September 13–17, 2017

Cybersecurity: Risks and Recourse

Daniel Prieto

CEO of Incubate and former Director, Cybersecurity Policy, National Security Council

Daniel B. Prieto has worked for two decades in the private sector, government, and academia at the intersection of technology, public policy, and national and homeland security issues, including service as the Director of Cybersecurity and Technology in the Department of Defense, where he led the development of cybersecurity strategy and policy. Mr. Prieto is the author of numerous publications on cybersecurity, including Meeting the Cybersecurity Challenge: Empowering Stakeholders and Ensuring Coordination and Global Movement Management: Commerce, Security, and Resilience in Today’s Networked World. Mr. Prieto’s presentation focused on the highly integrated, complex economic systems that move people, goods, conveyances, money, and information around the world today, creating a circulatory system for the global economy, which he refers to as the “global movement system.”

Global movement systems embody a unique intersection of public and private interests, Mr. Prieto said. However, the tight integration of global systems means that disruptions that may seem small or localized at first can rapidly magnify, spill over into other systems, and cause more serious harm that is difficult to envision or predict. Mr. Prieto discussed the range of invasive activities that can occur in cyberspace, the impacts of those disruptions, and strategies for the States to provide cybersecurity legislation to protect their citizens.

A Brief History of Cybersecurity

The path to a world where cybersecurity issues are relevant for everyone started as early as 1995, when Netscape went public. By 2000, there were 500 million Internet users; in 2017, 3.4 billion users; and projections suggest that, by 2020, 4.1 billion linked devices will be used by 7.7 billion people, along with 21 billion networked devices in the Internet of Things.

Billions of transactions are accomplished electronically, from banking, to buying and selling, and healthcare, among others. Every transaction is an opportunity for a data breach, and every transaction provides an opportunity to be surveilled and profiled. These transactions have significant economic value, not only in themselves, but also for the value of the information they capture; information for which there is a dynamic market.

Cyberspace Crimes

Not only are commerce and communications empowered by the connected world, but bad actors also harness this power for criminal activities. There is a broad spectrum of negative cyber activities, Mr. Prieto reported. Most of these activities fall below the threshold of cyber-war, but still can do significant damage. The first level is vandalism, for example, when ISIS broadcasts its messages over the Internet. A second level is theft, profiting from the market for stolen information, or theft for disclosure, for example, when stolen celebrity information is used, or addresses are found to target people for terrorist attacks.  The third level is disinformation, as is seen in false reports of inter-racial violence that can spur community hostilities. The fourth and final level is strategic and tactical leverage of the Internet.

Strategic cyberattacks can be dramatically disruptive, Mr. Prieto warned. If enemies develop surveillance and access to electric, water, and gas utilities, they could disrupt these services. Hackers can allow nations to keep pace with military advances. The theft of intellectual property can give advantages in R&D at no cost to the thieves. And enemies can find people with security clearances and, by hacking their accounts, conduct counter-espionage.

Cyberattacks may take the form of operational disruptions, such as the denial of service or Internet access. They may also be targeted disruptions that take down specific sites, as the Chinese have done to Google and others. Cyberattacks may be coordinated with military tactical operations to conduct supportive psychological warfare. A lethal cyberattack could be one that causes kinetic impact, such as blowing up a nuclear reactor and killing people in a region, Mr. Prieto advised.

Countering Cyberattacks

The goal is to counter the risk of cyberattacks, rather than combatting them as they occur, Mr. Prieto pointed out. State policies can and must be designed to reduce the threat of cyberattacks, but there are challenges to overcome. The first is the vulnerability of most people because they do not understand how the connected system works, so they have to rely on others’ expertise. “The second challenge is to understand what bad guys are after and what cyberattacks they could launch,” Mr. Prieto said. This requires an analysis of what threats exist and the potential impacts of those threats. Finally, State leaders must realize the likelihood of an attack, recognizing that 97% of companies have reported cyber-security breaches, and hackers are likely to strike State institutions as well.

