"The threats in cyberspace are as bad as it's ever been."
Not exactly the most comforting words coming from Gen. Keith Alexander — the former director of the NSA who served under presidents George W. Bush and Barack Obama. Alexander, at PYMNTS' Innovation Project 2016 last week at Harvard, gave a sobering reality check about the cybersecurity threats that could become an even scarier reality in the click of a button.
And we were pretty scared last year, at Innovation Project 2015, when Alexander first said that cyberattacks will get progressively worse before they get better. He spoke of how the U.S. as a whole, which includes the private and public sectors, both needed to reach across the aisle for the greater good of all businesses and citizens to tackle cybersecurity and information sharing – together and setting politics aside.
“We aren’t where we need to be today,” Alexander said in March 2015. “Nobody is meeting the standard. If even the best companies are making mistakes, we are not in the right place. … If nobody can pass the standard, we have to come up with a way to make cybersecurity more successful. If everybody is doing everything and getting nothing then we are in the wrong place.”
One year later, in March 2016?
"We are way behind," Alexander told the crowd of innovators. "We have to up our game."
Alexander's comments are as timely as ever, with new data released this week, following a White House audit, showing that the U.S. government suffered from 77,000 cyber incidents in fiscal year 2015, which represents a 10 percent spike over the prior year.
The retired four-star general lays the blame at the feet of the public and private sectors who haven’t worked diligently enough to create and implement a unified strategy. And because no one can truly keep up with the pace at which innovation across all sectors is occurring, securing those innovations is a challenge.
"It is amazing to see what's going on in this area," Alexander said. “Next year when you're here, half of the technology will be outdated. It's moving that fast. It's doubling every two years," he added.
And we can thank innovators and new technologies for that.
"The amount of unique information we create this year will be more than the last 5,000 years combined," Alexander said. "We are training students for jobs that don't exist using technology that hasn't been created to solve problems we don't even know are problems. ... The threats are out there. And they are continuing to evolve."
That's about how everyone probably feels once Alexander takes center stage and begins rattling off the big reasons why cyberthreats and cybersecurity should rise to the top of so many priority lists.
"The threats in cyberspace are as bad as it's ever been," he said. “And this time it's not just about cyber warfare and energy hacking concerns. It's bleeding into the financial sector, too.”
Case in point: the $101 million Bangladesh cyber heist.
But the threats to the U.S. financial ecosystem, Alexander says, go much deeper than that and extend well beyond cyber gangs out to cause trouble.
"Iran does have capability to go after both the energy sector and the financial sector, and have demonstrated both. We need to be concerned about that. I believe that's the greatest threat to us," Alexander said, pointing toward the example of a wiper virus — a virus that wipes all info out of the system completely.
Gone, all gone.
Timed to coincide with the toppling of the energy grid, over a weekend, designed to throw the bankers off track. System malfunction equals problems with the power outage. Only days later, will bankers discover the damage – damage that is at that point irrecoverable.
"There are so many issues coming out of this area that will impact our nation and our allies and we're not ready for it. And this technology is not going to slow down," he said. "What you now have is an ecosystem where attacking it might not be a brute force against a token, but it will go against that financial sector, in full force."
Alexander moderated a panel of payments innovators who dove into the complex subject of "protecting payments at the edge."
Or as one panelist put it: "Payments isn't about moving money. It's about authentication, authentication, authentication." Forter CEO Michael Reitblat followed up those remarks with a harsh reality that everyone across the payments, tech and security ecosystems must face: "It has never been easier to steal an identity than today."
"There is an awful lot that is good in this technology. And it's things that we want to push. And then there are a lot of threats and issues that we've got to solve. We're way behind in that. And those that wish us harm will attack us in this area. This is an area that we all together need to collaborate on if we are going to solve it," Alexander said.
And then there's the current biggest concern on the payments docket: how fraud is shifting. Or, as overheard at Innovation Project's panel on the subject: "Fraud is going to shift to traditional forms of payments, which we aren't going to protect." That's things like checks and prepaid, of course.
The buzzwords that came out of these fraud conversations? Identity, big data and how to harness that data with analytics. A debate ensued about two-factor authentication and the value of such security measures, with it boiling down to one question: how to balance consumer authentication without a frictionless commerce experience.
Securing identity should be at top of mind — all, of course, while keeping consumer privacy in mind.
"This is a tough issue, not only for our country but for the world. We need both – we need security and we need privacy," Alexander said during a debate that ensued about the Apple vs. FBI encryption security debate.
But interestingly enough, when it came to a conversation about security, even one panelist said that security isn't just about protection, but also trust, saying "security is not the holy grail; the important thing is increasing trust." But as fraud shifts online, as well to ACH and checks, the panel agreed that there needs to be more accurate, quick methods to identify people.
One problem in the industry that was identified was a lack of standardization, which many during the conference noted hurts scalability and ubiquity. And the lack of security and preparedness, of course, created greater fraud losses. And fraud creates friction — no matter if you're talking the financial institution, merchant or consumer perspective.
And so the vicious cycle continues.
But what's really top of mind of those in this space? Cybercrime – however it happens – nation states or organized cybercrime ring.
That's enough to keep anyone up at night.