For the past quarter century, communications technology has evolved and grown the point where practically every business, service, and family platform is connected to the internet.
But that interconnectivity was approached from a from a commercial development approach, according to cybersecurity expert Melissa Hathaway. That means the first-to-market, free market approach means security and resilience weren’t concerns as the internet was embedded in critical infrastructure.
“One of our biggest vulnerabilities is that we, now 25 years later, have a very porous, vulnerable core of all of our critical services: water, power, transportation, you name it,” Hathaway said. “We also have embedded it in each one of our businesses, and those are being exploited either for political activism, crime espionage, and in some cases, worse cases, we’re seeing business disruption and business destruction.”
Hathaway spent her early career with security firm Booz Allen Hamilton, and now leads Hathaway Global Strategies LLC. She advises the U.S. and other governments, organizations, and industries on risk management, technology, and policy surrounding cyber security. She thinks it will take another 25 years to reduce these vulnerabilities and increase resilience to the point where consumers will still trust and use technology.
“One of the things that we need to start to do is look at where we can incentivize the IT industry to create better-engineered products with less vulnerabilities and create the marketplace that’s desirable – whether that’s through a regulation or more of a market incentive, and get the consumers and the businesses to drive demand,” Hathaway said.
Hathaway worked for both the Bush and Obama administration as the Director of the Joint Interagency Cyber Task Force and the Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils. Having worked for two presidents, she said one approached cybersecurity from a security and threat perspective, and the other approach it from an economic opportunity. She says these two agendas need to be aligned.
“We can’t be looking at it as adopt and embed for productivity and efficiency and we’ll worry about the resilience and vulnerabilities later and vice versa,” Hathaway said. “As I adapt the next generation information technology, I really need to think about how this is going to create risk to my company and reflect it on a risk register.”
KGOU and World Views rely on voluntary contributions from readers and listeners to further its mission of public service with internationally focused reporting for Oklahoma and beyond. To contribute to our efforts, make your donation online, or contact our Membership department.
SUZETTE GRILLOT, HOST: Melissa Hathaway, welcome to World Views.
MELISSA HATHAWAY: Thank you very much.
GRILLOT: Well, given your background as a former acting director for cyberspace at the National Security Council and in charge of cyberspace policy reviews at the White House, could you start by telling us, Melissa, a little bit about what our greatest vulnerabilities are when it comes to cyberspace issues and the internet and all of the day-to-day activities where you rely on. Is it a threat to our infrastructure or utilities? Are we worried about weapons stock market? All these things? What're our greatest concerns here regarding cyber security?
HATHAWAY: Well, thank you. For the last 25 years we have embedded information communications technologies and connected every infrastructure, service, business and family platform to the internet. As we have done that, those technologies were largely based on commercial development which were first to market, fast to market, much functionality and didn't really think about security or resilience as they were embedded into those key infrastructures. So, one of our biggest vulnerabilities is that we, now 25 years later, have a very porous vulnerable core of all of our critical services: water, power, transportation, you name it. We also have embedded it in each one of our businesses, and those are being exploited for either political activism, crime, espionage, and in some cases, worse cases, we're seeing business disruption and business destruction.
GRILLOT: So, when you bring up this concept of protecting cyber protection for government versus business or government and business, obviously, both are vulnerable, but where are we spending most of our time? You've been working in government and with government. Has your attention largely been on how to protect our government and our state from cyber-attacks or business from cyber-attacks?
HATHAWAY: So, for the last ten years mostly the government has been focused on how do we gain resilience and help defend government systems and infrastructures. And then we talk about critical infrastructure protection as a government. How do we encourage businesses to take more steps to help them protect themselves and embed the right technologies in place? Today, our government is thinking more upon a regulatory approach to each of these industries, forcing a minimum standard of care whether that's through the Federal Trade Commission and on consumer protection. Whether it's through the Securities and Exchange Commission on making it a material risk for core businesses, or the Federal Communications Commission, again how do we protect private sector data. Those are just a few of the areas that are being regulated to have businesses take on more responsibility for defense.
