The Empire Club Presents
Governor Tom Ridge, Former U.S. Secretary of Homeland Security
with
Cyberterrorism: The Next Wave
November 15, 2016
Welcome Address, by Paul Fogolin, Vice President of the Ontario Retirement Communities Association and President of the Empire Club of Canada
Good afternoon once again, ladies and gentlemen. I hope you enjoyed your lunch today. From the One King West Hotel, again, in downtown Toronto, welcome, to the 113th season of the Empire Club of Canada. For those of you just joining us either through our webcast or our podcast, welcome, to the meeting.
Before our distinguished speaker is introduced today, it gives me great pleasure to introduce our Head Table Guests. We do have a fantastic Head Table here with us today. I would ask that each of the Head Table Guests rise as I call their name and, typically, at this point, we ask the audience to refrain from clapping, but we know nobody listens, so clap as much as you like as I announce the names.
Head Table
Distinguished Guest Speaker:
Governor Tom Ridge, Former Secretary of Homeland Security; Former Governor of Pennsylvania; and Chairman, Ridge Global
Guests:
Mr. Brian Jones, Founder and Vice Chairman, Ridge Canada Cyber Solutions
Mr. Greg Markell, President & CEO, Ridge Canada
Mr. Peter McFarlane, Managing Director, Toronto Head Office, Kroll
Mr. Sean Murphy, President, Lloyd’s Canada Inc.
Mr. Bill Nugent, Regional Managing Director, North America, Kroll
Mr. David Peterson, Chairman, Cassels Brock & Blackwell LLP; Chancellor, Emeritus, University of Toronto; and Former Premier of Ontario
Mr. Brian Reeve, Partner, Cassels Brock & Blackwell LLP
Ms. Verity Sylvester, Vice President, CMC+CO; Past President, Empire Club of Canada
Ms. Ilse Treurnicht, CEO, MaRS Discovery District; Director, Empire Club of Canada
Once again, my name is Paul Fogolin. In my day job, I am the Vice President of the Ontario Retirement Communities Association, and I am the President of the Empire Club of Canada. Ladies and gentlemen, your Head Table.
I would also like to take the time to point out that we have, I believe, two past presidents, in addition to Verity with us today: Mr. Peter Hermant and Mr. Noble Chummar.
Security is one of the foremost issues of our time. All across the globe and here in the west, people live their lives in some degree of fear. It is just a fact. And whether or not we agree with the degree of fear that people are living in, it is how people feel. When a Pew research poll was conducted earlier this year in the United States, they asked 2,000 Americans to list what they believe the top international threats to security to be. Number one was ISIS, which is no surprise. What might be surprising to you is that number two was the threat of nation-on-nation cyberterrorism. In particular, people are concerned about things like a digital raid to steal another government’s information or a large-scale attack on a nation’s electrical grid. Fully 72% of Americans believe that cyberterrorism is a legitimate threat. This beats out the fear of global economic downturn, the fear of the spread of infectious diseases and even the fear of climate change. That is significant!
It is hard to know where we truly stand. Is cyberterrorism truly a great threat or perhaps is it something that is maybe a fad, hyped up by the media? Perhaps it is something bigger than that, a more existential threat, perhaps, even the greatest threat of our modern era.
Fortunately, today, we are privileged to have a guest speaker with us who has some answers, a man with a wealth of experience on matters of national security and the rapid rise of digital and cyberterrorism. He is here to help us make sense of this evolving danger and to better prepare for the challenges that lie ahead, both for government and for business, and not just in the United States, but also, here, at home, in Canada.
Following the tragic events of September 11th, 2001, Tom Ridge became the first Assistant to the President for Homeland Security, and, on January 24th of 2003, he became the first Secretary of the U.S. Department of Homeland Security. During his tenure at DHS, Secretary Ridge worked with close to 200,000 employees from a combined 22 agencies to create a single agency that facilitated exemplary security for American citizens. Perhaps, he is slightly to blame for lineups at airports, but folks, there is so much more to it than minor annoyances. DHS was concerned with the flow of people and goods; instituted layered security at air, land and seaports; developed a unified national response and recovery plan; protected critical infrastructure; integrated new technology; and improved information-sharing worldwide. Tom Ridge served as Secretary of this historic and critical institution until February 1st of 2005.
