Last week's U.S. intelligence report tracing Russia's cyber-meddling with the 2016 presidential election is a timely reminder of the cybersecurity risks that the government and private companies face, said Tom Ridge, the nation's first secretary of Homeland Security.
"President-elect Trump is entering into a world fraught with hazards as never before," Ridge said in a telephone interview on Monday. "Russia is a reminder that cyberattacks are a permanent risk to individuals and countries and companies, and you must do all you can to understand the risk. It's a reminder of how serious and permanent the risk is. The risk continues to get deeper."
Ridge, who is also a former Republican governor of Pennsylvania, is chairman of Ridge Global, a Washington-based cyber protection advisory firm. He was named by President George W. Bush to head the Department of Homeland Security, which was created after the Sept. 11, 2001, attacks. He held the post from 2003 to 2005.
Ridge said President-elect Donald Trump needs to appreciate that cyberattacks affect not only national security but also the nation's economic security. Companies that control the nation's financial sector, energy resources, transportation and other vital infrastructure are just as vulnerable as federal agencies and political party emails, he noted.
"It's not just about securing government information, but about national security and economic security," Ridge explained. "One thing the next president needs to understand is that it's both. Time will tell if he's up to it."
Ridge said the Russian hacks "didn't influence the outcome of the election, but are a reminder to citizens and companies alike that we live in an interdependent world. People get excited about the digital forever that computing devices offer, but there are dangers, whether from Russia, China, Iran, North Korea, organized crime or a hacker. If you have something in the network such as personal information, then it's vulnerable and we need to protect it."
Nearly all the nation's vital infrastructure is under the control of the private sector, which is made up primarily of public companies, he added. "That means that CEOs and corporate boards, along with IT shops, have to be paying far more attention than ever before to cybersecurity. I call it the digital forevermore.
"The cyber actors are proliferating and some are owned by nation-states and some with the consent of nations, or it can be organized crime," he said.
Ridge Global has joined with the National Association of Corporate Directors (NACD) and Carnegie Mellon University to raise the level of cyber-risk awareness among CEOs and corporate boards of directors. Last September, they created the first NACD Cyber-Risk Oversight Program, a 20-hour online cyber-risk training package.
"Cybersecurity is the most significant governance challenge for the public and private sector," Ridge said. "It's not just the exclusive domain of the CIO and CTO and is now in the domain of the CEO and the corporate board."
"We're not trying to turn members of boards into technologists, but it will be a better way to understand the risks and broader implications of IT systems and how they impact all parts of business operations, from procurement to HR to supply chain, communications, mergers and intellectual property," he said.
Ridge said the training is intended to urge board members to make an attitude change in favor of greater scrutiny over cyber matters. "If your attitude hasn't changed about cybersecurity, then there's risk for your brand and reputation from a financial point of view," he added. "There's greater risk from SEC investigations over cyber and risk from litigation over cyber."
NACD, which has 17,000 members, recently surveyed more than 600 board directors and professionals and found only 19% believe their boards have a high level of understanding of cybersecurity risks. Also, 59% said they find it challenging to oversee cyber risk. The NACD and the Internet Security Alliance, a trade group, this week are issuing an update of a Cyber Security Handbook first issued in 2014 that has been endorsed by the Justice Department and the Department of Homeland Security.
Ridge also said that federal legislation to require companies to disclose computer hacks at the national level could be valuable to general counsels in large companies with operations in multiple states. Currently, there are disclosure laws in many states, but they are inconsistent. "General counsels in companies probably would like to see a uniform type of reporting, since disclosure varies from state to state," Ridge said.
Still, Ridge said that disclosure laws are "unfortunately at the tail end of the problem, after a company has been hacked. We're trying to minimize hacks. If companies rely on government to help them, that's misplaced confidence. Companies have the most significant responsibility."