Archives for April 2015

Cyber Deterrence Is a Strategic Imperative

In this post, the advice offered looks at deterrence from a U.S. perspective, but applies in full measure to many other nations who find their critical infrastructure and companies under attack. This article first appeared in the Wall Street Journal’s CIO Journal, April 28, 2015.

We have reached a tipping point. The costs to our national and economic security are high and continue to grow higher. Whether from nation states intent on stealing military, political or economic secrets, attacking our critical infrastructures, pilfering corporate intellectual property and R&D or from criminals engaging in theft, fraud and other cybercrimes, the initiative continues to remain with the attacker. It’s time to engage in cyber deterrence through a strategy to dissuade, deter, and compel would-be attackers. Deterrence is the act of making someone decide not to do something; of preventing a particular behavior from occurring.

National Cybersecurity and Communications Integration Center

Evan Vucci/Associated Press
A view of the National Cybersecurity and Communications Integration Center in Arlington, Va.

Earlier this month, the Administration took definitive action by promulgating an Executive Order imposing sanctions against those who seek to undermine or hamper U.S. security through cyberattacks. And just last week, the Secretary of Defense announced the Pentagon’s updated Cyber Strategy including stronger language on offensive cyber operations. It also for the first time acknowledges the need to develop a comprehensive cyber deterrence strategy which Congress initially called for in the National Defense Authorization Act in 2014. This is a good beginning and must be a critical part of a deterrence strategy for which we must be prepared to wield all instruments of statecraft including political, diplomatic, economic, law enforcement and military capabilities. Let’s be clear: this is not about deterring or temporarily defeating technologies; it is about deterring actors beyond traditional military domains, both State and non-State alike as well as their proxies by carefully crafting our policies and calibrating our tools accordingly.

To do this, we must fashion a strategy that significantly raises the stakes for threat actors. We must make the cost so high and decrease their payoff so significantly that the advantages of cyber attack activity will be greatly reduced. We must deny the adversary their objective. Penalties as envisioned under a sanctions regime will certainly help; but the plain reality is that sanctions, especially if unilateral, will not deter those seeking to reap the benefits of robbing U.S. companies. Resilience must be a key part of our cyber deterrence, allowing those U.S. companies on the front lines the ability to apply threat information and conduct joint efforts, like several we have recently seen against botnets, with a cross section of private and government participants.

Of course, many instantly connect nuclear and cyber deterrence. But let’s recall that the nuclear club is relatively limited and requires a high level of scientific expertise and financial cost to maintain and deploy. For cyber, the bar to entry is relatively low; capabilities can be acquired, built and launched covertly. Moreover, cyber power includes non-state actors, difficult attribution, and a wider field of players.Equally important, we see the private sector and individual companies entities forced to defend against state actors. The private sector has adopted practices that could be part of a deterrent strategy. From botnet takedowns to joint activities with Europol, companies have begun the process of “taking the gloves off” and incrementally challenging cyber threat actors. There is a role to be played in cyber deterrence by nearly every public and private entity in the U.S. – a much broader domain than the nuclear one.

We must also contend with the inevitable gray lines between Computer Network Attack (CNA) and Computer Network Exploitation (CNE). In simplest terms, this is the issue of destructive behavior – whether computer network operations actually seek to destroy as opposed to obtaining information through nondestructive means. Our strategy must recognize that offensive cyber actions must be weighed carefully against our need to maintain an exploitative capability in networks. Our adversaries collect intelligence to provide a clear economic advantage to their commercial companies, such as stealing intellectual property. Our strategy must consider these intelligence threats as such activity results in an unfair playing field in the global marketplace for U.S. companies.

Following traditional deterrence policy, we need to signal to our adversaries through covert or other offensive actions that cyber actions will result in a response.  We must signal our resolve and credibility.  Of course, there will be concerns of a cyber escalation and of potential physical damage. That is why our responses need to be incisive, surgical and clear. This is not a game of “taking down” the adversary; it is demonstrating our capability and intention to dissuade them from further damage to our national security and economy. While we need unifying principles, the specific strategies must be tailored to key state and non-state actors; the strategy to deter Russia will not work for China or Iran or North Korea and certainly not for  non-state actors such as criminal enterprises.

