Posted 1 Juli 2021

Effective cybersecurity policy must balance risk with threat

Laurent Halimi blog profile image

By Laurent Halimi

According to Christopher Roberti, senior vice president of cyber, intelligence and supply chain security policy for the U.S. Chamber of Commerce, it is "really important that we, as a nation, comprehensively tackle the issues of cybersecurity."

"We have to really put in the time now, and put in the planning about the devious things our adversaries are going to come after and defend against them, and do it in a way that's broader than the five or six major exercises that happen each year," Roberti said.

Speaking as part of a panel during the 2021 AFPM Annual Meeting, Roberti emphasized the need for increased incident reporting and breach reporting.

"We recognize that particularly after SolarWinds -- a highly sophisticated cyberattack perpetrated on an American software company in late 2020 -- and the Microsoft Exchange Server operations that there's a greater calling on both sides of the [political] aisle for increased reporting," he said, adding that a data breach may be "a little easier to tackle."

A "federal law with preemption" that prosecutes cybercrime is Roberti's legislative preference to address cyber threats.

"We don't want to see 30 or 50 or 20 conflicting state schemas," he said. "We're engaging with several members of Congress [to determine] the right balance on data breaches, [including] what kind of protections we are going to see in terms of liability and how the information will be held confidential."

Will Hurd, a former U.S. representative for the state of Texas and former CIA officer, said that throughout his 20 years of being associated with national security apparatuses, there has been considerable discussion about "black swans."

"These are unique events that are unlikely to happen," Hurd said. "But the only thing I've ever heard about black swans is they actually happen, especially when it comes to cybersecurity. We have to be prepared for those crazy events because they're going to happen."

Matching the response to the threat

Derrick Morgan, senior vice president of federal and regulatory affairs for AFPM, acknowledged the inevitability that cyberattacks will occur, but security response plans must be reasonable.

"In these things, there is always a balance," Morgan said. "For example, you can reduce accidents on the road if you reduce the speed limit to 5 miles per hour, but then it would take forever to get anywhere. So you've got to balance convenience and protection."

Christopher Lukas, chief information security officer for Chevron U.S.A. Inc., accentuated the importance of partnerships and the business side of cybersecurity.

"We often talk about them as separate, but it's [essential to] understand those business priorities and really understand risk tolerance," he said, adding that it is key that industry leaders determine how much risk they are willing to accept. "The days of 'gold plating' all security programs are over. From a cost perspective, it's really about taking a risk-based approach and understanding risk tolerance and that business impact and making sure you're investing in the right places against a threat."

Another important area, Lukas said, is understanding risk and the threat to organizations.

"It's different from organization to organization," he explained. "We spend a lot of time working on business partnerships and making sure security is part of the discussion early on, especially when it comes to digital innovation. We want to rapidly develop and deploy the technology, and we want to do that in a way that's secure from the beginning."

Lukas also noted that better understanding of cybersecurity threats requires ongoing "tough conversations" among all sectors.

"We're all in this together," Lukas explained. "We want what is right, and it's going to take a public-private partnership to make this happen in a true attempt to go beyond just information-sharing. We really need to work together."

Effective cybersecurity policy must balance risk with threat