Former U.S. Secretary of Homeland Security Tom Ridge issued a stern warning to delegates at the recent Canadian Council for Public-Private Partnerships (CCPPP) conference in Toronto that cyber attacks could have profound consequences for critical infrastructure, and urged them to treat cyber security as an integral part of builds rather than an afterthought.
Using language that fit the setting, Ridge called for a new era of "digital P3" consciousness in which the public and private sector would work together to develop comprehensive plans involving vulnerability assessments, cyber monitoring and cyber risk insurance.
The partnership is essential, given that government uses privately owned digital infrastructure, he said, and everyone would suffer if water, grid or other systems were struck down.
In the era of what he called the "digital evermore," in which 50 billion digital devices will be connected through the Internet of Things by 2020, the former governor of Pennsylvania and current security consultant through his Ridge Global brand said hacks happen every day, and every enterprise should expect to be hacked at some point.
"We understand the advantages of a connected world," he commented during a briefing to reporters in advance of his speech on day two of the CCPPP conference Nov. 15, "but do we understand and appreciate the peril?"
"I thought this would be an appropriate conference to discuss this since we are talking about public-private partnerships and collaboration. To talk about the necessity for there to be a digital P3. The same resourcefulness and the same innovation that government and businesses use in the area of building infrastructure, we need the same kind of relationship to set standards for cyber security, to share information about cyber security. And really to preserve and protect that critical infrastructure."
Ridge reminded the CCPPP delegates how disruptive a simple power outage can be to daily living and the economy.
"I don't know where you were in August of 2003 when they had the northeast blackout," said Ridge.
"Ten million Canadians were affected and 45 million Americans. Some communities were without lights and electricity for a couple of days. And that was simply an overloaded powerline that hit some branches on a tree south of Ohio and a series of technical and manmade mistakes, and all of a sudden you have millions of dollars' worth of damage, several lives lost, and that is a naturally occurring event."
The issue is not one to set aside for future consideration, Ridge said; it has already arrived, and it is getting "hotter" all the time. "If someone thousands of miles away decided to get into the industrial control system like we did in Iran with Stuxnet, and started playing around in our critical infrastructure, the circumstances could not only be disruptive but disastrous," said Ridge.
"My intention today is to talk very specifically about a digital peril where governments and the private sector collaborate to reduce the risk of a cyber attack, to reduce the risk of disruption to the economy."
In the 21st century, said Ridge, there are two kinds of organizations — those that are being hacked and know it, and those that are being hacked and don't know it.
He estimated that about 60 to 65 per cent of attacks are undertaken by well-financed organized crime, sometimes abetted by governments (he mentioned China and Russia specifically), with intellectual property theft, sabotage and theft of personal information among the main criminal goals.
"Attackers have first-mover advantage," said Ridge, a former infantry staff sergeant in Vietnam who earned several medals of honour. "They need only penetrate one point of entry, directly or through malfeasance of an employee; it could be through a third party or through a vendor.
"Business owners should accept the fact that they will probably be infiltrated and damage will probably ensue."
Digital P3 planning, he said, should therefore incorporate not only preventative measures but also response plans for after an attack takes place, so that businesses and the public sector can continue to operate.
President Barack Obama's 2013 executive order titled Improving Critical Infrastructure Cybersecurity established a blueprint for public and private sector co-operation in dealing with cyber threats, Ridge said.
"The standards were built around the need to identify and detect the threat, protect against the threat, and build the capacity to respond and recover in the event of an attack," he said.
Information sharing is the essence of the collaboration, said Ridge, but it must not come at the expense of citizens' privacy. Obama's directive recognized that balance, he said.
"Government can achieve these objectives without violating the privacy and civil liberties of its citizens," said Ridge.
"Cyber security must be viewed as a business risk, not as an IT problem. Leaders must understand that the impact of a cyber attack is real, not virtual. Leaders must understand that in the 21st century you can't wait for it to happen, you have to be prepared, you better be engaged in preemptive activity as much as possible."