Recently, a private-sector partner opined that it would be nice if the millions of dollars he was putting into defense weren’t defeated by a $500 tool easily rented online. It doesn’t matter whether you’re from a government agency, a contractor, or a retailer – no one seems to be immune to this problem.
But there are some relatively simple steps that we can take to make those investments more effective against the $500 tool. Just as a neighborhood bands together to raise its collective safety, we can work as a community to strengthen our collective defenses to make it harder for those who wish to cause harm.
First, we can broaden how we think about cybersecurity to make our defenses more effective. The Cybersecurity Framework issued earlier this year helps us do that. The Framework’s greatest strength is that it is deeply rooted in how businesses actually manage risk in the real world. In taking a risk management approach, the Framework recognizes that no organization can or will spend unlimited amounts on cybersecurity. Instead, it enables a business to make decisions about how to prioritize and optimize its cybersecurity investments.
We want to hear from the community, so the National Institute of Standards and Technology (NIST) recently issued a Request for Information to gather experiences on use of the Framework, with a comment period that goes until October 10. I encourage you to send us your thoughts. Please go here to submit comments.
Next, we can talk with each other more. Clearly, we’ve been discussing information sharing for some time, but what I am talking about goes beyond the broad concepts to build on the day-to-day sharing that already occurs. Collectively, we need to understand what the government can do and we need to understand what the private sector can do. Then, based on that understanding, we can decide what actions we might want to take in certain situations; for example, what concrete actions both the government and private sector might take to defeat a distributed denial of service attack. From that understanding would flow the information requirements to take those actions, and it would define who needs to provide what kind of information to whom on what timeline.
In going through this process, we will certainly identify barriers to sharing the information we need. But such a process will give us a better idea about how to knock down those barriers. To get to this level of detail, we need more trusted groups around functions, topics, regions, and industries. While we can do a lot under current law, there will be some barriers we cannot overcome under existing authorities. We again urge Congress to move forward on cybersecurity legislation that protects our nation as well as our privacy and civil liberties.
Finally, we can build our capacity to jointly respond to and recover from significant incidents. Many have argued that cyberspace has no borders. I would argue that this is not entirely correct. There are borders and boundaries throughout cyberspace – everywhere a network or a router touches, in fact. And we are creating more borders every day. Everyone “lives” and operates at the border. Therefore, unlike the physical world, we cannot just assign the role of border security to the federal government. Cybersecurity is an inherently shared function. Therefore, we must build on our understanding of each of our capabilities and authorities to develop a collaborative approach to effectively responding to and recovering from significant incidents before they escalate.
We can make it harder for the bad actors, and we can make the millions invested in defense more effective at defeating cheap hacking tools. But to do so, we must work together to create new and better versions of trusted networks that can adapt rapidly based on the threat we jointly face. Through the Department of Homeland Security and the other lead federal agencies, we are working to create exactly these kinds of partnerships with our private-sector partners. Some companies and sectors are already moving in this direction, and I appreciate their forward-leaning efforts. Over the coming months, we will look to deepen these nascent partnerships and expand our efforts more broadly.