The deck is stacked against the good guys, Mr. Prieto pointed out. It takes 150-200 days to detect a cyber intrusion or breach, but only 1-2 days for the hackers to change their malware and outwit anti-virus detection. This leaves the bad actors with 5-7 months to operate freely within a system they have breached, with significant risks to penetrated entities such as banks, utilities, healthcare institutions, and government systems.

Federal Government Initiatives

The Obama Administration, which Mr. Prieto served, focused on building up cyber defenses.  Policies and laws on information-sharing designed to protect data were enacted. Strategies to increase connectivity and cooperation between corporate entities and states designed to accelerate the “respond and recover” process were implemented.  Treaties and alliances were established to set international agreement in place to deter and disrupt malicious activities, for example, prohibiting cyberattacks on hospitals, just as bombing hospitals is prohibited in war.  The Trump Administration has continued to pursue cybersecurity initiatives consistent with prior approaches, Mr. Prieto reported.

Cybersecurity Policy at the State Level

Mr. Prieto acknowledged that State governments are challenged to create policies that keep pace with the rapid evolution of technology. He discussed four areas where State policy plays a critical role in cyber security, including consumer protection, privacy, environmental protection and the governance and modernization of State IT enterprises. Mr. Prieto pointed out that computers should be considered as susceptible to outside events as the environment. Cyberattacks can be as destructive and violent as hurricanes, he said.

Mr. Prieto described what he called the Crown Jewels Exercise, which he conducted for the US, ranking the top 50 systems in the US for cyber risk. Describing the process, he said, “You identify the likely targets in business, communications, the military or IT and consider what would happen if they were disabled, including how this would disrupt the supply chain, creating unknown second and third line effects.” This is a multidisciplinary exercise to determine what is at risk in your State, he continued. You need connectivity among first responders, law enforcement, communications people, IT, and your State Homeland Security adviser. He recommended that cyber defense be a part of state preparedness, and noted the development of a National Cybersecurity Center in Colorado. He stressed the need for talent cultivation to close the current gap in the 1 million cybersecurity professionals that will be needed before 2020. Finally, he proposed that the use of Artificial Intelligence would improve the productivity of current cybersecurity measures.

Sen. Tom Alexander (SC) and Sen. John J. Cullerton (IL), at left, and Sen. Eduardo Bhatia (PR) and Sen. Robert Stivers (KY), at right, pose with Daniel Prieto, center, whose presentation on cybersecurity provoked extensive discussion.

Q&A

Q: Sen. John Cullerton (IL): The recent Equifax breach has gotten everyone’s attention and legislation has been introduced to limit the impact. How effective can legislation be?

A: It is hard to predict when and what negative effects will come from a data breach.  To date, the focus has been on reporting the breaches, not the consequences. And it is difficult to determine where liability for a breach should be placed. In the Equifax case, millions of records were breached. But is Equifax the responsible party, or are the software or hardware manufacturers liable? The chain of information security connects all of them. Where liability is assigned will be determined by the courts. But the States can use existing privacy rules guarding banking and healthcare data.  States also can promote best practices, creating a framework for cyber security, and focusing on IT standards and compliance.

Q: Sen. Tom Alexander (SC): I recommend that every State Senator should get to know your Chief IT officer. Understand what their needs are and get their opinions on whether to focus policy broadly or in a specific area. Determine how your State can better partner with the federal government on these issues.

A: Mr. Prieto: Understanding the probable goals of an attack can help focus your resources. There are very active domestic and international markets for credit cards and health data. Utilities can be targeted by other countries; if they know what power sources you have, they can shut them down. State information on employees may be pranksters showing off, or looking for ransom, but they also can be used by nations to create maps of relationships and corporate information.

Iranian hackers, for example, focus on banks and military information, while the North Koreans implant political messages. The Russians are very pervasive in the Internet but were formerly very hidden. Today, their attitude seems to be “I don’t care if you can see me.”

Q: Sen. Wayne Niederhauser (UT): We hear a lot about cyber defense but what about going on the offense. Are we doing anything to disrupt, limit, or disable the bad actors?