GRILLOT: You've said in previous commentary about how we used to trust the internet or how difficult it is to trust the internet today, and I assume that this is referring to the very porous nature and the vulnerabilities that are there, but yet it's something we rely on a daily basis in so many ways. You have this great recounting of all of the ways in which we rely on the internet, but yet it is so vulnerable. Is this really a space that can be governed at all? What are our options? What are the ways in which we can protect ourselves in this very porous space?
HATHAWAY: Well, I think we've spent the last 25 years adopting and embedding this and creating the vulnerabilities. I think it'll take another 25 years to reduce those vulnerabilities and increase our resilience while we still trust or use the technology. I think one of the things that we need to start to do is look at where can we incentivize the IT industry to create better engineered products with less vulnerabilities and create the marketplace that's desirable whether that's through a regulation or more of a market incentive and get the consumers and the businesses to drive demand. Maybe that's going to be government driven demand. I also think that we need to look at the telecommunications system because it's the pipe of the internet and it's the delivery now of water, of energy. Of course it's already telecommunications, but it enables our financial systems. It is enabling all of these activities. Could we ask our telecommunications systems and providers to do more? I think they can whether that's early warning of something bad coming into our businesses or our infrastructures or telling us when we are infected and helping us get clean.
GRILLOT: So, it seems to me that this is an approach that has to come from both the top down and the bottom up. You're referring to regulation and activities of government, policy that needs to be put into place, certain best practices, but that we as individuals and in the private sector, businesses, need to do better in terms of what we do. We teach our children you've got to be safe on the internet. You can only share so much, but then again we're stuck in some ways. We use this technology on a daily basis for so many things. What is it that we can do as individuals versus what the government can do in terms of regulation? How can we be better and more responsible? Better prepared and more responsible to provide for a safer cyber world?
HATHAWAY: Yeah, I think that when you start to look at what it is that you turn on in the morning. Your TV is coming over the internet. Your cell phone is coming over the internet, and your text message is being delivered over the internet, etcetera. It's interesting, as you buy your new phone or you download the new app, have you thought about what are the already enabled portions of it? So, everything's on and you have to start thinking about what you're going to turn off. We're never going to opt out of the internet. We're going to always opt into the internet, but when we opt in we should be thinking about what is it that we want to protect. Do we want to share all of our data with everybody or do we only want to share some of the data with some people? So, that would be one of the key things that we need to do. I think a second thing, as we're doing more and more transactions online, you know, click, connect, search, buy and it gets delivered to your door or go and do online banking and all of the other transactions that you really actually want to keep private because you don't want your credit card to be stolen. You don't want your bank account to have a problem, is to really think about, is this a secure connection? Am I doing it on a private network? Let's say you're home, or am I doing it in an airport on a wireless network, and think twice of who can observe what you're doing and is it really a secure line or is it an open line?
GRILLOT: Well, I'll tell you I've been there on that Wi-Fi at the airport thinking to myself, "Do I really want to connect to this and open my computer up?" But at the same time I need to send some emails. I've got to do something work wise. So, I feel stuck. I feel limited in what I can do. I'm just going to take the risk. You referenced crime, stealing of your credit card, criminal activity. But there's also a lot of other, kind of, more underground criminal activity going on here in terms of money laundering, exchanges of, perhaps, drugs, weapons, other things. Some of the stuff that we refer to in the deep web. I mean, are you getting into that as well, and how does that affect our day to day use when I'm just logging on in an airport to send email?
HATHAWAY: Well, if you're logging on at an airport or at a Starbucks or pick the local wireless exchange that's free to the public, think of it as free to everybody and everybody's watching you. All data has value, and your credit card, your MasterCard or your Visa is worth a dollar on the underground market and your American Express is probably worth $5. Your social security number, your birth date has a value and all of it is sellable and sellable for some monetary value. It could be five cents and it could be $5. So, maybe you're willing to take that risk because you'll get your credit card replaced and it's just a matter of convenience versus inconvenience. I'll use it and I'll take the risk and the inconvenience is it got stolen and it gets replaced. It's maybe a minor disruption. But when you're identity is stolen, and somebody's taken and stolen your identity, replacing and creating or creating the integrity back into your life is actually quite difficult, and so when you're taking those types of risks, you really need to think twice. I think there's one aspect, because you and I could be sitting in the airport and thinking about whether we're going to take the risk: opt in or opt out. But our children don't really think about this. Maybe they shouldn't have to because it would require more of us to take more responsibility but, there's certain studies that have said more than ten percent of our children's lives, identities have already been stolen because their social security numbers were stolen because we, as parents or institutions aren't necessarily watching that. And then, if you start to think about how much debt or how their identities have been stolen over a course of ten or fifteen years, and then they apply for their first job or their first phone or they're applying here to OU and they're in debt or somebody else has recreated their life and now you're trying to untangle that for how many years? And that's one of the things that we need to start paying more attention to.
