
ceocompass – may 2015

COVER FEATURE

The battle for cyberspace

In today’s connected world, data is our most valuable resource. It’s also our most vulnerable. From identity theft to financial fraud, from acts of terrorism by fanatics to acts of war by nation states, from the legitimate needs of authorities to prevent crime to our equally precious rights to privacy, cyberspace is the new battleground between the forces of good and evil.

by Marc Stegeman

Digital technologies are so much a part of our lives today that it’s strange to think that as little as 20 years ago most people hadn’t even heard of the worldwide web. Back then, it was quaintly referred to as the “information superhighway,” and to get on it you needed an achingly slow contraption called a modem. Yes, there were already a few mobile phones back then, but they were the size of a brick, and the only way to get information from them was to dial the operator. Today, you can slip a smartphone out of your shirt pocket and not only make a call but make a home movie and then send it to relatives halfway around the world, all while checking your bank balance and how many “likes” a snapshot of your cat has received on Facebook.

Forty percent of the world’s population is now online, and it’s not just ourselves and our PCs and smartphones that are connected. Since 2011, there have been more machines than people hooked up to the Internet. Within the next five years, some 50 billion devices — from cars and home appliances to roads, hospitals and even the clothes we wear — will be identified, connected and communicating through the Internet of Things, a study by DHL and Cisco predicts. The ability for machines to relay and act on information about their environment will soon allow us to use driverless vehicles, or pacemakers that can be monitored by computers thousands of miles away, or drones to deliver goods.

But for all the great benefits of this new digital way of life, an even greater number of risks seems to pop up every day. The digital revolution, like all revolutions, has entered its own reign of terror. Our societies, our very lives, have become so dependent on these new technologies that without them, we’d be lost. And the bad guys know this.

“Cyber is the number one threat to national and economic security,” says Rhett Hernandez, lieutenant general (retired), West Point Cyber Chair at the Army Cyber Institute. “Daily, we face a full range of cyber threats with a wide range of motives. They are attempting to steal secrets, plans, intellectual property or personal identifiable information. They range from nation-states to ‘hacktivists,’ which includes cyber armies, opportunists, criminals, spies, terrorists and insider threats ... In our interconnected world, everything and everyone is at risk.”

Cybercrime today siphons off up to US$575 billion a year from the global economy, according to a report from McAfee, the security-software subsidiary of Intel. A separate study by HP claims that the cost of cybercrime for the average US-based company reached a staggering US$12.7 million last year. Experts estimate that over one million consumers each day are violated by cyber criminals.

Attacks against individuals and businesses are not just occurring with increasing frequency but also with increasingly dire consequences. Among the high-profile cases, the Target retail chain was hit by the cybertheft of 40 million credit card details and over 100 million bits of customer data. The attack led the company to oust top management and take a US$145 million charge against 2014 earnings. Adobe Systems last month moved to settle a class-action lawsuit over security breaches reported to have compromised more than 38 million customer accounts, including details for some three million credit cards. And in a hacking the FBI blames on North Korea, Sony was victim of an attack in which massive amounts of sensitive documents were stolen, internal databanks erased, and 75 percent of its servers destroyed, forcing the company to shut down its computer systems throughout the world and effectively grinding business to a halt. Certain forms of cybercrime, meanwhile, have become so sophisticated that the targets don’t even realize they’ve been hit, until the FBI notifies them of suspicious activity.

The stakes are soaring, and keeping our information systems up and running safely is no longer just a matter for the techies.

“Right now, I find that companies often rely almost exclusively on their IT departments, but this is not just an issue of technology,” warns Sandra Jeskie, chair of the Information Technologies and Telecom practice at Duane Morris LLP. “People at the highest levels of the business need to be involved. You have to put robust security policies in place and ensure that all your employees understand the risks. It’s also advisable to have what we call an Incident Response Plan, so that you’re prepared for the inevitable disclosure of information. Preventing the breach is done with comprehensive security policies, with technological, physical and administrative controls, by training employees and auditing.”

Exposure can mean crippling civil lawsuits, but in certain sectors under strict controls, such as financial institutions or health care, the victims of cyberattacks can face action from regulatory agencies as well as state attorneys general. For companies that deal with consumers, the Federal Trade Commission can also bring action under Section 5 of the FTC Act for deceptive or unfair trade practices, notably if a company claimed to have robust security in place and then failed to protect the data of its customers.

