On the modern battlefield, commanders and others share information in real time to gain a common, accurate view of what’s happening so forces can react quickly to whatever occurs.
The fight against cyber criminals should be no different.
When it comes to identifying attackers’ constantly changing tactics and the best defense strategies, information is power.
But, alas, this too often is not the case today. The public and private sectors have lacked formal mechanisms for quickly sharing threat information, hampering the extensive and seamless collaboration needed to address a cybersecurity problem that keeps worsening.
Global cybercrime costs are growing 15 percent annually and are projected to reach $10.5 trillion by 2025, according to research firm Cybersecurity Ventures. If it were measured as a country, cybercrime would be the world’s third-largest economy after the United States and China.
Ransomware attacks, designed to cripple organizations by locking up their computer systems until they pay cryptocurrency, are especially on the rise. The Cybersecurity and Infrastructure Security Agency (CISA) reported that 14 of the nation’s 16 critical infrastructure sectors experienced ransomware attacks last year.
As everything has gone digital, companies and government agencies must face a disturbing reality: All it takes is one person in an organization to have a bad day — whether it’s Bob in the finance department who is fooled by a phishing email into clicking on malware or Betsy in IT who fat-fingers a command while configuring a network device — to expose their enterprises to hackers. In cyber defense, you are always subject to the weakest link in your chain.
It is tempting to believe that technology alone can solve the entire cybersecurity issue, but while solutions for protection and post-attack recovery are potent and invaluable, they’re only one part of the puzzle.
A greater flow of threat intelligence and breach reporting through formal processes also is needed to win a war in which malicious actors are constantly coming up with new tricks. We need cybersecurity leaders and peers in both the public and private sectors to keep up with the bad guys by constantly collaborating, coordinating, and liaising with each other.
After all, businesses and government are deeply interconnected in trying to meet the cybersecurity challenge. For proof of that, one needs to look no further than the SolarWinds hack, in which attackers believed to be directed by the Russian intelligence service acquired sensitive government information by targeting companies with government contracts.
Unless corporate and government security experts become more intentional and systematic in learning from one another in real or near-real time about the latest threats, critical information will too often remain siloed. The world can no longer afford that. Cyber defense has to be a team effort.
Fortunately, there are signs of progress. In mid-March, President Biden signed the Strengthening American Cybersecurity Act, which requires businesses considered “critical infrastructure” to report cybersecurity incidents to a federal agency within 72 hours and any ransomware payment within 24 hours.
While implementation specifics are still being worked out by CISA, the law will add to the nation’s collective knowledge about cyberattacks by creating a record, for all to see, of vulnerabilities exploited, defenses that were in place, types of information compromised, and, if known, any information about the attackers.
In addition, President Biden’s Executive Order on Improving the Nation’s Cybersecurity, issued in May 2021, includes actions designed to remove barriers to threat information sharing between the public and private sectors.
The order directed CISA to work with the Office of Management and Budget to recommend contract language that makes sharing critical data easier and established a Cyber Safety Review Board, co-chaired by government and private sector leads, to convene after a major cyber incident, analyze what happened, and make recommendations for improving security.
These measures are a helpful start, but anybody who has moved from the public to the private sector — as I did in May when I left my position as acting chief information security officer (CISO) at the CIA for a similar role at cybersecurity company Rubrik — is well aware of the need for a more substantive threat-intelligence-sharing partnership.
But how? Here are a few ideas:
1 – CISOs often talk informally with each other about what’s happening, but their insights stay within the group. That wastes an opportunity to inform others and leads to isolation of time-sensitive knowledge. There needs to be a way to promulgate threat intelligence and best practices to a wider audience.
For example, my company in June named Chris Krebs, the first director of CISA, to create and lead a strategic CISO advisory board to help private and public sector organizations tackle the growth of ransomware and other cyberattacks. It’s an example of how valuable it can be for companies from across the cybersecurity industry, along with key government stakeholders, to jointly act as information clearinghouses and go-to authorities on the latest threats and ways to mitigate them.
2 – A company could sponsor a network of cybersecurity leaders and authorities, similar to Gartner’s Peer Connect, which describes itself as “the world’s most influential network of business leaders” and “a community of your peers to discuss key issues and to inform your critical business decisions.”
3 – Anyone can visit the State Department website and learn about threats in any country, from armed combat to crime to disease, before deciding whether to travel there. The Department of Homeland Security maintains the National Terrorist Advisory System, which provides timely, detailed information about terrorist threats. Perhaps CISA can do something similar on the cybersecurity front.
The nation’s cybersecurity posture would benefit greatly from such open lanes of communication. We need those on the front lines to be constantly learning from each other. With a more collaborative approach, cyber criminals will be facing a defense that’s greater than the sum of its parts.
Michael Mestrovich is chief information security officer at zero trust data security company Rubrik and former acting CISO at the Central Intelligence Agency.