“You don’t need to be afraid of cybersecurity”

Chris Painter is spending seven weeks as Principal Visiting Fellow at The Hague Centre for Strategic Studies and was recently a guest at PwC. Mr Painter is a renowned expert in the field of cybersecurity and cyber policy. He worked as a public prosecutor and then at the US Department of Justice on the first cyber cases of their kind. He prosecuted ur-hacker Kevin Mitnick in the 1990s and dealt with the first stock market manipulation cases in the Internet age. He worked for the FBI, “where digital dangers have been in the top three points of attention for decades,” and then at the Obama White House. “I took two days off in two years,” he says. “That’s how terrific it was – and it was also a terrific amount of work.”

At Obama’s request, Chris Painter initiated the Office of the Coordinator for Cyber Issues at the US State Department. “Obama’s 2008 presidential campaign had been hacked, so he took the dangers of cyber very seriously,” he says. From that office, Painter served the interests of the US as the world’s first cyber diplomat. “There are now about thirty cyber diplomats,” he says. “The Netherlands has got one too.” After serving for six months under President Trump, Painter resigned. Not long after, his former position as Coordinator for Cyber Issues was demoted.

What aspects of government policy on cybersecurity do you think could be improved?

“The strategy is good, but in the end it’s all just words on paper if no action is taken in response to cyber-attacks by countries. Indeed, not taking action implies that it’s acceptable. The Russian interference in our elections, the NotPetya malware attack that came from the Russians, and the Wannacry attack by North Korea had huge effects on governments and on the private sector in the Western world. We need to get much better at deterring this kind of behaviour. We have diplomatic options for doing that. They work with countries like China, whose leaders are sensitive to how the rest of the world sees them. But that doesn’t apply to Russia or North Korea. Targeted economic sanctions can then help change behaviour. Randomly sanctioning companies in Moscow doesn’t work, but going after Putin’s personal finances probably will.

The biggest problem with the current US government is that it’s not consistent about this issue. Trump is personally undermining international cyber stability by questioning publicly whether the Russians did in fact interfere in our elections. You can think up all kinds of fine strategies, but with such statements you undermine any attempt at justice and at dealing with the matter. The messages from the top need to be consistent. That applies to presidents, but also to top executives in the business world. If they send mixed signals about the strategic importance of digital security to their own employees and to the outside world, it undermines every policy.”

- As the first cyber diplomat, you’ve been working on international cooperation since 2011. What role can companies play in that cooperation?

“It’s important for companies and the government to share information about attacks, but that’s awkward. Companies are reluctant because they’re concerned about liability and the trust of their customers. In the US, we are trying to deal with those concerns one by one by means of legislation. And companies will share information more easily if they have a commercial reason for doing so. So we’re trying to reinforce those reasons, for example by giving back valuable information in return. I tell companies that they should get in touch with the authorities to find out how they can be of service to one another in that regard.”

- Do boardroom executives understand the subject sufficiently?

“A lot of executives are aware that cybersecurity is important, but they often don’t know why, or what to do about it. It’s not just a security issue – it needs to be treated as a risk control matter. If I reduce it to four key questions that every executive should ask himself, then they are: What are our company’s most important assets: customer data, intellectual property, communication platforms, or something else? Do I understand the main cyber risks to those assets? Do we have procedures in place to avert those risks? And do we have an incident response plan for if things go wrong? That final question is particularly important, because it’s not possible to make cyber activities one hundred percent secure. Chief information security officers (CISOs) rightly complain that they are often assessed based on a double standard: they’re doing great as long as there aren’t any problems, but if there’s an incident, they get fired. Having a CISO doesn’t mean that nothing will ever happen. It’s important that the CISO examines the risks and opportunities, directly with the board. He or she needs to arrange for the incident response plan, the security procedures, and the basic ‘hygiene’ – that software patches are always actually applied for example, that employees are well trained and that they report it if they’ve done something stupid like clicking on a phishing e-mail.”

- Do you see differences between sectors in how cybersecurity is tackled?

“The technology sector performs best because the subject is so close to their core competencies. The communication sector is doing well and the financial sector is now in reasonably good shape because it’s been targeted so often. Other sectors, such as manufacturing, are lagging behind because they think they aren’t really so much subject to the threats. That’s unwise. In my time with the FBI, I saw numerous examples of companies that didn’t realise they had been targeted until we told them. But let me finish on a positive note. The aim of cybersecurity isn’t to make companies frightened about the Internet. It’s like designing a car that’s one hundred percent safe: that car can’t then drive. So what you need to do is be aware of the risks and then make use of the tremendous possibilities of the Internet.”