By Paul B. Kurtz, CEO TruSTAR Technology and Member of Board of Directors, Cloud Security Alliance
“Change or die” is an old phrase computer programmers use to highlight the speed of change in a world of innovation. Its implications go beyond programming and underscore the precarious situation we find ourselves in today. The Washington Post’s Sept. 5 article on U.S. intelligence agencies’ investigation of a “broad covert Russian operation in the United States to sow public distrust in the upcoming presidential election and in U.S. political institutions” through cyber attacks is disturbing but should not be surprising. Russia, China, Iran, North Korea and non-state adversaries understand our dependence on cyber systems as an Achilles Heel of our economic and national security. What is more disturbing is the Federal government’s inability to help. The private sector must now rapidly expand its capabilities to work together to secure cyberspace. The Cloud Security Alliance is taking the lead.
Joshua Cooper Ramo in his book “The Seventh Sense” helps us better understand our traditional national security structure and how our levers of power and current strategy are of limited value in the networked world. Ramo states, “And while we know that effective foreign policy or politics or economics can’t be improvised, the speed of networks now outstrips the velocity of our decisions…” In cyberspace this means sanctions and indictments are necessary, but they take too long to apply to prevent the propagation of attacks. A military response to attacks leaves us waiting and wondering what, if anything will happen. Even if force is used, we can expect a very high threshold before action is initiated.
Russia’s alleged activities are particularly worrisome as they involve corruption of manipulation of systems and information. Typically we think of breaches, disruption, theft, but we do not think about how information can be surreptitiously corrupted or manipulated. Yes the Cold War brought us disinformation but not at Internet speed. Ramo states,
“Even though the connected age lets people around the world see crises and measure problems with unprecedented precision, our leaders can do almost nothing about them.”
The connected age brings good but also allows for mischief that traditional democratic institutions are ill suited to handle. Recall the New York Times Magazine’s June 2015 report on “The Agency,” which operates inside a nondescript building in St. Petersburg, Russia, with “an army of well-paid trolls” focused on causing havoc, including in the United States. Ramo continues,
“Many new challenges exhibit a worrying nonlinearity. Small forces produce massive effects. One radical teenager, a single misplaced commodity order, or a few bad lines of computer code can paralyze an entire system. The scale of whiplashing grows every day, because as the network itself grows it turns pin-drop noises into global avalanches.”
As government flails, companies continue to independently defend themselves spending more money on software, hardware and personnel. Adversaries remain steps ahead developing and sharing tools to defeat firewalls, anti-virus systems, authentication, and behavior-based detection systems. The costs of defending against attacks are going up, while at the same time the costs of conducting attacks are going down according to a recent reporting (See Graphic A).
With the ongoing investigation of Russia, we must assume that their intent extends beyond seeking to influence or unsettle our democratic institutions. We must also assume they are not the only adversary recognizing our acute vulnerabilities. There are other ways corruption or manipulation of data could cause uncertainty and panic. For example, witness the recent press in Bloomberg Businessweek over MedSec’s partnership with Muddy Waters to short sell St Jude Medical’s stock over a possible pacemaker vulnerability. It is unclear whether there really is an exploitable vulnerability but yet the stock has traded down.
All of these signs seem to be screaming, “we must change.” Change must be driven by the private sector as the traditional levers for government to protect us are limited and do not work in the networked age. The first step is beginning to work together — rather than independently — to defend ourselves. This is not a call for the private sector to take up cyber arms and attack others. Such a strategy is fraught with legal and technical challenges. Rather, this is a call for connective defense. A recent study showed that 39 percent of attacks could be thwarted through collaboration between companies. (See Graphic B.) The challenge for companies to date has been balancing market and reputation risks with a return on investment in exchanging incident data. The Cybersecurity Act of 2015 addressed legal challenges, but security and ROI on collaboration have remained elusive.
We can use the power of networking and technology to turn the tables and begin to stabilize cyberspace. The technology exists to exchange incident data securely between vetted parties. Anonymity and redaction allow vetted companies to exchange incident data without market risk or exposing personally identifiable information. This data is correlated providing immediate insight to users. Attack trends and exploits are tracked, and users can securely collaborate with each other. Indicators of compromise and supportive context can be downloaded from the platform by vetted members to help defend systems before an attack. In the wake of an attack, a company can enrich what they know about an incident and quickly understand whether others have experienced similar events and if mitigative measures are available. Incident exchange and collaboration are affordable and scalable.
Several companies have quietly started exchanging data already, including members of the Cloud Security Alliance that are using TruSTAR as the technology backbone of their exchange. As the private sector begins to collaborate, new avenues of protecting ourselves from adversaries will become clear, and the costs to adversaries will increase as risks of contagion are reduced. We can turn the tables, but we have to accept real change.