In our last post, we summarized the discussion highlights from our keynote speakers at the second annual NTSC National CISO Policy Conference. In this post, we summarize two panel discussions and a “fireside chat” that covered cyber threat intelligence, data privacy and security, and the federal government’s role in cyber deterrence.
Like the keynotes, our panelist conversations spread into the audience of CISOs and senior technology executives who asked additional questions and offered unique insights. The depth and breadth of the panelists’ experiences meant that CISOs were engaging national cybersecurity experts from the public and private sector who are most in the know about critical issues—leading to actionable insights that CISOs took back to their companies.
Speaking earlier this year at the Billington INTERNATIONAL Cybersecurity Summit, Jeanette Manfra, DHS Assistant Secretary for Cybersecurity and Communications, said, “Identifying a threat in one area could lead to building defenses against it in all areas, but only if government is fully leveraging information sharing at the scale and speed that the internet enables.”
That’s the vision. But while the federal government and various ISACs have made significant progress with information sharing, the security community is traditionally not very good at sharing and collaborating—even though experience shows that the more we share and collaborate, the stronger we become when dealing with cyber adversaries.
The panelists started off by giving a bleak portrait of cybersecurity’s current state. We’ve made incremental improvements but few fundamental changes as an industry—especially where serious behavioral change is concerned. Essentially, we’re managing risk but not solving risk. Some observations included:
The federal government has improved its understanding of cyber threats, but efforts by the DHS, NSA, and US intelligence community are still maturing. Attribution of cyber threats to serious adversaries (such as nation states) has improved, but we are seeing an increased attack surface through the IoT, increasing impact from individual and often indiscriminate events (such as WannaCry), and more sophisticated tools used by attackers. The media often talks about an impending “cyber 9/11,” but the panelists said it’s more likely that we’ll experience “death by 1,000 cuts.”
Both panelists and attendees brought up the topic of public-private sector trust and the context around shared cyber threat intelligence. The federal government still needs feedback from the private sector to understand how best to share relevant cyber threat intelligence. For example, some organizations are interested in just technical indicators, while others believe indicators are useless without additional context. Currently, interaction between the public and private sector is still often indirect, irregular, and full of distrust. It needs to move toward robust two-way information sharing, but we currently lack an easy mechanism for private companies to receive information back in an operational way. Plus, the private sector often does not consume or act upon the information that is shared. Delays in security clearances (sometimes lasting over a year) don’t help when cyber threat intelligence is often highly classified and CISOs are unable to view the information.
Panelists and attendees ended optimistically on the note that both the federal government and private sector seem to be addressing lingering problems, slowly but surely, and all parties realize what’s at stake by the success—or failure—of effectively sharing cyber threat intelligence.
An extremely lively discussion erupted from our panelists and attendees about data privacy and security, especially so soon after the California Consumer Privacy Act of 2018 was passed. With GDPR also fresh in people’s minds from its enactment in May 2018, the panelists said it’s tough to talk about US data privacy and security in isolation from the rest of the world. Stronger compliance requirements in the EU are influencing more privacy laws in the US. California may signify the beginning of a federal and state data privacy law wave as we see more, not less, regulation and enforcement.
Some of the panelists argued that the wrong data privacy laws impose a high compliance cost on companies and lead to less innovation. While the EU sees data privacy as a human right and took four years to develop GDPR, California’s law took seven days to develop (although the California law won’t take hold until January 2020) and seems to target for-profit businesses and consumer transactions. Fines also give the California law teeth at $7,500 per violation. The haste, lack of private sector input, and eagerness to punish companies associated with the California Consumer Privacy Act concerned many conference attendees.
Panelists called for better national information security standards, enforcement, audits, and mandated controls—thinking beyond just data breach notification legislation and legislative standards. GDPR has led the security industry to change its business models more holistically. How should businesses collect data? What is data? Where is it? Business considerations and operational questions are coming to the forefront as the US makes a stronger shift toward data privacy. The California law is a cautionary example: lawmakers need to understand the practical implications of legislation before passing it, or they risk unintended consequences. In fact, legislators, regulators, customers, and internal employees all need more education about data privacy.
In the meantime, CISOs, CIOs, marketing, and legal all need to have a conversation together to sort out the consequences. One panelist humorously asked the CISOs, “Do you know your lawyer well?” This conversation got the NTSC members discussing how they need to involve more compliance and risk officers in future dialogue and discussion.
Other discussion threads included:
Current proposed legislation such as the Cyber Deterrence and Response Act of 2018, discussion around active cyber defense, and the shifting roles of the US military in cyberspace are all leading to many questions about our approach to cyber deterrence. General McLaughlin and Hancock began the fireside chat by talking about the difference between cyber deterrence and traditional deterrence. For example, nuclear deterrence was established many decades ago and clearly defined what was being deterred, how we were deterring it, and who was deterring it. Everyone in the military hates fighting a war, and it’s the same in cyberspace.
Like traditional deterrence, we want to deter cyber adversaries by:
Cyber deterrence is not anywhere near as established, although recent federal government efforts have been building up more offensive capabilities. US Cyber Command is creating greater capacity and adding thousands of people to help fight adversaries in cyberspace. We are shifting from a “doctrine of restraint” (a passive, reactive position based on Department of Defense guidance in 2015) to the equivalent in cyberspace of fighter squadrons warding off the enemy.
General McLaughlin and Hancock talked about Russia as an example of an adversary actively targeting our critical infrastructure, meddling in our elections, and possibly planting the seeds for a future cyberattack. Right now, Russia is benefiting from its cyberattacks and we’re not hitting back—a clear example of cyber deterrence not working. Russia and China in particular are both working to find our vulnerabilities and beat us before we can even counterattack.
Cyber deterrence is not IT, and it’s not intelligence. Cyber deterrence is cyber warfare, and it requires a different set of skills. How do we mature these capabilities? Because most critical infrastructure is owned by the private sector, these companies are part of the federal government’s cyber deterrence plan whether they like it or not. What if a nation state takes over a dam? What if a nation state shuts down Wall Street’s electricity? What if a nation state installs malware into a water supply network?
CISOs need to ensure basic cyber hygiene, the ability to share cyber threat intelligence, and communication with the federal government to let them know if something is wrong. In today’s environment, you’re not just a business supporting critical infrastructure. You’re now supporting cyber deterrence.
When asked if the US and private sector are on track to properly secure systems from the attacks of adversaries, both General McLaughlin and Hancock said no. While the NSA, US Cyber Command, and DHS are doing all they can, they’re not currently on track to be successful. Our adversaries are not encumbered by the US Constitution. When Russian or Chinese leadership owns government assets directly, they can employ a mix of military and corporate resources to carry out cyber warfare. That’s their version of “public-private partnerships.”
Conversely, the US DoD can’t control corporations or spy on citizens without cause. Because private companies have rights that companies in Russia or China do not, we instead need to create a national plan that provides the cyber deterrence protection we need. Otherwise, while it probably won’t be a cyber 9/11 that gets us, we will instead experience death by 1,000 cuts.
Interested in participating in next year’s conference, joining our Board, or becoming an NTSC underwriter? Reach out to the NTSC at info@ntsc.org.