NASHVILLE – Former directors of the National Security Agency (NSA) and CIA may seem unusual choices to keynote an event on supply management, but the security and intelligence challenges Keith Alexander and John Brennan faced during their tenure are not that different from the cybersecurity threats plaguing the private sector today.
"Everybody’s getting hacked," Alexander, the former NSA director, told attendees at the Institute for Supply Management’s (ISM) conference in Nashville, Tennessee.
From ocean carriers to retailers, no company is immune to data breaches. Hacks have devastated companies and their supply chains, slowing operations, hurting brand reputation and affecting the bottom line.
"Our approach to cyber has to change," Alexander said. That approach, he said, starts with bridging the gap between the public and private sectors.
He compared fighting today’s cyber wars to the Revolutionary War, when generals realized the military alone couldn’t win the war and recruited civilians to fight alongside soldiers. In the same way, neither the government nor the private sector can do enough to battle cyberattacks alone.
Former CIA director Brennan asked, "What constitutes an act of war" in the cyber world? When a missile strikes, "there’s a return address," he said. "We know where it came from."
A cyberattack, on the other hand, is not so clear cut. Hackers worldwide can disguise themselves and encrypt IP addresses, leaving no trace. A company can be under attack and have no clue who is attacking – or even worse, not even know it’s under attack.
"I’m shocked that so many CEOs don’t understand the vulnerabilities," Brennan said. Without knowledge and understanding of cyber vulnerabilities, the C-suite "won’t be able to make the right decisions."
Alexander said public-private partnerships can speed awareness and response to cyberattacks by the two entities "sharing information at network speed."
Faster information sharing means quicker response times and getting in front of a threat, rather than always reacting. Instead of scanning for known threats, agencies and companies can start to monitor cyber behavior, noticing patterns in the space and potentially preventing breaches before they happen.
Sharing customer information with the government, however, brings up serious privacy concerns. Both the CIA and NSA have faced criticism for programs that reportedly spy on citizens or tap into phone calls. A company in the private sector might not want to risk sharing sensitive information on its customers with government entities.
One solution, Alexander said, is for the government to give industry liability protection for sharing data with the public sector, ensuring the company won’t be sitting on a pile of lawsuits.
Another is to incentivize data sharing with the government and make the process cost neutral, appealing to companies’ needs to improve the bottom line.
As the amount of data grows exponentially, many companies are exploring ways to store that data, with blockchain an enticing tool.
But for Brennan and Alexander, blockchain has its limits. Adding transaction after transaction to ledgers will make them expand to an "untenable" point, Alexander said. Although blockchain is largely regarded as resistant to hacks, both speakers said the technology is just one more access point for the bad actors.
“It helps generate some of the bad behavior we don't want to see,” Alexander said.