Prior to the events of September 11th, Tom Ridge was twice elected as Governor of the State of Pennsylvania. He served as the state’s 43rd governor from 1995 until 2001. Governor Ridge graduated from Harvard with honours. After his first year of law school at Penn State, he was drafted into the U.S. Army, where he served as an infantry staff sergeant in Vietnam. He earned the Bronze Star for Valor, the Combat Infantryman Badge and the Vietnam Cross of Gallantry. Once he returned to Pennsylvania, he earned his law degree and, later, became one of the first Vietnam combat veterans elected to the U.S. House of Representatives, where he would serve for six terms.
He is currently Chairman of the United States Chamber of Commerce’s National Security Task Force. He is also the co-founder of Ridge Canada. He provides clients with solutions to cybersecurity, international security and risk management issues.
Ladies and gentlemen, we are tremendously privileged to have Governor Ridge with us today. Join me in welcoming him to our podium.
Governor Tom Ridge
Thank you very much, Mr. President, for your very gracious introduction, and thank you very much for your very warm reception.
I am burdened down by the history of the legacy of the speakers who have appeared before the Empire Club since 1903, and I will proceed notwithstanding that you have had people like Gandhi and Winston Churchill and many other luminaries. It is a great pleasure to have the chance to really have a conversation with you about something that your president and I thought might be of interest to you and the business community and to the government as well, and that is really business in the, what I call, ‘digital forevermore’.
A couple of initial thoughts: I have had a great life in public service and will always be grateful for the opportunities to serve my country, but if you look closely at my résumé, you would probably say, “The guy can’t hold a job.” I bounced around a couple. I have enjoyed the privilege of serving everyone from, when you think about it, as sergeant in Vietnam to a cabinet secretary. For those of you here who have been in public service, you understand, and I understand your mentality. It is about service. I am privileged to have done that. I am now, however, a private citizen, and I suspect we will have a little Q&A after all this, and the questions may not just be on the digital part of the world, so I look forward to the Q&A period as well.
This audience should know—and I said this earlier today—I am not going to replicate the speech, but the first country that recognized my new position as Assistant to the President for Homeland Security and actually sent an emissary to meet with me, was Canada. I have not forgotten that. I also have not forgotten that the individual who was sent to me was a man that I think Canadians admire as a political leader and as a businessman: John Manley.
John and I had the privilege of working on what we thought was a document of potential significance, a smart border accord, because we understood going in that the relationship, the commitment to democratic values, the economic relationship, was very, very important, and we needed to build a smart border. I was honoured to work with him on that.
I am honoured to have been born in the city of the Stanley Cup champions: Thank you very much, Pittsburgh, Pennsylvania! I am here to thank you for two great goal tenders, six or seven members of the team. We have got a guy on our team you may or may not know, but he is really good: Sidney Crosby. He is really good. As I said to the audience before, on a clear day in Erie County, where I live, on a beautiful, summer day, I can look from an elevation and see Long Point, Canada.
I am delighted to be with you for many, many reasons. I am grateful for the invitation and glad to be with my friends from Ridge Canada. I like that. I like being associated with you guys in this country, so I appreciate that very much.
The vantage point I have had in government is I try to distill to audiences what I think some of the most pressing 21st century challenges are which effect really dramatic changes in the global scene. The first is the scourge of terrorism. We are not going to talk about that, but this is a permanent condition from now on. It is a global scourge. It will move around the countries a little bit, but we should not be breathless about it. We ought to accept that, and some other time we can talk about that.
The other permanent change in how the world lives and operates and functions, which is both positive and potentially negative, is what I call the ‘digital forevermore’. We are as hyper-connected today, but by 2020, there will be 50 million devices connected to the Internet. Think about that for a moment. How many times do you rely on the Internet during the day, and you just take it for granted it is there? It is like turning on the light. As users, as consumers, as business leaders, as government officials, we are all connected. That is really important to note, and that is really why I wanted to focus my remarks around what I call the digital forevermore.