After many years of fledgling and unproductive efforts, we now have an opportunity to develop a broad cyber strategy including both sanctions and deterrence. We have an opportunity to bring relief to the private sector and bring credibility to our cyber policy.  Yet success will ultimately depend on our commitment to act and translate the nouns into verbs. As Nathan Bailey put it: “Threats without power are like powder without the ball.”


By Frank J. Cilluffo, SDI Cyber Risk Practice, and Rhea D. Siers, Scholar-in-Residence at CCHS and Special Counsel at Zeichner, Ellman & Krause.

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security expertsskilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

You can view previous blog posts on cyber risk management here.

April, 28 2015

Exploring the Cybersphere

cyber Tuesday option 3

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite.  Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.  

The big item for this coming week will be the deliverables from the RSA Conference in San Francisco — tens of thousands of people will flock to the Moscone Center (28,000 attended last year) April 20-24 to attend the largest cybersecurity conference. If you can’t be there, Information Security Media Group offers live streaming video feed of program security leaders.  And for those who simply want the highlights in 140 characters or less, follow @RSAConference. The theme this year is to “challenge today’s security thinking.” In line with that theme, do you know all your company’s device entry points for hackers? Few, if any do. This Forbes article may interest you.  A father-son team has found a way to secure thousands of devices at once.  Visa, Amazon, Best Buy, the U.S. Department of Defense and Nasdaq are users.

Surfacing last week, The Norse Corporation and AEI released a report “The Growing Cyber Threat from Iran: The Initial Report of Project Pistachio Harvest” detailing Iran’s cyber activities.  It concludes that they have invested heavily in their cyber attack capabilities and have revved up both the frequency and sophistication of their attacks. Clearly a concerning development executives – especially in the financial services and energy sectors — need to keep a close eye on.  I first testified before Congress on this topic in 2012, and again in 2013.

Congress will consider two cybersecurity bills this week, “Protecting Cyber Networks Act” and the “National Cybersecurity Protection Advancement Act of 2015.” Both deal with the sticky area of data sharing and liability protection for sharing information on cybersecurity threats. In our cyber blog, a colleague, Kevin Carroll of Quinn Emanuel, and I outlined pros and cons CEOs are considering as this type of cyber legislation begins to take on more actionable focus. The Hill presented another angle — a coalition of security experts urging Congress to reject the legislation outright.

Bringing the conversation down to the personal, Rhett Hernandez, SDI cyber risk management practice and former commander, Army Cyber Command, in remarks last week to board leaders, U.S. and global cyber experts, C-suite executives, and cyber security law enforcement leaders, leaned in to pinpoint the biggest threat to cybersecurity in any company – its own people. Need to change the culture; people pose an unacceptable level of threat to networks said Hernandez. That’s echoed in Help Net Security’s article on indifference in the workplace. Daniel Velez, senior manager for insider threat operations at Raytheon Cyber Products says in DARKReading that it’s user behavior, not data restrictions that provides a stronger approach to breach threats and reputation damage.

Choosing the right hats to manage a crisis when it arrives is examined in CSO — companies may be better served financially by outsourcing cyber crisis management and should have partners in place way before the crisis. Finally, our infrastructure security community just got a new leader … North American Electric Reliability Corporation just tapped Marcus Sachs to lead NERC’s efforts to protect the electric sector. Sachs will step into the roles of senior vice president and chief security officer. While the term “critical infrastructure” is thrown around frequently these days, the electric sector is unequivocally at or near the top of the list.  If the grid goes down, so does everything else.  It’s good to see NERC is bringing in a pro.


Frank Cilluffo, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security expertsskilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

You can view previous blog posts on cyber risk management here.

April 21, 2015


Call on These Tips to Improve Conference Calls

Conference CallIt’s an all-too-common scene in offices and conference rooms. You’ve been moving mountains for your client, displaying all the estimable skills you and your team were hired for. You’re juggling schedules, projects, timelines, billing hours, personalities, egos and expectations. You have time for nothing, and now you have a conference call with the client. Well, good, at least that’s something you don’t have to prepare too much for or think about, just deliver updates on your progress, see if there are any questions or additions, and keep on moving.  That’s efficient and effective, right?

Probably not, for all but the briefest encounters.  There’s a whole lot going on in a conference call that doesn’t meet the eye.  Over the airways, much can get lost in translation as non-verbal communication cues are absent. No one objected to your idea … did that mean consensus or reticence? Do participants feel engaged and energized or disenfranchised? That’s often difficult to know if those feelings aren’t purposely projected.