“Most people have a response plan but it’s not integrated,” agrees Thad Allen, head of the Justice and Homeland Security unit of Booz Allen Hamilton. “It’s like conducting an orchestra. You have to look at the business side, to keep the business going. But you also need to think about bringing in the lawyers to look at legal discovery for regulators or liability issues and internal communications issues. You need to predesignate someone to manage the crisis. Too often the board asks the chief information officer to manage a cyber crisis, but they’re often way too busy. The tech details need to be run by IT, but for the other issues, such as liability, brand reputation, stock prices, the board needs to understand the importance for the business proposition. You need a strong connection between the server room and the board room.”

While attacks against major corporations are often what make the headlines, cybersecurity is a concern for everyone. Proof that no one is safe came just last month, when it was reported that Russian hackers, believed to be working for Moscow, obtained President Obama’s personal emails from the White House’s unclassified computer system. In turn, the US government itself has been accused of eavesdropping on the private communications of foreign nationals, including state leaders such as Germany’s Chancellor Angela Merkel. In a world where information represents both the ends and the means, it’s becoming increasingly difficult to draw the line between the legitimate need to obtain critical information about suspicious activities and the fundamental right to privacy for individuals and states alike.

“Therein lies the great struggle,” says CEO member Bob Rosen, rear admiral (retired), and Chair with his wife, Florence, of CEO’s upcoming Cyber What? Seminar. “On the one hand, we need to track suspicious characters who want to do harm to the Western world, who use the Internet to teach methods for making bombs or for fund raising or rallying support. On the other hand, we need to prevent the risk of abuse by government agencies or police authorities. Hopefully, we will find the right balance between national security and the privacy rights of private citizens.”

US law still requires search warrants and a special judicial panel with a sitting judge to determine probable cause, Bob notes. But many countries do not have such safeguards, and the legal landscape is shifting quickly. A further problem is that national and international laws are today based on the notion of physical borders, and activities on the Internet reside in the nebulous realm of cyberspace, putting many of them beyond the reach of our existing legal structures. In this context, national authorities desperately need to work together, to pool resources and share information. But this, too, seems beyond the reach of those same structures.

“The biggest issue right now on the table for decision makers is the thorny knot of information sharing,” says Deborah Housen-Couriel, special counsel at Zeichner, Ellman and Krause LLP, Fellow at Tel Aviv University’s Ne’eman Workshop for Science, Technology and Security and daughter of CEO member Charley Housen. “Looking, for instance, at cyber terrorist threats, we need to share information on the money trail for funding terrorists as well as the recruitment trail. For threats to private companies, like the one that culminated in the Sony attack, we need to get buy-in from industry for information sharing. But regulators have yet to work out the right balance. We’re still on a learning curve.”

The definition of “cyberspace” itself is cause for debate. In legal terms, is this brave new digital world limited to the virtual bits and bytes within it and the physical networks and servers through which the data transits, or should it include human operators as well? And what happens if an illegal activity against a victim in one country is executed with equipment physically based in another country that doesn’t ban the activity? In some countries, such as Israel, the legal definition of theft requires that the owner be deprived of the use of the stolen property; so if data is simply copied, but nothing is physically removed and the owner can still benefit from the use of his original data, does this act of copying meet the legal definition of theft in that country? Last but certainly not least, if we freely opt to make our personal information available to social networks or to third parties such as retailers or banks or credit card companies, can we still claim to own it? In a world where information is so freely accessible “anytime, anywhere and from any device,” at what point will we be forced to stop thinking about our data, or our digital identities, as our own private, protected property?

“Digital identity is the next big challenge,” Housen-Couriel says. “I call it the ‘Michael Jackson’ phenomenon. After he’s physically left us, and in his existence as a digital entity, Michael Jackson continues to be a presence as we keep listening to him sing and watching him dance. He’s involved in digital transactions, he could continue to give concerts as a hologram, he might act in films, and he continues to be an entity in the lives of his fans. We are not all Michael Jackson, but we are all digital entities now, and the issues this will raise can only get more complex.”

Cybersecurity is also much more than just malicious attacks by criminals, she adds. What happens if a machine – say a driverless vehicle or a computer monitoring a pacemaker – makes a mistake? Who is legally responsible? And how can we agree on the legality of cyber acts committed by nation states? Is it acceptable to use cyber technology to knock out the power grid, stock exchange or communications infrastructure of another country? Is this an act of war?