If you take a look at the early ‘50s when they were beginning to build this little system, it was from our Department of Defense to multiple research universities. Fast forward to November of 2016: What an incredible digital ecosystem that we all have! It is interesting: The basic characteristics of the Internet and the system have not changed. It was designed to be an open system. That is good. It cannot be secured. That is bad. The ubiquity of the Internet is its strength. The ubiquity of the Internet is its weakness. There is so much promise in the Internet. I mean, if you are running a company, it improves your efficiency; it improves the supply chain, outreach and access to customers. Your suppliers, your profitability goes up. What is the peril? Well, if you have intellectual property and somebody else is interested, they might be able to access it through the Internet. If you have personal identification information of employees or customers, somebody might access it. We have got this extraordinary ecosystem that has enormous promise. Agriculture will be improved. Healthcare will be improved. Environment can be improved. The list goes on and on and on. That is the promise. I just think that it is important for countries to pay a little bit more attention—and companies—to the peril of operating in the digital forevermore.
The actors are well known to all of us, are they not? I mean, China has got my dossier. I was one of the 22 million people who had all kinds of personal information with the Office of Personnel Management. It is part of geopolitics these days as well. They have got a lot of trade secrets. They have got a lot of IP from some of our defenses. Organized crime has a lot of personal identification information they sell. There is a dark web. They sell it. They can use it, steal your identity, file a false tax return, do this, do that. There are all kinds of uses for that information, whether you believe it or not.
You have the hackers. Who are the hackers? Well, you have got the nation states. You have got organized crime. Sometimes it is known and encouraged by the country; sometimes they cannot do anything about it, and they are indifferent, but it is out there. The primary culprits are China, Russia, Iran, and there are others because once you build that capacity inside your government, if you choose to use it to affect geopolitics, you can. We did with Stuxnet in Iran. Remember we set up the centrifuges, so we slowed down the Iranian nuclear program. We did not eliminate it. We slowed it down. Well, before that, Russia had used it, and China has used it, so the notion that somehow countries do not use access to critical infrastructure as part of their game plan, their game planning, their war planning, is wrong. Russia and China both in published materials, talk about that dimension of war.
When I was a soldier, it was air, land and sea. Then, we put somebody in space. Space became the fourth dimension of war. And five is the digital space. Should we be breathless about it? No, I say do not; it is just a reality. Accept it as it is. That is the point of the conversation I am having with you.
We know who the actors are. What do they hope to achieve? Espionage, economic espionage—it really undermines and has undermined. And it probably put some companies out of business. You have got very strict IP; you better protect it. When you are looking at your own enterprise, you do not have to necessarily protect the whole thing, but if you have got some crown jewels there, you better make sure you have got a series of digital things you do to protect that IP. Of course, countries use it to spy. Espionage has been very much a part of the global community we work in.
I was over in China about a year and a half ago, speaking to a cybersecurity conference, which is almost an oxymoron over there. When it was all over, I was invited to speak to the Minister of Information Security. I think that was the right title. I am very respectful. We are having this wonderful conversation. In the course of the conversation, he allowed that how pleasant the dialogue was between us. He said, “This is a very friendly conversation. Friends drink tea and enemies shoot at one another.” I said, “Well, Minister, I have done both.” We proceeded along the conversation, and then I got this straight-faced, inscrutable look, talking about all the false accusations that we are spying on you in America. I said, respectfully, to the minister, “We teach the history of one of your great military strategists, Sun Tzu, in our service academies. Sun Tzu, a millennium ago, said, ‘It’s the enlightened ruler and a brilliant general that gets as much information as they can to secure advantage on the battlefield.’” While we were having a conversation about cybersecurity, I said, “Let us just admit this: We were looking over your digital shoulder; you are looking over our digital shoulder, and let us talk about some other things,” which we did. We should not be so naïve to think that countries are not doing it all the time to each other. We are.
