunities, but we still have to manage this in a people realm.”
Evan Wolff, Partner at Crowell & Moring; Global Fellow, Wilson Center
“There’s sort of fractured interaction between government and industry. Ostensibly, government is responsible for all things offensive and they’re the only ones who can do things like gain access to foreign systems without authorized access. Industry is not allowed to do that, because of laws like the Computer Fraud and Abuse Act. So that means industry can just sort of sit and wait to have an incident and wait to be hacked, and they really can’t do anything, and they’re predominantly responsible for defensive measures.”
“We have this huge green space between offense and defense and there’s not a lot of interaction in between and, in some ways, as we’ve all seen with the losing season of the Washington Redskins. When you have an offense and defense that are completely disconnected, it leads [to] a really inefficient and fractured system, and I think that’s sort of the operating environment we’re in right now.”
“When we project this to a global setting, then we need to think about: well, who is representing these companies globally? We don’t have a U.S. trade representative for cyber that’s dealing with, sort of, these multinational-state relationships. As we think about the trade war that the U.S. is in with China right now, if we project this to what a cyber war looks like, if we overtly talked about it, there is no sort of body that serves the USTR function in the cyber world that could deal with these types of interactions. And so it’s dealt with below the scene or not at all. And that adds to this problem of governance.”
Rob Knake, Senior Fellow, The Council on Foreign Relations
“What we’ve seen, lately, is that very well-protected companies are causing adversaries to come and do closed access operations to seek out insiders. They’ve gotten their cybersecurity so good that Chinese espionage actors, and in some cases, even Russian actors, have been forced [to] come into country to carry out operations… with the goal of getting data off systems.”
“Even though the adversaries won’t stop, you’ve now created a problem that the FBI can solve for you. So, I think that that’s the divide. If I was going to say: ‘What’s corporate America’s responsibility?’ You take care of cybersecurity to an extent at which your government can actually step in and do something. If you can draw your adversaries out of their cyber safe havens, you’ve done your job. That’s when government can take over.”
“The dominant focus of the agency has been election security. That’s been what the leadership’s focused on, that’s what the technical teams are focused on, and I applaud those efforts. You can follow the FBI in terms of what else has been going on with the FBI, nationally. I think they were less focused on cybersecurity when they were enmeshed in the 2016 election, and now we’re seeing leadership focused back on the issue.”
“We’ve got some treaties in cyberspace already, some agreements in cyberspace already. What we don’t have are very strong international mechanisms for monitoring and enforcement. And, so, when I look at something like the Budapest Convention on cybercrime, it’s very hard to tell whether that’s been effective at all in creating better engagement transnationally on cybercrime issues. Because we don’t have an organization that sits at the center of it, calling balls and strikes, [and] facilitating transnational collaboration.”
Agenda:
9:00 AM: Introduction
9:15 AM: What are digital borders?
10:00 AM: What's the new normal?
10:45 AM: How have responsibilities for protecting security shifted?
11:30 AM: Red-teaming new challenges: what's on the horizon?
Speakers:
Bryson Bort, Founder/CEO of Scythe, Founder of Grimm Cyber, National Security Institute Fellow, Co-Founder of ICS Village, Advisor to the Army Cyber Institute
Anatoliy Chudnovskiy, VP Business Unit Head, EPAM Systems
William Green, Founder and Managing Partner, TD International LLC
Niloofar Razi Howe, Sr. Operating Partner, Energy Impact Partners; Member Board of Directors, Recorded Future; Sr. Fellow, Cybersecurity Initiative, New America; former Chief Strategy Officer, RSA Security
Rob Knake, Senior Fellow, The Council on Foreign Relations
Paul J. Kunas, Accenture Managing Director – Information Security, Governance, Risk and Compliance
Bruce McIndoe, President & Founder, WorldAware, Inc
Peter J. O'Neil, FASAE, CAE, Chief Executive Officer, ASIS International
Tim Weir, Former Managing Director, Global Asset Protection, Accenture; Global Fellow, Wilson Center
Evan Wolff, Partner at Crowell & Moring; Global Fellow, Wilson Center
Hosted By
Science and Technology Innovation Program
The Science and Technology Innovation Program (STIP) serves as the bridge between technologists, policymakers, industry, and global stakeholders.
Digital Futures Project
Less and less of life, war and business takes place offline. More and more, policy is transacted in a space poorly understood by traditional legal and political authorities. The Digital Futures Project is a map to constraints and opportunities generated by the innovations around the corner - a resource for policymakers navigating a world they didn’t build.