Best known as the protectors of presidents, the US Secret Service (USSS) are often seen as the men and women in dark suits and impenetrable glasses running alongside limousines and walking two steps behind world leaders. But when the USSS was created in 1865, its mission was to safeguard America's financial payment systems from fraud, counterfeiting and exploitation. These days, technology is often the facilitator of these crimes, so understanding and using technology for the detection and prevention of computer crime has become an integral part of the USSS's mission.
In 1995, the New York Electronic Crimes Task Force (NYECTF), a division of the USSS, was developed specifically to help companies beef up their cybersecurity. It's worked so well in New York that the newly passed Patriot Act calls for the Secret Service to establish similar groups across the nation to prevent electronic crime. Groups are currently being formed in Boston, Charlotte, N.C., Chicago, Cleveland and Columbia, S.C. Bob Weaver, the assistant special agent in charge of the task force in New York City, has overseen the training of more than 20,000 individuals in security awareness, best practices and contingency planning for security crises. On September 11, Weaver and his team found themselves on the front line of a real-life security emergency when their offices at 7 World Trade Center came crashing down. Weaver's hard work at educating the corporate community about security paid off in spades when NYECTF members showed up in the days and hours that followed to work round-the-clock and rebuild his group. We talked with Weaver about weathering the attack, the effect it has had on corporate security, the renewed responsibilities CEOs face to provide security leadership, and how making friends with their peers could be the most important business decision CEOs make.
In the wake of September 11, is there a renewed sense of patriotism and responsibility that carries over to business? Do companies now have a larger responsibility to share information about security breaches? Weaver: The president has decided that homeland security is a Cabinet-rank position, and I would suggest that companies should take that into consideration. If significant portions of the critical infrastructure go down and it was preventable, then what have we achieved as a community? Have we failed or succeeded? Reach within your means to help support and coordinate what can affect you, your company and your community. Certainly the NYECTF could not have held up by itself, and I will freely admit to you that because [those companies] extended themselves beyond their obligations, we were better off.
If businesses partner with government and industry experts to share security information and fight breaches, how do they benefit? Well, I don't want to say that you become bulletproof, but you become stronger tenfold. [Business and government] run parallel to each other, and where there is common ground, value or mutually beneficial situations is where we need to come together.
What did your task force do to help companies deal with security risks? We created a no-strings-attached cyber- and physical security risk management survey that we give to companies for free. [To download a copy of the NYECTF security survey, go to the Helpful Links section of its site at www.ectaskforce.org.] We will help them with it, or they can do it on their own. When we're in our protection mode—for major events like the Olympics—we go to great lengths to protect the critical infrastructure of the community. We check the telecommunications, water, oil, gas, electricity, emergency services and transportation. All of these things are outlined in the survey. It also addresses cybersecurity issues: from just simply backing up data, to putting up firewalls, to updating viruses and monitoring systems.
What is the role of CEOs in their company's security? That's very important. I would say to the CEO that his or her senior executives need to be represented [in a cross-functional security committee] so that communication about security happens right at the top of the company. That way the CEO understands what stage the company is in regarding security planning and where it needs to be because this is a work in progress. None of this stuff is cast in stone. That's why senior executives have to be involved in the process—because it will be fluid, it will change, and it will evolve.
In most companies, cybersecurity is an IS issue, and physical security is a facility issue. Is this division of security the right approach? Some people call it enterprise protection planning; some people call it risk management. But I recommend to companies that directors of security, CIOs and CEOs consider that streamlining [cyber- and physical security] can provide them an extra level of fast-track communication when times get tough. Better coordination and communication between them is good business. In the corporate world, we're seeing an awakening in which those two components are coming closer together.
Has the mission of the New York Electronic Crimes Task Force changed given the emphasis on security? Our mission hasn't changed since September 11, but it has been rededicated. We're more highly motivated now. We know what it's like when a company goes down because we were down. We had our quarterly meeting recently, and at that meeting were 550 people. Almost 70 percent of those individuals were from corporations. That tells you the stakes are high. And these are very talented people who collaborate regularly.
How does the task force feed its member companies information about security issues? We've created a Listserv of the participating members of the task force and a running dialogue of current cases, current schemes to defraud, criminal enterprises and viruses. Carnegie Mellon is on the task force, and they run the computer emergency response team coordination centre, so we let them do the notifications. For more critical conversations, members can go offline and contact each other directly.
Did the attacks raise the bar on the level of security that companies should aim for? How does a company know when it has enough security? Well, imagine getting up from your desk right now, walking out the door and running for your life while everything you left behind is destroyed. Then tomorrow, go back to work. When you can stand up under that battle-tested environment and actually go to work the next day, then you'll know that you have a robust and redundant system that can come only from pre-incident planning [see "Plan for the Worst," below]. You cannot make that up as you go along—that would be like trying to change the tire on a car as you're driving down the road. You've got to set policies and procedures at the strategic, tactical and operational levels while protecting your information and your intellectual property. Companies that don't do this are risking everything every day.
