Kidnappings. Mass shootings. 9/11. NotPetya. The first three might not seem to have much in common with the fourth, but NotPetya was a “real crisis” that should have gotten much more attention and led to greater action, according to Shawn Henry, president and CSO of Crowdstrike Services.
Speaking to attendees of Advisen’s Cyber Risk Insights Conference in New York, Henry said that he was asked if he was “going to scare people” during his talk.
“If the truth scares people, so be it,” he said. Henry, formerly the executive assistant director of the FBI, said that he never expected his career in the private sector to include “real crises” like those he had encountered in the public sector, but NotPetya was a serious event, a “game-changer” that highlighted a risk that organizations and individuals don’t appear to be taking seriously.
“When do people start to take all this seriously? When they can’t charge their iPhone for three days,” said Henry. “If NotPetya doesn’t get people’s attention, I don’t know what will.”
Huge global organizations were brought to a halt during the June 27, 2017, malware attack that has since been attributed to Russia. In the Ukraine, Henry said, more than 10% of the computers were wiped out, with no access to the data and the loss of functionality of devices in their environment. Thousands of computers were destroyed, connected doors wouldn’t open because keycards no longer worked. The affected organizations weren’t all targets of the attack but were heavily impacted regardless.
“And that attack moved throughout the world,” he said. “We saw the physical impact of an electronic attack. They ceased to exist in separate worlds and intersected.”
He added, “The inability to operate, the digital equivalent of a bomb going off in a headquarters, was a real crisis.”
While not intending to be “dramatic,” Henry explained that seeing a major event requiring a crisis response in the private sector, like those he had worked on with the government “got his attention.”
To the insurance-oriented audience, he commented, “Your world is risk” and reminded attendees that many of the concepts, principles, and theories used in the physical world to manage risk can still apply in the digital world.
“The thing that bothers me is the lack of urgency,” said Henry. He advised the audience to assert leadership on cyber risk to raise awareness that without understanding and addressing the key problems, “this is something that could really hurt us long-term.”
“Our lack of engagement here doesn’t just impact our customers and our companies. It impacts future generations,” he said, calling upon the audience to “demonstrate leadership, step up, and question people.”
Editor Erin Ayers can be reached at firstname.lastname@example.org