In the last few years, the lines between cyber criminals and nation-states have become increasingly blurry and it has become obvious that the private sector is not capable of handling cyber threats on its own, Chris Inglis, former deputy director of the National Security Agency, told the crowd at World Cyber Security Congress this week.
The WannaCry and NotPetya attacks – generally attributed to North Korea and Russia – have shown that an organization doesn’t even have to be the target to become a victim.
These and previous attacks targeting election systems (US), electric grids (Ukraine), and other critical infrastructure (UK NHS), should also be taken as evidence that there’s a larger game afoot: a contest of wills and a competition for strategic leverage fought by nation-states in cyberspace.
Collaboration between governments and the private sector
These attacks are largely aimed at undermining the trust users have in those critical systems and, as such, are attacks on the confidence and the psychology of a nation, Inglis noted.
This new reality will force the private sector to view the government as a partner in this battle and seek its assistance, especially because the government has the authority to impose consequences on adversaries and can take collective actions against nations-states and entities that act like nation-states.
At the same time and with the same goal in mind (safety of the nation/society and citizens), the government must also continue its work as regulator, to curb the apetites of those that might want to put the pursuit of profit before the need of imbuing software and hardware with resilience and robustness that will help defend critical services.
Inglis is of the opinion that the role of partner and defender must be a government’s primary obligation and that it should use a very light but necessary touch when it comes to applying regulation.
But it’s obvious that cooperation between the private sector and the government in fending off cyber attacks is crucial in this day and age, he says. They need to figure out how to collaborate effectively, to complement each other’s efforts and not duplicate them. Finding a balance between the need for privacy and confidentiality (on both sides) and the need for sharing is difficult, but mechanisms to reconcile those needs do exist.
Most organizations have generally accepted that prevention and security is impossible, and they have turned our efforts towards assuring the defensibility of our data and core operations.
They have accepted that reacting to threats is no longer enough, and that constant situational awareness to detect problems in their incipient phase is needed – particularly to minimize the danger of insider threats. Also, that defense supported by data analytics and artificial intelligence is no longer just an option but a neccessity, and so is sharing at machine speed.
When it comes to strategy, though, it is firstly important to make plans. “In the absence of strategy nothing is strategic,” Inglis pointed out, so planning must be done at the individual level, corporate level, and government level.
Secondly, we know that we can’t defend everything against all perils, so we need to prioritize. Then we need to imbue hardware, software, protocols, procedures, and human capabilities with sufficient robustness and resilience to withstand some degree of attack. We also have to build a defensible system and we then actively defend it.
But while imposing consequences on adversaries for passing those barriers should be a viable option for discouraging future attacks, there is no sense in imposing them if we haven’t first ensured that our own infrastructure is somewhat robust and resilient against the imposition of consequences.
The same goes for taking the fight to the adversary, Inglis noted. “We’ve no business taking the fight to the adversary if we haven’t first defended our own town.”