Colorado Capitol Report

Cyber-Threats: Clear and Present Dangers


Cyber-Threats: Clear and Present Dangers

Ann M. Beauchesne, Gen. Michael Hayden, Michael Morell (photo by Evan Semón Photography)

Yesterday at the CACI Annual Meeting Luncheon, two of the nation’s leading experts on national security painted a dark and troubling picture of cyber-security threats that face the U.S.

More than 250 CACI members and guests attended the Luncheon at the Hyatt Regency Denver at the Colorado Convention Center.

Sponsored by the U.S. Chamber of Commerce, the two panelists were:

Gen. Michael Hayden, Michael Morell (photo by Evan Semón Photography)

  • General Michael Hayden, U.S. Air Force (Retired), who is a now a Principal with The Chertoff Group.  He served as director of both the Central Intelligence Agency (CIA) and the National Security Agency (NSA).
  • Michael Morell, former deputy director of the CIA, who twice served as acting CIA director.  He is a 33-year veteran of the Agency and is now a Senior Counselor with Beacon Global Strategies.

Ann Beauchesne (photo by Evan Semón Photography)

The panel was moderated by Ann Beauchesne, Senior Vice President, National Security and Emergency Preparedness, U.S. Chamber of Commerce.  October is “Cybersecurity Awareness Month,” she said.

In the U.S. each year, said Beauchesne, cyber-crime costs the U.S. $6 trillion.  The Chamber encourages businesses to work together to improve the security of their information-technology (IT) networks to combat cyber-crime, she said.

The Challenge for Boards of Directors and C-Level Corporate Officers

Morrell said the issue of IT used to be just the province of IT professionals, but that is no longer the case.  He said that, in the four years since he left the Federal Government, he has seen “the arc” of increased awareness among Board members and corporate executives when it comes to cyber-security.  The 2013 case of Target was a major factor in this increasing awareness, he said.

Boards of Directors now understand that they are “under the threat” of responsibility for cyber-crimes committed against corporations just as boards are responsible for such risks as fraud and violations of the Federal Foreign Corrupt Practices Act, Morel said.  Board members should think of cyber-crime as “like any other risk” to a corporation, he said, and then figure out how to manage that risk.

Boards should hold senior executives accountable for a company’s cyber-defenses, Morrell said, and require periodic briefings by chief executive officer and the chief information officers.  “It’s as simple as that,” he said, “All Board members need to pay attention.”

Morrell said that, in 2009, he made a joint appearance in New York City before a “Wall Street crowd” to discuss cyber-security along with George Tenet, former CIA director, and Mike McConnell, former director of the National Security Agency (NSA) and former director of National Intelligence.  After the trio had made their presentation, it was time for questions-and-answers with the audience, he said.

“How much is this gonna cost?” once audience member asked, Morrell said, noting that the questioner clearly saw cyber-security only as a “subtraction from” the bottom line.

Corporate executives and Board members should see the cost of cybersecurity “as integral as any other element” of how a business functions, Morrell said.

Boards should contain at least one member who has expertise in cyber-security, said Morell, just as they should have a member who has expertise with the Federal Sarbanes-Oxley Act.  Cyber-security experts may be hard to find, he cautioned, to serve on a Board.  Boards of Directors “need to take the pledge” to be vigilant about cybersecurity, Morrell urged.

If both the Board and the chief executives are vigilant when it comes to cyber-security, Morrell said, then a company’s workforce will understand that the company’s survival “depends on getting it right” when it comes to strengthening the company’s cyber-defenses.

Phishing” has become the most common way for IT networks to be penetrated, Morrell said, and it accounts for 90 percent of penetrations.  A company should educate its workforce to prevent clicking on links or opening attachments of phishing emails, he said.

Phishing emails have become much more sophisticated, Morrell warned, compared to the past when hackers sent out mass phishing emails, which were not successful.  With the growth of information about a company or an individual on the Internet through social media, he said, targeted, sophisticated phishing emails now can be aimed directly at individuals.  (Phishing attacks aimed at an individual are called “spear phishing.”)

Adversaries evolve their attacks just as targets evolve their defenses, Morell cautioned.  “Be really aware,” he urged.  Company C-suite officers are often unaware about how fast attacks can evolve, Morrell said.

