President Obama asked him to become the first cyber diplomat in the world. For the American Christopher Painter, that position was the culmination of his 27-year career in public service. Countering cyber threats requires cooperation between countries and with companies, says Mr Painter. He tells us about companies’ awareness of digital dangers. What questions should CEOs ask themselves?
Chris Painter is spending seven weeks as Principal Visiting Fellow at The Hague Centre for Strategic Studies and was recently a guest at PwC. Mr Painter is a renowned expert in the field of cybersecurity and cyber policy. He worked as a public prosecutor and then at the US Department of Justice on the first cyber cases of their kind. He prosecuted ur-hacker Kevin Mitnick in the 1990s and dealt with the first stock market manipulation cases in the Internet age. He worked for the FBI, “where digital dangers have been in the top three points of attention for decades,” and then at the Obama White House. “I took two days off in two years,” he says. “That’s how terrific it was – and it was also a terrific amount of work.”
At Obama’s request, Chris Painter initiated the Office of the Coordinator for Cyber Issues at the US State Department. “Obama’s 2008 presidential campaign had been hacked, so he took the dangers of cyber very seriously,” he says. From that office, Painter served the interests of the US as the world’s first cyber diplomat. “There are now about thirty cyber diplomats,” he says. “The Netherlands has got one too.” After serving for six months under President Trump, Painter resigned. Not long after, his former position as Coordinator for Cyber Issues was demoted.
“I don’t expect that the Democrats, with their majority in the House, will block good legislation in that area. In my experience, cybersecurity has always been a matter on which Republicans and Democrats work together. The main important exception is Russian interference in the 2016 elections. That’s become politicised by what the President has said about it. It’s interesting that Trump is continuing many of the Obama administration’s ideas on cybersecurity. For example, the government recently presented the National Strategy for Cyber Space, which is largely similar to Obama’s strategy. That demonstrates continuity. Incidentally, it’s very striking that that document states that in the area of deterrence we are stronger when we cooperate with other countries than alone. That doesn’t really look like ‘America First’.”
“The strategy is good, but in the end it’s all just words on paper if no action is taken in response to cyber-attacks by countries. Indeed, not taking action implies that it’s acceptable. The Russian interference in our elections, the NotPetya malware attack that came from the Russians, and the Wannacry attack by North Korea had huge effects on governments and on the private sector in the Western world. We need to get much better at deterring this kind of behaviour. We have diplomatic options for doing that. They work with countries like China, whose leaders are sensitive to how the rest of the world sees them. But that doesn’t apply to Russia or North Korea. Targeted economic sanctions can then help change behaviour. Randomly sanctioning companies in Moscow doesn’t work, but going after Putin’s personal finances probably will.
The biggest problem with the current US government is that it’s not consistent about this issue. Trump is personally undermining international cyber stability by questioning publicly whether the Russians did in fact interfere in our elections. You can think up all kinds of fine strategies, but with such statements you undermine any attempt at justice and at dealing with the matter. The messages from the top need to be consistent. That applies to presidents, but also to top executives in the business world. If they send mixed signals about the strategic importance of digital security to their own employees and to the outside world, it undermines every policy.”
“It’s important for companies and the government to share information about attacks, but that’s awkward. Companies are reluctant because they’re concerned about liability and the trust of their customers. In the US, we are trying to deal with those concerns one by one by means of legislation. And companies will share information more easily if they have a commercial reason for doing so. So we’re trying to reinforce those reasons, for example by giving back valuable information in return. I tell companies that they should get in touch with the authorities to find out how they can be of service to one another in that regard.”
“That’s increased significantly because of all the major incidents that were in the news. For example, the interference with the elections wasn’t aimed at companies but it made a big impression. Ransomware makes the front pages. Or take the NotPetya attack, which shut down Maersk, the Danish logistics company, for a week and caused damage of between 200 and 300 million dollars. Another alarming example is the oil company Saudi Aramco, where tens of thousands of computers were stripped of all their data by malware. Business executives are often less aware of the risk of theft. I think that’s because in such cases the company often still has the data at its disposal. You can’t see somebody walking out the door carrying it. But what’s stolen may be business secrets and valuable commercial information that, in the wrong hands, can threaten the future of the company.”
“The more the world becomes dependent on digital systems, products and services, the more the opportunities will increase. Take what’s been made possible by the Internet of Things. Customers have so far been reluctant to pay more for products with connectivity that are well protected, but I see that changing. Security will provide a competitive advantage. But it’s important that companies no longer see cybersecurity as an end in itself but as something fundamental. They need to ask themselves how it can help them to innovate their products and services. That way, it’ll become a driver of innovation rather than a cost item.”
“A lot of executives are aware that cybersecurity is important, but they often don’t know why, or what to do about it. It’s not just a security issue – it needs to be treated as a risk control matter. If I reduce it to four key questions that every executive should ask himself, then they are: What are our company’s most important assets: customer data, intellectual property, communication platforms, or something else? Do I understand the main cyber risks to those assets? Do we have procedures in place to avert those risks? And do we have an incident response plan for if things go wrong? That final question is particularly important, because it’s not possible to make cyber activities one hundred percent secure. Chief information security officers (CISOs) rightly complain that they are often assessed based on a double standard: they’re doing great as long as there aren’t any problems, but if there’s an incident, they get fired. Having a CISO doesn’t mean that nothing will ever happen. It’s important that the CISO examines the risks and opportunities, directly with the board. He or she needs to arrange for the incident response plan, the security procedures, and the basic ‘hygiene’ – that software patches are always actually applied for example, that employees are well trained and that they report it if they’ve done something stupid like clicking on a phishing e-mail.”
“The technology sector performs best because the subject is so close to their core competencies. The communication sector is doing well and the financial sector is now in reasonably good shape because it’s been targeted so often. Other sectors, such as manufacturing, are lagging behind because they think they aren’t really so much subject to the threats. That’s unwise. In my time with the FBI, I saw numerous examples of companies that didn’t realise they had been targeted until we told them. But let me finish on a positive note. The aim of cybersecurity isn’t to make companies frightened about the Internet. It’s like designing a car that’s one hundred percent safe: that car can’t then drive. So what you need to do is be aware of the risks and then make use of the tremendous possibilities of the Internet.”