Over the past decade, a number of international forums and initiatives have been launched to examine just such issues. Between 2009 and 2012, the NATO Cooperative Cyber Defense Center of Excellence, based in Tallinn, Estonia, invited an international group of top legal experts to address the issue of how to apply international law to cyber operations. The result, the Tallinn Manual on the International Law Applicable to Cyber Warfare, remains a non-binding document, but it nonetheless represents a solid first step toward the development of future international cyber security norms among nations.

Another initiative that has been gaining traction in the context of Internet governance is the NET Mundial process launched in April 2014 in Brazil. It is in such forums that a consensus is progressively building to create some sort of international understanding to manage cyberspace.

“There are a lot of questions around the core issue of whether it’s even feasible to decide who runs the Internet or who is in charge,” says Housen-Couriel, who has closely observed the Tallinn and Brazil initiatives. “Some big things are happening. The governance of the domain name system, which has been dominated by ICANN (the Internet Corporation for Assigned Names and Numbers) and IANA (the Internet Assigned Numbers Authority), is now in question. By 2020, some estimate that the majority of users of the Internet will be Chinese speakers. Many different stakeholders — other countries, nonprofit organizations, individuals — are now thinking of moving to a model that is not under US or Western dominance.”

Pending any consensus in the near future on whether or not to establish an international body of laws and structures to regulate cyber activities, decision-makers, legislators and security experts throughout the world are struggling to come up with their own strategies. A few interesting models are emerging in Canada and Europe. Most of these are government-driven, but industry is also moving to self-organize to share information on threats. Here, too, the question of how much a company can or should reveal to its competitors, or to the government, remains a sticking point.

Some countries are now seriously considering whether nations or regions should each take control over their populations’ access to the Net, effectively limiting what their citizens can see and do in cyberspace. But the very thing that made the worldwide web such an explosive and revolutionary phenomenon is precisely that it is worldwide, and unrestricted. So there remains a deep grassroots resistance to proposals for government regulation of the Internet.

In the end, the solution may not be in the hands of the politicians, lawyers or philosophers. The unspoken question, behind all the arguments pro and con, is whether it’s even possible to control anything as viral and untamed as the Internet, which was originally designed by engineers to be a freely distributed, non-authoritarian network. Since it was built for use by a small and select group of people, there was no need for regulation or governance, the whole idea being to develop a tool that was as open and accessible as possible. Obviously, no one could have imagined that 40 percent of humanity would be online, or that the system itself could become a weapon.

In the end, it may be up to the engineers to determine what is technically feasible. And it is from this more limited range of options that we, as a society, must pick and choose what is ultimately desirable. In the meantime, it is up to each of us to remain vigilant and prepared.

Will this new battle, this cyberwar, between good and evil ever end?

“I do not call it a war,” Gen. Hernandez says, “but I do believe we are at the beginning of a new age that will not end. We are at the dawn of the digital age. The physical and virtual worlds are converging. Everything we do is interconnected and we are only beginning to discover this new world and the powerful implications. With this age we can expect threats, challenges and unprecedented opportunities.”

cyber what? seminar
cybercrime, cyberwarfare and how you are directly affected

WASHINGTON, DC, USA: 17-19 SEPTEMBER 2015

Join Chairs Bob and Florence Rosen for a behind-the-scenes look inside the cyberworld battle that attacks us all and is a growing threat.

In the last year alone, there have been countless attempts and successes “hacking in” to governments, military, banks and financial institutions, retailers, credit card companies, medical records, personal information, identity theft and more. We all know that businesses have been targeted and hit very hard, losing hundreds of millions of dollars and more in extra costs, exposure and consumer confidence due to cybercriminal activity. Where do we go from here? How do we protect ourselves? What is being done? How exposed are we?

In this intensive Seminar, you will learn about the measures and countermeasures, laws, codes and policies from the most knowledgeable speakers from government (US domestic and foreign), law enforcement, military, banking, medical, insurance, law, business, retailers and major corporations such as Visa, Cisco and Microsoft. You will also participate in a hands-on cybergaming experience to show you the threats and countermeasures personally. Evening events will be held at Washington locations arranged just for CEO, featuring key legislators and senior military officers and other VIPs as our guests.

This Seminar is intended for a general audience; you don’t need to be “cyber savvy!”

Interested in knowing how cybercrime affects you personally? Want to hear firsthand from our expert resources cited above, plus many others?

For more information, please contact CEO Associate Director of Education Leah Romero at [email protected] or +1 202 813 1891.