Retired Gen. David Petraeus (left) and Gov. John Hickenlooper talk cybersecurity at the NCC’s first National Cyber Symposium at The Broadmoor hotel.

Hundreds of tech experts gathered at The Broadmoor hotel Nov. 1-3 for the inaugural National Cyber Symposium.

The symposium is a landmark event for the nascent National Cybersecurity Center as it works to build what interim CEO Vance Brown calls “a great ecosystem for cyber, innovation and security,” bringing together industry, educational institutions, government, military, startups and think tanks.

“I really believe you’re going to look back 10 years from now and see this as a defining moment …” Brown said. “I call the NCC the nexus, the glue, the hub. … We have this amazing opportunity in Colorado Springs and Colorado to make not just a national impact but a global impact in terms of these ecosystems and how uniquely prepared we are to do this if we come together.”

Building better cybersecurity through collaboration was a theme that emerged repeatedly during the event. The other: Cyber breaches now pose an existential threat to business and government at all levels, and the pace of change means even the best minds in the business are already playing catch-up.

Former CIA Director Gen. David Petraeus and Gov. John Hickenlooper emphasized that point before a crowd of 420 at the keynote dinner Nov. 1.

“The big idea there is that we just can’t keep up with the developments [in cybersecurity threats],” Petraeus said. “We’re already behind. We don’t have even the concepts.”

Petraeus noted that at the dawn of the nuclear age, the so-called ‘Wizards of Armageddon’ had decades “to think out their intricate theories of deterrence.” By contrast, cyber risk “is leaping ahead so rapidly that we can’t even keep up with it conceptually, much less with legislation.”

Government and industry need to establish some concept of how to respond to a potential “cyber 1914,” in which a targeted cyber attack spirals into a global disaster, Petraeus said.

“We really have these very intricate ideas and plans for the nuclear age, and we just don’t have that for the cyber age,” he said.

Gov. Hickenlooper recalled speaking with President Barack Obama last year, when the president visited Colorado Springs to give the commencement address at the Air Force Academy.

“Afterwards I asked him what kept him awake at night, what was the thing he was most worried about, and he said flat out, ‘Cybersecurity,’” Hickenlooper said. “More than ISIS, more than North Korea — more than anything, cybersecurity was the thing that would wake him up.”

Petraeus said governments should be most worried about cyber attacks on the industrial control systems that run electrical grids and water systems.

“The big worry that I have … is the idea of extremists who are willing to blow themselves up on the battlefield and take us with them, conduct suicide attacks — what in the world would stop them from hitting the ‘send’ key if they ever got the cyber equivalent of a weapon of mass destruction?” he said. “In other words, the ability to shut down the electrical grid of the Northeast and keep it down. This [would be] the Hurricane Katrina, the Hurricane Sandy that just goes on and on and on, and the effects would be catastrophic. …

“All the different workarounds that would be required, you’re going to be in an absolute humanitarian catastrophe, so we’ve got to attack this problem of the vulnerability of [industrial control system] boxes.”

In an executive-level briefing on the cybersecurity landscape Nov. 2, William Blair & Company partner and co-group technology head Bhavan Suri said public and private companies also need a greater sense of urgency about cybersecurity.

“Ten years ago when we thought about a hacker we thought about the teenage kid that would try to deface a website. … The reality is the cybersecurity landscape is now dominated by nation-state actors, by for-profit criminal organizations and politically motivated activists that are leveraging the data that is out there,” Suri said. “A lot of this has now become a cottage industry. … You don’t need a Ph.D. in computer science to launch these attacks.”

With resources available on Wikipedia, YouTube and the Darknet, it’s easy and inexpensive to launch a cyber attack against a Fortune 500 company, he said.

“It’s relatively unsophisticated users, but they’re able to, on an asymmetric basis, leverage their skill set to impact a large number of individuals at a relatively low cost,” Suri said.

Statistics on the number and cost of attacks are “eye-popping,” he said.

“Everyone needs to take this seriously. … Hackers are finding new ways to monetize the threats, and there’s billions of dollars in damage being done.

“Executive management [thinks] of security as a tax on the organization and they don’t want to spend a lot of money, but they have to start thinking about security as being an enterprise-level risk,” Suri said. “This is no longer the world where we have the luxury of spending on IT or security because we want to — it’s become the situation where it can compromise the integrity of the entire organization and its mission.”

Petraeus said Colorado Springs has the big ideas and the building blocks to create “critical mass” of cybersecurity expertise, education and firms.

The next thing, he said, is to create an action plan for each sector of the cyber ecosystem — at city and state levels, for universities and the military.

“Then what happens is you just reach critical mass and the chain reaction sets off — then you’ve got something that’s really special,” Petraeus said. “Then it just becomes self-sustaining and people are just going to be banging on the door to Colorado Springs, to get their piece on the side of the Silicon Peak.”

Brown said building community through events like the National Cyber Symposium is essential to the NCC’s mission.

“This isn’t just an afterthought; this is going to be critical,” he said. “We’re just setting the table for the conversations we need to have. … I think where the real work and the real value occurs is not the setting of the table, but the conversations that are had in community and the relationships that are built.

“It’s like life — it’s the relationships, and I think people in IT and security feel very lonely. … It’s a scary and lonely job, the amount of risk they’re taking on [with] the lack of resources they’re getting. Then they come together in community and go, ‘Oh, I’m not crazy. We do need more. This is a big deal.’

“That brings people together, and that’s a great starting place.”