Meet IBM’s First Cybersecurity Counsel: It helps that he also has public-sector experience

Friday, October 6, 2017 - 16:36
IBM

Andrew Tannenbaum is the first chief cybersecurity counsel hired by International Business Machines Corporation (IBM). Before he was hired for this position, he spent a decade as a national security lawyer. He worked in Washington for the U.S. Department of Justice, first as a litigator handling national security cases, then as a legal and policy advisor on issues involving privacy, government surveillance, terrorism and detainees at Guantanamo Bay. In his later years at DOJ, he was one of the first lawyers in the National Security Division to cover cybersecurity. This experience led to a job at the National Security Agency (NSA) that was also focused on cybersecurity, which in turn segued to the position at IBM. We were eager to talk to Tannenbaum about the perspective he’s gained from working on cybersecurity in pioneering positions in both the public and private sectors. The interview has been edited for length and style.

What did you do during your year at the NSA?

Andrew Tannenbaum: I was brought in as a deputy general counsel. At the time it was a newly created deputy role focused on cybersecurity, which reflected the importance of cyber as an issue in the government and across the national security landscape. The NSA had two sides of the house – the surveillance side, which is focused on accessing the systems of foreign adversaries for intelligence purposes, and the flip side of information assurance, which is the protection of U.S. national security systems against intrusions by foreign adversaries. Those two operational issues previously had fallen under one deputy general counsel, but because cyber had become such an issue, they broke it out into a separate role. And that’s the role I stepped into.

Were you primarily focused on protecting the government from attacks?

Tannenbaum: We were focused on protecting both the government and the private sector – namely the critical infrastructure. We were still in the early stages of figuring out how the government was going to interact with the private sector in defending against this threat, so there were all sorts of new and interesting legal issues to consider. When you’re talking about inward-facing threats to the government, it’s a lot easier to share threat intelligence, classified information, with internal government agencies and control the process as needed to protect sensitive systems. But when you look outward to the private sector, what’s the government’s role in helping protect companies and private infrastructure? This was one of the major issues we were grappling with back then — and to some extent still are.

The laws in this area were somewhat outdated. They had not been written with the cyber threat in mind, and they didn’t address the need to share classified information at such scope and speed. Privacy issues were also implicated, issues that we’ve heard a lot about in recent years with respect to surveillance. But scanning packets of IP traffic and logs for technical signs of malware and other threats is not the same as reading a person’s emails to understand what they are up to. The privacy laws needed to be refreshed to account for widely accepted methods of cyber defense, and we began working on that as well.

You did this from 2011 to 2012, and that seems like ages ago, but the same kinds of issues are obviously still with us today. Did you spend a lot of time actually talking to companies about ways you might be able to cooperate and vice versa?

Tannenbaum: We did. There were a number of different government groups trying to coordinate with companies, and some of them were led by the Department of Homeland Security (DHS). As an intelligence agency, the NSA wasn’t normally in a position of being out front in the public and speaking with companies. That fell more to DHS and the FBI. But those agencies would loop in the NSA to help them coordinate with the private sector, because there was so much technical expertise and skill at the NSA.

When you took this job and started to sink your teeth into it, did you have a sense early on that this was going to become the focus of your career at least for a substantial stint?

Tannenbaum: Yes. It was such a fascinating issue. And it brought together a lot of different elements I had worked on before in the government, whether it was as a litigator representing the NSA, or advising on surveillance, privacy, and technology issues. It was new, the threat wasn’t going away, and there was so much work to be done.

In those days, 8, 9, 10 years ago, there was a lot that was known inside the government about the cyber threat that took a little while to gain public awareness. From that vantage point, you could see how important this was going to be for some time. For example, we were very concerned about the cyber threat evolving from the theft of data to the physical destruction or manipulation of systems and infrastructure. Today we are seeing more and more destructive attacks. The recent WannaCry and Petya outbreaks showed how ransomware could be used in a highly destructive manner, shutting down corporate operations, including commerce and the shipment of goods. This is a problem that unfortunately is going to get worse, and we are going to need lots of skilled people to help address it.

What made you decide to move on, and what options were you considering at that point?

