How Business Leaders Can Prepare for a Cyberattack

Michael Rogers, a Senior Fellow and Adjunct Professor within the Kellogg Public–Private Interface, is a retired four-star admiral in the U.S. Navy who served as a commander in the U.S. Cyber Command and director at the National Security Agency. In those roles, he helped develop cyber intelligence and technology policy. Since leaving the Navy, he has turned his expertise to helping companies and industries in the private sector cope with cybersecurity issues.

Rogers recently sat down with Sandeep Baliga, a professor of managerial economics and decision sciences at Kellogg, to discuss cybersecurity threats and how leaders can guide their teams through crises.

This conversation took place as part of a recent course on Leadership and Crisis Management at Kellogg. It has been edited for length and clarity.

Sandeep Baliga: In the modern world, all sorts of businesses and institutions are subject to cyberattack. So, please set the stage for us. What kinds of cyberattacks are companies dealing with?

Michael Rogers: In general, cyber-threat activity has a few primary purposes. The most active one is generating revenue. That’s what you see individual criminals doing, but also lone nations like North Korea that use cyber to rob banks, break into online gaming sites to steal money, and mine Bitcoin. These countries are no longer a part of the international financial structure, so they can no longer move money through SWIFT, the global messaging network that allows institutions to securely share information. They had to come up with a different way to get money, and one of the ways they decided on was, “Hey, we can steal it.”

The second purpose is stealing intellectual property. The Chinese government, for example, are interested in oil exploration in the South China Sea. So a huge part of their national strategy with respect to cyber is going after U.S. natural gas and petroleum extraction sites’ technologies.

Companies are the number-one targets for stealing intellectual property, but they are not alone. A lot of major universities around the United States and other parts of the world are starting to realize that nations including the Chinese, the Russians, the Iranians, and the North Koreans are pulling research and dissertations. They’re not doing it because they want to check your students’ grades! They think there’s potential value that can generate an advantage for them.

Third, criminal entities are locking down a company’s data and saying, “Hey look, you want access to this, you’re going to pay us tens of thousands of dollars.” To date, much of this activity has been directed at data, but you watch: it’s going to start going after operating technology, the automated systems that you put in line that enable you to remotely control manufacturing processes, or the movement of petroleum and natural gas across the nation.

Finally, cyber is being used as a weapon designed to achieve hardware or infrastructure impact. Traditionally, that was directed at nation states. But more and more, it is directed at companies. This last one means that companies have to think about risk more broadly. I have heard people say, “Yeah, but our company’s in the food industry. Why would anybody care about us?”

They might think they’re a food company, but to the rest of the world, they are an American food company associated in many ways with America’s lifestyle. That means they’re a potential target, above and beyond any intellectual property associated with food or food processing.

Baliga: So they’re going to attack you just because you’re American. What should American companies do to prepare for this event then?

Rogers: I tell boards to prepare the exact same way as in every other area of their business: prioritize, decide where you can take risk and where you can get the greatest return, and that’s what you focus on.

I suggest looking at cybersecurity from two very different perspectives. First, what are the most likely scenarios? If you can understand how to defend against those, you can deal with most cyberattacks.

The other perspective is a little more challenging: threats that are low probability, but if an opponent is successful, you’ve got massive problems. For example, the Department of Defense has to think about an attack on nuclear infrastructure. We assess this attack as low probability. However, if someone was able to attack successfully, think about the implications for our nation and around the world. So we have to commit a lot of resources toward defense, more than you might expect given the probability of it happening.

The way I frame the question is, “Tell me what processes, data, and infrastructure are most linked to your ability to execute whatever your mission is.” Because your answer to that question is exactly where you want to focus your efforts. In other areas, you can take a risk.

But having said that, when you do take that risk, leadership has to be prepared if it goes wrong in those areas.

Baliga: Let’s say that now you are in an actual crisis. What is the most important thing for a leader to do?

