Here’s a non-partisan question for Mitt Romney, the corporate board of whatever stock you own or, for that matter, those flea-bitten Wall Street occupiers: Why aren’t American CEOs doing more to defend our companies against cyber thievery, from the Chinese and practically everyone else?
In case you missed it, Mike McConnell, Bill Lynn and Michael Chertoff wrote last week in The Wall Street Journal that “the Chinese government has a national policy of economic espionage in cyberspace. In fact, the Chinese are the world’s most active and persistent practitioners of cyber espionage today.” These gentlemen are, respectively, our former director of national intelligence, former deputy secretary of defense and former secretary of homeland security — and thus able to tell the rest of us just how bad the Chinese espionage threat really is.
The U.S. Chamber of Commerce must have applauded more enthusiastically than anyone. Right before Christmas, printers at the Chamber suddenly began spitting out Chinese characters. According to ABC News, Chinese hackers had access to everything on Chamber computers, including U.S. trade policy secrets and inside information on American companies doing business in Asia. Even an office thermostat was transmitting data directly to a computer in China.
The scale and scope of hack-attacks keep getting worse. Weeks after the Chamber was attacked, Zappos, the online shoe store, had 24 million customer identities stolen while Stratfor, the highly regarded intelligence and security firm, was penetrated by the hacker group Anonymous. The hackers include Chinese intelligence officers, ordinary criminals, nihilists like Julian Assange and members of shadowy groups like Anonymous.
So what’s going on here? The short answer: Humankind’s Second Information Revolution, which is bringing to every corporate IT department a fundamental dynamic that has recurred throughout military history: every great innovation creates new capabilities; but those same capabilities lead inexorably to dependencies, vulnerabilities and often to exploitation, normally by the weak against the strong. Think of cyber-warfare as the high-tech insurgency of the 21st century.
It’s a form of conflict for which the American business community is poorly equipped, a point I argued in my 2004 book “Business as War.” Rather than the familiar certainties of spreadsheets and stock prices, 21st-century business warriors must realize that the terms of survival have now shifted decisively. Here’s why:
1.) Security has become a bet-the-company proposition. Corporations now store everything from their most prized intellectual property to their most sensitive customer information in databases and virtual warehouses containing information by the terabyte. Because of threats ranging from insider espionage to networked cyber-crime, even cyber-war, securing those crown jewels will be a constant battle of wits and dollars.
2.) Electronic defenses are only part of the answer. Most IT professionals assume their expensive electronic defenses are impregnable. Some security professionals make that same mistake, even though they supposedly understand the concept of strong chains and weak links. Can the company’s physical security close back doors, literally and figuratively? Can its personnel security procedures detect employees with agendas, grudges or other vulnerabilities? If not, just remember the cyber-thief mantra: haul ass and bypass.
3.) Our corporations are hierarchies; their opponents mostly networks. Think of it as the tortoise-versus-hare fable updated for the 21st century. While networks are faster and freely share information, hierarchies (like empires) can strike back — but only if they are patient and persistent. Whether the problem is delaying Iranian nukes or fighting computer viruses, hierarchies can alter the landscape by sticking together, sharing information and using their collective strength to set and enforce new standards.
4.) Intelligence in business is no longer a contradiction in terms. Any military unit worth its salt systematically gathers actionable intelligence to anticipate enemy actions, usually relying on its G-2 to provide a vital combat edge. Although historically overlooked in American corporations (though certainly not elsewhere), the equivalent function in business is competitive intelligence. To anticipate disruptive changes, to test competitive strategies through simulation and to deter cyber-espionage, the chief intelligence officer may soon be coming to a corporation near you. Basically, CEOs and corporate boards need their own Mr. Spock.
5.) The government is NOT here to help you. Government security agencies are their own alphabet soup, partially insulated from irrelevance by the sheer weight of their own paperwork. Just as 17th-century merchants learned that naval cannon provided essential protection against pirates, today’s business leaders must realize that only self-protection (individual and collective) can realistically satisfy stockholders, corporate boards and customers. If the cavalry arrives in time, fine — but don’t count on it.
In the end, we can reconcile ourselves to a brave new world where no corporate secret is safe, where intellectual property is nothing more than a quaint joke from an earlier era. Or we can try something completely new and different, an appropriate thought on the eve of Groundhog Day.
Colonel (Ret.) Ken Allard rose from draftee to Dean of the National War College. A former military analyst for NBC News, he is a prolific writer on national security issues. He is the author of Business as War.