This month on The Adversary Manifesto we’ve been talking a lot about National Cyber Security Awareness Month (NCSAM). While for those of us at CrowdStrike every day of every month is focused on cyber security, we know that for our customers, thinking about cyber security is only one of a number of key activities they must be fully engaged with, so we take our responsibility as a partner very seriously. We also embrace our broader shared responsibility to help secure the internet at a global level. Public-private partnerships are one of the keys to reducing cyber risks, especially cyber risks to our nation’s critical infrastructure.
Earlier this year, I had an opportunity to weigh in at a Senate Homeland Security and Government Affairs Committee hearing, “Strengthening Public-Private Partnerships to Reduce Cyber Risks to Our Nation’s Critical Infrastructure.” If you’re interested, you can read my full testimony, but here is a summary of my views on partnerships with Federal agencies to increase security and resiliency, including the Cybersecurity Framework.
The remarks I delivered at that hearing were based on my experiences over the past 15 years, during which my career was dedicated to reducing the security risks associated with emerging technologies.
Fifteen years of lessons learned have led me to a number of conclusions.
- I have found that the most promising joint government/industry outcomes have been and likely will remain at the strategic level rather than at the tactical level. This includes, for example, the sharing and co-development of risk management plans and security best practices, as well as conducting joint incident response training exercises. Still, tactical efforts, when planned and executed jointly and internationally by the government and the private sector, show great promise. In the spring of this year, CrowdStrike joined a formidable coalition that disrupted the most sophisticated botnet the FBI and its allies ever tackled, GameOver Zeus. Check out the FBI’s press release to learn more. These types of coordinated efforts are well worth replicating.
- The Cybersecurity Framework is a great example of such an effort, prepared by NIST after having worked with over 3,000 individuals and organizations on standards, best practices, and guidelines. I applaud NIST’s efforts, and I recommend that every corporate officer and director read the Framework and consider applying its straightforward approach to cybersecurity enterprise risk management.
- While the government often warns the private sector about ongoing or imminent cyber intrusions, more must be done in partnership with the private sector to focus on raising the costs to the attackers.
- It’s time for the government and industry to join forces to develop and implement technologies and policies that focus less on the vulnerability mitigation aspects relating to information assurance, and more on the threat mitigation aspects of hacker detection, attribution, and punitive response necessary to achieve sustained security.
- The government and private sector must work together to envision, and then drive, strategically effective international standards and multilateral relationships that better position threat deterrent models for the long term. Yet, since 1997, our government has taken concerted actions to privatize and reduce U.S. governance of the Internet. As a result, despite the right aspirational language in the President’s 2011 International Strategy for Cyberspace (PDF), it is not evident how “the United States will ensure that the risks associated with attacking or exploiting our networks vastly outweigh the potential benefits.” To date, the inescapable truth is that the risks associated with attacking and exploiting U.S. networks have been negligible, and the private sector has been left largely on its own – under the threat of government regulation and class action lawsuits – to defend itself against all enemies.
- In my opinion, what needs to happen to best protect the U.S. against cyber attacks is a reassessment of our public/private cyber partnerships. The government needs to shift the focus away from vulnerability mitigation to threat deterrence. In particular, we would do well to consider how we have successfully reduced security risks in other settings and then try to apply those concepts here. In the physical world, threat reduction – achieved primarily through threat deterrence – has been our predominant approach, and it has been largely successful. In physical security – whether describing the safety of nations, businesses, or individuals – safety is most often achieved because potential aggressors are deterred out of fear they will be brought to justice, and actual aggressors ultimately are brought to justice. By way of contrast, our physical safety is not primarily reliant upon missile defense shields, fortresses, and body armor.
There is no doubt that cyber threats present considerable risk to our economic and national security interests, and that these threats continue to grow at an alarming rate. Despite billions of dollars of investment in cybersecurity defensive efforts, and the prospect of spending billions of dollars more, many experts see no hope on the horizon that the overall cyber threat against our country will level off, let alone begin to decline. It is my opinion that this downward spiral is not inevitable and that we can improve our security considerably. However, I also believe that improving our security posture requires that, to a certain extent, we reconsider, rather than simply redouble, the nature of our current efforts.