Credit: Illustration by Martin Kozlowski

Michael Balboni, a former state senator and former New York State deputy secretary for public safety, is managing partner for Bluewater International, a management consulting agency.

 

At the World Economic Forum in Davos, Switzerland, last week, Secretary of Homeland Security Janet Napolitano unveiled the Obama administration's National Strategy for Global Supply Chain Security. Its goal is to facilitate legitimate trade and travel, protect transportation systems from attacks and disruptions, and build a more resilient global supply chain -- while preventing terrorists from exploiting that chain to transport explosives or attack transportation systems.

The emphasis on explosives and physical attacks is certainly appropriate, particularly given the cartridge bombs that were shipped in the fall of 2010. But there's another threat that should be addressed to ensure the safety of the supply chain: cyber security.

The supply chain means more than just the infrastructure that moves goods to consumers -- ships, trucks and airplanes. It's also about customer lists, inventory data and shipping instructions. Just as blowing up cargo airliners can disrupt the flow of goods and shake the confidence of shippers and businesses, hacking into the computers of a multinational corporation can achieve the same result.

Just ask the folks at Citibank, Sony's PlayStation Network or Zappos.com whether global hackers affected their supply-chain integrity.

Attacks on Sony led to the theft of data from 77 million customers. At Citibank, hackers may have stolen up to $2.7 million from about 3,400 accounts in May of last year, after 360,000 accounts were compromised. At Zappos, a hacking attack exposed the names, email addresses, addresses, phone numbers and partial credit card numbers of its 24 million customers. These companies recovered, but such breaches have the ability to stop business in its tracks.

Government has been warning of the risks of malware, botnets, phishing scams and worms for a long time. In fact, I introduced a cybersecurity bill in the New York State Senate almost a decade ago. Congress and the White House have targeted the issue. Shortly after he took office, President Barack Obama established a new White House Office of Cybersecurity. But, as Napolitano's announcement illustrates, there is still an unwarranted separation in the administration's approaches to ensuring physical security and combating cyber threats.

 

Cyber security can be broken into three broad areas of concern: outside threats, system failures and internal risks. Each presents different challenges, and addressing one doesn't eliminate the risks of the other two.

Outside threats are attacks from hackers, which can come from anywhere in the world and take on a variety of forms. In addition to well-known attacks, such as viruses that are designed to take over a system or steal information, other strikes focus on creating fraudulent sites and interactions that trick legitimate users into sending Social Security numbers, bank account information and even money.

We must share, globally, information on these attacks, to help with defenses, recovery and hacker prosecution. Such a data clearinghouse would have to be independent, secure and trustworthy. Companies are very leery of sharing information about the attacks they've suffered, for fear of losing market confidence. Yet this is crucial information if companies in the cyber supply chain are to secure their networks. Not having this information would be similar to failing to have doctors' offices report on what diseases they are seeing in the community. House Homeland Security Committee Chairman Rep. Peter King (R-Seaford) and Rep. Dan Lungren (R-Calif.), a member of the committee, are exploring just this type of approach.

Then there are system failures, which are the result of neglecting to implement patches or fixes to vulnerabilities embedded in software before it is sold. It's sort of like selling tires that have bubbles in their treads, which could cause a blowout down the road. The ongoing management and control of such software weaknesses is paramount. A major step in securing our cyber infrastructure would be to establish an independent agency to review, test and certify software, and to establish a baseline for software assurance that's much like the fire-safety rating we now have for electrical appliances. Securing these vulnerabilities will help to close the back door of an unsuspecting consumer to keep out an exploitive hacker.

Finally, internal risks from human factors can undo the most expensive and sophisticated security safeguards. The motivation for this insider threat can be malicious -- think of those feeding documents to WikiLeaks -- but in many cases the breaches result from a lack of understanding of basic security principles and the methods used to compromise information. Many of the current problems come from poorly trained workers following lackluster security protocols. Given the liability and exposure that a company in the cyber supply chain faces, it is essential for global corporate leaders to ensure that their workplaces are cyber-secure.

 

It will take a dedicated and coordinated commitment by world governments and corporate leadership to address these different threats. A good first step would be to require a cyber audit for all businesses dealing with sensitive information -- whether governmental or consumer in nature. This way, they could see where the problems exist before they start spending money to fix them.

The goal of these efforts should be to place the responsibility and the benefit clearly where it belongs: on the private sector, which controls 85 percent of the cyber infrastructure. The president must inspire a global call to arms and awareness of the threat, and government's role should be to provide guidance and standards for cyber compliance. Security officials should also stop thinking of physical and cyber threats separately. Both could dramatically degrade our economic infrastructure, as well as our global supply chain security.
