Cyberattacks are in the news. All kinds of organizations — ranging from Target Corp., Yahoo Inc., Sony Pictures Entertainment, and Bangladesh Bank to the Democratic National Committee in the United States — have fallen victim to them in recent years. To gain a better understanding of cybersecurity threats — and what executives should do to better protect their companies — MIT Sloan Management Review sought out cybersecurity expert Stuart E. Madnick.
Madnick has been studying computer security for a long time. He coauthored his first book on the subject in 1979 and today is the director of MIT’s Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC)³, a consortium that brings together academic researchers, companies, and government experts. Madnick, who is the John Norris Maguire (1960) Professor of Information Technologies in the MIT Sloan School of Management and a professor of engineering systems at the MIT School of Engineering, spoke about trends in cybersecurity recently with MIT Sloan Management Review editorial director Martha E. Mangelsdorf. What follows is an edited and condensed version of their conversation.
MIT Sloan Management Review: Why did the MIT cybersecurity consortium you lead choose to focus on the nation’s critical infrastructure?
Madnick: Much of the attention about cybersecurity has been focused on things like stealing credit cards — which is important, and we don’t neglect that. But surprisingly little attention has been paid to cyberattacks on critical infrastructure. You don’t hear much about the Turkish pipeline explosion or the German steel mill meltdown. You may have heard a little bit about the cyberattack on the Ukrainian power grid that happened around Christmas in 2015. Generally, these events involving attacks on infrastructure do not get much attention; they’re not quite as sexy as movie stars’ emails being revealed. But they have the potential to have far bigger impact.
Our feeling is that we need to increase the attention we pay to cybersecurity for important infrastructure. It doesn’t mean we’re going to ignore everything else, but there are some things that are particularly unique to those kind of attacks.
Think about preparedness.