I’d like to applaud the Solarium staff and members for producing a comprehensive and well-thought-out strategy for the next generation of cybersecurity defense in the United States.
The recent Cyberspace Solarium Commission Report had some solid recommendations that I think will go far in helping industry deal with the current situation regarding the national (in)security of our cyber critical infrastructure. In particular, I’m a fan of three parts:
- 5.2.3 – Amending the Pen Register/Trap and Trace Statute to allow companies to engage in defensive measures to fully identify the attackers or the infrastructure used. This will open up a new realm of defensive possibilities for organizations.
- 6.1.1 – Directing the DoD to create a Major Force Program for U.S. Cyber Command, with an appropriate budget.
- 6.1.4 – Reassess and Amend Standing Rules of Engagement (SROE) and Standing Rules for Use of Force (SRUF) for U.S. Forces.
Additionally, I like the overall strategy of formalizing a base set of security standards and reporting, then using private industry to enforce compliance, resulting in a hardened target.
One area where I think we could do a lot more is in enablement of private industry to contribute to the overall security posture of the nation. The report alludes to it, but I think it stops short of what’s really needed to disrupt the equation and beef up the defenses where they’re needed the most – in the private sector.
In today’s highly competitive business environment, many organizations skate a thin line between being in business... and not being in business. Maintaining profitability is critical to remaining in operation. Organizational leadership deals with many risks to profit that go far beyond cybersecurity... like competition, market sentiment, economics, supply chain risks, operational risks, regulatory risks, tax liabilities, weather, politics, and as we know today... even risks from global viral pandemics.
Leadership has its plate full with risks: part of its role is to balance these risks against the budgets it has to work with, and prioritize investments into mitigating, insuring against, or accepting the risks.
Until recently, organizations have generally designed their cybersecurity posture with the threat actors in mind. Organizations allocated the necessary amount of budget to protect against some threat actors, but not others, depending on the criticality of the protected asset, and the motivations of the threat actors.
Most organizations have basic defenses against the threat actors that are the most common, and least complex to deal with. These include thrill-seekers, hacktivists, terrorists, and low-skill cyber-criminals. Some organizations have defenses against the more sophisticated threat actors including insider threats, and highly-skilled cyber-criminals. Very few organizations have defenses against nation-state threat actors. There are many reasons why this is so, but a few are:
- Defending against nation-state attacks is extremely expensive for private industry
- No matter how much you spend, the nation-state probably has more resources to overcome the benefits of the expenditures
- Nation-state actors can leverage attack-vectors that other threat actors can’t
- Private organizations depend on the government to protect them from nation-state actors
To make matters even more complex, the capabilities and characteristics of the different threat actor groups are becoming intermingled, so that an unskilled hacker is able to access nation-state-quality tools (through various leaks of CIA and law enforcement tools), while nation-state actors use open-source, industrialized hacking platforms. In other words, yesterday’s low-skilled hacker is today’s low-skilled hacker with dangerous nation-state-quality tools in his hands.
The report outlines a ‘Whole-of-nation Framework’ that includes citizens, the private sector, and government as part of the layered cyber deterrence strategy. The sections I mentioned previously go a long way to enabling private industry to take a larger role in national defense of cyberspace, but I’d like to ask our government to step up to the plate and actually make this happen.
More regulations and forcing companies to disclose security incidents help the government conduct cyber operations better, but they come at a cost, paid for by the private sector. This cost is drawn from the same budget that’s used to mitigate said risks, so the cost comes at the expense of the very thing it’s meant to benefit. To me, this could end up being a zero-sum game.
Instead, before the government creates more government, before more regulations are rolled out, and before incident reporting requirements are enforced (4.7.1, 5.2.2), government can reduce or eliminate the impact by instituting the following recommendations:
- Financial incentives for the private sector to invest in cybersecurity. Not a research program that will bear fruit in ten years, or a standard, report, or other thought leadership. I think private industry has a grasp on what they could do if they had more money to spend on cybersecurity. There are great tools doing great things, pioneering startups with cutting edge technologies, and well-established companies with commoditized technologies. There’s no shortage of tools to buy. The private sector needs capital and financial incentive to jump into the national defense game.
- Tax breaks. National defense is paid for through taxes; if the private sector is sharing the burden by handling its own cyber defense against another nation’s army, and that is part of our national defense strategy, the cost should be shared.
- Boots on the ground – As part of the third layer of the strategy, ‘Impose Costs’ should mean nations are being held accountable for nation-state-level attacks, which are supposed to be treated as an act of war. By force, some of the operators or critical infrastructure supporting the cyber attacks should be held accountable, serving as a deterrent and putting a higher cost on running cyber operations against the U.S. I think the government can do more by using law enforcement measures and military options to enforce existing cybersecurity laws and international treaties.
- Take our gloves off – I’m not advocating opening a wild-west cyber shoot-out, but private industry has been legislated into a disadvantageous position of a pure ‘defense-only’ security posture. The private sector is being asked to do direct one-on-one cyber battle with the world’s most powerful cyber armies, but we’re only allowed to block, duck, and dodge. I think the changes in 5.2.3 are a decent step in that direction, but we need bigger steps.
In summary, I think the report moves the government’s defense of civilization into modern times, but I feel we can do more. I’d really like to see organizations have more financial incentive to allocate more budget and resources to nation-state-level cybersecurity defenses.