Former Homeland Security Secretary Michael Chertoff, Vice President of Cyber Security for The Chertoff Group. Credit: REUTERS/Yuri Gripas
Cyber security, to be successful, has to be a "team sport," former Homeland Security secretary Michael Chertoff told attendees of the Advanced Cyber Security Center (ACSC) Conference at the Federal Reserve Bank of Boston Tuesday morning.
Chertoff, cofounder and executive chairman of the Chertoff Group, who gave the keynote speech at the conference, titled "Left of Boom: How and where to invest across the kill chain," said organizations that go it alone, and especially those that focus only on prevention to maintain their security from cyberattacks, are "doomed."
Not that this was a surprise to an audience that included numerous information security experts who have been preaching that message for some time. They are familiar with the image Chertoff invoked of the "M&M" defense -- hard on the outside but soft on the inside -- and know that most of the past year's catastrophic high-profile breaches have been caused either by insiders or by attackers who compromised insiders.
They are also aware that the attack surface is almost unlimited in an "Internet of Things" (IoT) world with an explosively expanding number of smart embedded devices.
"The architecture of the Internet creates a level of connectivity that is radically different from the way we live our physical lives," Chertoff said, noting that physical document dissemination requires either "an affirmative action on our part" or theft.
With the Internet, "everything is connected by default," he said, "so things in your study can become part of the wider world. The camera in your PC can literally create Big Brother in your own room."
Add to that everything from BYOD in the workplace to apps that allow users to adjust the heat, lock the doors and more in their homes, wearable medical devices, smart cars, critical infrastructure and aviation, and it is clear that, as Chertoff put it, "you're not going to eliminate risk -- this is about managing risk."
Done effectively, he said, it could reduce the damage from breaches from catastrophic to a nuisance level.
But so far, even managing risk has not been going so well. Chertoff noted many "very adept" organizations that have been breached during the past year.
"Look at JP Morgan, which is at the forefront of cybersecurity," he said. "And we've been reading stories about breaches at the White House and Russians penetrating a whole host of targets including electrical grid."
Still, Chertoff said he was bringing "an encouraging message." He said Boston and the New England region "has the intellectual firepower" to improve risk management through teamwork. "That's symbolized by this group," he told the audience.