
Interview with Jody Westby, Global Cyber Risk, USA

Drawing upon a unique combination of more than twenty years of technical, legal, policy, and business experience, Jody Westby provides consulting and legal services to public and private sector clients around the world in the areas of privacy, security, outsourcing risk management, business continuity, and technology compliance issues. She also serves as Adjunct Distinguished Fellow for Carnegie Mellon CyLab. Prior to forming Global Cyber Risk, Ms. Westby served as senior managing director for PricewaterhouseCoopers (PwC), specializing in outsourcing and cyber security/privacy issues. Before that, she was president of The Work-IT Group; launched In-Q-Tel, an IT venture capital/solutions company for the CIA; served as director of domestic policy for the U.S. Chamber of Commerce; was senior fellow and director of IT studies for the Progress & Freedom Foundation; practiced law with two top-tier New York firms; and spent ten years in the computer industry specializing in database management systems.

OEB News Service: What issues will you address in your presentation "Countering Terrorism with Cyber Security"?

Jody Westby: The U.S. and other developed nations can no longer counter terrorism with traditional approaches of "hunt, capture, and kill." Terrorists have taken information and communication technologies (ICTs) and used them to recruit jihadists from around the globe, launder funds, train and spread propaganda about the jihadist movement, and conspire and communicate.

Terrorist cells exist in over sixty countries and have effectively taken local grievances and globalized them via their effective use of ICTs. The nature of the Internet and the present inability to track and trace cyber communications due to existing protocols has provided the perfect anonymous tool for terrorist activities. As countries have closed their borders, created barriers to entry, and closed in on known groups of terrorists, ICTs have provided the perfect vehicle for terrorists to operate under all the erected barriers and precautionary measures.

Moreover, since the U.S. and other developed nations have been so inept at utilizing the technologies they invented against their own enemies, the jihadist messages are "out there" in an unchallenged form and serve to perpetuate a "global truth" to those who are drawn to it. If the U.S. and other nations hope to turn the tide on terrorists, they must implement Internet Protocol (IP) version 6 that would enable the assignment of permanent IP addresses for every person and device and facilitate tracking and tracing of cyber communications, establish 24/7 response capabilities in the nearly 240 countries connected to the Internet, and improve the public-private sharing of information.

OEB: What are the most severe 'cyber crimes' and what makes them so serious for society?

JW: Well, the answer to this question can vary, but I would say that the most severe cybercrime is one that involves a direct attack on critical infrastructure, such as a communications or electricity grid. I do not mean Distributed Denial of Service Attacks, which have serious consequences through the denial of the network to users. I am referring to potential attacks against critical infrastructure that could have catastrophic consequences and potentially serious loss of life. We know that terrorists have studied plans for dams and other major utility grids and have considered approaches to cyber attacks against these networks.

We also know that the supervisory control and data acquisition (SCADA) systems that control most utility and manufacturing grids are highly vulnerable to security breaches. An attack that rendered major portions of the communications network inoperable in the dead of winter or other stressful times could cause serious loss of life and significant chaos in response capabilities. Add to that the interdependencies between communications and electrical grids, and it is a dynamic that most governments and private sector entities are unprepared for.

OEB: The Internet is becoming more and more pervasive in all areas of individual lives, societies, and the corporate world. Sabotage or terrorism via cyberspace may become a more serious threat as computer systems are becoming more and more complex and interdependent.

Enhancing security through deploying company-wide security solutions can be one way to protect sensitive data. What other means are there to protect organisations or businesses from cyber crime?

JW: Enterprise security programmes offer the best defense against internal and external threats. Technical solutions alone will not prevent cyber incidents. Neither will policies and procedures. It takes a blended approach of legal, technical, managerial, and operational considerations to develop an effective enterprise security program that actually works and has returning benefits to the organization. It also requires public-private sector cooperation, good business continuity and incident response plans, and consistent training to a variety of audiences.

It is so tempting to put a policy in a book, to institute some operational process, or to deploy a technical solution, but, in the end, it is the integrated program that links people, processes, policies, and procedures that is effective. This is where e-learning can play such a valuable role through delivery of a consistent message in a manner that can bridge oceans and time zones and convey the corporate culture. E-Learning really is an under-utilized tool that can convey cultural expectations, legal compliance requirements, managerial policies, and operational procedures in an inexpensive, consistent format that helps minimize liabilities and improves corporate governance.

OEB: Ms. Westby, thank you very much for your time.

 

More information about the “E-Learning for Defence and Security Forum” on Wednesday, November 29, 2006.

Jody Westby is also chairing the session SEC08 “E-Learning in the Medical Sector” on Thursday, November 30, from 11:45 – 13:15 hrs.

 

The interview was conducted by Beate Kleessen, OEB News Service.

 
