Before entering the private sector as a cybersecurity executive, I spent more than 29 years in the military, serving as an Officer in the U.S. Air Force. Military strategy was my focus for more than a decade, but I didn’t connect it to my interest in the cyber domain until after a revealing conversation with a 4-star general.
The general, who was responsible for the physical defense of the United States, asked me: “Why don’t we work well with cyber command? Why don’t we have a more holistic strategy to combine the skills and capabilities of kinetic [physical] forces and cyber forces?”
In short, this general had a valid complaint: National cyber strategies were lacking real teeth to properly defend the nation.
While in the military, I received extensive training in formal strategy and led combat operations. I learned important theories behind how and why sound strategy was essential for military advantage. But this conversation was my “ah-ha” moment where I came to understand the benefit of what I now call collective defense as it relates to the virtual domain. During my military career, it meant promoting and enabling collaboration between military and cyber forces of all U.S. government entities—and ensuring the rank-and-file created and carried out a comprehensive strategy. That strategy of collective defense is equally applicable—and maybe even more necessary—in the private sector.
Why the private sector needs a collective defense
As the Chief Information Security Officer (CISO) of a financial institution, I am confident that if we encounter a robbery, law enforcement will be there in a heartbeat. But in the virtual domain, that is not the case – we are left to defend our respective firms on our own. In the battle against virtual threats, we witnessed the disintermediation of traditional law enforcement responses to cybercrime in the private sector. Cyber threats can engage directly with private corporate networks without law enforcement being able to deter or stop those threats.
Governments and regulatory agencies impose a number of rules and requirements on private sector firms related to their cybersecurity, especially in financial services, but also in an increasing number of markets. Unfortunately, for many of those organizations, cyber regulations are placed on the private sector without government help to defend private companies. Also, when it comes to combating cybercrime, especially crime originating overseas, corporations often are left without enough help, or the right kind of help.
For example, private sector companies often receive unclassified information a little too late, or the information is too generalized for CISOs to properly use. As a result, security leaders in the private sector need to look elsewhere to find actionable, timely information. Additionally, law enforcement—which today is far more willing and able to take on a cyber investigative role—still struggles to go after criminals because of jurisdictional and capacity hurdles. Occasionally, they may get an indictment, but it rarely seems to lead to extradition, prosecution, and conviction. Therefore, there are very few consequences imposed upon malicious cyber actors, which also accounts for their continued growth in sophistication and competence year after year.
We now see cybercrime has become commoditized. Cyber incursions happen more often than in the past, so much so that it has become “cybercrime as a service.” The hackers’ bar to entry is very low, leading to more threats and more sophisticated attacks. Clearly, no single corporation—not even large, well-resourced ones—can contend with the sheer scale of today’s cybercrime without help from security firms and colleagues in the public sector. Where can corporations turn?
Now is the time for leaders to emerge
If private sector organizations hope to have a chance at staying ahead of attackers in today’s landscape, a thought leader is needed to serve as a catalyst for action and bring together the private and public sectors to marshal their resources, talents, and experience against the attackers. That leader may be a company in the cybersecurity space, an industry organization, or a government agency. The issue is less about the affiliation of the group or person taking the lead, and more about acting as a galvanizing force for ideas and action.
It will take a leader to sponsor the kinds of blunt conversations required now—ones that put aside blame, focus on the problem, and provide a range of possible solutions. Unless we bring together the right leaders from the private and public sectors to form a framework for collective defense, all of us—the public and private sector alike—will be forced to muddle along with the status quo, which is simply not acceptable.
What a collective defense can accomplish
In our organization, as is the case with countless others, we model collective defense at a micro level by bringing together a group of highly committed cybersecurity professionals and supporting them with budgets and executive sponsorship. We also seek guidance from responsible and committed board members to assemble the right cybersecurity program. It’s a good beginning, but unfortunately, we can only go so far when we go it alone.
Building a collective defense answers the challenge of resource and human constraints; we go further when we go together. Through collective defense, we can create the framework and methodology for analyzing threats and developing solutions by surfacing and sharing relevant, contextualized, real-time information. In a collective defense we are aided tremendously by the fact that we all collect more security information than ever. In fact, there are numerous security giants on the private side that have a unique view into what’s happening across the cyber threat landscape. Many large cyber security organizations can see in real time across numerous private firms as cyber campaigns propagate. Working together with one goal in mind—providing better security for our industry—enables public sector entities, financial services companies, and technology leaders to provide collective, proactive steps to spot and defend against an ever-growing litany of threats.
In a collective defense, many firms can share threat information, indicators of compromise/attack, and tactics in near real-time to quickly harden their respective defenses against emerging cyber threats. Unlike existing threat-sharing organizations that pass overly generalized information too late, collective defenses work together to actively defend against an ongoing attack. Collective defenses are active partnerships to help each other understand and defend against the cyber threat in real-time.
Overcoming barriers to building a collective defense
In the financial services sector, we’ve started to see some early work on building a collective defense, as has been the case in other industries. But none of this action has scaled yet. That’s the key, and admittedly, it’s a tough thing to do.
In the private sector, we’re understandably zealous about trying to protect our competitive edge, and we often have an innate fear of sharing information with our competitors. The cyber threat is one we all have to battle. We must make companies comfortable enough to be part of this collective and to enthusiastically participate in this collaborative problem-solving. There also are legal and regulatory challenges in bringing together industry players—some of whom may not always be comfortable sharing information. Collective defenses would not have their regulatory agencies in the room, and there must be an agreement that any activities or information sharing between participating firms would not be passed to regulators.
That’s where the thought leader I mentioned comes in. A strong leader, or a few leaders, need to step forward with the clout and confidence to cajole and reason with people till they are comfortable being honest and open in sharing information about what they’re seeing, what they’ve seen work, and what they’ve learned doesn’t work.
Some companies have hesitated to step into that leadership void, saying they believe it’s the U.S. government’s role to do that. Regardless of what you may believe, it doesn’t absolve us in the private sector from stepping forward anyway; our cybersecurity defenses need more fortification than ever before.
Taking the first steps to build a collective defense
How does a company get started in order to be part of a collective defense? Here are four concrete actions to advance your cause:
First, obtain your executive leadership and board’s backing. They are not only providing strategic vision and insight, but they ultimately give the thumbs-up or thumbs-down to external engagements and spending initiatives.
Second, examine your lineup of technology providers and identify the one or two that are truly partners, offering ideas and sharing best practices rather than just putting a purchase order in front of you to sign. Your major cyber security providers have a wide view of cyber threats across their technology and the firms they support. Consequently, they are a major asset in the collective.
Third, talk to your colleagues at other major companies in your sector. I believe they will embrace this concept of collective defense and join in. Their participation will swell your group’s size and influence—remember, there’s strength in numbers. Your firm may not be the first to see the emerging cyber-attack, but others in your collective might. The greater the number of participating firms, the greater the number of “sensors” the collective has to alert it to a new, propagating attack.
Finally, don’t overlook the smaller players in your market. Get the word out to them about collective defense, and how it allows smaller organizations with fewer resources to become much more efficient with their own cyber defenses. A smaller partner in the collective will greatly appreciate the type of threat information that can help them to prioritize their defensive actions.
In the end, you’ll all be part of an important conversation on the growing cyber threats we all face. But even more importantly, you’ll be doing something tangible about combating them.
Ron Banks is Chief Information Security Officer at Texas Capital Bank.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the views and opinions of Texas Capital Bank.