Frankly, the fact that we used it as an attempt to affect policy, vis-à-vis Iran—it is not like America had done it first because Russia and others have been doing it. But it is part of the game we play. You have got espionage; you have got theft; you have got disruption. We know who the actors are. We know what the threats are.
What do we do when it comes to the business community? And this is not just Canadian business; I have said it to American businesses and businesses elsewhere: There is an old mindset, an old attitude, towards cybersecurity. One understands that you are vulnerable internally—not in terms of malfeasance by one of your employees; it just may be gross negligence. A couple of years ago, a company did a survey and found one of the groups most susceptible to the phishing are the CEOs and the executives in the companies. You have got that internal threat. It is interconnected to your suppliers and your customer base and everything else. You have third-party threats, so be mindful of that and understand if you have information of value inside your operation, in your enterprise, that may be of value to somebody else, and you better think about how you are going to protect it.
I think the mentality of the CEO used to be, really, “I’ve got a Chief Information Security Officer; I have a Chief Technology Officer; I’m going to let him or her take care of it.” The new paradigm says, “Mr. President, Mr. Board of Directors, ultimately, you’re going to be accountable if you’re publicly trading. You’ve got shareholders; you’ve got employees; you’ve got people in the neighbourhood; you’ve got suppliers.” It used to be, “We’ll take care of it if something happens.” We are in a reactive mode: “If something happens, we will figure out how to do it.”
No, I think you are better in the pre-emptive mode, and you better lay out a strategy, a broader strategy. You might need some consulting. You may need monitoring. You need far more than firewalls. They are a thing of the past. They may be a part of the strategy. You probably need to think about getting some kind of vulnerability assessment, some kind of cyber insurance. You better be prepared, particularly, to accept the notion that if something occurs in Canada and in the United States, you are going to have to talk to regulators. You are going to have to talk to the media. You may have to talk to your shareholders. You may have to talk to your investors, so all this you better have at the ready and pray you never need it. You have got to change that mindset from, “We’ll wait until it happens and figure it out,” to, “It will happen, and when it does, this is what we’re going to do.” It has got to be an enterprise-wide effort.
A couple of final thoughts, and then I am sure you are much more interested in asking questions.
In the 20th century in Canada and in the United States, William Deming came up with something called ‘total quality management’. It was an attitude to how you run your business. It was the governance group; the management; it was the employees; it was supply chain. Everybody that interacted within that enterprise had to take on that notion that every step on the way, we had to think about quality performance in order to have a quality service or a quality product because if there was a defect anywhere along the way, we were not going to achieve what we want, and that is increased sales and a solid reputation in the marketplace.
I think the new mindset in the 21st century ought to take that mindset and start thinking about resiliency, resiliency inside the enterprise. Be as ready as you can. Understand the risks. Be as ready as you can, but, if something happens, you also have to be able to recover quickly and continue to do business.
Here is an interesting area where I think the governments and the private sector can cooperate. Just like getting information on a battlefield, if you are engaged in digital conflict, you would be best served—governments and companies would be best served—if they exchange information about breaches, the nature of the breaches, precursors to breaches, code and malware. They just would.
Finally, last year in the States, we convinced Congress—and President Obama signed it—to create a legal, safe harbour. For all the lawyers in the room understandably concerned about private business, and about telling the government that they have been breached and about the nature of the breach and about the regulatory hammer coming down on them, we created a safe harbour so you can share that information. We are going to encourage you to share it. We are going to encourage the executive branch, pursuant to President Obama’s executive order, to share that information down to the private sector. That is a real, that’s a collaboration.
I say to the private sector—and I say this respectfully thinking of your government and mine—governments move at glacial-like speed. Actually, there are probably glaciers that move faster. When it comes to technology changes, hackers move faster than government. Technology changes more quickly than government. Never expect the government can be smart enough to be prescriptive enough to tell you everything to do at all times in order to reduce your risk of a cyber-attack because it cannot. It is really not its function. Where the government can help is to help you build standards, share information. But you are really on your own. That is why I think if you are thinking of 21st century digital risk in this extraordinary, powerful ecosystem, you better think about what the risk is, how it relates to you, what technology you have, whether you are doing vulnerability assessments, whether you are monitoring, whether you are prepared for some economic loss with cyber insurance, whether you have a response and recovery. That is what you need to do. I think the companies that are prepared to do that, in time, will not only survive, they will flourish.