A: Mr. Prieto: There are offensive measures such as honey nets and fake lures that attempt to trap, for example, ISIS hackers, or to disrupt other nations’ cybersecurity intrusions. However, there are constraints, because the US does not want to endorse activities that could disrupt banking or utilities. We gather a lot of information, but once we see the bad guys, they also see us and can block us. The challenge is how to reach out and stop bad guys without breaking the privacy laws by violating other people’s computers. The key is to go after and stop the high-end hijackers, not the low end.

Q: Sen. Robert Stivers (KY): Keeping up with technology is a challenge. How can we protect our people given all the information that is gathered in electronic commerce?

A: Mr. Prieto: Based on the sites they visit, people are profiled and then targeted by advertising. All connectivity leads to marketing. But this also allows bad guys to craft emails that attract you to open them because they look like personal messages; once you open them, they put malware on your computer.  Fraud schemes also are becoming very targeted and sophisticated.

Q: Sen. Eduardo Bhatia (PR): Is voting over iPhones a security problem? Will it put democracy in peril?

A: Mr. Prieto: Fragmentation increases security, and election systems are very diverse. There is no global election system; they differ for every state, so this provides a level of protection. Connected systems can make it easier to vote, but security protections have to be put in place, such as retina scans, facial recognition, or fingerprints.

Speaker Biography

Daniel B. Prieto

Daniel B. Prieto is a recognized expert on national security and cybersecurity. Formerly the director of cybersecurity policy for the NSC, he has a record of leadership and innovation in government, in the technology sector, on Wall Street, and at leading think tanks and universities.

Dan has served as a senior policymaker at the White House, the Department of Defense, and on Capitol Hill. His work in the private sector includes deep strategy, technology, finance, and operating experience at IBM, America Online/Time Warner, and J.P. Morgan. He has held fellowship appointments at Harvard University, Stanford University, the Council on Foreign Relations, and the Center for Strategic and International Studies.

Dan is founder and CEO of Incubate, LLC, which provides advisory services at the intersection of technology and national security. He is an external Senior Advisor to McKinsey & Co. He is also an adjunct Senior Research Scholar at the School of International and Public Affairs at Columbia University.

In addition to serving in the Obama White House on the NSC staff, Dan worked in the Office of the Secretary of Defense as chief technology officer. He has testified before the U.S. Senate and his writing and commentary have appeared widely. Dan is a former trustee of Wesleyan University and a member of the Aspen Homeland Security Group; the Council on Foreign Relations; the Cosmos Club; and the National Academy of Sciences' Committee on Law and Justice.

Cyber-security planning: Identify the threats and your vulnerabilities; assess what the impacts of breaches may be; determine the likelihood of those scenarios.

CONTACT

Senate Presidents’ Forum

26 Main Street

Hastings-on-Hudson, NY 10706

 

Tel: 914-693-1818

Copyright © 2017 Senate Presidents' Forum. All rights reserved.

september 13–17, 2017

Cybersecurity: Risks and Recourse

Daniel Prieto

CEO of Incubate and former Director

Cybersecurity Policy
National Security Council

Daniel B. Prieto has worked for two decades in the private sector, government, and academia at the intersection of technology, public policy, and national and homeland security issues, including service as the Director of Cybersecurity and Technology in the Department of Defense, where he led the development of cybersecurity strategy and policy. Mr. Prieto is the author of numerous publications on cybersecurity, including Meeting the Cybersecurity Challenge: Empowering Stakeholders and Ensuring Coordination and Global Movement Management: Commerce, Security, and Resilience in Today’s Networked World. Mr. Prieto’s presentation focused on the highly integrated, complex economic systems that move people, goods, conveyances, money, and information around the world today, creating a circulatory system for the global economy, which he refers to as the “global movement system.”

Global movement systems embody a unique intersection of public and private interests, Mr. Prieto said.  However, the tight integration of global systems means that disruptions that may seem small or localized at first, can rapidly magnify, spill over into other systems and cause more serious harm that is difficult to envision or predict.  Mr. Prieto discussed the range of invasive activities that can occur in cyberspace, the impacts of those disruptions, and strategies for the States to provide cybersecurity legislation to protect their citizens.

