On Day 2 of the Institute for Supply Management’s 103rd annual conference, ISM CEO, Tom Derry, hosted a panel on the topic of cyber security, globalization, and supply chain risk management. The panelists were Keith Alexander and John Brennan – two big names in cyber security, intelligence, and national security.
Alexander is a retired four-star general who served in the US Army for 40 years, most recently as the Director of the National Security Agency (NSA) between 2005 and 2014 and the first Commander to lead US Cyber Command. He retired from military and government service in 2014 and is now Founder and CEO of IronNet CyberSecurity. Brennan is a career-long intelligence professional, having served as a Near East and South Asia analyst at the Central Intelligence Agency (CIA) for 25 years before leaving in 2005 to become CEO of The Analysis Corporation (TAC). But he returned to government service in 2009 to become Assistant to the President for Homeland Security until 2013, when he was appointed to be the sixth director of the CIA, serving until January 2017. Brennan is now a senior intelligence and national security analyst for NBC and MSNBC.
It is telling that for the third time in four years, ISM invited former military and intelligence leaders to speak at its annual conference (Robert Gates, former Director of Central Intelligence and Secretary of Defense spoke in 2015, while Gen. Colin Powell, former Chairman of the Joint Chiefs of Staff, National Security Advisor, and Secretary of State, spoke in 2017). The world is getting scarier and more dangerous every year, and it is a world in which supply management professionals need to lead and execute their own missions. There are myriad threats out there, from terrorism, piracy, and regional instability, to the threat of trade wars, currency wars, and actual wars between nations, to malignant cyber actors that are almost always a few steps ahead of the good guys.
And as cyber/IT security threats infiltrate organizations via their supply base, Chief Procurement Officers (CPOs) and their lieutenants have been increasingly on point to manage what used to be inherently and exclusively the responsibility of the Chief Information Officer or Chief Information Security Officer. So, who better to talk about the ever-evolving cyber security threat landscape than two experienced intelligence professionals?
Cyber Security: Not Just for Digital Warriors
Let’s be clear: it has been and remains the government’s job to protect this country from cyber threats. And while agencies like the CIA, FBI, and NSA have done a remarkable job collaborating with each other and allied nations to minimize acts of terrorism at home and abroad, Gen. Alexander concedes that “our approach to cyber security has to be changed.” Private enterprises need to get more engaged and become more proactive because the problem is much more pervasive than many business leaders realize.
“There are two types of companies,” he said, “those that have been hacked and know it, and those that have been hacked and don’t know it.” If every company is getting hacked, Gen. Alexander surmised, then the country’s collective cyber security strategy must be failing. “This is where public-private partnership is so important,” he said. “We need to take another step.”
Gen. Alexander argued that “industry has a responsibility, up to a certain level, to ensure that they are protected.” And they need to be able to share with government agencies, like the FBI and Department of Homeland Security (DHS), threat intelligence in real time in order for government and industry to have a common understanding of the threats and have adequate time to respond to prevent an attack. Government agencies cannot do it all because they cannot see it all; at least not until attacks have occurred. At that point, they are “relegated to incident response,” which exposes an unsettling truth: “that companies [can] get hacked, and a nation-state like North Korea [can] take them down,” he said. “We need to be out in front of that.”
This threat is especially grave for companies that are part of a country’s critical infrastructure and are necessary for the continuity of government. If their networks are breached, then personal and proprietary data can be stolen, operations can be halted, and they can even be weaponized. This vulnerability has spurred public-private sector partnerships, like the FBI’s Infragard and DHS’s Critical Infrastructure Sector Partnerships, which help government and industry partners build a common threat landscape and response plan. But that’s not enough, argued Gen. Alexander.
Help Me to Help You
As NSA Director, Gen. Alexander went before Congress and testified that corporate partners need what amounts to liability protection before they can work with the government. Corporations, like Equifax, have become subjects of class-action lawsuits for failing to adequately secure consumer data and promptly inform those affected. And they can be penalized significantly by governments, particularly in the European Union where the General Data Protections Requirement (GDPR) is about to become law. As Gen. Alexander said, “They’re not the bad guys. If they’ve been attacked, they’ve been attacked by the bad guys.” The government also needs to “incentivize” industrial participation in order to “neutralize” the cost of building an effective cyber security partnership program.
Brennan echoed Gen. Alexander’s assessment. Dealing with cyber security issues in this era of automation, artificial intelligence (AI), and the Internet of Things is “much more challenging,” he said, “by a number of times and for a number of reasons.” First, “this environment is not owned or operated by the government – 85% of it is owned by the private sector,” he said, adding that there is no consensus on what the government’s role is in terms of monitoring, detecting, preventing, and responding to hackers seeking intellectual property (IP) rights and sensitive information. Also, a lot of countries, like China, have fostered a culture of stealing and replicating IP, as well as infiltrating the financial sector. The only way for government and industry to counter these threats, Mr. Brennan said, is to work together.
A Growing Challenge
Today’s digital domain, he said, is accelerating globalization. And there are consequences for global supply chains, particularly since companies can reach trading partners around the globe that are based in Country A but manufacture their goods in Country B. “This ecosystem…is so interconnected and becoming more so. You’re not going to be able to stop globalization,” Brennan said, “but you need to be able to manage it in a way that is going to protect your interests, whether they are national security or business interests.”
Achieving supply chain cyber security is doable, he said. But establishing the proper rules of engagement is difficult. “Technically, we can do it. But the question is, ‘how do you do it while protecting civil liberties and at the same time ensuring the security of this nation?’” For Gen. Alexander, protecting data while preserving civil liberties and privacy is not an “either or” – “we can have both” he said.
But the exponential growth of devices, applications, and data compounds the problem. “If you just look at the number of applications for iPhones and Androids in 2010,” Gen. Alexander said, “there were 170,000. In 2018, we’re up to over 6 million.” Indeed, “technology is doubling every two years. The amount of data is increasing so quickly.” Organizations have become overwhelmed with data and have lacked the tools to manage it all and derive value from it. The solutions, Gen. Alexander believes, lies within more machine learning-enabled systems and AI – a familiar theme here on CPO Rising.
Directors Brennan and Alexander had so much more to say during their nearly hour-long discussion with Tom Derry. Stay tuned to CPO Rising for Part II of this discussion, which will cover industrial espionage, corporate theft, and the quintessential state sponsor of cyber crime, the People’s Republic of China.
RELATED ARTICLES
ISM 2017 Round-Up: Top Five Highlights from Orlando
David Cameron Keynotes ISM’s Annual Conference in Orlando
ISM 2017 Conference To Tackle Global Issues, Uncertainty
ISM at 100: Robert Gates on Global Stability and Supply Risk
ISM at 100: The Hidden Risks Lurking Within Supplier Relationships
Tagged in: Chief Procurement Officer, CPO, Events, Innovation, People, Process, Solution Providers, Strategy, Supply Risk, Technology
