As a Nation, we cannot effectively expand the competitive space to mitigate near-peer competitors from executing large-scale cyber intelligence or attack operations without a “whole-of-society” approach to cyber risk. The recent SolarWinds supply chain compromise — potentially impacting at least 18,000 organizations — has made this clear. We must move beyond simple cyber threat information sharing and take a more real-time, collaborative approach to cyber risk by leveraging the collective authorities, visibility, expertise, and expert capabilities of our entire society: government, academia, and industry.
Many organizations leverage some form of cyber risk analysis to inform their overall risk posture, determine where and how to invest in technology, and how to prioritize resource allocation. Unfortunately, many efforts to identify and mitigate cyber risk are often siloed to the organization doing the analysis and/or the company to which it was outsourced. This makes sense at a tactical level, given the risk posture is often different depending upon the organization. However, this exercise should be a team sport at the strategic level. As a society, we must leverage our collective strengths to identify and minimize cyber risk together to counter the likes of China and Russia. Using the components that make up cyber risk provides a framework for this approach.
Threat
A cyber threat — an adversary that has the capability and intent to do harm — is the first and most critical component of cyber risk. From a nation-state perspective, this is broadly referred to as an “Advanced Persistent Threat.” The problem is that most of academia and industry cannot outwardly address the threat other than by attributing through cyber threat intelligence, seeking to publicly shame through public reporting, impacting adversary attack infrastructure, and providing support to law enforcement. Although these are valuable response options in their own right, they are not enough to result in a desired end state long term.
The government, however, has all elements of national power available to counter the threat directly. For a few basic examples:
- The Treasury Department can impose economic sanctions.
- The Department of Defense can conduct cyberspace effects operations to counter malicious cyber activity.
- The Department of Justice can charge malicious actors internationally.
- The Department of Homeland Security can share information relative to the actor to illuminate new connections.
Increasing public-private partnerships, like what currently exists in parts of the critical infrastructure sector, would give government and industry important synergies and insights to help manage these nation-state threats.
Vulnerability
Cyber vulnerabilities exist in every network across the public and private sectors, from misconfigurations to the absence of encryption to malicious insiders and manufactured software vulnerabilities — the threat landscape is growing every day. With the sudden transition to remote work due to the pandemic, malicious actors have capitalized on this new opportunity to target victims on networks that sacrificed security for speed, making increased data security more critical than ever. So, where is the “center of excellence” for addressing the vulnerability component of cyber risk? Everywhere.
Unlike response options against the adversary, the government does not have a clear upper hand in identifying and remediating vulnerabilities — industry and academia do. FireEye, a private cybersecurity firm, identified the catastrophic SolarWinds hack that affected government agencies and the private sector. Although federal agencies such as DHS and CISA can lead government responses and share information and recommendations, when it comes to cyber vulnerabilities, it is the private sector and academia that must lead.
Consequence
The reality is that vulnerabilities seem to be omnipresent and will inevitably be exploited by a nefarious actor. Their ROI is too high not to. While we must get it right 100% of the time, bad actors only must get it right once to gain entry. Organizations should assume they have been compromised and must prepare for breaches and be ready to execute a plan to mitigate damage. At this point in the cyber risk equation, if an organization assumes the adversary threat could not be deterred or stopped, the vulnerability cannot be remediated and is going to be exploited. The focus must be on minimizing the consequence (read: impact) of the inevitable. This requires government, industry, and academia to pivot their collective focus to resilience and work together to implement zero trust concepts into cybersecurity strategies, regularly back up critical data, embed secure out-of-band end-to-end-encrypted (E2EE) collaboration capabilities, and regularly share threat information that could warn of an impending attack.
In the case of the SolarWinds breach, the adversary is likely still in victim networks, monitoring their actions and mitigation plans, giving them access to mission-critical information, and observing countermeasures. Having a compliant E2EE collaboration platform that organizations can use to communicate and collaborate between government, industry, and academia is imperative.
Being able to freely discuss a breach, remediation efforts, and even early preparation for a future compromise with outside partners and without operational security concerns is a key means by which we can tactically offset competitors like China and Russia in cyberspace. Effectively expanding the competitive space under the auspice of Great Power Competition to minimize strategic cyber risk will require a whole-of-society approach that combines the strengths of government, the private sector, and academia.