Tannenbaum: It was a great job and a hard one to leave, but at that point I had spent a decade in government. I was always oriented toward public service and I loved every minute of it, but I felt it was a good time to transition to the private sector and gain a new set of experiences. And for family reasons we wanted to move back to New York. I was very much interested in finding a role like the one I had at the NSA – an in-house legal job in an organization where you could really partner with the technical and security experts and work with them at an operational level to help protect the organization and the country.

That’s why IBM was so appealing. Here you have this incredible company with this amazing 100-plus year history in technology with so much technical expertise and research and development, on the cutting edge of so many technologies. It also sees cybersecurity from every vantage point possible as a provider to clients all over the world, many of which are large enterprises in critical infrastructure sectors like banking and health care. Then you throw in new technologies like Watson, cognitive computing and blockchain. Not unlike the government, there is a real sense of mission and belief that you are part of an effort to help protect the world from cyber threats.

IBM had never had a chief cybersecurity counsel before. Were they looking for one, or did you convince them that they should be?

Tannenbaum: They hadn’t posted or advertised that they were looking for one, but when I came to them and pitched the role, they were immediately receptive. I think they had been thinking along those lines, so the timing worked out very nicely. I give IBM and our general counsel at the time [Robert Weber] a ton of credit in recognizing the importance of this issue early on. They were really on the leading edge of thinking about cybersecurity as its own legal focus, its own in-house practice. That was not common five years ago, and I think IBM was one of the first companies to really build out that kind of practice. Since then we have grown it to include seven lawyers globally who are dedicated to cybersecurity, making it probably one of the largest in-house cybersecurity legal groups in the country.

Do you have any idea how many similar positions are out there, let’s say in the Fortune 500? Any guess what percentage of companies have created a position like the one you occupy?

Tannenbaum: I haven’t done a formal survey or tally, so I couldn’t come up with a number off the top of my head. I do know there is a small but growing community of in-house cyber lawyers, and we tend to either run into each other or talk on occasion. There’s definitely a number of them out there. It is more common, though, for corporate in-house lawyers to have cyber as one piece of their portfolio with other aspects too, whether it’s privacy, intellectual property or something else.

So what exactly do you do?

Tannenbaum: One of my main roles is advising our chief information security officer (CISO), who is the operational owner of the IBM corporate cybersecurity program. That includes everything from the overall governance model for how to manage cyber risk as a corporation, as well as the company’s policies, tools, employee training, and incident response process. We also have to keep track of the developing laws and regulations all over the world. Cyber is still a relatively new area of law in its formative stages. There are new developments all the time not only in the U.S., but also Europe and Asia and elsewhere. We look at those evolving requirements, but we also have to think beyond specific statutes and regulations and ask questions like, How would the Federal Trade Commission (FTC) think of this issue? Under what circumstances do they take enforcement actions against companies for poor security? What do the courts consider to be reasonable security practices? What are international best practices? And then we have to translate all that into: What should our company’s policies, practices and operations look like?

If they’re going to make a move to enhance their security, do you think that companies that are not as large as yours would likely hire a chief information security officer and not a chief cyber security counsel?

Tannenbaum: They are definitely two separate roles. The CISO is responsible for the operational aspects of securing the company. Most companies will want and need a CISO as their first and most important security hire. In fact, recent laws and regulations have actually been requiring companies to have a CISO responsible for a comprehensive security program. We saw this with the new cybersecurity regulation issued by the New York State Department of Financial Services. If you’re just starting out and figuring out how to secure your company’s assets, the most important thing you should do is to hire a strong CISO and give that CISO the resources, authority and tools to be able to successfully execute that mission.

And your role adds what?

Tannenbaum: It’s the other side of the coin, which is managing the legal risk. All of these cyber threats are creating risks to organizations, and the CISO is dealing with that risk from an operational perspective. The general counsel and the legal team look at the same risk and see, obviously, potential lawsuits, potential actions by regulators, costs in terms of what those types of actions will incur – financially but also reputationally, which is a very significant risk for many companies. Lawyers are also good at asking probing questions and thinking several steps down the road, which is a skill set that can help a company prepare for a range of possible outcomes. You’re really working as partners, the legal team and the CISO, to manage the same risk, but one brings a set of technical skills and responsibilities and the other brings legal skills and responsibilities. If that partnership works well, it can be a very effective combination for significantly lowering your cyber risk.