Rogers: I find the most difficult thing, in my experience, is when you’re in the middle of a crisis, your stakeholders generally want you to deal with things immediately. They aren’t interested in you saying, “Hey, give me a year or two to make this investment or get us where we need to be.” They need you to address the situation now.

That means you’re going to have to address substandard or poor performers right away. You might otherwise put up with people who are inexperienced or poorly trained because you view them as a long-term investment. But in a crisis, you have to be willing to say, “Okay, step aside, Johnson,” even if just temporarily. That is hard culturally for a lot of people, because it is also important to treat men and women with respect, and let them train and become more experienced over time. But as a leader, you’ve got to be willing to not be popular.

Baliga: So even if you have to replace these people in a crisis, you still have a continuing relationship with them. How do you navigate that?

Rogers: I always tell them, “This is as much my fault as yours, because I failed to put you in the right spot. And I want to apologize for that. I am not trying to embarrass or undercut you.”

In probably 95 percent of the scenarios, I would also say, “Do not interpret this as me not believing in you or you not having a viable future with our organization. We just find ourselves in an extraordinary situation and need to deliver quickly.”

But this brings me to an important point. Whatever organization you lead, one of the questions you always need to ask yourself is whether your day-to-day decision-making structure is the same as what you are going to use in a crisis. To immediately revert to a totally different structure in times of crisis is something I find very confusing. Your partners outside the organization certainly won’t understand this. They’re used to dealing with a particular person on this issue, and suddenly you’ve got a whole new team, and a whole new structure?

That means when you’re putting people in jobs, you just don’t think about their day-to-day activities. Make sure that the people on your team have the experience that you need in a crisis.

Baliga: The crisis situation that you describe is one where there’s a hierarchy and there’s an authority figure who then looks at a subordinate and says, “Look, I’m going to use my authority to replace you with somebody else.” Are there reverse situations where you bring decision-making down to lower tiers in the hierarchy and allow them to take control and make decisions?

Rogers: Absolutely. In the military, leaders would build cross-functional teams that would include a lot of different disciplines, different demographics, and different levels of experience.

We would tell the team, “Here’s the problem, and here are your mission priorities. Come back and give us a sense of your plan, how you want to organize yourself, and what resources you need. Talk to me about timelines, and let me get a sense for what things are beyond your control.”

Nothing helps energize organizations like a clear sense of ownership of the process.

Baliga: I’d like to ask you a question about a very unique leadership problem now. When you became director of the National Security Association in 2014 [shortly after Edward Snowden’s release of highly classified information and subsequent criticism], you inherited an organization that had been through an ordeal. What did you do to recover and rebuild from that experience?

Rogers: It was an interesting challenge. From the perspective of the workforce at the NSA, they never did anything illegal. There were three independent reviews directed by President Obama in the aftermath, and all three came back and said, “You were fully compliant with the law.” So the questions left for us were: How are we going to continue to comply with the law? How will we continue to generate insights that help defend our nation?

My comment to the team was, “Guys, I get it that we feel vindicated internally. But we have to acknowledge that we are dealing with perception, and right now the perception is that we are engaged in activities that are not necessarily in accordance with the visions of our citizens. And so we have to ask ourselves what do we need to do differently?”

We felt we needed to talk more about what we are doing and why. Not so much how—when you start to talk about how very publicly, criminal entities and terrorist groups who watch and read American media change their behavior. But we did have to figure out how to talk more about the what and the why.

Baliga: It’s interesting that you had to bridge that gap between being transparent and being an intelligence organization and not compromising your mission.

Rogers: Yes, and the challenge was cultural. We’d never done this before. And I’d say, “I understand that, and there’s nothing wrong with you having that concern, but on the other hand, we have to be willing to do things differently. And we are doing this for mission execution, because if we lose the confidence of the citizens that we serve, we are going to lose some of the legal underpinning that’s been granted to us. That’s part of the challenge of living in a Democratic society. So, think about your real mission.”