Cyber – It’s a Team Sport
It’s been said that the commercial and public sector cybersecurity are too different to address in common. We’ve heard that national security-level cyber threats are beyond the concern of the private sector.
While that might have been true in the past – and I don’t believe it ever was true – we’ve come to a different realization.
First, sophisticated threats aren’t confined to one sector or another. StuxNet appears to have been targeted against Iran’s nuclear program; StuxNet itself was crafted, we read, as an exploit against a proprietary, commercial industrial control system, one in use in the critical infrastructures owned and operated largely by the private sector. Regardless of who crafted StuxNet, its sophistication, which included four zero-day components (i.e., cyber exploits not seen previously), is impressive. The current debate over Flame also appears to point to the possibility of state-sponsored capabilities used to generate very advanced malware. For the private sector, sadly, such malware can be used without any distinction against commercial or public sector targets.
Which bring us to our second point - that the US Government points to targeting of US firms (and, by logical extension, of the first of other industrialized countries) by the intelligence services of other governments. Read the 2011 report of the US National Counterintelligence Executive at: http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf. Among the report’s most salient findings:
“Economic espionage inflicts costs on companies that range from loss of unique intellectual property to outlays for remediation, but no reliable estimates of the monetary value of these costs exist. Many companies are unaware when their sensitive data is pilfered, and those that find out are often reluctant to report the loss, fearing potential damage to their reputation with investors, customers, and employees. Moreover, victims of trade secret theft use different methods to estimate their losses; some base estimates on the actual costs of developing the stolen information, while others project the loss of future revenues and profits. “
It’s clear: Our adversaries don’t distinguish between the public and private sectors.
Third, we know now that targeting critical infrastructure owned and operated by the private sector is a national security concern. In our country, and in many others, most infrastructure is not owned by the Government, even if it’s subject to government regulation. The security of our country depends in large part on our ability to sustain our critical infrastructures for financial services, energy, health care, transportation, communication, and other needs. Enhancing national security, or diminishing it, goes well beyond military systems. It extends to any critical infrastructure that depends on information technology.
Fourth, public-private partnerships to share information about incidents, threats, and mitigation is the subject of proposed legislation written in the recognition that threats common to the public and private sectors need common information and common approaches. While the Cyber Intelligence Sharing and Protection Act proposed by the House Intelligence Committee has raised civil liberties concerns, concerns I hope are addressed and resolved, the larger issue is that the public and private sectors must exchange threat and technical information to confront a global, pervasive, and dynamic cyber challenge. The rising level of activity in the various industry-specific Information Sharing and Analysis Centers, or ISACs, points to the realization that we cannot wait for legislation to take effective action to meet this challenge.
We shouldn’t wait, and we can’t. Our nation and our allies succeed when we bring together the best of what our public and private sectors offer. During WWII, industry mobilized its technologies and productive capacity in concert with the government to overwhelm our adversaries. Public-private information sharing has wiped out epidemics, established the technologies and standards that built a global information infrastructure, and presented us with a fabulous array of new technologies and services that can enrich our lives today and tomorrow. The cyber problem is tough, but it’s not too tough for us to manage. CSC’s approach, the Security Stack, helps us break down this daunting problem into an “architecture” of requirements, capabilities, and actions, consisting of levels that build, one on another. Such an approach allows us to take on each piece of the problem as we’re ready to do so. So, yes, we can get this right.
But, we’ll only do so if we work together.