Newport, RI—Over three dozen senior private sector executives gathered at the Pell Center on October 9, 2013 to participate in a six-hour, discussion-based cybersecurity table top exercise. The event marked the start of the Pell Center’s Rhode Island Corporate Cybersecurity Initiative, which aims to bring together senior leaders from various industries—defense, financial services, technology, health care, etc.—who can effect change and make Rhode Island’s corporate community a national model of cybersecurity leadership. Timed to coincide with the 10th anniversary of National Cybersecurity Awareness Month this October, the ongoing initiative will provide a forum where public and private sector leaders can discuss ways to make their companies—and thus Rhode Island—safe, secure, and resilient in the face of persistent cyber threats.
As part of this effort, the October 9 exercise offered local business leaders an opportunity to work through scenarios involving real-world events impacting the security of companies’ networks and sensitive information. Participants worked together on a range of key and cutting-edge cybersecurity issues, including: incident response and prioritization, cyber espionage, insider threats, data leakage considerations, legal issues, and regulatory compliance. The exercise emphasized the importance of protecting cyber infrastructure, fostering employee awareness and training, cultivating information sharing, promoting business continuity and resiliency planning, and developing additional collaborative partnerships such as the one initiated by the Pell Center.
In addition to the participatory exercise, private sector leaders were also able to hear from three remarkable guest speakers—Dr. Chris Demchak, Jim Lavoie, and Corporal John Alfred—who offered their insights and experiences on cybersecurity matters from the varying fields of academia, private sector and law enforcement. The speakers offered a wealth of information to the participants, laying the groundwork for a productive discussion on the topic and underscoring the importance of cybersecurity to Rhode Island and the region at large.
The first speaker, Dr. Chris Demchak—professor at the U.S. Naval War College and co-director of the Center for Cyber Conflict Studies—emphasized how cyberspace underpins critical systems for most societies worldwide. Cyberspace impacts everything from your social media feed to your car’s GPS to your ability to withdraw money from an ATM—in short, cyberspace is essential for many activities today, both domestically and internationally. Dr. Demchak noted that, given the growing scope and sophistication of cyber threats, industries that work with our critical infrastructure are in urgent need of multiple layers of resilience. A resilient cyber infrastructure requires “redundancy of knowledge, slack in time to respond, organizational discovery trial-and-error learning, collective sense making and rapid, collaborative response.” “Protecting cyber infrastructure,” she continued, “cannot be left to a company’s IT department.” Leaders of these organizations need to lead by example by “enforcing cyber hygiene, establishing and testing technological tools before a system is challenged, and building inter-organizational collaborations in order to respond quickly and creatively in an emergency.” She hailed the Pell Center’s initiative as an important effort to bring companies together to share knowledge.
Jim Lavoie—CEO of Rite Solutions Inc., a RI-based engineering and software development contractor—shared the story of his company’s fight in the cyber realm, a battle that many businesses may be losing. “There’s nothing really special about me or my company,” he said. “[The day we came under cyber-attack] wasn’t a special day, it wasn’t 9/11, it was just a day—a Thursday. I either have a lot of potential customers or people think I am special, so I got hacked,” he said. Without advance warning, the company’s network was bombarded with over 40,000 hits against its firewall from perhaps as many as 71 countries (Note: country codes can be spoofed) within a 24-hour period, he said. Lavoie discussed some of the company’s incident response measures after the breach had happened, but perhaps his final revelation was the most critical for those in attendance: “What I realized is that my weakest link was my most important asset—my employees” who needed additional training and tools to protect the company’s assets.
Corporal John Alfred, who leads the RI Cyber Disruption Team, praised Lavoie for his candor in discussing the matter. “Most people don’t do what you do,” he said. “Most people think, ‘I’m not going to be that guy.’” Corporal Alfred encouraged leaders in the room to find avenues for collaboration and information sharing, and offered an overview of the work carried out by his team to prevent and mitigate cyber threats to critical infrastructure across the state. Alfred’s point underscores what was likely the biggest take-away from the event: cybersecurity must be a shared responsibility and shared concern. Each of us has a role to play in safeguarding the networks we use in our daily lives, and we must work together to achieve that end.
Congressman Jim Langevin regretted missing the exercise, but sent his best wishes to those in attendance via Twitter, along with a call for stronger cyber defenses and criticism of the current government shutdown, which has halted progress on various cybersecurity measures at a time when the country can least afford to be disrupted and disorganized.
— Jim Langevin (@jimlangevin) October 9, 2013
The exercise will be followed by an After-Action Report Workshop on November 13, 2013 to discuss lessons learned and identify areas of improvement in cyber resilience. The November workshop will assist organizations in prioritizing their cybersecurity improvement plans and in the cultivation of information-sharing and cooperation activities.
In addition to the November workshop, future Rhode Island Corporate Community Initiative events will include briefings on emerging cyber threats and responses, lectures with leading cybersecurity experts, training classes, working group meetings, and other boardroom cybersecurity exercises. The first world-renowned expert that the Pell Center will host in November is Melissa Hathaway, top-rated American private sector cybersecurity expert and former ‘Cyber Czar’ in both the administrations of President George W. Bush and President Obama.