Last week, I asked cybersecurity experts about their reactions to calls from President Barack Obama, Congress and Democratic presidential candidate Hillary Clinton on Silicon Valley tech giants to use their technological wizardry to help foil terrorism.
Khalid Kark, a director in Deloitte’s CIO research program, said the government, technology companies and non-tech companies need to share information and work together to crack thorny issues like how to curb terrorism recruitment online and sniff out traces of attacks on the Web before they happen in the real world.
Gartner analyst Avivah Litan said hyperawareness on the part of everyone — the government, technology companies, retailers, libraries, shopkeepers — is needed to thwart terrorists. Using Israel as an example of a place where security is woven into the fabric of everyday life, she suggested an approach along the lines of the “If you see something, say something” public-service initiatives in the months and years following the terrorist attacks of Sept. 11, 2001 — on a massive scale.
“If everybody was hyperaware, that’s the best intelligence,” Litan said.
CIO role in sharing information
The interlocking benefits of sharing and awareness aren’t lost on CIOs. They see the implications in their own organizations: the fewer the silos, the broader extent of knowledge throughout the organization, the better the business decisions. In a national security initiative based on sharing and hyperawareness, the fewer the silos, the broader extent of knowledge throughout the government and corporate America, the better the security decisions. The CIO role could be key in keeping companies — and the country — safer.
But we may be years from it. For meaningful collaboration between the government and the private sector, Kark said, the government would need to convince companies that their customer data is not compromised. In the wake of attacks in Paris and San Bernardino, Calif., there is a renewed debate in Washington about whether government agencies should be granted “backdoor” access into encryption codes on popular apps to better monitor criminals and terrorists.
“That’s definitely a no-go zone for many of the tech companies,” Kark said. “If you want to engage them you have to ensure and you have to respect their ability to ensure privacy for their customer data.”
Hyperawareness in CIO role
For CIOs to be effective in any grand national security program, Litan said, they need to be hyperaware of all signals in their organizations. That means everything from making sure cybersecurity is airtight to determining whether there are potential terrorists working alongside other employees.
But to keep any kind of threat from spreading, CIOs need a “safe harbor,” or whistleblower, policy that lets them bypass legal departments — and ensures the CEO won’t sack them.
Litan gave the high-profile, hypothetical example of the self-proclaimed Islamic State trying to take down NBC Studios by installing malware on its computers. If IT detected the malware, it couldn’t report that to the government so they could alert other companies to the threat.
“There’s a bunch of lawyers at NBC Studios that would stop the IT department from sharing that level of information,” she said. “All they could say is, ‘We see signs of suspicious activity.’”
A bill working its way through Congress, the Cybersecurity Information Sharing Act, would give companies some legal immunity for sharing data with the government. But the legislation has drawn criticism from tech companies like Apple to groups like the American Library Association, which say it doesn’t adequately safeguard Americans’ privacy. As is, the bill allows the Department of Homeland Security to share information — including personal customer data — with the FBI or National Security Agency.