Why foreign actors are a big cyber-threat for business

OT and IT need to merge, says RedSeal CEO Ray Rothrock, in order to protect your company from cyberattacks.

Protect your company from cyber attacks, RedSeal CEO Ray Rothrock tells TechRepublic's Dan Patterson, by merging OT and IT. The following is an edited transcript of the interview.

Ray Rothrock: In the near term, clearly the grid is an obvious place. We've gone... the DCI, they've gone through this analysis about the interconnectedness of our physical world, and how the OT, they call it the operational technology, touches the IT technology. The threats come in on the IT side of the equation, and they touch the OT side of the equation. In fact, I think all of our intelligence agencies just reported the Russians have planted software in our grid, so I worry about the lights going out.

Imagine the lights going out. Imagine the lights going out in New York City.

Dan Patterson: I've been to Ukraine, I kind of know.

Ray Rothrock: You know. You've been there, done that. But imagine how devastating that could be. I don't think, I don't believe they want to bring us down, but they may want to extract some money. They may want to get you to change your policies. It's more the blackmail element of impacting our operational world, I think, that's much more threatening than stopping the water flowing or stopping the electricity flowing. It's like, "I can do that. I can make you hurt."

Dan Patterson: And we hear about this all the time, but you were saying, or affirming, that these threats are real. That there is software within our power grid. I think if we talk to the security community, they might say the same thing, but I want to clarify.

Ray Rothrock: Yeah, that's true. My guys in Washington who work with all these agencies, we get a lot of information. I'm not saying anything out of school that I can't. But there are real threats, real software out there. In fact, the military just put up a thing called a CPT, which is a cyber protection team. These are now the firemen. They go into a situation and deal with a threat. If they detect something, these guys are called in immediately, and it's a good use of our tax dollars.

Dan Patterson: And I know business and government are a little "oil and water" at some points, but do you have a good policy prescription, or at least a recommendation, for businesses cooperating with government in terms of the national defense?

Ray Rothrock: "You're on your own" would be my answer. Look, the government has a mission, and it's this Constitutional mission to protect us. If we're attacked, physically or cyber, they have a requirement to respond. I was disappointed when we didn't respond on the Sony attack, because the data's very clear. But that's, "you don't want to get into politics." But in business, it's mostly still a grudge issue. It's a grudge, they call it. It's like, "I'm going to do the minimum." Okay. So therefore, government ought to have some minimums. A good place to start is the Securities and Exchange Commission. We have to report out executive compensation, we have to report out audit reports, we have to have a nomination and governance committee on a public company that takes care of transitions of the board and how it's run. Why don't we have an audit on the cyber side? I don't think it's hard to do. We've got some of it in place now, but it doesn't have any teeth.

Now, if that compliance element came to pass, there'd be an instant job market for probably half a million people or something; already, there's a million-person deficit. There'd be a need for skills and what we're trying to train and all that. It'd be an instant job market. The government's role should be to set policy. Just like this building has a certificate of compliance, your network and your business, if you're going to handle people's data, if you're going to do commerce on the internet, the digital world, you have to have a certificate of compliance. And there should be some minimums there. NIST has terrific standards on all this. This is another conversation that's going on. A lot of companies are adopting NIST 800, different elements of it. That's very important.

We're getting there, but government's role is to make us comply, because this building would not be safe otherwise.