How do you use IBM’s technology to advance your work?

Tannenbaum: We’re very fortunate to have such incredible capabilities in-house at IBM. Most companies, if they have a breach or a suspicious security incident that needs to be investigated, have to get outside help. They have to hire forensic experts. They have to hire outside counsel. We are very fortunate that we have in-house experts that can conduct those types of investigations globally with our forensic analysts, with our incident response managers, with our legal team.

We also have the IBM security business, and we’re able to benefit internally from the expertise and tools that they use to help protect IBM clients all over the world. Watson is a great example. That’s a technology that is being used in every sector, whether to help find treatments and cures for disease like cancer or to help make cities safer and more efficient, through crunching tons of data and applying cognitive technology to obtain insights that humans cannot achieve at the same volume and speed.

For instance, about 60,000 cybersecurity blogs are written every month. Plus thousands of other reports and articles and social media posts, all of which, together, could be very useful in helping a security analyst better understand cyber threats. Our security business has trained Watson to read all of those blogs and scour all of that information, which no human could possibly do at that scale. As a result, our security analysts are gaining insights that might not have been apparent before because they were hidden in a sea of data.

Can you imagine a day when you report to Watson?

Tannenbaum: [Laughing] No. One thing we always say is that the idea behind Watson is not to replace people. It’s to make people smarter and faster. You still need the human expertise, whether it’s a doctor, a security expert or a lawyer. They still need to perform those functions. Watson will just make them better at their jobs.

Next time we have a telephone call, maybe we can conference in Watson and see what his side of the story is. How does IBM decide whom to share information about breaches with and when to do it?

Tannenbaum: We’ve always been a strong proponent of information sharing. Battling this type of threat, with the pace of evolving technology and techniques and the sheer volume of malware that’s created every day, you need to have the best data plugged into your systems in real time as fast as possible. We’ve advocated for laws that will improve the ability, quality and speed of sharing – we were very supportive of the efforts in Congress to pass the Cybersecurity Information Sharing Act (CISA) two years ago. And we’ve tried to set our own example by making an enormous amount of threat data that IBM gathers public through our X-Force Exchange (exchange.xforce.ibmcloud.com). We also work with other private sector and government entities to help foster the sharing of information.

What’s the X-Force Exchange?

Tannenbaum: It’s a portal that our security business runs. We put over 700 terabytes of threat data on it when we first released it a couple of years ago, and we’ve been updating it on a daily or even hourly basis since then. Other organizations can sign up for the portal, can get access to the data, do research on it, search for different types of malware. It’s our way of making that data available to help protect companies.

Talk about issues that make it tricky to decide what to share with the government. It seems to me that you’re in a particularly interesting position because you have the government perspective from your tech days working for the government, and you’ve had a chance to sit on the other side for a while now too.

Tannenbaum: Having both perspectives is helpful because there has been some distrust between the private sector and the government over information sharing and privacy, particularly after the Snowden disclosures. “If I share information, is the government going to come after me? Is it going to demand that we provide more information? Is it in some way a back door for the government to conduct surveillance of our employees or our clients?” But in reality, when you share cyber threat data, you are sharing technical data about a piece of malware, about a technique used by a bad actor, about an IP address that a bad actor is using as part of their command and control.

In those types of cases, the U.S. government is not looking to read your employees’ emails or look at your intellectual property. That was part of the discussion around the legislation I just mentioned – especially when efforts to pass that law stalled for a bit after the Snowden disclosures. Before Snowden, CISA was viewed as a necessary update to privacy laws that would allow the sharing of technical threat data. But after Snowden, it became a debate about, “Well, isn’t this just the government conducting surveillance another way and getting data to the NSA?” While that was an important issue to address and clarify, CISA was never intended to serve any surveillance function. That just wasn’t the case, and we worked to help make sure the law was narrowly written to authorize only the sharing of technical threat data.

