Former Cyber-Security Czar Says Network Perimeter Defenses Don't Work
Instead, companies need to look at how they architect their networks. "Good companies have lots of interior firewalls and network segmentation," he said. Of course, there's more. There's also a problem with CISOs being unable to make the case for security measures that might help in limiting damage. Usually, he said this problem arises because the CISO reports to the CIO and the CFO who have conflicting interests. He said it's common for the CISO to ask for the budget to improve security, only to be turned down when they're unable to guarantee that such expenditures will keep attackers from breaking into the network. Protecting networks is more difficult than ever these days because some of the organizations trying to break in to networks aren't just criminals—they may be government-sponsored hackers."They're looking for research information, but also how companies work." Clarke said that when the Chinese government decides to open an industrial sector, they'll hack into existing companies to see how they're run, who their customers are and even what they're bidding on. "They will get information that's very short-lived like contract bidding, and they'll underbid them. We see that a lot," he said. It's critical that companies protect what's really important, Clarke said. To accomplish that, they need to appoint a risk management committee, preferably at the C-level. He said that it's also critical to have a CISO who is a C-level executive and reports to the CEO. Those people need to dedicate the resources to protect the crown jewels and the information they're legally required to protect, knowing that the bad guys will find their way into the network somehow. Clarke also said that it's critical for the risk management committee and the CISO to realize the full range of issues they'll be facing. There's crime, of course. But Clarke pointed out that there's also cyber-espionage, hacktivism and, of course, war. He pointed out that no company can protect everything against all of those threats. Instead, it's necessary that the company define what it can do to protect what's most important and focus on that. During his time managing the U.S. government's cyber-wars, Clarke learned that it's best to fight the battles that can be won and to defend high-priority assets that must be protected. The challenge for companies is making the right choices. That part, at least, may be possible.
"The Chinese national government engages in hacking on American companies," Clarke said. "It's almost on an industrial scale."