The former head of U.S. Cyber Command explains why any company can be a target
Unless you are completely unplugged from global technology, your organization has had to contend with the rise in cyberattacks. Whether you are protecting your employees’ identities, ensuring the safety of your company’s intellectual property, or defending your nation’s security, a lot is at stake. Understanding the threats and knowing how to respond to cyber emergencies is critical to any organization’s operations.
Michael Rogers, a Senior Fellow and Adjunct Professor within the Kellogg Public–Private Interface, is a retired four-star admiral in the U.S. Navy who served as a commander in the U.S. Cyber Command and director at the National Security Agency. In those roles, he helped develop cyber intelligence and technology policy. Since leaving the Navy, he has turned his expertise to helping companies and industries in the private sector cope with cybersecurity issues.
Rogers recently sat down with Sandeep Baliga, a professor of managerial economics and decision sciences at Kellogg, to discuss cybersecurity threats and how leaders can guide their teams through crises.
This conversation took place as part of a recent course on Leadership and Crisis Management at Kellogg. It has been edited for length and clarity.
Sandeep Baliga: In the modern world, all sorts of businesses and institutions are subject to cyberattack. So, please set the stage for us. What kinds of cyberattacks are companies dealing with?
Michael Rogers: In general, cyber-threat activity has a few primary purposes. The most active one is generating revenue. That’s what you see individual criminals doing, but also lone nations like North Korea that use cyber to rob banks, break into online gaming sites to steal money, and mine Bitcoin. These countries are no longer a part of the international financial structure, so they can no longer move money through SWIFT, the global messaging network that allows institutions to securely share information. They had to come up with a different way to get money, and one of the ways they decided on was, “Hey, we can steal it.”
The second purpose is stealing intellectual property. The Chinese government, for example, is interested in oil exploration in the South China Sea. So a huge part of its national strategy with respect to cyber is going after U.S. natural gas and petroleum extraction sites’ technologies.
Companies are the number-one targets for stealing intellectual property, but they are not alone. A lot of major universities around the United States and other parts of the world are starting to realize that nations including the Chinese, the Russians, the Iranians, and the North Koreans are pulling research and dissertations. They’re not doing it because they want to check your students’ grades! They think there’s potential value that can generate an advantage for them.
Third, criminal entities are locking down a company’s data and saying, “Hey look, you want access to this, you’re going to pay us tens of thousands of dollars.” To date, much of this activity has been directed at data, but you watch: it’s going to start going after operating technology, the automated systems that you put in line that enable you to remotely control manufacturing processes, or the movement of petroleum and natural gas across the nation.
Finally, cyber is being used as a weapon designed to achieve hardware or infrastructure impact. Traditionally, that was directed at nation states. But more and more, it is directed at companies. This last one means that companies have to think about risk more broadly. I have heard people say, “Yeah, but our company’s in the food industry. Why would anybody care about us?”
They might think they’re a food company, but to the rest of the world, they are an American food company associated in many ways with America’s lifestyle. That means they’re a potential target, above and beyond any intellectual property associated with food or food processing.
Baliga: So they’re going to attack you just because you’re American. What should American companies do to prepare for this event then?
Rogers: I tell boards to prepare the exact same way as in every other area of their business: prioritize, decide where you can take risk and where you can get the greatest return, and that’s what you focus on.
I suggest looking at cybersecurity from two very different perspectives. First, what are the most likely scenarios? If you can understand how to defend against those, you can deal with most cyberattacks.
The other perspective is a little more challenging: threats that are low probability, but if an opponent is successful, you’ve got massive problems. For example, the Department of Defense has to think about an attack on nuclear infrastructure. We assess this attack as low probability. However, if someone was able to attack successfully, think about the implications for our nation and around the world. So we have to commit a lot of resources toward defense, more than you might expect given the probability of it happening.
The way I frame the question is, “Tell me what processes, data, and infrastructure are most linked to your ability to execute whatever your mission is.” Because your answer to that question is exactly where you want to focus your efforts. In other areas, you can take a risk.
But having said that, when you do take that risk, leadership has to be prepared if it goes wrong in those areas.
Baliga: Let’s say that now you are in an actual crisis. What is the most important thing for a leader to do?
Rogers: I find the most difficult thing, in my experience, is when you’re in the middle of a crisis, your stakeholders generally want you to deal with things immediately. They aren’t interested in you saying, “Hey, give me a year or two to make this investment or get us where we need to be.” They need you to address the situation now.
That means you’re going to have to address substandard or poor performers right away. You might otherwise put up with people who are inexperienced or poorly trained because you view them as a long-term investment. But in a crisis, you have to be willing to say, “Okay, step aside, Johnson,” even if just temporarily. That is hard culturally for a lot of people, because it is also important to treat men and women with respect, and let them train and become more experienced over time. But as a leader, you’ve got to be willing to not be popular.
[This article has been republished, with permission, from Kellogg Insight, the faculty research & ideas magazine of Kellogg School of Management at Northwestern University]