The next topic to be discussed was “ransomware,” which is malware that hackers manage to install in a company’s IT system that locks up, or encrypts, data.  The hackers then demand payment to release the data or they threaten to not unlock it or destroy it or sell it on Dark Web or the Deep Web.

Hayden urged the audience to be very careful about how they respond to ransomware attacks.  He said the FBI urges businesses and individuals to not pay the ransom that hackers demand.  Hackers may, however, only demand a relatively small amount of money to release the data, he said, which makes it difficult for corporate officials to decide whether or not to pay.

The Role of the Federal Government in Fighting Cyber-Crime in the Private Sector

A debate exists about whether or not the Federal Government should be brought into the world of corporate IT to defend against cyber-crime, Hayden said.

Government has taken the lead in protecting the nation when the foreign threat comes by land, sea, air or space, Hayden said.  These traditional “domains” are now joined by cyber-space, he said, and it’s not clear that government can protect the U.S. in cyber-space the way it has in the traditional four domains.

Cyber-threats are “sufficiently different” from threats in the other domains, Hayden said, and the response demands speed, technology and experience, which are more dominant in the private sector.  Governmental intrusion into the networks of companies and individuals raises serious questions about privacy and civil liberties, he cautioned.  “Do you want government spying on your home network?” he asked the audience.

Consequently, individuals and companies should be “more responsible” for cybersecurity threats than they are for threats in the four traditional domains, Hayden said, in which Government protects the country.  Individuals and companies should provide their own security, he said, adding “That’s just the way it is.”

Publicizing Cyber-Threats

To focus more public attention on cyber-crime, Morrel said more leaders are needed.  He said that the cost of cyber-crime exceeds that of the illegal drug trade.  One strategy is to “tell stories” about the impact of cyber-crimes on individuals, who have had their identities stolen, as well as on consumers, who face higher prices for goods and services because of the cost that cyber-crime adds to prices, he said.

Hayden said the U.S. needs “digital natives” to develop the leadership to communicate the dangers of cyber-crime to the public.  He called for a public education campaign about cyber-crime–similar to that for drunk driving which made driving while intoxicated socially unacceptable and increased penalties—to protect children from Internet predators as well as the finances of individuals and companies.

The Many Faces of Cyberthreats

Beauchesne said the FBI is seeing a “blurring of different kinds of threats” from organized crime, rouge nation-states (like North Korea, Russia, and Iran), drug cartels, “hacktivists,” and terrorist organizations.

In the past, small hacker groups were the main threat, Morell said, but there is now a  growing number of nation-states and organized criminal enterprises that are pursuing cybercrime and acquisition of information, both economic and national security in nature.

Sometimes, there is a mixture of actors, Morell explained.  A hacker may work for the Russian government during the day and go home and at night work for organized criminals.  The skill level of hackers working for nation-states has increased more than that of organized crime, he said.

Are Small Businesses a Target?

Morell said small businesses are mistaken if they think that cyber-criminals are more focused only on major corporations.  As large corporations beef up their cyber-security defenses, hackers will go after small firms, he said.  Hackers will go after finances, intellectual resources and information about customers, Morell said, and executives have to decide what is important to protect.

The China Question

Hayden said many nation-states around the world routinely engage in industrial espionage for economic reasons but not such countries as the U.S., Canada, New Zealand, Australia and the European countries.  In 2016, China agreed with the U.S. that cyberespionage should only be used for national security purposes and not for economic reasons.  Since then, there has been some evidence that the number of cyber-attacks from China aimed at American businesses has decreased, he said.

There may be three reasons for this decrease, Hayden said:

  1. The Chinese government may not be seeing attacks that originate within the country’s borders;
  2. China may be decreasing its governmental economic attacks; or
  3. China may be concerned that “cyber-piracy” will hurt it.

Hayden said the U.S. Department of Homeland Security is exploring how economic rewards and punishments can be used to influence foreign companies or governments that engage in economic spying.

From Russia, with Love; The U.S. 2016 Elections

Next, Hayden and Morell discussed the topic of Russian cyber-meddling in the 2016 American elections.

Morell said the Russians pursued three strategies:

  1. Cyber-espionage that resulted in the penetration of the Democratic National Committee and the emails of John Podesta, chair of Hillary Clinton’s presidential campaign, which were then provided to WikiLeaks and made public;
  2. Attempted penetration of state election systems, which appears to have been unsuccessful; and
  3. “Weaponization of social media to push propaganda into our country.”

