Most companies that have a hand in building, operating, and maintaining our nation’s critical infrastructure know the promises of digital transformation: greater efficiency, better customer experiences, and innovative business models (e.g., digital services). Most are on board with the fact that securing critical infrastructure must go hand in hand with running it. Cybersecurity is now a business strategy.
Despite working hard to secure the nation’s critical infrastructure, many remain reluctant to share attack information with each other — let alone the only entity that legally can fight back against nation-state cyber attacks: the government. In the financial sector, for instance, the idea of sharing cyber incident information makes many C-suite stakeholders shudder. It’s understandable to think that information sharing may cause big bank A to give up its competitive edge to big bank B: “their data breach and loss of reputation are our gain.”
Fortunately, this view of cyber threat information sharing is starting to erode. The Texas Bankers Association, for instance, is a model for taking on a new perspective about threat sharing and its role in enabling sectors to defend together as one. This Collective Defense approach, where community and large banks band together to rally around the same threat to mitigate it quickly, echoes what the National Cyber Director Chris Inglis has said, “You must beat all of us to beat one of us.” To do this, “We must ‘crowdsource’ our ability to identify and stop transgressors in much the same way they crowdsource their exploitation of us” (p. 8).
Now, we must fast-track a mind shift about what threat sharing really means in cyber. Signed into law this March 15, the Cyber Incident Reporting for Critical Infrastructure Act requires the reporting (to CISA) of certain cyber incidents within 72 hours and/or the reporting within 24 hours of a ransomware payout. Although this law is an important milestone in recognizing the importance of threat sharing in cybersecurity, much more needs to be done.
In cyber, “incipient” should be the focus not “incident.”
The major shortcoming in this new law is this: the focus is on reporting “incidents” instead of exchanging information related to “incipient” threats. Wouldn’t you rather prevent an incident — or at least detect it very early in the intrusion cycle before there is business impact or destruction — instead of after the fact?
Exchanging actionable threat intelligence during an attack's incipient stage is the only way to proactively defend our critical infrastructure against nation-state threats, especially as the threat of a Russian-backed cyber attack looms. Destructive cyber attacks require the same level of defense as other forms of alternative warfare to stave off threats well before adversaries reach their endgame.
By working together to build a real-time “cyber radar picture,” private companies can be real agents of change in defending critical infrastructure alongside the public sector. Creating a public-private partnership for shared defense, as highlighted in the March 2020 Solarium Commission Report, and as called for recently by senior cyber administration officials, is one of the key steps. Because we can anonymize this threat-related information, we also can share it with the government for true Collective Defense.
The energy sector: a pioneer of Collective Defense
This is work that the energy sector, led by companies such as Southern Company, has helped to pioneer. Energy companies have extended their concept of "mutual aid" -- where they come together to help restore power during major events -- to the cyber realm. Collective Defense allows them to exchange real-time threat information with the government at network speed, so the government can deflect the “cyber missiles.”
Let me be clear: Threat intelligence exchange, as enabled in IronNet’s Collective Defense platform, is based on anonymized data. I have worked for the past eight years with elite data scientists and cyber analysts to make the exchange of anonymized threat intelligence (based on metadata) possible, while complying with the Cyber Information Sharing Act of 2015.
Getting on board with the concept of exchanging threat information in real time between and across sectors is long overdue. We must come together now to secure our nation.