A Brief History of Cybersecurity

The path to a world where cybersecurity issues are relevant for everyone started as early as 1995, when Netscape went public. By 2000, there were 500 million Internet users, in 2017, 3.4 billion users, and, projections suggest that, by 2020, 4.1 billion linked devices will be used by 7.7 billion people, along with 21 billion networked devices in the Internet of Things.

Billions of transactions are accomplished electronically, from banking, to buying and selling, and healthcare, among others. Every transaction is an opportunity for a data breach, and every transaction provides an opportunity to be surveilled and profiled. These transactions have significant economic value, not only in themselves, but also for the value of the information they capture; information for which there is a dynamic market.

Cyberspace Crimes

Not only are commerce and communications empowered by the connected world, but bad actors also harness this power for criminal activities. There is a broad spectrum of negative cyber activities, Mr. Prieto reported. Most of these activities fall below the threshold of cyber-war, but still can do significant damage. The first level is vandalism, for example, when ISIS broadcasts its messages over the Internet. A second level is theft, profiting from the market for stolen information, or theft for disclosure, for example, when stolen celebrity information is used, or addresses are found to target people for terrorist attacks.  The third level is disinformation, as is seen in false reports of inter-racial violence that can spur community hostilities. The fourth and final level is strategic and tactical leverage of the Internet.

Strategic cyberattacks can be dramatically disruptive, Mr. Prieto warned. If enemies develop surveillance and access to electric, water, and gas utilities, they could disrupt these services. Hackers can allow nations to keep pace with military advances. The theft of intellectual property can give advantages in R&D at no cost to the thieves. And enemies can find people with security clearances and by hacking their accounts conduct counter-espionage.

Cyberattacks may take the form of operational disruptions, such as the denial of service or Internet access. Targeted disruptions that take down specific sites as the Chinese have done to Google and others. Cyberattacks may be coordinated with military tactical operations to conduct supportive psychological warfare. A lethal cyberattack could be one that causes kinetic impact, such as blowing up a nuclear reactor and killing people in a region, Mr. Prieto advised.

Countering Cyberattacks

The goal is to counter the risk of cyberattacks, rather than combatting them as they occur, Mr. Prieto pointed out. State policies can and must be designed to reduce the threat of cyberattacks, but there are challenges to overcome. The first is the vulnerability of most people because they do not understand how the connected system works, so they have to rely on others’ expertise. “The second challenge is to understand what bad guys are after and what cyberattacks they could launch,” Mr. Prieto said. This requires an analysis of what threats exist and the potential impacts of those threats. Finally, State leaders must realize the likelihood of an attack, recognizing that 97% of companies have reported cyber-security breaches, and hackers are likely to strike State institutions as well.

State policies can and must be designed to reduce the threat of cyberattacks.

The deck is stacked against the good guys, Mr. Prieto pointed out. It takes 150-200 days to detect a cyber intrusion or breach. But only 1-2 days for the hackers to change their malware and outwit an anti-virus detection. This leaves the bad actors with 5-7 months to operate freely within a system they have breached, with significant risks to penetrated entities such as banks, utilities, healthcare institutions, and government systems.

Cyber-security planning: Identify the threats and your vulnerabilities; assess what the impacts of breaches may be; determine the likelihood of those scenarios.

Federal Government Initiatives

The Obama Administration, which Mr. Prieto served, focused on building up cyber defenses.  Policies and laws on information-sharing designed to protect data were enacted. Strategies to increase connectivity and cooperation between corporate entities and states designed to accelerate the “respond and recover” process were implemented.  Treaties and alliances were established to set international agreement in place to deter and disrupt malicious activities, for example, prohibiting cyberattacks on hospitals, just as bombing hospitals is prohibited in war.  The Trump Administration has continued to pursue cybersecurity initiatives consistent with prior approaches, Mr. Prieto reported.

