Search
Close this search box.
Search
Close this search box.

Fmr. Homeland Security Sec. Chertoff On New Cyber Threats Of Ukraine Crisis

© AdobeStock
In the midst of the Russian invasion of Ukraine “you’ve got to be aware of what the new threats are," says former Secretary of Homeland Security Michael Chertoff.
Getty Images

When it comes to the dark corners of the Internet and their threat potential for companies—and countries—there are few people more well-versed or as plainspoken as former Homeland Security Secretary Michael Chertoff.

For two decades, both in government and as Co-Founder and Executive Chairman of Chertoff Group, he’s been at the vanguard of efforts to help companies think of emerging threats from cyberspace—whatever they might be.

At our 2018 Cyber Risk Forum, he spoke about the big threat being the theft of intellectual property, and how boards and CEOs could keep pace with security. Now the threat is shifting. In the midst of the Russian invasion of Ukraine “more and more companies are going to find their IT systems and their networks as part of the combat zone of geopolitical conflict,” he says.

Once again, there’s a big role for leaders to play, says Chertoff. What follows are excerpt from our conversation on Monday, edited for length and clarity.

The last time we spoke was a few years ago, and you had a lot of concern, as did a lot of people, that business was not as prepared as it should be when it came to the realities of cyber defense and cyber security. Where we are now? What’s your sense? Are we better prepared for what might be happening in the wake of the Ukraine invasion than we were then?

Well, we’re better, but the adversaries are better too. A couple of years ago we were thinking mostly about terrorists or criminals, or nation-states that were trying to steal things, but not nation-states that we’re trying to shut down our critical infrastructure or damage it.

Obviously now, in light of what’s going on with Russia, there’s much more of a concern that cyber just becomes a field of conflict. So while we’ve improved, we still have a ways to go, and we need to get active about it.

We have not heard a lot in the headlines so far about attacks either on Ukraine, Ukraine’s infrastructure, or on the West. Are you surprised, or are we just not hearing about attacks? What’s your sense of the current state of cybersphere and Russia’s invasion?

Well, there have been reports of attacks on websites and taking down government sites in Ukraine. So that has been reported and that’s, of course, been a pattern over the last several years. I don’t think we’ve seen it here yet, but I would not assume that means we’re not going to.

The thing I’d be most concerned about, because of the nature of the financial sanctions, is that there would be an attack on banks and the financial system because they may view us as having made that an area of conflict. Putin’s obviously angry about it.

There’s also the possibility of an attack on energy infrastructure, particularly because that’s now the one area that has not been fully sanctioned, but in terms of their ability to market, because of the bank sanctions, they can’t really get paid. So I would take that as a significant threat.

You obviously talk of lots of CIOs, CEOs, and CISOs. What are they asking you about right now? And what are you hearing from them?

People, in general, are focused on: what are the Russians going to do? What’s their game plan? We’ve told people in advance of this that if there was going to be a conflict with Russia, where we applied significant sanctions, that there would likely be a potential cyber attack, particularly our financial institutions and our infrastructure. This is not a big surprise.

I can’t predict what Putin is going to do. What we talk about is: What are the areas that are the most critical to your business? What the likely threats are in those? Then the issue becomes monitoring to make sure you put into place various defensive measures, particularly as new information comes out, for example, about new malware attacks.

A lot of that comes from the U.S. government. Make sure that your security people are responding and putting into place the recommended responses to those attacks. So that’s really what, at this point, you have to do. You’ve got to be aware of what the new threats are. And then when there are recommended patches or reordering of your network to deal with it, to take steps to do that.

We both grew up in a time where mutual assured destruction in the nuclear sphere worked fairly well for the better part of 50, 60 years. Do we have the same kind of deterrent effect with cyber warfare? Are there things that perhaps the public is not necessarily aware of that are in place to deter catastrophic attacks through cyber warfare? Are there conversations going on where we might not see some of the big attacks because Russia knows what we could do?

I can’t speak for where there are conversations going on. I do think it’s been more complicated because there are always differences in attribution. How do you prove who launched the attack? The Russians use criminal groups or third parties to carry out the attacks.

And then, of course, we’re still in the process of discussing what are the next step levels for various things. I mean, you don’t react to a theft of intellectual property in the same way you do the shutting down, for example, all the energy.

So there’s quite a gray area, and we don’t have the same track record or experience that we had in a nuclear age. We’ve said publicly that an attack that was equivalent to a kinetic attack would get a response that would be comparable and might not even just be limited to kinetic. So I do think that the adversary knows we have the capability and the will. Exactly where that line is, in many ways, they don’t know, and that’s not a bad thing.

Final thoughts for CEOs, directors, CIOs, CISOs out there as we all try to move through this very bumpy period?

We’re entering into a period where, no matter how this particular issue gets resolved, where more and more companies are going to find their IT systems and their networks as part of the combat zone of geopolitical conflict.

The Biden Administration has been urging better coordination with the private and public sector. That’s very important. We have to be nimble and quick in responding, and not treat it as kind of an afterthought.


MORE LIKE THIS

  • Get the CEO Briefing

    Sign up today to get weekly access to the latest issues affecting CEOs in every industry
  • upcoming events

    Roundtable

    Strategic Planning Workshop

    1:00 - 5:00 pm

    Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process

    Executives expressed frustration with their current strategic planning process. Issues include:

    1. Lack of systematic approach (70%)
    2. Laundry lists without prioritization (68%)
    3. Decisions based on personalities rather than facts and information (65%)

     

    Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns.  They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning.  Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process.  This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented.  If you are ready for a Strategic Planning tune-up, select this workshop in your registration form.  The additional fee of $695 will be added to your total.

    To sign up, select this option in your registration form. Additional fee of $695 will be added to your total.

    New York, NY: ​​​Chief Executive's Corporate Citizenship Awards 2017

    Women in Leadership Seminar and Peer Discussion

    2:00 - 5:00 pm

    Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations. 

    Limited space available.

    To sign up, select this option in your registration form. Additional fee of $495 will be added to your total.

    Golf Outing

    10:30 - 5:00 pm
    General’s Retreat at Hermitage Golf Course
    Sponsored by UBS

    General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.

    The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.

    To sign up, select this option in your registration form. Additional fee of $295 will be added to your total.