As long as adversaries can spend $1 on a campaign and force us to spend $10 to protect ourselves, enterprises will lose the war on cybercrime. In the Cold War, the US bled the Soviets dry through a military buildup and Reagan's Star Wars initiative. The Russians and others are now using a similar strategy to financially drain the US public and private sectors in cyberspace.
As the news cycle is inundated with alerts about attacks against our critical infrastructure, cities, and universities, the US Cyber Command has responded with a new "Command Vision." The document provides a sobering read. My attention was drawn to one quote in particular:
Adversaries continuously operate against us below the threshold of armed conflict. In this "new normal," our adversaries are extending their influence without resorting to physical aggression. They provoke and intimidate our citizens and enterprises without fear of legal or military consequences.
While Command Vision sets objectives for the military to regain ground, it is clear that the private sector is also in the crosshairs. State-sponsored and criminal organizations have realized there is little chance of real legal or financial consequences for the foreseeable future. Russia, Iran, and North Korea have found our Achilles' heel. Even worse, they've identified our cyber infrastructure as a vulnerability that is cheap to exploit and makes billions.
But what is the Achilles' heel of cybercriminals? It's that they're lazy. They use advanced persistent infrastructure and tend to reuse tactics, techniques, and procedures over and over again.
Rather than building taller silos of data that become even bigger targets for criminals, US public and private sectors must similarly seek to expand their reach with limited resources. By unifying around common means of intelligence exchange and collaboration, US companies can increase their visibility into events in real time while keeping costs low. Without effective methods to exchange cyber intelligence, enterprises play victim to attackers' strengths, continuing to build and protect larger data troves with common, single points of failure. As Command Vision states, "We should not wait until an adversary is in our networks or on our systems to act with unified responses across agencies regardless of sector or geography." The same applies to the private sector.
Since 1998, when President Bill Clinton signed Presidential Decision Directive 63, we have been on a quest to fuse data and collaborate. In 2015, Congress enabled organizations to work with each other more easily through the passage of the Cybersecurity Act. In May 2017, President Donald Trump called out the importance of information sharing in his Executive Order on Strengthening the Cyber Security of the Federal Government and Critical Infrastructure. Only now, with the growing frequency and severity of attacks, are the government and the private sector beginning to understand the requirement of collaboration. The Department of Homeland Security has begun to make more detailed information available to the private sector through its Critical Information Sharing Collaboration Program (CISCP), and TruSTAR has seen our customers eagerly participate in these efforts. This is a start, but far more work is necessary.
Enterprises and sharing organizations like the Columbus Collaboratory, the Cloud Security Alliance, and CyberUSA are starting to connect through common collaboration platforms to enable parties to exchange data about suspicious events while retaining control over their data. Sector-based organizations are adopting such technology as well, including the IT and retail sectors. These platforms go beyond threat intelligence and fuse disparate data sets related to fraud and physical security events. Shared technology infrastructure enables companies to work from the inside out, streamlining workflows and creating collaborative bonds within an organization first and moving on to supply chain partners, peers, and entire sectors such as IT and retail.
Joshua Cooper Ramo, in his book The Seventh Sense, notes that government's ability to help secure the Internet will be limited given the light speed of the Internet versus the pace of government's ability to act. Stopping the madness begins with the private sector today.
Paul Kurtz will be headlining Dark Reading's Cybersecurity Crash Course, May 1, at Interop ITX.