GRILLOT: It's a terribly scary thought, but let's move on to a different scary thought, and that is cyber war among governments. One of the things that we do know that is going on is that people are obviously spying using cyber activities and perhaps even targeting one another's weapon systems or particular capabilities. China and the United States recently discussed, in fact it made the news for the newest form of arms control, tried to limit cyber warfare and restricting hacking activities. Where do we see this going on in terms of the biggest perpetrators. We hear often about China and their attempts to hack. I mean, the United States is obviously doing this. They've targeted the Iranian nuclear program for example in the past. So, what're some of the key things that are going on in terms of cyber warfare among states and governments and military action, and what are the ways in which they're trying to limit or control this type of activity.
HATHAWAY: So, I think that there's more than 100 countries who are cyber capable, and there are many non-state actors ranging from political activists like Anonymous or terrorist groups like Hezbollah or Hamas who all have capabilities. So, it's not limited to nation states, but what nation states have come to realize certainly over the last three years, four years that their vulnerability and the strategic vulnerability of the entanglement of their critical infrastructures and core services as a country that are touching the internet are now vulnerable to pretty much almost anybody. From a low level kind of country or capability to a very sophisticated country that it has caused them concern, and that concern is coming into international venues like the Organization for Security Cooperation in Europe is talking about confidence building measures, or the UN government group of experts which is talking about the threat from this information communication technology to our peace and stability of a country is worrisome. So we need to work together as countries to limit actions which is part of what the Xi-Obama agreement was - building on, from the UN government group of experts, sort of, concerns and outlining of how we're going to voluntarily self-limit or voluntarily keep transparency on these actions so it doesn't get out of hand and move into, from one incident, into cascading or escalating into warfare.
GRILLOT: Well, this clearly is a new area of international cooperation that's required. Cyberspace is not governed or controlled by any particular country or actors referring to. You've said in previous commentary that it's time to reboot our cyber future. What do you mean by that and how can we go about doing that? What do we need to do to reboot? What can we do to best protect us going forward?
HATHAWAY: So, I look at this as, we're in a presidential election season, and, having worked for two presidents of the United States, I watched one really approach it from a security perspective and threats and a second one approach it from the economic opportunity. What really needs to happen is those two agendas have to be aligned. We can't be looking at it as adopt and embed for productivity and efficiency and we'll worry about the resilience and vulnerabilities later and vice versa. You can't say it's all about threat and vulnerabilities and we'll worry about the economics later. It really has to be aligned. So, the first thing is is that the next president of the United States has to align these two agendas, and every CEO and major corporation has to align it. As I adapt the next generation information technology, I really need to think about how this is going to create risk to my company and reflect it on a risk register. I think second is that currently in the United States we have a defined 15 critical infrastructures, and when you define 15, 15 is too many and nothing is critical. It's time that we actually start to say that there are only three critical infrastructures. The first is power whether it's electric or nuclear power. Nothing runs without power. We've learned that through major incidents like hurricanes and floods and earthquakes, etcetera, and that has to be our number one priority followed by telecommunications because no other service can be delivered without telecommunications. It is the backbone of the internet, and actually telecommunications doesn't run without energy. The third is that we need to have a sound financial infrastructure that allows the free flow of goods, services and money, and those are our only three infrastructures, and without those we are unstable as a country and as a nation. We need to start with those.
GRILLOT: Well Melissa, thank you so much for being here today. This has been very enlightening. So, thank you so much.
MELISSA: Thank you for the time.
Copyright © 2015 KGOU Radio. No quotes from the materials contained herein may be used in any media without attribution to KGOU Radio. This transcript is provided for personal, noncommercial use only. Any other use requires KGOU's prior permission.
KGOU transcripts are created on a rush deadline by our staff, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of KGOU's programming is the audio