Using the ‘good guy’ community to mitigate and minimize threats of cyber breach
Unity of effort is defined as the process — some would call it art — of “harmonizing efforts among multiple organizations working toward a similar objective” (Wikipedia). It has broad implications as a collective, all-in commitment among disparate organizations to do whatever it takes to win within legal and reasonable parameters. It means setting aside myopic agendas and priorities for as long as it takes to enable maximizing and synergizing capabilities to achieve sustained dominance of the (in this case) cyber battlefield.
Until private sector companies and their respective host governments — let’s call these the collective ‘good guy’ cyber community — fully achieve a unity of effort state of play, we will continue to fall short on maximizing our full capabilities to vanquish the cyber ‘bad guys.’
We will never entirely be rid of the cyber breach threat, be it from nation state actors or cyber criminals. The clear objective then is to mitigate and minimize the threat vector to a point where the cyber bad guys deem digital intrusion too cumbersome, too costly, and/or too lethal from an exposure standpoint. Steady success here will not be achieved until the CISO community is aligned and unleashed. Arguably, CISO alignment has been effectively achieved; the CISO community is probably the most anti-peer-competitor cadre of corporate officers that exists. As for taking off the proverbial leash, that can only happen with a government green light. Notwithstanding the latest and best security software, CISOs are in effect flying blind until then, which has considerable implications.
Real time breach information sharing is key here and would bring a significant force multiplier effect in lessening the challenges CISOs confront daily. Learning from breach activity in virtual real time exponentially improves the ability to respond in kind.
There are, of course, current practical challenges to achieving wider real time breach information sharing, principally with regard to a) privacy laws and regulations and b) information overload once the curtain is pulled.
On the regulatory front, five years ago in “A Call For A National Cyber CounterInsurgency,” and later in 2017 in “A Call For A National Cyber Skunk Works,” I challenged our cyber ecosystem to look to and replicate the “failure is not an option” spirit of Skunk Works, Lockheed Martin’s secretive and now infamous research, design, and development unit. This was a private company breaking ground with the full support and sponsorship of its host government, which in turn stayed out of the way. The playbook on the old order of doing business was thrown out. This can be looked to as an historical unity of effort alignment model for the private sector cyber community, supported by their host governments, to combat the bad guys.
Regarding clean information sharing, a practical operating model is IronNet’s IronDome. Participant companies sign on to effectively make real time breach activity visible to all other subscriber companies under the ‘dome’. While IronDome may not be a magic fix on a bigger and broader level, it represents a valid operational starting point.
Progress is being made, but more needs to be done. Sadly, it’s not simply a case of if we have to take such measures but rather when. It is better to take meaningful action now versus reacting from a position of greater transnational weakness post WannaCry / Petya part deux. Incidentally, I’d submit the swift collective global response to mitigate WannaCry as an excellent ad hoc unity of effort case study on the cyber historical landscape.
Only when we are able to deliberately and measurably lift the lid on real time breach information sharing can we take a dynamic leap forward on mitigating the digital onslaught from the bad guys. It’s unity of effort that gets us there. Until we as the global cyber good guy community embrace unity of effort as our collective state of play, we will continue to roll marbles up the cyber threat hill.
By embracing unity of effort, we can collectively meet and beat this ongoing and pernicious threat to our collective digital security posture. It is unity of effort that will give the good guys the decided advantage to win the day.
About the author:
Stephen Spagnuolo is a Director at the Baltimore office and leads cyber, digital security, risk focus areas, and client engagements. He has earned a recognized track record of delivering leadership talent and corporate development solutions with a principal focus on cyber security and operational risk across technology, financial services, and other industry sectors, ranging from early stage/startup to emerging growth to mid and large global corporates, banks, and consultancies.