To what degree have you found most companies and CEOs willing to seek help and share information? From my experience, all of that is based on trust and confidence. It's very difficult to call up a stranger and tell him about the crown jewels. If you have a preexisting relationship, that becomes a very important component when times are tough. If you look at Secret Service credentials, they tell you that the agent in front of you is worthy of trust and confidence. It's not about controlling or dictating partnerships, it's about caring about what's in companies' best interests.
Is trust a stumbling block when companies are competitors and you're trying to foster an open discussion about security? Companies usually come to us as a referral from an existing member. We don't have memorandums of understanding or nondisclosure agreements. We don't sign any paperwork. We believe that there are policies and procedures in place now—criminal laws and civil laws—that protect both of us. If I have to ask you to sign a 35-page document before I can talk to you, maybe we can't do business.
Because there's not going to be complete honesty there? Having different objectives doesn't mean we can't be completely honest. But I would suggest to you that this group is the last place on earth that you'd want to come to destroy your reputation, end your professional career or steal intellectual property. You'll have just announced to the world—100 to 200 of the top high-speed companies—that you cannot be trusted, that you may be a crook or a thief.
In testimony before Congress last October you mentioned the Secret Service recognises that information sharing between law enforcement and the private sector must shift. What kind of relationship do you hope to build between the two groups? The way that we conduct business is the shift I'm referring to where relationships and partnerships are the watchwords and the high watermarks that we need to be at. Firemen do it right. They don't really want to be at your house to put out a fire. Instead they go to great lengths to educate with regard to fire prevention. But if you need them, call, and they'll be there. I think that's a good lesson for all of us. We believe in crime prevention; we believe in cybercrime prevention—and the best way to do that is to share information.
What happened to your group after losing your offices at 7 World Trade Center? For a long time it was our job to take care of the [business] community, and we never thought the community would have to take care of us, but that's what happened on September 11. We had total catastrophic failure. Everything was destroyed—from tables and chairs to vehicles, computers and phones. We lost all of our information at that location. Our data is backed up and stored at a remote location, so that was all recoverable, but no hard copy or hard drive data was recovered from 7 World Trade. Yet we were able to rebuild within 48 hours, and in seven days we were twice as strong with robust and redundant wireless communications and computer network capabilities. I attribute that to the partnerships we had formed with the companies in the NYECTF.
They rebuilt us from the ground up. I'm not just talking about regular people showing up. I'm talking about presidents, CEOs and CIOs showing up to help us. When it's 2 or 3 o'clock in the morning and the CEO or CIO of a company is connecting computers and building firewalls, it's inspirational.
All the companies that came to your rescue were members of the NYECTF. Had you contracted with any of them ahead of time, or were they coming strictly out of friendship? They're participating members of the task force, but they gave back to us of their own volition. We can't require the private sector to do anything unless mandated by law. They came without being called.
How important is it for companies to have those kinds of relationships with service providers before tragedy strikes? If you want to talk about due diligence, best practices and risk management, companies should have a contingency plan in effect. And if that involves third-party contractors, coalitions or alliances that they have set up, I think it's a very smart thing to do. Equipment, resources and contingency plans are important because if they're not in place, you risk everything. So I would say to any company—small, medium, large or global—have a plan in effect to fall back on.
Are there lessons that you learned from your experience? Nothing replaces well-trained people. But the events aren't always going to be catastrophic. We sit down and have debriefings to discuss what we could do better every time [a security breach] happens. It's a powerful way to take lessons learned and turn them into action items. On September 11 we had a relocation plan, a contingency plan, an evacuation plan, a communications plan and a network plan. These things need to be up and running in a time-sensitive way. That's where the companies stepped in to help us. That's the difference between being operational in 48 hours and 48 days.
Plan for the Worst
Also called contingency planning, pre-incident planning is the creation of an action plan that will be put into motion when a security breach occurs. Here's what it should include.
·The members of the incident response team: names, titles, around-the-clock contact information and their roles in the event of a security breach. The team should include representatives from IS, each business unit, public relations, legal, marketing, communications and human resources.
·The contact information for vendors contracted to help during a security emergency and an outline of the roles they'll assume.
·A plan for how and when employees, customers and strategic partners will be informed of the problem.
·A definition of the situations in which the authorities should be notified along with information on how to reach a preestablished contact at the relevant agencies.
·Escalation procedures that lay out actions the company should take if an attack turns out to be protracted or especially damaging. —Daintry Duffy