Here's the issue: pushing out a patch doesn't fix the vulnerability. The companies have to apply that patch to their systems. Companies that don't do that or don't have the people to implement those patches - that's the real risk. So, if everyone had patched their systems in March, this wouldn't have spread within companies. Companies would still get hit by the phishing attack if they opened up a phishing email, but they wouldn't get hit by the lateral movement, which is causing the most damage.
Kelly: Are U.S. companies prepared for something like this and will it get worse before it gets better?
Alexander: The companies that I work with have CISOs, solid IT and cyber personnel, and I think really understand the importance of patching. That doesn't mean that somebody won't answer a phishing email. I suspect that this attack will spread much wider on Monday.
Kelly: Do you believe that overall, there is enough of an understanding among C-suites and in board rooms, of the risks and implications of something like this? Are their heads in the right place? How much heavy lifting is still required?
Alexander: Up front, most of the boards and C-suites I talk to understand the risks and are increasingly focusing on this specific issue. Larger companies can afford the IT and cyber expertise they need. But small and midsize companies cannot, and that's a real problem. The solution is to come up with comprehensive cybersecurity solutions for all companies, including small and midsize companies, that can protect them from attacks like this. What this also really gets to is the need for a public-private partnership, a relationship between government and industry that works so that when industry starts to get hit by something like this, they can quickly share information with other companies and with the government about where it's coming from and the government can help take steps to mitigate the threat. I think that's what we have to do. It's part of the strategy everybody sees, it's just something we haven't implemented yet, and we have to get on with that.
Kelly: It's been so difficult to get comprehensive movement in Washington on a public-private partnership when it comes to cyber though.
Alexander: The Executive Order came out last week from the White House, and that's a critical step forward. We've had hearings in Congress on cybersecurity, and they understand the magnitude of these specific issues. They recognize they've got to take action. I think people are busy addressing other important issues. I think they understand the importance of the issue, it's just everything seems to be a priority and nothing's a priority, and the consequence is, you're going to get caught flat-footed. You're going to have increasingly significant attacks in cyberspace, so we have to get out in front of it.
I do think the people they have in the White House, Tom Bossert and Rob Joyce, are really good. The President has put quality people in these positions and they've already been meeting with both the public and private sectors, and I think that's a step in the right direction. We've got to do a lot more.
Kelly: What advice are you offering in this situation, to U.S. businesses?
Alexander: Two things: I think, one, they should ensure they have the patch implemented first. They should be working 24/7 to get that done. The second thing is that they should train their people on how to identify phishing emails. It is really important to apply patches, train your people, get good cyber capabilities. We also need to develop the right relationships between government and industry so security experts can see where the attacks are coming from and they can work together to stop them. Both the government and industry have proper roles to play here, and, especially if the attack comes from overseas, that's where the government must come in.