In a rare public appearance for the former director of the Federal Bureau of Investigation, Mueller said today that chief executives, in particular, must personally recognize “the depths of the challenges and how swiftly a cyber-attack can cut your reputation down.”
“Not anticipating — not knowing this arena” is dangerous, Mueller said. “Too few senior management know and understand that particular issue, and, secondly, are uncertain as to how you address it.”
Speaking at a cybersecurity conference organized by Bloomberg Government today in Washington, Mueller added that he made a similar mistake when the FBI upgraded its case management system.
“I didn’t ask the hard questions,” he said. “You delegate that and they tell you what’s going to happen is going to happen. It doesn’t happen. And you look back down and you reflect and say I delegated an area where I should have been personally involved.” After years-long delays, the system eventually became operational in 2012.”
Mueller, who served as FBI director from September 2001 through September of last year and is now a partner at the law firm WilmerHale, added that one reason chief executives must understand technology is so they can react quickly to breaches to protect their companies’ reputations. Too often, they are more worried about lawsuits than repairing their image.
“The litigation is not as important as the reputational damage, the degree that your — that somebody has products or — or sells things. And the reputational damage can way outweigh any considerations related to the inevitable litigation that will come down the pike,” he said.
He added that companies must be as concerned about internal threats as well as those posed by hackers overseas. Citing former contractor Edward Snowden’s collection and dissemination of computer files from the National Security Agency, Mueller said companies must address how to handle a “disgruntled employee who has admin rights and who is unhappy and who then can do the damage from within.”
One way to better confront cyber-threats, Mueller said, is to work on better collaboration between the federal government and private sector. He said the government is properly sharing information within its components.
However, he said, “the business community needs to do a better job coming up with vehicles for sharing intelligence amongst themselves, but also sharing that intelligence with the federal government.”
“If the legislation that is contemplated up on the Hill, which gives a safe harbor to companies providing information to the federal government relating to breaches and the like passes, that would be tremendously helpful,” he said.
Concerned that companies were not sharing enough of that information about hacking because they were worried about getting into trouble with antitrust enforcers, the Justice Department in April issued a statement that providing details about cyber-threats would not get them in trouble with regulators or prosecutors.
“They can protect their intellectual property and still turn over the information that’s necessary to determine what’s a piece of malware that was recently used,” Mueller said.