The use of social media by the Russians was the “most successful” of the three strategies, Morell said, and it “moved daily tracking polls” for the 2016 presidential race by being targeted down to the precinct and county levels.  It will never be known, he said, if the effort actually “changed any votes.”  Nonetheless, the Russian social-media campaign attacks damage “us was a people,” he said.

The social media attack and creation of “fake news” by the Russians was “much bigger, broader and deeper” that was initially known, Morell said, and it sought to exploit divisions based not just about politics and the presidential campaign but about divisions based on race, sex and income inequality.

For Russian President Vladimir Putin, Morell said, the cyber-campaign against the American election is an example of a much broader Russian strategy the combines military force, as in Crimea and the Ukraine, with cyber-initiatives that sow disinformation and confusion among those that Putin considers the enemies of Russia.  Putin seeks to weaken America as a nation, he said.

The Russian cybercampaign continues today, Morell said, and Russian state hackers quickly reacted to exploit the recent quarrel between President Trump and the National Football League as well as the campaign aimed at President Trump’s National Security Advisor, H.R. McMaster.

What to Do about the Russians?

Morell said Congress could create a commission similar to the 9-11 Commission that could address the following two questions:

  • How do we defend ourselves?
  • How do we deter Putin from his campaign of cyber-attacks and use of social media against the U.S.?

Hayden said that the “hybrid warfare” strategy of integrating military force with cyber-weapons has publicly been articulated by a Russian general.  Russia seeks to influence global events in addition to its military excursions into Crimea and the eastern Ukraine, he said.

Russia is taking aim not only at the U.S. but also at NATO and the European Union, Hayden said.  “Russia has a full head of steam,” he said, “and it will continue with its cyber-offensive.  We have to “heal ourselves” to keep the Russians from capitalizing on our cyber-weaknesses, he added.

In addition, Morell said, such other nation-states as China, North Korea and Iran are watching Russia’s actions to learn how to improve their own cyber-capabilities.

The Threat from Organized Crime

Hayden said organized crime is launching cyber-attacks on companies to obtain valuable information, which can then be used to extort money from companies.  Cyber-crimes will put companies into a crisis “not of your own making,” he said.

The Challenge for American Tech Companies Operating Abroad

The perception that U.S. technology companies are cooperating with the Federal Government on cybersecurity will hurt them as they try to sell their goods and services abroad, Morell said.  Such a perception overseas will hurt such firms as Apple, Cisco and Google, causing them to lose market share, he said.

Such firms have to tell their foreign customers that the U.S. government can’t “get inside” their products.  An example was the iPhone of the 2015 San Bernardino mass shooter, which became the focus of a national debate and legal action when Apple refused to create a backdoor “key” to unlock the phone for investigators.

If Apple put such a key into its iPhones, Morell said, then the phones would be susceptible to cyber-attack.  Instead, the FBI and the CIA should be challenged to “break into” the phone instead of the government trying to force Apple to create the key.

Hayden added that he also did not favor forcing American tech companies such as Apple to create keys to allow the government to access its devices.

Question-and-Answer Session

One question from an audience member concerned the Russian anti-virus software company, Kaspersky Labs, whose product the Federal Government last month ordered to be removed from computers at some two dozen agencies.  About 400 million people around the world use the firm’s software.  What should the Federal Government’s role be vis-à-vis private-sector anti-virus software that may be compromised?

According to The New York Times, Israeli intelligence agents discovered that Russian state hackers were using the Kaspersky Labs network to globally search for the names of American intelligence programs by using hacking tools stolen from the NSA.

Hayden said that one approach to this problem might be the creation of public-private effort that awards a “seal-of-approval” for anti-virus software similar to the work of Underwriters Laboratory.  Government should not take control of anti-virus software and impose regulations, he said, because the private sector will be more efficient without government intrusion.

In response to a question about whether or not the U.S. should launch a cybersecurity effort similar to the 1960s “race to the moon,” Hayden said,”Sure.”  But he pointed out that the space race was an industrial-era effort that only the Federal Government could do.

Now, in a new, post-industrial world characterized by global digital interconnectivity, Hayden said, the “heavy lifting” has to be done by the private sector when it comes to meeting cyber-security challenges with government playing a supporting role.