There was also the Apple versus the FBI face-off about sharing information that would allow the FBI to unlock an iPhone that was owned by the terrorist who committed those atrocities in California. Where does IBM stand on that issue?

Tannenbaum: That’s a difficult issue. Sometimes people say the encryption debate pits security against privacy, but it really pits one security interest against another – the security interest of the government and of law enforcement in preventing crimes or terrorist attacks, on one hand, versus the security interest of strong encryption, which is necessary these days to protect data and protect systems. IBM is sympathetic to both of those interests. We certainly understand the law enforcement perspective, but we are also adamantly against efforts to weaken encryption or to create back doors in technology products or software, which could be used not only by the good guys but also by the bad guys to cause more damage. It’s a difficult problem, a 21st century challenge, and we’ll need the best minds to figure it out.

How about deciding when to share and how to share information about breaches with your customers? Is that still as tricky as it seems?

Tannenbaum: For a service provider like IBM, notification is going to be governed either by law or contract. We have agreements with our customers on what they want to be notified about and when. Certainly with any major security issue or breach, you’re going to want to notify them right away. But there is a range of other events – thousands of failed attempts by hackers, suspicious activity that may turn out to be nothing serious but requires further investigation and routine activities on our part to clean up systems and malware. And that’s a discussion we have with a customer at the outset. But if we’re talking an actual confirmed breach or a serious incident, that’s something the customer expects to be notified about as quickly as possible.

How about with competitors in your industry? Are there reasons why you would want to share information? Are there also limits or complications that make this a difficult issue to grapple with?

Tannenbaum: My own view is that sharing cyber threat data should never be a competitive issue. You should never be rooting for a competitor to get hacked and taken advantage of by a criminal group. This is an issue that government, industry and academia should work on together, including competitors. That’s always been our posture.

How widely do you think that attitude prevails?

Tannenbaum: Pretty widely. Everybody has their own proprietary technology or data or intellectual property, but I would hope that most companies and organizations feel the same way. Nobody likes being on the end of a major breach, and none of us should ever wish a cyberattack on anyone else.

We’ve seen plenty of attacks originate from other parts of the world. There are new laws in China. There’s a new privacy regime rolling out in Europe. You have a global team, but how does one person with six additional lawyers deal with the multiplicity of threats and issues all over the world?

Tannenbaum: Again, we are lucky at IBM, because we can leverage not only our cyber legal team, but also teams of IBM lawyers who provide legal advice to the business in countries all over the world. With the law in China, for example, we have a Chinese legal team that helps us translate it, understand it, and advise the company on how to deal with it.

There is quite an evolving mixture of laws to follow. Here in the U.S., state laws for some time have focused on breach notification. But that legal focus has been expanding in recent years to require more preventive security risk management. In places like Europe, there’s a significant focus on privacy and all of the steps that entities need to take to make sure their consumers and employees have their personal information protected, including when data is sent across borders. You have other places in the world where the focus is on data localization, meaning they want to keep their citizens’ data, their corporate data, within their own countries and potentially even give a competitive advantage to technology companies that are domestic. By the way, hackers don’t care about lines on maps, so we don’t believe that mandating local data storage through public policy actually makes that data any more secure.

And there are other countries where governments want to control the flow of data in a way that will maximize their ability to conduct surveillance (without any of the civil liberty protections enshrined in U.S. law). So you’re absolutely right. It’s a constantly moving legal landscape that is still somewhat immature. If you’re going to do business with data around the world, you’ve got to have legal advice, whether in-house or from outside counsel, in those countries as the laws develop.

At what point should a general counsel say, “Maybe it’s time to hire a cybersecurity counselor”?

Tannenbaum: If your company’s business depends on the security or privacy of data – your own intellectual property, sensitive regulated data, the personal data of customers – you need legal guidance about your obligations to protect and secure your systems. In this day and age, many companies will fall into this category. Ideally, you have an in-house cyber lawyer who really understands the business and works every day with the CISO. If you do, it puts you on a more proactive and preventive footing, which is where you want to be. If you don’t have a cyber lawyer, you definitely want to engage outside counsel. But do it proactively. Don’t wait until something goes wrong.