Cybersecurity Policy at the State Level

Mr. Prieto acknowledged that State governments are challenged to create policies that keep pace with the rapid evolution of technology. He discussed four areas where State policy plays a critical role in cyber security, including consumer protection, privacy, environmental protection and the governance and modernization of State IT enterprises. Mr. Prieto pointed out that computers should be considered as susceptible to outside events as the environment. Cyberattacks can be as destructive and violent as hurricanes, he said.

Mr. Prieto described what he called the Crown Jewels Exercise, which he conducted for the US, ranking the top 50 systems in the US for cyber risk.  Describing the process, he said, “You identify the likely targets in business, communications, the military or IT and consider what would happen if they were disabled, including how this would disrupt the supply chain, creating unknown second and third line effects.” This is a multidisciplinary exercise to determine what is at risk in your State, he continued. You need connectivity among first responders, law enforcement, communications people, IT, and your State Homeland Security adviser. He recommended that cyber defense is a part of state preparedness, and noted the development of a National Cybersecurity Center in Colorado.  He stressed the need for talent cultivation to close the current gap in the 1 million cybersecurity professionals that will be needed before 2020.  Finally, he proposed that the use of Artificial Intelligence would improve the productivity of current cybersecurity measures.

Sen. Tom Alexander (SC) and Sen. John J. Cullerton (IL), at left, and Sen. Eduardo Bhatia (PR) and Sen. Robert Stivers (KY), at right, pose with Daniel Prieto, center, whose presentation on cybersecurity provoked extensive discussion.

Q&A

Q: Sen. John Cullerton (IL): The recent Equifax breach has gotten everyone’s attention and legislation has been introduced to limit the impact. How effective can legislation be?

A: It is hard to predict when and what negative effects will come from a data breach.  To date, the focus has been on reporting the breaches, not the consequences. And it is difficult to determine where liability for a breach should be placed. In the Equifax case, millions of records were breached. But is Equifax the responsible party, or are the software or hardware manufacturers liable? The chain of information security connects all of them. Where liability is assigned will be determined by the courts. But the States can use existing privacy rules guarding banking and healthcare data.  States also can promote best practices, creating a framework for cyber security, and focusing on IT standards and compliance.

Q: Sen. Tom Alexander (SC): I recommend that every State Senator should get to know your Chief IT officer. Understand what their needs are and get their opinions on whether to focus policy broadly or in a specific area. Determine how your State can better partner with the federal government on these issues.

A: Mr. Prieto: Understanding the probable goals of an attack can help focus your resources. There are very active domestic and international markets for credit cards and health data. Utilities can be targeted by other countries, if they know what power sources you have, they can shut them down.  State information on employees may be pranksters showing off, or looking for ransom, but they also can be used by nations to create maps of relationships and corporate information.

Iranian hackers, for example, focus on banks and military information, while the North Koreans implant political messages. The Russians are very pervasive in the Internet but were formerly very hidden. Today, their attitude seems to be “I don’t care if you can see me.”

Q: Sen. Wayne Niederhauser (UT): We hear a lot about cyber defense but what about going on the offense. Are we doing anything to disrupt, limit, or disable the bad actors?

A: Mr. Prieto: There are offensive measures such as honey nets and fake lures that attempt to trap, for example ISIS hackers, or to disrupt other nation’s cybersecurity intrusions. However, there are constraints, because the US does not want to endorse activities that could disrupt banking or utilities. We gather a lot of information, but once we see the bad guys, they also see us and can block us. The challenge is how to reach out and stop bad guys without breaking the privacy laws by violating other people’s computers.  The key is to go after and stop the high-end hijackers, not the low end.

Q: Sen. Robert Stivers (KY): Keeping up with technology is a challenge. How can we protect our people given all the information that is gathered in electronic commerce?

A: Mr. Prieto: Based on the sites they visit, people are profiled and then targeted by advertising. All connectivity leads to marketing. But this also allows bad guys to craft emails that attract you to open them because they look like personal messages; once you open them, they put malware on your computer.  Fraud schemes also are becoming very targeted and sophisticated.

Q: Sen. Eduardo Bhatia (PR): Is voting over IPhones a security problem? Will it put democracy in peril?