Morell said, “tensions are rising” between Congress and Silicon Valley over cyber-security, citing Congress’ initial negative  to Facebook’s reluctance to provide information about Russian-connected ads on Facebook during the 2016 presidential election.  Facebook then agreed to turn the ads over to Congress.

Hayden added that Silicon Valley is now recognizing the need to cooperate with the various Federal and Congressional investigations into the Russian interference in the 2016 elections.

In response to a question about whether or not the U.S. should consider a national identity card instead of Social Security numbers in the wake of the Equifax data breach, Hayden said there is no political support for such a card.  The U.S. will instead stick with a mid-20th Century system of Social Security numbers for the purpose of personal identification, he said.

Morell added that biometrics may be used increasingly for personal identification.

In response to a question about what small companies should do to increase their cyber-security, Hayden said that they should buy anti-virus software from “reputable providers.”

Hayden explained that a company’s cyber-perimeter will be breached.  Thus, a company should focus on protecting its valuable data, not its network.

Morell said that one of the most dangerous threats to a company’s cybersecurity is the disaffected employee, who may be angry at a company for any number of reasons.  Edward Snowden succeeded in the theft of the NSA data because he picked the last part of the NSA network that was not monitored for activity, he said.

Resources of the U.S. Chamber of Commerce

Beauchesne detailed the activity of the U.S. Chamber on national security and cybersecurity, which are top priorities for the Chamber, and how it can act as a resource for U.S. companies.

The Chamber has three strategies for addressing the cybersecurity issue:

  1. Advocacy, through lobbying the U.S. Congress on cybersecurity legislation;
  2. National Security Task Force, chaired by Tom Ridge, former Secretary of the U.S. Department of Homeland Security; and
  3. Education across the country of businesses to strengthen their cybersecurity defenses by working in concert with the U.S. Department of Homeland Security, the Federal Bureau of Investigation, the White House and the U.S. Department of Commerce.

Building Partnerships in Non-Traditional Ways via CACI HealthCare Council

Heather Woolbright,  Account Manager

Why did you begin attending the CACI HealthCare Council?

My clients are in health care.  I wanted to become part of that community, to better understand the issues, and be able to speak to my clients about them.  I wanted to build partnerships in non-traditional ways.

What have you found through your participation?

I have learned about legislation that is coming and have been able to speak with my clients about issues that will impact them, before they know about them.  This is a great conversation starter that leads to more about their business and how I can be a better partner for them.

Have you built any new business relationships?

Yes, I’ve been meeting people at the meetings.  By coincidence, I did meet a new client and Aerotek has already placed a new employee with them. 

Do you think participation will help you in your job?  Will it help your business? 

Definitely!  I’ll continue to attend and plan to bring a colleague who is new to health care so she can learn what I’ve been learning. 

What should others know about participating in the HealthCare (or any) Council at CACI?

I’d tell others that if they aren’t in health care as a job, they may think that health care doesn’t directly impact them, but it does or it WILL.  As a buyer and a user of health care, the HealthCare Council is a direct channel to the issues that impact you and your employees.


Now Accepting 2018 EXECs Advocacy Applications

The CACI EXECs Advocacy Program delivers experiential insight into prominent Colorado companies. Through business tours and policy-based forums in partnership with key Colorado executives and elected officials, you will learn about the different industries that impacts Colorado’s economy.

WHAT ARE THE BENEFITS?

  • Develop a strong foundation in Colorado business policy and advocacy
  • Network with other leaders from Colorado companies
  • Gain perspective on critical issues that impact the different regions of Colorado and the industries that support them

WHO SHOULD APPLY?

Rising leaders who are passionate about shaping and enhancing Colorado’s economy and strengthening Colorado’s business climate.

WHAT IS THE COST?

$2100 per person includes all required program materials, travel, food, and beverages. Class fees are non-refundable and non-transferable. Programs range from half day to full day commitments.

Program runs from February through October. We meet once per month. 2018 dates will be finalized and posted to the website by Dec. 1st.

Click here to apply

For questions regarding the program, please contact Lalitha Christian at LChristian@COchamber.com


More Municipalities Adopt Standardized Sales & Use Tax Definitions

During 2015 and 2016, CACI’s Tax Council members and Colorado Municipal League representatives worked on a project to standardize current sales and use tax definitions to ensure that Colorado taxpayers can rely on a consistent definition for a taxable item from city-to-city.

