Liveblogging OnDC: Lt. General Minihan (ret.)
Speaker: Lt. General Minihan (retired)
He was in intelligence for years. Usually in that role, no one is happy with you. Usually you get phone calls between midnight and 6 am. (I believe he ran the NSA previously.)
Now he is Managing Director of Paladin Capital. He is going to talk about Cyber Security.
[Note: All of the following is paraphrased....]
In the iceberg there are two risks. The tip of the iceberg is the threat most people talk about. It’s like amateur hacking and stuff. But the structured threat is to our system operations and survival, not just performance. Rogue nations, professional intelligence operations, criminals. They’ve been there for 20 years. Not amateur.
The domain of cyber is where we all live, work and play. Our competitors are in the lower part of the iceberg. We are competing against real international criminal operations, real nation-states, and they have all the facilities of global intelligence operations at their disposal. This is what we are talking about in the public-private partnership.
The critical sharing is dual use in the reverse sense. In the cold war, the dual use was the govt had it and might share with private industry. When I directed NSA, the private sector owned 90% of our infrastructure. For my predecessors, it was the reverse.
So vulnerabilities are now shared by private and government. There has to be a policy framework for dual use, where we can deploy transformational infrastructure. What are the building codes and standards? How do we certify that it’s working? How do we share it back and forth? You may have some customers that are more risk averse than cost sensitive.
I’m a minority in this, in this town, but I believe the govt has to start sharing classified information with private industry. As you understood the risks in the 20th century, until you have access to classified information, you will not understand the risks we face.
I like to separate trust from security. In this town, trust is the higher thing than security. It’s bridged by assurance. I need to trust that, in the face of a natural disaster or terrorist attack, I can deal with it. I’m more risk averse than cost sensitive.
Incident response needs to be active, not passive. I’m expecting to play soccer, not football. While you may have something that I consider to be on the defense of my network, I’m thinking that all the technologies you provide me are going to be useful for defense but also for attacking those who attack me. I’m a compliance-oriented customer. I’m enforcing through activity the cessation of attacks on me. These are some of the ways a government customer will think about things.
I knew what to do, when I was in school, what to do if the nation was under attack. We have to get to that same condition around Cyber in the 21st century. Even in grade school, when I used to get under my desk, as part of the alerting system. We ceded responsibility for national security to the national government. Most of us grew up not worrying too much about our individual responsibility. As you’ve transitioned to the 21st century and as you think about Cyber, we have to reseed back into this audience individual responsibility for understanding our vulnerabilities. There is a business opportunity here.
The record will reflect that I’m 36 seconds away from being done.