Yet, conference calls remain one of the most used and effective means by which we communicate with our clients, partners and teams. And while the dynamics of interaction are different from face-to-face meetings, etiquette and preparation for conference calls are just as important. Much of it is a matter of just being aware of those dynamics and employing good time and people management skills.

Here are some ideas on how you really can run meetings by phone that are efficient and effective.

  • Join the call a few minutes before the start of the meeting to focus your thoughts and demonstrate your commitment to the meeting. Follow the axiom, “If you’re on time, you’re late!”
  • Make sure everyone knows who’s on the call. If there’s a new member of your team in the meeting or someone the client might not be familiar with, introduce them at the beginning so that no one is surprised when they eventually speak up.
  • Have an agenda. Whether it’s a formal copy shared with the client or a quick list for your own eyes, it will help steer the conversation and ensure that everything important is covered.
  • Prioritize your agenda. Put the most important items at the top to guarantee you’ll get through them without running out of time.
  • Stay on topic, but be flexible. Follow your agenda to make sure you get through all your key points, but don’t be so rigid you miss allowing creative or inspiring ideas to develop from the group.
  • Make sure attendees put their calls on mute when not talking. No one enjoys listening to someone else’s crunchy potato chips.
  • Ask for questions or comments periodically. That opening can encourage input from individuals or the group and ensure everyone has the opportunity to participate.

Remember, this is your client’s time and money.  Use these tips to make each conference call productive and successful.


By Jayne Davis and Sam Burns, SDI

April 17, 2015

Do Benefits Balance Risks in Proposed Cyber Legislation?

cyber Tuesday option 3At least five bills touching upon cybersecurity may soon be introduced on Capitol Hill.  Early drafts of three primary bills, including the Senate Select Committee on Intelligence’s Cybersecurity Information Sharing Act, the House Permanent Select Committee on Intelligence’s Protecting Cyber Networks Act, and the House Homeland Security Committee’s National Cybersecurity Protection Advancement Act share a great deal of common language, and present both opportunities and risks for the directors, officers and general counsel of private businesses.

The proposed legislation seeks to increase information sharing about cyber threats between the government and private sector on a voluntary basis.  To that end:

  • Businesses providing the government with cyber threat data would not waive intellectual property or trade secret protections on the information provided.
  • Businesses would be specifically allowed to monitor and defend their own systems, including with measures modifying or blocking data packets presenting cyber threats, perhaps also encompassing techniques such as long passive walls and proactive forensic collection such as beacons and “honey pots.”
  • Businesses monitoring their systems and sharing cyber threat information with the government and other businesses in good faith would receive some legal liability protections.

The bills also helpfully buttress the Justice Department and Federal Trade Commission’s recent joint policy statement that antitrust laws should not be roadblocks to the legitimate sharing of technical cybersecurity information, as distinct from competitively sensitive information such as prices, output or business plans.

Yet most of these positive developments for business come with catches that are worth noting:

  • In all three bills, liability protections for businesses monitoring their systems and sharing information do not extend to willful misconduct, or in the National Cybersecurity Protection Advancement Act, to gross negligence as well.

Monitoring or defensive measures, if used, must themselves be protected from unauthorized access.  And efforts by businesses to defend their computer systems may not damage others’ systems through “hack-backs.”

  • Businesses must make “reasonable efforts” to minimize, safeguard and remove personally identifying information (PII) within data, unrelated to cyber threats, that is shared with others.

This places the burden on businesses to remove PII from cyber data sought by the government, and the financial cost may be too great for many small and medium sized businesses.  Companies must then comply with federal and other restrictions on the further use of that shared data, raising the risk that businesses will lose control of the data they share.  These provisions may dis-incentivize businesses from collaborating with the government on cyber threats in the first place.

  • The Protecting Cyber Networks Act would rule out businesses sharing information directly with the Defense Department generally or the National Security Agency specifically.
  • The Protecting Cyber Networks Act would establish a private legal cause of action against the government for intentionally or willfully violating privacy and civil liberties guidelines, and provide the higher of the sum of actual damages or $1000 per violation, along with plaintiffs’ attorneys’ fees.

