A New Cold War Begins and the Private Sector is on the Front Line

The escalation underway between Russia and the United States in cyberspace is a far cry from where we were two years ago with North Korea’s attack on Sony Pictures. The private sector should take note and buckle up — now. The players may be super powers, but the battle takes place on networks that are owned and operated by the private sector. The weaponry is code delivered quietly and instantaneously with little distinction between government and civilian targets. Adversaries can cloak and deny activities making attribution difficult. The private sector is on the front line, and it is very much in question whether the government can defend us in a timely way.

While the Russian attacks did not affect our critical infrastructure, we must assume that these systems will be targets for disruption, corruption, and destruction by Moscow or other adversaries. It would be naïve to think otherwise. We know that information networks supporting our power, transport, health and finance infrastructures are vulnerable.

Our traditional national security tools are ill-suited for cyberspace, including economic sanctions, criminal investigation, and the use of physical military force. Joshua Cooper Ramo in his book The Seventh Sense states that networks will “enforce, whether we like it or not, a complete change in the apparatus of power, politics, economics, and military power.” Sadly, the age of cyber warfare is here to stay. The inability of the government to protect us underscores the urgency of the private sector to work together. This is not a call for the private sector to arm-up with cyber weapons. Rather it is a call to pull a page from what our adversaries do every day: actively exchange information about exploits and vulnerabilities.

Adversaries — whether nation states, cyber mercenaries, or criminal organizations — have efficiency on their side. They reuse vulnerabilities, malicious code and attack infrastructure against multiple targets. The bandwidth costs of conducting a large-scale attack fell 90% between 2010 and 2015, and will continue to decline by 30–40% per year according to Help Net Security.

Meanwhile, the economics of an individual company seeking to defend itself make little sense. The costs for companies to defend against attacks has increased over 20 percent in the last two years, and the average economic damage inflicted by a successful attack has increased nearly 25 percent since 2013 according to a 2016 study by the Ponemon Institute.

Last year the Congress passed the Cyber Security Act to clear liability and anti-trust concerns associated with exchanging incident data between companies to defend against cyber-attacks. There remains reluctance among companies to work together because of market and reputation risk as well as little value to operators charged with securing networks. Private sector companies like TruSTAR Technology have responded with new, cost-effective technology to enable companies to exchange data without attribution within secure communities giving operators immediate insight into attacks underway. The non-profit Cloud Security Alliance started such a community this summer, and an active exchange is now building.

Similarly, CyberUSA, a private sector-led, non-profit network of states is focused on working together to secure cyberspace. Since the October 2016 announcement, organizations in seven states — Maryland, Massachusetts, California, Texas, South Carolina, Colorado, and Louisiana — already committed to ramping up secure exchanges in early 2017. Moreover, another 13 states already have reached out to join this new network. Such exchanges do not represent a Balkanization of the Internet, but rather the formation of secure communities where vetted participants exchange data about incidents and can collaborate to solve common attacks. For example, if one participant receives a ransomware attack, notice can be sent immediately to all other participants. Central to the CyberUSA initiative is the recognition of the importance of working with government, while also understanding government’s limitation to defend us effectively. This initiative has taken a new urgency in the face of the most recent revelations about Russia.

You may remember Donald Rumsfeld’s now infamous characterization of threats as known-knowns, known-unknowns, and unknown-unknowns. In cyberspace, we have too many “unknown-knowns.” In other words, companies remain unaware of attacks that were used successfully against others. CyberUSA and other exchange initiatives understand that these unknown-knowns in cyberspace are no longer acceptable. Participating companies and their information security professionals understand that they must begin to collaborate and exchange information at least as effectively as our cyber opponents.

Find out more today at www.trustar.co.