During our second annual NTSC National CISO Policy Conference, three leading experts in cybersecurity presented keynotes about cyber deterrence, multicloud (and its policy implications), and the Department of Homeland Security’s relationship with the private sector. Each keynote presentation was followed by vigorous discussion from CISOs and senior technology executives who attended from across the United States—building upon the important points shared by each speaker.
The discussions among the keynote speakers, CISOs, and senior technology executives showcased the NTSC’s important mission of bringing the public and private sector into productive dialogue with each other. These candid conversations matter to CISOs and lead to action items (facilitated by the NTSC) that impact national cybersecurity standards.
After many major cybersecurity breaches and ransomware attacks over the last few years, companies are getting angry and considering ways to fight back. Many want to “hack back”—and proposed bills such as Tom Graves’s (R-Georgia) Active Cyber Defense Certainty Act (ACDC) and Ted Yoho’s (R-Florida) Cyber Deterrence and Response Act show Congressional interest pointing in the direction of that anger.
However, hacking back is very risky, which makes the efficacy of these bills questionable despite the urge to act against cyber adversaries. Business executives and CISOs have also received many conflicting signals about the legality of cyber deterrence. In other words, how do companies protect information aggressively without breaking the law?
Geoff Hancock focused his talk on the private sector CISO and discussed how a change in active cyber defense policy needs to occur within companies. To start, CISOs need to develop a clearer understanding of the difference between hacking back and active cyber defense—with the aim of finding the right middle ground. Establishing some definitions to help frame the discussion, Hancock clarified that:
Graphic from Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats, Center for Cyber & Homeland Security, The George Washington University
In other words, an active cyber defense strategy serves as a more practical middle ground between hacking back and passive defense. Companies struggling to set up an active cyber defense strategy need to assess their maturity for such a program and change their mental perspective about the way they approach defending information. When CISOs asked if active cyber defense is just another form of passive defense, Hancock said that active cyber defense skills—both technical and policy skills—are not typical in a traditional passive defense posture. An active cyber defense program requires that a company formulate a clear cyber deterrence strategy and develop strong cyber threat intelligence sharing.
CISOs pointed out they can’t do this alone and need help from the DHS and US Cyber Command. Problems requesting important information from DHS (such as targets and motives), delays receiving access to classified information, and the slow declassification of information may inhibit the success of active cyber defense programs. Hancock recommended starting an active cyber defense program with a company’s most important data and using that initial foray to start educating security teams sooner rather than later. And as Rick Driggers mentioned in his keynote (see below), DHS is working to improve cyber threat intelligence sharing that will help a company’s active cyber defense efforts.
As a rapidly evolving area of cloud computing that businesses are quickly embracing, multicloud also creates implications for cybersecurity laws, policies, and regulations that may affect this technological adoption. While multicloud may mitigate business risks and offer more agility for organizations, many cybersecurity questions emerge around the use of multiple cloud vendors, an organization’s security posture, and governance.
Today, it’s nearly impossible for businesses to operate using just one public cloud. Instead, we see more and more multicloud architectures. However, organizations try to “contain complexity” with multicloud when workloads are managed per environment, visibility and control stops at the boundaries between the cloud environments, and operations are domain- or vendor-centric. To engineer simplicity (rather than contain complexity) within the multicloud requires the following four qualities:
Koley said these same four qualities are applied to utilities such as water or electricity, making them reliable. Multicloud must become as reliable as a utility. He then talked about the key points of connecting, orchestrating, monitoring, and securing a multicloud.
One of the key points Koley emphasized is that organizations need deep and wide visibility into their overall multicloud infrastructure. This is where AI and machine learning (ML) can be leveraged to figure out patterns from complex data sets across the multicloud. Humans are no longer reliable enough to monitor cloud infrastructure for security issues.
For example, organizations are notorious for taking way too long to address security vulnerabilities and apply patches—at best taking weeks, and at worst taking months. However, AI can be used to carry out simple policies such as applying critical patches within a day.
Another key policy problem with multicloud is different cloud platforms not talking to each other. When a threat is detected, it’s important to enforce security as close to the threat as possible. However, if different systems can’t talk to each other, then it’s difficult to detect a threat in the first place. Koley noted that security teams and policy teams are often not made up of the same people, so these teams need to collaborate more in the context of a multicloud environment. He urged technical and legal teams to converge as AI software comes to understand and enforce policy, leading to simplicity in security policy across the multicloud despite the complexity of the architecture.
CISOs asked about rebellion from IT and information security teams who don’t want their jobs replaced by software. Koley mentioned that software can replace boring work and free teams up for more exciting work. But more importantly, without visibility across all multicloud infrastructure, you can’t secure it. And different, inconsistent security policies for each cloud platform will lead to security and liability issues. Human beings simply can’t apply consistent policies across multicloud. Software needs to do it. Koley noted that as new clouds quickly come along, software can keep up where people cannot.
Continuing the dialogue begun back in February at the NTSC’s Northeast Regional CISO Policy Roundtable, Rick Driggers gave updates about the DHS’s progress over the last six months, along with an overview for CISOs not familiar with the progress made over the last few years. Driggers sincerely asked the private sector CISOs in the room to help improve the public-private partnership. Quite simply, the federal government can’t do it alone.
In March, DHS released its new cybersecurity strategy that included five pillars and seven goals:
Pillar I: Risk Identification
Pillar II: Vulnerability Reduction
Pillar III: Threat Reduction
Pillar IV: Consequence Mitigation
Pillar V: Enable Cybersecurity Outcomes
Driggers talked about current and future improvements to the DHS’s cyber threat intelligence sharing that help inform private companies about active and potential threats. The DHS also continues to provide proactive assistance to the private sector (such as vulnerability assessments and incident response teams) and is focusing on initiatives of interest to CISOs, such as addressing supply chain risks.
Of course, Driggers addressed the elephant in the room, AIS, and acknowledged that DHS has been receiving lots of feedback to help improve AIS as it plans to update to AIS 2.0 and STIX 2.1. These updates will give DHS further opportunities for upgrades and improvements to how AIS works. DHS is aiming for feedback at machine speed, more relevant indicators with more context, and better confidence metrics.
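As an added illustration of the "more context and better confidence metrics" goal described above (example code written for this post, not DHS's or AIS's own software): a small consumer-side triage of a STIX 2.1 indicator bundle that rejects indicators lacking a description or confidence score, expired ones, and those below a locally chosen confidence threshold. The bundle contents, the threshold and the rule that a description is required are constructed assumptions, not AIS requirements.

```python
# Added example: consumer-side triage of a STIX 2.1 indicator bundle. Assumptions: the feed
# delivers STIX 2.1 Indicator objects; threshold and "description required" are local policy.
import json
from datetime import datetime, timezone

REQUIRED = ("id", "created", "modified", "pattern", "pattern_type", "valid_from")

def _ts(stix_time):
    # STIX timestamps are UTC and end in "Z"; drop fractional seconds and the "Z".
    return datetime.strptime(stix_time[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def _indicator(uid, pattern, **extra):
    # Build a constructed STIX 2.1 Indicator (hypothetical data, not real IoCs).
    base = {"type": "indicator", "spec_version": "2.1", "id": "indicator--" + uid,
            "created": "2018-08-01T00:00:00.000Z", "modified": "2018-08-01T00:00:00.000Z",
            "indicator_types": ["malicious-activity"], "pattern": pattern,
            "pattern_type": "stix", "valid_from": "2018-08-01T00:00:00.000Z"}
    return {**base, **extra}

# Constructed sample feed: one usable indicator, one weak, one expired, one without context.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111", "objects": [
    _indicator("aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "[email-message:from_ref.value = 'mailer@example.com']",
               description="Sender used in a constructed phishing wave", confidence=85),
    _indicator("bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb", "[ipv4-addr:value = '203.0.113.5']",
               description="Scanner seen once", confidence=20),
    _indicator("cccccccc-cccc-4ccc-8ccc-cccccccccccc", "[domain-name:value = 'example.net']",
               description="Retired C2 domain", confidence=90,
               valid_from="2018-01-01T00:00:00.000Z", valid_until="2018-02-01T00:00:00.000Z"),
    _indicator("dddddddd-dddd-4ddd-8ddd-dddddddddddd", "[url:value = 'http://example.org/constructed']"),
]})

def triage(bundle_json, min_confidence=50, now=None):
    """Split a bundle's indicators into accepted ids and {id: reason} rejections.
    `now` is a STIX timestamp string; it defaults to the current UTC time."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    accepted, rejected = [], {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # relationships, identities, etc. are not triaged here
        missing = [f for f in REQUIRED if f not in obj]
        if missing:
            rejected[obj.get("id", "<no id>")] = "missing " + ", ".join(missing)
        elif "valid_until" in obj and _ts(obj["valid_until"]) < now:
            rejected[obj["id"]] = "expired"
        elif "confidence" not in obj or "description" not in obj:
            rejected[obj["id"]] = "no confidence or context"
        elif obj["confidence"] < min_confidence:
            rejected[obj["id"]] = "low confidence"
        else:
            accepted.append(obj["id"])
    return accepted, rejected
```

Running `triage(SAMPLE_BUNDLE, now="2018-09-01T00:00:00.000Z")` accepts only the first indicator and records a reason for each of the other three.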
DHS continues to struggle with very few organizations signing up, although the picture is more complicated than the public reporting that only six private companies have signed up for AIS suggests (e.g. many private companies share threat information through ISACs). However, even the best spin on private sector participation still shows AIS has a long way to go before it becomes truly impactful. The reality is that not a lot of companies are sharing threat indicators. DHS wants to receive more cyber threat information from the private sector because private companies have visibility into global threats that DHS lacks.
The reasons for lack of participation were brought up by CISOs.
However, Driggers made an excellent point about why private sector companies need to eventually come on board with AIS no matter the difficulties. Even if a private company isn’t considered critical infrastructure, the threat indicators it shares can help critical infrastructure and, thus, national security. Utility companies or healthcare organizations that need DHS’s help benefit, as a result, when the broader private sector shares threat indicators through AIS.
Many of these keynote talks interwove nicely with our panel discussions, which you can read about in our follow-up post.