A: Mr. Prieto: Fragmentation increases security and election systems are very diverse. There is no global election system, they differ for every state, so this provides a level of protection. Connected systems can make it easier to vote, but security protections have to be put in place such as retina scans, facial recognition, or fingerprints.

Speaker Biography

Daniel B. Prieto

Daniel B. Prieto is a recognized expert on national security and cybersecurity. Formerly the director of cybersecurity policy for the NSC, he has a record of leadership and innovation in government, in the technology sector, on Wall Street, and at leading think tanks and universities.

Dan has served as a senior policymaker at the White House, the Department of Defense, and on Capitol Hill. His work in the private sector includes deep strategy, technology, finance, and operating experience at IBM, America Online/Time Warner, and J.P Morgan. He has held fellowship appointments at Harvard University, Stanford University, the Council on Foreign Relations, and the Center for Strategic and International Studies.

Dan is founder and CEO of Incubate, LLC, which provides advisory services at the intersection of technology and national security. He is an external Senior Advisor to McKinsey & Co.. He is also an adjunct Senior Research Scholar at the School of International and Public Affairs at Columbia University.

In addition to serving in the Obama White House on the NSC staff, Dan worked in the Office of the Secretary of Defense as chief technology officer. He has testified before the U.S. Senate and his writing and commentary have appeared widely. Dan is a former trustee of Wesleyan University and a member of the Aspen Homeland Security Group; the Council on Foreign Relations; the Cosmos Club; and the National Academy of Sciences' Committee on Law and Justice.

september 13–17, 2017

Cybersecurity: Risks and Recourse

Daniel Prieto

CEO of Incubate and former Director

Cybersecurity Policy
National Security Council

Daniel B. Prieto has worked for two decades in the private sector, government, and academia at the intersection of technology, public policy, and national and homeland security issues, including service as the Director of Cybersecurity and Technology in the Department of Defense, where he led the development of cybersecurity strategy and policy. Mr. Prieto is the author of numerous publications on cybersecurity, including Meeting the Cybersecurity Challenge: Empowering Stakeholders and Ensuring Coordination and Global Movement Management: Commerce, Security, and Resilience in Today’s Networked World. Mr. Prieto’s presentation focused on the highly integrated, complex economic systems that move people, goods, conveyances, money, and information around the world today, creating a circulatory system for the global economy, which he refers to as the “global movement system.”

Global movement systems embody a unique intersection of public and private interests, Mr. Prieto said.  However, the tight integration of global systems means that disruptions that may seem small or localized at first, can rapidly magnify, spill over into other systems and cause more serious harm that is difficult to envision or predict.  Mr. Prieto discussed the range of invasive activities that can occur in cyberspace, the impacts of those disruptions, and strategies for the States to provide cybersecurity legislation to protect their citizens.

A Brief History of Cybersecurity

The path to a world where cybersecurity issues are relevant for everyone started as early as 1995, when Netscape went public. By 2000, there were 500 million Internet users, in 2017, 3.4 billion users, and, projections suggest that, by 2020, 4.1 billion linked devices will be used by 7.7 billion people, along with 21 billion networked devices in the Internet of Things.

Billions of transactions are accomplished electronically, from banking, to buying and selling, and healthcare, among others. Every transaction is an opportunity for a data breach, and every transaction provides an opportunity to be surveilled and profiled. These transactions have significant economic value, not only in themselves, but also for the value of the information they capture; information for which there is a dynamic market.

Cyberspace Crimes

Not only are commerce and communications empowered by the connected world, but bad actors also harness this power for criminal activities. There is a broad spectrum of negative cyber activities, Mr. Prieto reported. Most of these activities fall below the threshold of cyber-war, but still can do significant damage. The first level is vandalism, for example, when ISIS broadcasts its messages over the Internet. A second level is theft, profiting from the market for stolen information, or theft for disclosure, for example, when stolen celebrity information is used, or addresses are found to target people for terrorist attacks.  The third level is disinformation, as is seen in false reports of inter-racial violence that can spur community hostilities. The fourth and final level is strategic and tactical leverage of the Internet.

