As cybercriminals shift from stealing customer data to attacking critical infrastructure, a modern cybersecurity strategy calls for more public-private sector partnerships, say experts.
SAN FRANCISCO – As cyberthreats mount globally, experts point to key lessons learned from cyberattacks like the NotPetya malware and foreign influence in the 2016 elections.
While bad actors previously used the web to steal credit card information, now the goal is to destroy critical infrastructure, threatening safety, human life and key institutions.
“For years, the big issue was about theft of PII [personally identifiable information] and credit cards,” said Shawn Henry, former assistant director of the FBI, at an RSA 2018 conference panel on the U.S. cybersecurity posture in the face of increasing cyberthreats. “Now fast-forward within the last 12 months, it’s about the destruction of networks.”
Western societies have watched, sometimes helplessly, as malicious actors use new tools, such as social media platforms, to encourage religious war or to manipulate information, as in the 2016 elections.
Strategies of deterrence haven’t always succeeded because there is “limited cost and significant benefit” for attackers to infiltrate systems, said Jeffrey Tricoli, section chief with the FBI’s Senior Executive Service.
One lesson learned is that governments can get valuable intelligence about malicious actors from the private sector, where cyberthreats often begin.
“The private sector is a crime scene,” Henry declared.
Government, he argued, needs access to this information. The private sector’s networks house evidence that “would be valuable, in terms of future detection and future prevention,” Henry said. “If that intel could get into the hands of people who could action it, we’d see a lot of progress.”
Henry said that while public-private sector partnerships could yield information to deter these increasing cyberthreats, government policies for information sharing remain vague. “We need to hear what information the government wants specifically and the parameters under which this information will be shared,” Henry said.
Further, private companies are hesitant to let governments peer into their infrastructure, noted Emily Mossburg, an advisory principal at Deloitte and Touche, a consultancy. Companies worry about loss of reputation but also loss of control of key business assets, such as servers and data.
“Many organizations continue to be concerned about how much [information] they should share and where they will lose control of . . . an incident,” Mossburg said.
Tricoli also noted that companies lack an understanding of where their critical data resides and who has access to it. This confusion about their crown jewels only furthers their vulnerability.
“Malicious actors have a much keener sense of where the data value lies—more than the business owners,” Tricoli said.
Further, said John Carlin, partner and chair of the Global Risk and Crisis Management group at Morrison & Foerster LLP, companies are hesitant to share information with government entities if they believe that the information will later land them in trouble with those same agencies.
“Companies worry, ‘Will this be used against me in some type of civil or regulatory action?’” Carlin said.
Ultimately, Henry and others emphasized, companies need to be encouraged to share through anonymous networks. Anonymity enables them to disclose information without fear of public scrutiny or court action.
“We need better perspective so we can demonstrate where these attacks are coming from,” Henry said. “Absent that, this goes on indefinitely.”
Centralizing accountability and responsibility is necessary, Henry said, to combat nefarious actors launching cyberattacks. In his view, government should, in fact, mimic the private sector in building a central authority.
“It’s no different from what we do in private sector,” Henry said. “The CISO might ultimately be the accountable executive in a company, but it’s a whole-of-company response. We have the CFO, general counsel, CMO, COO—there are a whole host of people who are all responsible for the integrity of the network, and they all bring resources to fight the fight.”
Ultimately, the panel emphasized, threats to the U.S. are global and require a collaborative, global response.
“The adversary is bringing [our counterparts in other countries] into the fight whether they want to be there or not,” Tricoli said. “We’re all in bed together.”
Henry agreed that the landscape for cyberthreats points the way forward. “The Internet is all connected—it’s a network,” Henry said. “At the end of the day, we’ve got to work with everybody.”
Lauren Horwitz is the managing editor of Cisco.com, where she covers the IT infrastructure market and develops content strategy. Previously, Horwitz was a senior executive editor in the Business Applications and Architecture group at TechTarget; a senior editor at Cutter Consortium, an IT research firm; and an editor at the American Prospect, a political journal. She has received awards from the American Society of Business Publication Editors (ASBPE), a min Best of the Web award and the Kimmerling Prize for best graduate paper for her editing work on the journal article “The Fluid Jurisprudence of Israel's Emergency Powers.”