As Cyberthreats Get Stronger, People and Networking Are Key to Survival

Don’t put technology first, an expert warns; get the right people, and make sure they're trained and skilled in knowing what to look for.

by Ed Waters Jr., McClatchy News Service / April 15, 2014

Cyberattacks like the one on Target and computer “bugs” such as Heartbleed will continue to plague businesses and individuals, said an expert Monday night.

Thomas Harrington, managing director and CIO at Citigroup, said the key is having knowledgeable people on a business’s information technology staff and networking.

Harrington, who was an associate deputy director at the Federal Bureau of Investigation, where he served for 28 years, addressed the BB&T Community Business Forum at the Mount St. Mary’s University Frederick campus.

Harrington said the FBI, recognized for its outstanding work in criminal investigations and intelligence, was transformed after the 9/11 attacks.

“President Bush asked Robert Mueller (the FBI director) what could be done to make sure that didn’t happen again,” Harrington said. The bureau, while still part of the traditional law enforcement community in hunting down criminals, expanded to include those breaking the laws via cyberspace.

Harrington said there are four major groups using computer technology for the wrong reasons: the criminal element, nation-states (other countries or groups trying to steal data), activists and insider elements. While all are using cybertechnology for ill gain, each must be approached differently.

“Today it is not just stealing information, it’s become destructive,” Harrington said. He related how in one instance cybercriminals had encoded the medical records at a hospital, then contacted the hospital demanding a ransom to remove the encoding.

“This was a threat to the life of patients, surgeries delayed, patients moved to other hospitals,” Harrington said. It turned out an information technology employee at the hospital hadn’t gotten a raise he thought he deserved and took revenge on his employer.

“Don’t put technology first. You can buy all the latest technology, but if you don’t have the right people to use it, it is a waste of money. Get the right people, trained, skilled in knowing what to look for in potential problems,” Harrington said.

Harrington said some of the best people in the field come from government defense contractors. “They have been dealing with keeping their information secure for years. They have the experience,” Harrington said.

Sharing information is important. He and other Citigroup employees travel the world to learn what problems and solutions other businesses and government agencies have developed. He urged local business owners to do the same and meet and talk about problems, whether they experienced them or how to prevent them.

In the case of Target, when the company’s credit card system was hacked and numbers were stolen, it was law enforcement watching criminals using technology that tracked it to the retailer.

Heartbleed, which was designed to be used to secure information but had a flaw in it that allowed information to be accessed improperly, is a major problem, Harrington said. In Canada, the government shut down its tax department websites for fear that information could be stolen. Harrington said “patches” are being made to fix the problem, but it could be a long time before a total picture emerges of the damage done by Heartbleed.

Harrington must address not only cybersecurity for Citigroup, but also emergency management and money-laundering schemes. The company does $6 trillion in wire transfers a day, making money laundering a major problem.

“If the board of your company is not discussing cybercrimes, they are being negligent,” Harrington said. “Cyberproblems are here to stay, and they are getting more complex and sophisticated.”

©2014 The Frederick News-Post (Frederick, Md.)