Strategic cyberattacks can be dramatically disruptive, Mr. Prieto warned. If enemies develop surveillance and access to electric, water, and gas utilities, they could disrupt these services. Hackers can allow nations to keep pace with military advances. The theft of intellectual property can give advantages in R&D at no cost to the thieves. And enemies can find people with security clearances and by hacking their accounts conduct counter-espionage.

Cyberattacks may take the form of operational disruptions, such as the denial of service or Internet access. Targeted disruptions that take down specific sites as the Chinese have done to Google and others. Cyberattacks may be coordinated with military tactical operations to conduct supportive psychological warfare. A lethal cyberattack could be one that causes kinetic impact, such as blowing up a nuclear reactor and killing people in a region, Mr. Prieto advised.

Countering Cyberattacks

The goal is to counter the risk of cyberattacks, rather than combatting them as they occur, Mr. Prieto pointed out. State policies can and must be designed to reduce the threat of cyberattacks, but there are challenges to overcome. The first is the vulnerability of most people because they do not understand how the connected system works, so they have to rely on others’ expertise. “The second challenge is to understand what bad guys are after and what cyberattacks they could launch,” Mr. Prieto said. This requires an analysis of what threats exist and the potential impacts of those threats. Finally, State leaders must realize the likelihood of an attack, recognizing that 97% of companies have reported cyber-security breaches, and hackers are likely to strike State institutions as well.

The deck is stacked against the good guys, Mr. Prieto pointed out. It takes 150-200 days to detect a cyber intrusion or breach, but only 1-2 days for the hackers to change their malware and outwit anti-virus detection. This leaves the bad actors with 5-7 months to operate freely within a system they have breached, with significant risks to penetrated entities such as banks, utilities, healthcare institutions, and government systems.

Cyber-security planning: Identify the threats and your vulnerabilities; assess what the impacts of breaches may be; determine the likelihood of those scenarios.

Federal Government Initiatives

The Obama Administration, which Mr. Prieto served, focused on building up cyber defenses. Policies and laws on information-sharing designed to protect data were enacted. Strategies to increase connectivity and cooperation between corporate entities and states, designed to accelerate the “respond and recover” process, were implemented. Treaties and alliances were established to put international agreements in place to deter and disrupt malicious activities, for example, prohibiting cyberattacks on hospitals, just as bombing hospitals is prohibited in war. The Trump Administration has continued to pursue cybersecurity initiatives consistent with prior approaches, Mr. Prieto reported.

Cybersecurity Policy at the State Level

Mr. Prieto acknowledged that State governments are challenged to create policies that keep pace with the rapid evolution of technology. He discussed four areas where State policy plays a critical role in cyber security, including consumer protection, privacy, environmental protection and the governance and modernization of State IT enterprises. Mr. Prieto pointed out that computers should be considered as susceptible to outside events as the environment. Cyberattacks can be as destructive and violent as hurricanes, he said.

Mr. Prieto described what he called the Crown Jewels Exercise, which he conducted for the US, ranking the top 50 systems in the US for cyber risk. Describing the process, he said, “You identify the likely targets in business, communications, the military or IT and consider what would happen if they were disabled, including how this would disrupt the supply chain, creating unknown second and third line effects.” This is a multidisciplinary exercise to determine what is at risk in your State, he continued. You need connectivity among first responders, law enforcement, communications people, IT, and your State Homeland Security adviser. He recommended that cyber defense be a part of state preparedness, and noted the development of a National Cybersecurity Center in Colorado. He stressed the need for talent cultivation to close the current gap in the 1 million cybersecurity professionals that will be needed before 2020. Finally, he proposed that the use of Artificial Intelligence would improve the productivity of current cybersecurity measures.

Sen. Tom Alexander (SC) and Sen. John J. Cullerton (IL), at left, and Sen. Eduardo Bhatia (PR) and Sen. Robert Stivers (KY), at right, pose with Daniel Prieto, center, whose presentation on cybersecurity provoked extensive discussion.

Q&A

Q: Sen. John Cullerton (IL): The recent Equifax breach has gotten everyone’s attention and legislation has been introduced to limit the impact. How effective can legislation be?