The last comment I will share with you is related to that. I was not necessarily a very good science student. That is probably why I ended up in the infantry. They would never put me in the corps of engineers. I remember reading On the Origin of Species. I think that what he talked about in terms of the survival of the fittest has been misinterpreted over the years. If you read it, he did not really say that it is the strongest, the biggest and the fastest that survives. He said it is the species that adapts to change that survives. I think business has to be a lot more Darwinian: If you are going to succeed in the digital world, you have to adapt to that change. You may not like it, but it exists. You do not have to be breathless about it because you can manage that risk. It can be managed. It is a business risk. If you bring that mentality that there is a digital risk, like you bring it to supply chain risk, like you may bring it to the currency exchange risk, and you build resiliency in your enterprise, I think you are going to be fine. I think you are going to be fine. That is what I think the message should be: Accept the reality as it is and just simply manage the risk before it manages you. Businesses do it all the time. Just bring the same mindset of the risk of a digital attack as you do to all the other potential risks, and you will flourish. Hopefully, you will do more than survive. You will be a profitable enterprise that you want to be.
I think that concludes my remarks. I appreciate you not nodding to sleep during the course of time. It was a great lunch. Loved the dessert. There are no calories in the dessert, ladies. I tried it. It is really good. I am happy to have any Q&A that you want. Thank you very much.
Questions & Answers
Q: We had this election last week, the small election that some people may have heard of. I am interested in your perspective, as best as you can surmise, in a President Trump Administration fast forward to three, four years: Is United States safer from cyberterrorism, or are they more at risk?
TR: I think there is a growing awareness within our business community of many of the elements that I talked to you about, about the need to understand the vulnerabilities, manage the risk, identify those critical pieces of their intellectual property, a network and system that needs to be protected by layering multiple defenses. The risk for cyber insurance is getting better in terms of building a response and recovery, so I think there is momentum notwithstanding government. Like I said before, if business waits on government to help them eliminate the risk, it will get there. It is slow. It is just not going to work that effectively.
What has happened is President Obama, in 2013, signed an executive order that said three things: One, we are going to have the National Institute of Standards and Technology (NIST) work for almost a year with our private businesses. We are trying to try to build a blueprint, an operational blueprint, to help them come up with basically a program how you identify the risk, how you manage that risk, and how you prepare to build that redundancy, that resiliency in the system.
The second thing that the executive order did was say to the federal government, “You, federal agencies, ought to be sharing information down either to those critical infrastructures.” This is around critical infrastructure protection, energy, telecom, banking—the kind of enterprises that private companies own but that the Government of Canada or the Government of the United States needs in order to operate and to function. I said we need more information sharing and it was an initiative to encourage that.
The third thing that is really precious to me and to you, to Canada and the U.S.—so much so I also put an oversight board on it—is to make sure that as we go down that path we do not infringe on the privacy and civil liberties of our countries. I think that is really important.
None of us realize—you probably have no idea how much Google knows about you. I mean, you have no idea how much the private sector knows about you. One example—and it is a long-winded answer that I gave at a commencement speech at a law school a couple of years ago. A gift that I received from one of the graduates were four fascinating books. I love them. You know what? I did not pick them out. I filled out a form with basic information about me and generic likes and dislikes. Every quarter, for a year, I got a new novel. If I had have gone through Barnes & Noble or a bookstore, I would not have selected those books. They were terrific. Broken, was one of them. I do not know if you read the book. I am saying there is a lot of information out there about you. If you take that information that the private sector has, and if you ever put it in the hands of government, and you put it together, it is a treasure trove of only a dark imagination can take you down the wrong street. I think the fact is that with democracy, while we want to balance security, we have to balance it against privacy. That requires vigilance of you and me and everybody else privileged to live in a democratic country.
