Last month, President Obama called together leaders from several large U.S. corporations to discuss how the public and private sector can work together to offset the increased risk of cybercrime. As former White House chief information officer, Theresa Payton is very familiar with the nation's cybersecurity vulnerabilities and who needs to be involved in these complicated cybercrime prevention efforts. In part one of this two-part video interview, Payton, now CEO at Fortalice LLC, a cybersecurity solutions company based in Charlotte, N.C., sits down with SearchCompliance editor Wendy Schuchart to discuss the tenuous state of U.S. cybersecurity.
I'm here today with former White House CIO Theresa Payton to talk about U.S. cybersecurity. Theresa, what are some of the nation's biggest vulnerabilities when it comes to cybersecurity?
Theresa Payton: Well, there's a couple. So one is, you have to think about 'What is the motive?' before you get into the actual vulnerability itself. Some of the motives against the nation's infrastructure are they want to create a distrust in the infrastructure. If you suddenly don't trust that you can get your money out of the bank because [banks] create a disruption, they want to create that. If you suddenly don't trust the health care system because people got the wrong blood types during an infusion because they did something, they want to create that. They want to create a distrust in our infrastructure. That's one motive.
Another motive is they want to steal intellectual property. They know the best way to shorten the research and development cycle: 'Eh, don't do it yourself. Just go steal it from America and other countries.'
Then the last piece is, you've got sort of a group of 'hacktivists' who just don't like a particular industry, so you have the hacktivists who have a perception that banking has done them wrong or energy has done them wrong or health care has done them wrong, and they specifically target those industries as part of their payback.
Then you have the element of state-sponsored -- that they just want to be there and be available in case they decide they want to pull the cyber trigger. Those are kind of the different threats and vulnerabilities that are strategically aimed [at] our nation's infrastructure. So then, when you think about that, at the vulnerability level you've got different places where you have vulnerabilities. You have aging systems that, when they were developed, they really didn't know anything about today's threats, so they don't know what to do about it.
You have an aging infrastructure -- for example, with IPv4 versus IPv6 -- and because we haven't been quick to adopt that in this country, the cybercriminal element has figured out, 'If I just create an IPv6 tunnel, I can run around, and IPv4 doesn't even know I exist.'
Then you have these aging control systems which, when they were built, didn't talk to the Internet. Nobody even had it connected, but now, to have interoperability and to be able to work on a global scale, these data systems are actually on networks that have other connections to the Internet.
So you've created sort of this aging infrastructure issue. Then you have the human element. We just had a power plant go offline at the end of last year. An engineer didn't mean to do it, but he brought in a thumb drive, it was infected, connected to the network, and the power plant's offline for three weeks.
Now that was a good guy just going to work -- that wasn't a bad guy. That was a good guy going to work. And then you have the perspective of, you have these different types of defenses and nothing is foolproof. So these bad guys, they have the means, they have the time on their hands, they've got nothing better to do, and we only have one shot at getting it right. They have all day and lots of shots at showing we're wrong. So that's the real challenge as well -- you can't protect it all. They are going to get in. So that's where, from a nation's infrastructure perspective, you really want to think about alert, recovery, detection, mitigation and getting back into business.
What can the public sector do to protect themselves from online vulnerability and cybercrime?
Payton: It's a very tough issue. I mean, first of all -- and the buzz word drives me crazy, I think we need to coin a new one today -- the whole 'information sharing' piece. There's a perspective sometimes of 'I don't have to outrun the bear, I just have to outrun you,' or 'If I lock my door, then the thief will go to my neighbor's door that's unlocked,' and that's not really good for our overall nation's infrastructure to have that type of mentality.
We have to be able to figure out a way that we encourage and incentivize information-sharing. It is going on today and it is helping, but we don't really create sort of this safe harbor where you're not worried about legal retribution, where you're not worried about your competitor finding out and then basically capitalizing on the fact that you've got a vulnerability. Or worse yet, it gets out in the press, and now the bad guys know you're vulnerable and somebody else got in, so all they have to do is just come in [through] the open back door.
So we've got to create sort of this environment where, in real time, when these events are happening -- U.S. cybersecurity incidents -- that we're able to share in sort of this safe-harbor, nonattribution mode, so that we can warn the rest of our neighbors, 'You need to lock your doors. They're coming,' but at the same time, let's not all make fun of the house that got broken into.