A: It is hard to predict when and what negative effects will come from a data breach.  To date, the focus has been on reporting the breaches, not the consequences. And it is difficult to determine where liability for a breach should be placed. In the Equifax case, millions of records were breached. But is Equifax the responsible party, or are the software or hardware manufacturers liable? The chain of information security connects all of them. Where liability is assigned will be determined by the courts. But the States can use existing privacy rules guarding banking and healthcare data.  States also can promote best practices, creating a framework for cyber security, and focusing on IT standards and compliance.

Q: Sen. Tom Alexander (SC): I recommend that every State Senator should get to know your Chief IT officer. Understand what their needs are and get their opinions on whether to focus policy broadly or in a specific area. Determine how your State can better partner with the federal government on these issues.

A: Mr. Prieto: Understanding the probable goals of an attack can help focus your resources. There are very active domestic and international markets for credit cards and health data. Utilities can be targeted by other countries; if they know what power sources you have, they can shut them down. State information on employees may be pranksters showing off, or looking for ransom, but they also can be used by nations to create maps of relationships and corporate information.

Iranian hackers, for example, focus on banks and military information, while the North Koreans implant political messages. The Russians are very pervasive in the Internet but were formerly very hidden. Today, their attitude seems to be “I don’t care if you can see me.”

Q: Sen. Wayne Niederhauser (UT): We hear a lot about cyber defense but what about going on the offense. Are we doing anything to disrupt, limit, or disable the bad actors?

A: Mr. Prieto: There are offensive measures such as honey nets and fake lures that attempt to trap, for example, ISIS hackers, or to disrupt other nations’ cybersecurity intrusions. However, there are constraints, because the US does not want to endorse activities that could disrupt banking or utilities. We gather a lot of information, but once we see the bad guys, they also see us and can block us. The challenge is how to reach out and stop bad guys without breaking the privacy laws by violating other people’s computers. The key is to go after and stop the high-end hijackers, not the low end.

Q: Sen. Robert Stivers (KY): Keeping up with technology is a challenge. How can we protect our people given all the information that is gathered in electronic commerce?

A: Mr. Prieto: Based on the sites they visit, people are profiled and then targeted by advertising. All connectivity leads to marketing. But this also allows bad guys to craft emails that attract you to open them because they look like personal messages; once you open them, they put malware on your computer.  Fraud schemes also are becoming very targeted and sophisticated.

Q: Sen. Eduardo Bhatia (PR): Is voting over iPhones a security problem? Will it put democracy in peril?

A: Mr. Prieto: Fragmentation increases security, and election systems are very diverse. There is no global election system; they differ for every state, so this provides a level of protection. Connected systems can make it easier to vote, but security protections have to be put in place such as retina scans, facial recognition, or fingerprints.

Speaker Biography

Daniel B. Prieto

Daniel B. Prieto is a recognized expert on national security and cybersecurity. Formerly the director of cybersecurity policy for the NSC, he has a record of leadership and innovation in government, in the technology sector, on Wall Street, and at leading think tanks and universities.

Dan has served as a senior policymaker at the White House, the Department of Defense, and on Capitol Hill. His work in the private sector includes deep strategy, technology, finance, and operating experience at IBM, America Online/Time Warner, and J.P. Morgan. He has held fellowship appointments at Harvard University, Stanford University, the Council on Foreign Relations, and the Center for Strategic and International Studies.

Dan is founder and CEO of Incubate, LLC, which provides advisory services at the intersection of technology and national security. He is an external Senior Advisor to McKinsey & Co. He is also an adjunct Senior Research Scholar at the School of International and Public Affairs at Columbia University.

In addition to serving in the Obama White House on the NSC staff, Dan worked in the Office of the Secretary of Defense as chief technology officer. He has testified before the U.S. Senate and his writing and commentary have appeared widely. Dan is a former trustee of Wesleyan University and a member of the Aspen Homeland Security Group; the Council on Foreign Relations; the Cosmos Club; and the National Academy of Sciences' Committee on Law and Justice.