Q: Governor, thank you for coming. My name is Stewart Tate. Fascinating: I was reading your bio before I came to refresh my memory of what you have accomplished in your life, and I wanted to go back to bed and pout for a while because I am far, far from that.
With the U.S. election that just happened, with the election and allegations that Russia was influencing, you have Assange, and you have Snowden. Are guys like Assange and Snowden criminals? Are they canaries in the coalmine warning us of dangers ahead? If Russia is not punished for what they have done or alleged to have done, what is to stop China or Iran in four years’ time to influence an election again in the United States of America? There has to be, I would think, a dire penalty to those countries, economically, because it is almost like it is constant warfare now, from what you are saying, in that fifth dimension, so there has to be casualties in that battle. How are these countries deterred from doing this again?
PF: To repeat the question, for those who may not have heard, the first, I believe, was the question about Julian Assange and Edward Snowden. Do you consider them criminals?
TR: The answer is yes, no amnesty. They are. Next question.
PF: Okay, that was easy. The other one was about what Russia and the tampering and the hacking. If they are not punished, does it send the wrong message to China and other countries?
TR: First of all, you have no idea the damage that Snowden did to my country. Believe it or not, no pardon. If he wants to live in Russia for the rest of his life, I am perfectly content. May he live there forever. Very good question. Very good question.
Let us talk about physical warfare and cyber warfare because they are able and have done both.
One, the challenge is confronting a nation state that engages in cyber warfare. We have that technology. Technically, we can attribute the attack to them, but how do you hold them accountable unless you do the same thing? I suspect that we have offensive capabilities, and I am not going to project what we may be doing privately. That is not necessarily out for the world to see. I remember when North Korea hacked into Sony. If I had been president, I would have loved to have my kick people come in and say, “Here’s what we’ve got to do.” They hacked into Sony. Who cares? It was a stupid move anyway, in my point of view, but they hacked into an American company. When a leader opens up his laptop, and he clicks it, what I want you to do is to have him see first thing the American flag waving and “The Star-Spangled Banner” behind. We know who you are. We know where you are. We know how to get to you, so knock it off.
The physical side is much more difficult. I do not know where this administration is going to go with Russia, but I am going to give you Tom Ridge’s impression of Putin in Russia, and I do not pretend to be a foreign policy expert, but I did just come back from a week in Ukraine. They have got a war going on over there. They are not just in Crimea; they are up in the eastern section of Ukraine. They have got separatists. They have literally built World War I trenches in part of their place to build part of their defensive system. Here is what is going on when I take a look at Russia. The first time a country has invaded another country, a sovereign since World War II, NATO and the U.S., condemned it. I just do not think that made much of an impression. We had the opportunity congressionally authorized $500 million worth of lethal weapons to Russia. President Obama did not sign. It is there. The law exists, but we have not sent it to them. By the way, they said, “We don’t want your soldiers. Just send us the weapons. We’ll defend ourselves.” You have got that going on in Ukraine.
You saw how they were playing around a little bit in our election—cabinet and democrats. By the way, we work with a company that the Republican National Committee had on its website. There was one party that was hacked and there was one party that was not hacked. If you are worried about that, give me a call. I will put you in the space with this company. Another story. Look what he is doing in Syria. If you look at Ukraine and Syria, he has really exacerbated the tensions and the problems, and, yet, he finds himself masterfully inside trying to negotiate a settlement to problems he has created. I will bet it will be private, but his intelligence community—he will be playing around in the German and the French elections next year. A little disruption, a little chaos. I think we need to accept who he is. He is a wily, capable, strategist of evil. I do not know how you could possibly trust this guy. He runs a very repressive government. I am not saying you have got to go to work. We are not talking about military action, but we are talking about the western world standing up to blatant aggression, and we have not done it.
Madeleine Albright, former Secretary of State, wrote a beautiful book about when she was from birth to like 11 or 12 years old, but during the period when Russians were saying, “We’ve got to go into Czechoslovakia because they’re intimidating and repressing German-speaking people,” Neville Chamberlain said, “We don’t want to get in the war. We don’t want to