On December 7, six women leaders in government, private sector, and academia joined moderator Judith Germano, distinguished fellow at the Center for Cybersecurity (CCS), for an interdisciplinary discussion, “Critical Cybersecurity Updates: Digital Extortion; International Supply Chain Attacks; and Critical Infrastructure Risk.” The program was part of the Women Leaders in Cybersecurity event series, presented by CCS, a collaboration among NYU Law, NYU Tandon School of Engineering, and other NYU schools and departments.
Panelists discussed the evolution of ransomware, data breaches, and digital extortion, and how the Department of Justice’s new Civil Cyber-Fraud Initiative will focus on countering these threats. The participants included experts from a range of fields:
- Eun Young Choi, senior counsel to the deputy attorney general, U.S. Department of Justice;
- Edna Conway, vice president, security & risk officer, Azure Hardware Systems & Infrastructure, Microsoft;
- Deneen DeFiore, vice president, chief information security officer, United Airlines;
- Melissa Hathaway, president, Hathaway Global Strategies LLC;
- Micaela McMurrough, partner, Covington & Burling LLP; and
- Boyden Rohner, associate director for vulnerability management, Cybersecurity and Infrastructure Security Agency.
Selected remarks from this discussion:
Eun Young Choi: “The changing landscape is such that it’s hard to bucket actions into purely criminal or purely national security–related.… I think ransomware is a prime example… Oftentimes these ransomware attacks are perpetrated by what we would call traditional criminal, transnational criminal organizations.… And those circumstances, they can still have a national security component because—as was evident from Colonial Pipeline, JBS foods, Kaseya—the impact of a ransomware attack can be upon a company that has a significant presence in a critical infrastructure sector. And in that aspect, you can see if a ransomware attack happens on our food supply, on the energy sector, on hospitals, that changes the nature of the threat.” (video 15:18)
Micaela McMurrough: “As a business, or as a company, as you contract with different organizations, you’re contracting them for their services—but to a certain extent, you’re also buying their risk.… You really have to manage this risk through time. You have to do some diligence upfront about the folks that you’re working with. You want to get those contractual provisions in there in terms of your contracts to protect yourself, to have some measure of recourse, if things go wrong, but also more importantly perhaps to incentivize risk management in the course of performing the services. And then finally, you have to manage the contract, right? So even if you’ve done your diligence and even if you’ve got those great contractual provisions in there, this is not really a ‘set it and forget it’ environment. You have to keep up…” (video 29:18)
Boyden Rohner: “I’d like to adapt that Stephen Covey phrase that ‘culture eats strategy for breakfast’ to ‘technology is eaten by culture’ when it comes to implementing things. We’re seeing time after time when we go and do proactive security assessments on very mature, evolved organizations…they’re struggling with securing identity access management because they don’t have the right governance structures in place.” (video 56:36)
Posted January 28, 2022