The Need for a 'Collective Defense'
Former NSA Director and Others Stress Collaboration
Among the top issues being discussed at the RSA 2020 conference this week is the need for more cybersecurity collaboration between government agencies and the private sector.
Retired General Keith Alexander, the former director of the National Security Agency who is Co-CEO and president of IronNet Cybersecurity, advocates a “collective defense” approach.
Breaching private companies can create doorways into government networks as the two heavily rely on each other, he notes in an interview with Information Security Media Group. For example, Granicus, one of the largest IT service providers for U.S. federal and local government agencies, recently left a massive Elasticsearch database exposed to the internet (see: Service Provider to Government Left Database Exposed).
Alexander says private sector organizations need to share anonymized information on cybersecurity issues with the government so that further attacks can be prevented.
"In cyber, each company works by itself and shares what is important. But you don't get the whole picture so you don't see what's going on," Alexander says. A “collective defense” approach means the entire cybersecurity community would work together, he explains.
The Cybersecurity Information Sharing Act of 2015 provides a legal framework for government agencies and private sector organizations to voluntarily share cybersecurity information and other security data, Alexander points out.
But an audit published by the Office of the Inspector General of the Intelligence Community late last year found that federal agencies, especially units within the Department of Defense, still have plenty of work to do when it comes to sharing cybersecurity information and threat intelligence among themselves as well as with the private sector (see: Cybersecurity Data Sharing: A Federal Progress Report).
Threats and cyber risks are increasing every year, and the number of network-connected devices is increasing exponentially, which means the workload for CISOs and security operations centers is doubling every year, Alexander says. Shifting to a “collective defense” approach could help manage the workload and hold down costs, he adds.
Energy Sector Makes Headway
The energy sector has made headway on collective defense as CEOs of major companies work together to protect the grid, Alexander says.
There have been advancements, in particular, in the operational technology environment, Sean Plankey, the principal deputy assistant secretary for cybersecurity, energy security and emergency response at the U.S. Department of Energy, tells ISMG.
Plankey says the DOE is working with the Department of Defense and Department of Homeland Security to break down the silos between the government and the private sector.
In the U.S., a large portion of the energy infrastructure is privately owned, so the DOE is continually working to integrate security across the sector while also encouraging private companies to share their data with the government, Plankey says.
DOE is also working to ensure that the supply chain for America's energy is resilient against an attack, as many components in the industrial and energy sectors are manufactured overseas.
Battling Against 'Deepfakes'
In interviews at RSA 2020 on another hot topic, cybersecurity experts expressed concern about “deepfakes,” but they said that artificial intelligence and machine learning had advanced to the level where they can be used to detect them.
"The only good news is we are getting better with AI and machine learning to be able to spot these vulnerabilities before something bad can happen," former RSA Chairman Art Coviello, who is now a venture partner at Rally Ventures, tells ISMG.
Coviello adds, however, that the spread of disinformation via social media is a major threat. Although nation-states are now primarily responsible for disinformation campaigns, eventually companies may begin attacking each other with disinformation, he says.
CISOs and Boards
Coviello also tells ISMG that CISOs and board members need to work together to solve major issues. While many board members don't understand technology as well as they should, many CISOs fail to clearly describe security issues and the role technology can play, he adds.
Too many CISOs lack data on how their security infrastructures are working. "There is no authoritative source of data to measure the maturity and effectiveness of what they're doing," Coviello adds. "As a result, it's almost impossible to report it up to the board."