Since that time, some cities have adopted the standardized definitions while 51 cities are still pending.  At this time, 18 cities have adopted a standardized sales tax ordinance and those cities are listed below:

1. Arvada10. Golden
2. Aurora11. Greenwood Village
3. Avon12. Gypsum
4. Cortez13. Longmont
5. Dacono14. Louisville
6. Denver15. Northglenn
7. Edgewater16. Parker
8. Fort Collins17. Westminster
9. Frisco18. Wheat Ridge

Please contact Loren Furman at lfurman@cochamber.com or at 303-866-9642 if you should have any questions regarding this issue.


Trump Administration Makes Major Tax Changes to Obama Era Tax Rules

The Treasury Department announced late last week that the Trump Administration would be complying with an Executive Order from this spring, changing controversial rules implemented by the Obama Administration.  Proposed changes include rules to punish businesses moving headquarters overseas to leverage tax incentives and breaks.  Additional rules being chosen for rollback are: a rule that limited inter-company loans, as well as a rule that limited family-owned businesses from discounting family partnerships (opponents say this discounting skirted estate taxes while Treasury says removing this rule helps families maintain the value of their companies from generation to generation.)

“This is only the beginning of our efforts to reduce the burden of tax regulations.  Our tax code has been broken for too long, and this retrospective review, along with our efforts on tax reform, will ensure that we have a tax system that fosters economic growth.” – Treasury Secretary Steven Mnuchin after issuing an 11-page report laying Treasury’s intended actions.

Background:  In April 2017, President Trump tasked the Treasury Department with reviewing federal tax regulations with the intent to lessen burdens of compliance costs; Treasury identified more than 200 rule candidates.


EPA Announces Plans to Eliminate Clean Power Plan (CPP)

On Tuesday, EPA’s Director Pruitt announced the EPA will be rescinding CPP rules put into place by the Obama Administration to address carbon pollution standards.  This repeal follows on the heels of President Trump’s Executive Orders (EOs) in March calling for repeal of the CPP, as well as the April EO setting up a formal review of the CPP.  The EPA proposal has notably not yet been officially published in the Federal Register, a requirement for public notification.

Things to watch for in coming weeks:  The Clean Air Act requires a replacement for any CPP and a replacement plan has not yet been offered or made public yet.  Second, the U.S. Court of Appeals for D.C. has a pending case challenging the CPP, so look for progress on that case and whether the EPA asks the courts to remand the case back to the agency.  And lastly, the EPA will be using this comment period to frame the conversation about carbon, as well as using public comments to bolster their case ad image in court.


Want to enjoy networking and get results? Join us on Oct. 26th to learn how.

Kendall Colman, Founder & CEO, The Corporate Coaching Company

Kendall Colman is Founder and CEO of Colman Coaching, the highly respected woman owned national provider of executive coaching, elite business presentation coaching, and media preparedness training. Over the last 17 years, C-level executives, public officials, best-selling authors, and business people from almost every industry have benefited from Colman Coaching’s programs. Companies include PCL Construction, Comcast, IHS Markit, Chipotle, the Colorado Bar Association, and the Colorado Bankers Association. Kendall has established a reputation in delivering results. Take this unique opportunity to hear directly from the expert!

This event is open to all CACI members

Date: Thurs. Oct. 26, 2017

Time: 4:00 PM – 6:30 PM

Location: PCL Construction

2000 S Colorado Blvd, Denver, CO 80222

LEARN HOW TO:

  • Introduce Yourself In Social Settings
  • Get Into Casual Referral Conversations While Staying Social
  • Introduce Yourself in Business Settings
  • Talk About the Economy
  • Appropriately Shift the Conversation to Business to Explore, Could this Person be:
    • Customer?
    • An Effective Strategic Partner?
    • A referrer?
  • End a Conversation So You Can Move On
  • Follow Up With People You Met Networking

Agenda:

4:00-4:30 Arrival & Check-in
4:30-4:45 Welcome & Introductions
4:45-5:45Presentation by executive coach Kendall Colman
5:45-6:30Networking (Optional tours of PCL available)

 

Appetizers, Wine & Beer Provided

Register Here

Thank you to our sponsor!