Given the amount of metadata potentially involved in sharing cyber threat information, this is an invitation to class-action lawsuits.  While actions brought under this law would be directed against the government, businesses assisting the government by sharing cyber threat information may be pulled into expensive litigation as third parties.

No doubt these bills will undergo significant amendments in committee, on the floor and in conference, and be subject to considerable public debate, before possibly becoming law.  Directors, officers and general counsel should keep an eye on whether positive goals for business such as increased voluntary information sharing, legal authority for monitoring and defensive measures, and antitrust and intellectual property protections, can be balanced against the potential compliance burdens and legal risks of participating in these proposed cyber programs.


By Kevin Carroll, Quinn Emanuel, and Frank Cilluffo, SDI Cyber Risk Practice. Carroll is an expert in national security and cybersecurity issues and resident in Quinn Emanuel’s Washington, D.C. office.

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security expertsskilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

You can view previous blog posts on cyber risk management here.

April 14, 2015

The Cyber Deterrence Conundrum for Businesses

cyber Tuesday option 3Last week, together with the U.S. Chamber of Commerce, we co-hosted an event that focused on cyber deterrence and international norms in cyber space. Initial presentations were made by the Chamber’s Anne Beauchesne, General Michael Hayden and SDI’s Frank Cilluffo and General Rhett Hernandez.  Some very bright minds from business and academia, and experts who have had significant responsibility in formulating U.S. policy on cybersecurity, exchanged views on many of the most pressing issues that relate to using deterrence as a key tool in defending against cyber attacks. It’s doubtful anyone who participated came away from the conversation thinking anything but this is really challenging for government and business alike.

The event certainly was timely. On April 1 the President issued an executive order authorizing sanctions on “malicious cyber actors whose actions threaten the national security, foreign policy, or economic health or financial stability of the United States.” For many businesses, the prospect of using sanctions as a tool against cyber malactors is a welcome development, particularly if attribution is becoming more certain than historically has been the case. But even here there remains  debate over what actions are clearly sanctionable, and concern over how universal the agreement of what is sanctionable, and what deterrent actions are acceptable will become. Companies, understandably, would prefer global alignment on these issues, rather than having to follow different policies in every country in which they do business.

For a deterrence policy to be effective there has to be a credible threat of consequences. Inevitably, that means that once lines are established, if they are crossed, there must be retaliation. We must demonstrate both the means and the will to act in a way that will deter future aggression.  However, for businesses there is the uneasy belief that retaliation can provoke further attacks, and abiding concern over how much information a business that has been attacked will have to share, and with whom,  to make the case for retaliation.

Fundamentally, despite the amount of attention being paid to deterrence, we are in the very early stages of sorting through the issues.  We lack agreement on basic vocabulary that would establish a common understanding upon which to build. What constitutes a “cyber attack?” What actions are acceptable as part of active response? What actions might constitute illegal use of force, potentially violating international law? Although governmental bodies around the world are grappling with these issues, progress has been extremely slow. Corporations such as Microsoft are advancing their own views on acceptable behavior (International Cybersecurity Norms, Reducing Conflict in an Internet-dependent World”). In the end, it may be that multinational companies will be the most significant influence on developing international norms.


By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security expertsskilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

You can view previous blog posts on cyber risk management here.

April 7, 2015

Hashtag This!

Mozart HashtagIn today’s world of constant social media updates, being on top of the best strategies for attracting attention to your content is more important than ever. Why take the chance of your posts getting lost in the social media bayou when there are a few simple things you can do to boost their effectiveness. Here’s what we think are the salient points from this handy infographic, courtesy of Quicksprout.

You can have too much of a good thing: While data shows that the use of one or two hashtags in a Twitter post can improve engagement (more than double it), using more than that will cause a noticeable drop in engagement (17% on average).

Not all social networking sites operate by the same rules: Too many hashtags can be a negative on Twitter, but Instagram and Facebook posts seem to benefit greatly from the use of larger numbers of hashtags. In fact, the use of ten or more seems to give a sizeable boost on both sites. So tag away!

Google+ (yes, it’s still a thing): Google+ actually goes the extra mile and creates hashtags automatically, which can be helpful if you’re having a lapse in creativity that day. Additionally, you can always create some of your own as well to make sure your post is hitting all the right notes.

Keep these tips in mind next time you post, and don’t be afraid to tag along.


By Sam Burns, SDI, April 1, 2015