Last week I had the privilege to lecture on cyber security at Harvard's Kennedy School of Government program for Senior Executives in National and International Security.
What a great program they put together to address the issues of security in today's global environment. Approximately eighty senior level executives from twenty countries attended. Not surprising, the vast majority of attendees were military officers -- over a dozen holding the rank of Brigadier Generals. I attended the multi-hour social event that included a barbeque the evening after I spoke.
It has always been my experience that interacting in smaller groups at these events is where the real learning occurs for both me and those attending the program and this was no different. Here are the top five take-aways from that interaction.
1. The issue of cyber security and the current threat level posed by cyber attacks is not being over stated. I am concerned that if anything the threat demands more aggressive action of business, governments, militaries and law enforcement worldwide. The level of international cooperation required when investigating acts of cyber aggressions is perhaps the biggest challenge for governments around the world who seek to protect their nations from cyber attacks. Secretary of State Hillary Clinton and the United Nations have critical roles to play in this area and must accelerate these discussions. These activities will take a substantial amount of time and again time we may not have.
2. As if the complexity of the cyber conflict environment was not high enough, when you add the foreign relations issues, the intricacies of international law and the blur of attribution as well as the political issues that surround cyber conflict, the delay in establishing foreign policy, military doctrine and government regulations covering cyber attacks will require an extended amount of time. This will in turn delay finalizing the proper responses to acts of cyber aggression.
3. Militaries around the world are busy developing strategies to address cyber warfare and the operational doctrine they need in this unique threat environment. This is no small task given the characteristics of offensive and defensive cyber operations and cyber intelligence collection and analysis. Former Department of Homeland Security Secretary Chertoff has stated, the international community must "write the doctrine" (cyber warfare) and ask "what is the meaning of deterrence in a world of cyber warfare? Both of these statements have been echoed by multiple military and government executives around the globe and an answer must be developed soon.
4. Public private cooperation is not critical, it is essential, if these threats are going to be addressed and proper safeguards put in place to protect the critical infrastructure from increasingly hostile cyber attacks. That has historically not worked that well here in the United States and it appease other countries have had the same challenge. The technical nature of cyber security and the cyber attacks have made it difficult to understand for non-technical individuals and have caused some reports of actual events not to be technically correct. This has obscured what is really a threat and what is a potential threat. More clarity is needed around these issues and that leads me to the fifth and final take-away.
5. All too often data breaches and cyber attacks occur on sensitive systems in the public and private sector alike. The sensitive nature of these systems coupled with law enforcement investigations that take months and sometimes drag into years tend to restrict the information that can be openly disclosed and discussed. When you layer on top of that classified systems and classified intelligence about cyber attack techniques and those behind the attacks, the little information that becomes public is often dismissed. Some call it fear mongering, some call it a conspiracy to invade electronic privacy, while still others just refuse to believe anything that is not fully disclosed.
This program brought together senior executives from twenty countries and began a dialog on the threat we all face that enables terrorists, extremist groups, rogue nation states and militaries to project power and influence. This dialog must be expanded to include representatives from every country that is connected to the internet, critical communications equipment manufacturers, software companies and other critical stakeholders. The question left unanswered is: Can we get everyone to work together and address this issue before it is too late?