An ‘operational imperative and competitive advantage’: CEOs must lead whole of nation response to ransomware

  • Karen Evans is the former chief information officer for the Department of Homeland Security. She and Parham Eftekhari, senior vice president and executive director of the Cybersecurity Collaborative and chairman of the Institute for Critical Infrastructure Technology, point to the need for business leaders to prioritize cybersecurity alongside traditional corporate objectives. (Department of Energy/Donica Payne)

    As the nation cautiously turns the page on a health pandemic that brought the United States to a standstill, a digital pandemic has emerged, threatening the stability of our nation and our long-term national security. A perfect storm fueled by great power competition from Russia and China, criminal gangs who have commoditized ransomware, and a world reliant on technology has led to a dangerous challenge to our country’s security. Technical capabilities that rely on software code developed with security as an afterthought are now encouraging threats and causing havoc to our nation’s critical infrastructures.

    This intersection of political, criminal, and technological forces has created a level of disruption to commerce and everyday life that has come to the forefront of the American psyche in recent weeks. When ransomware first arrived on the scene, scenarios of the potential devastation experienced of late by the American people were not even comprehensible to, or alternatively were ignored by, senior leadership across disciplines. Today, corporations are realizing hundreds of millions in losses, government officials are comparing ransomware to 9-11, and our citizens’ lives are being disrupted due to the lack of understanding and/or failure to act by those with the power and resources to develop responses and mitigation strategies.

    Parham Eftekhari, ICIT and Cybersecurity Collaborative

    Public-private partnership to support national security and critical infrastructure resiliency has been touted for years, but what does it look like in action? In today’s environment, where most of our critical infrastructure is owned and operated by the private sector, which must now play first responder and is responsible for defending its assets, it means taking a whole of nation approach, where business leaders prioritize cybersecurity alongside traditional business objectives.

    Security – both when developing technology and when using it – has become both an operational imperative and competitive advantage. Security has to be viewed as a necessary part of preserving and improving revenue, not a cost center and necessary evil. CEOs, their boards of directors and CIOs, all must demonstrate their commitment to security through actions, which include the hiring of dedicated cybersecurity leadership and resources. The cyber resources must be empowered with the appropriate authorities to manage the commensurate risk associated with the threat, while integrating cybersecurity across all internal business disciplines including human resources, finance, operations (including operational technology), procurement, and information technology.

    Collaboration and knowledge sharing are also powerful tools in our arsenal to combat the well-organized criminal gangs and nation-state actors working to exploit the vulnerabilities in our critical infrastructures. The whole of nation approach to national security requires CEO support for involvement in organizations that offer peer-to-peer information sharing for cybersecurity leaders and democratize access to best practices.

    As a nation, we should prepare for future attacks with increasingly damaging kinetic outcomes as adversarial tactics become more aggressive and sophisticated. We must not yield our fate to bad actors looking to degrade our democratic institutions and disrupt our lives. Our nation has the technology and capacity to strengthen its critical infrastructures and defend our digital borders to the same level as our physical ones. It is now up to our country’s CEOs and their boards to prioritize cybersecurity to defend not only their assets, but our country’s economy and our national security.

    Karen S. Evans is the former chief information security officer for the Department of Homeland Security, and also served as the first assistant secretary for cybersecurity, energy security and emergency response at the U.S. Department of Energy. She was national director for the U.S. Cyber Challenge for almost a decade, and was the administrator of the Office of Electronic Government and Information Technology at the Office of Management and Budget. Parham Eftekhari is senior vice president and executive director of the Cybersecurity Collaborative, a membership organization for chief information security officers and sister brand of SC Media. He also serves as chairman of the Institute for Critical Infrastructure Technology.