Cyber-attack preparation – hot topic for everyone
The question is not whether more cyber attacks will occur, but how prepared we are to deal with them. The Incident Response Forum in Washington, D.C., on April 4 focused on just that issue. The panel I participated in was “National Security and Cyber Attacks.”
My fellow panelists were true heavyweights of the cybersecurity world: John Carlin, now a partner at Morrison & Foerster LLP but formerly Assistant Attorney General for the DOJ’s National Security Division; Susan Hennessey, a former NSA lawyer now with Brookings but well known as a Lawfare blogger; Aaron Hughes, the former Deputy Assistant Secretary of Defense for Cyber Policy; and Benjamin A. Powell, a partner at WilmerHale and the former GC to the Director of National Intelligence. The moderator was Anthony Scaramucci, the founder and co-managing partner of SkyBridge Capital.
One of the things that struck me about the Forum discussions is the importance of having a formal plan in the event of a cyber-incident. Of course, as the military says, no plan survives contact with the enemy, but having a plan provides a starting point, and does provide a good place to collect information and contacts one would want to have in a crisis situation.
But more than just having a plan, organizations need to exercise that plan – and do so with the actual people who would be involved in a real-world situation. In addition, there is real utility to meeting – in advance of an attack – the law enforcement people you would need to contact as well as the prosecutors who are responsible for cyber investigations.
Specific to my panel, discussion ensued about what should be the role of DoD in cyber-attacks beyond defending its own systems and certain critical infrastructures. For now, it seems that given that most cyber-attacks are the result of criminal activity, law enforcement would properly be the “first responder.” In light of how intrusive cyber investigations might have to be, I think that deference to law enforcement trained in interfacing with the public is the way to go.
BTW, there is an excellent collection of links to materials relevant not only to my panel, but also to several other panels at this very interesting conference found here.