How America Can Better Leverage the Private Sector Against Cyber Threats
It is time to build a strategy of shared cyber command and control, one that unleashes the private sector’s resources and innovation as an equal partner in national cyber defense.
The SolarWinds breach reminds us of just how broken the current state of national cyber defense remains. In 2018, the Council of Economic Advisers stated that the cost to the United States from malicious cyber activity was estimated at between “$57 billion and $109 billion in 2016.” In the case of SolarWinds, at least one estimate puts the cost at upwards of $100 billion. In other words, the increase in threats, the continued loss of information, and the cost of mitigation together make the case for reform. For too long, information sharing has been the central strategy for national cyber defense. Unfortunately, information sharing is not a strategy; it is the natural outcome of shared command and control.
Command and control provides the ability to make decisions and orchestrate effective actions across organizations. Until the public sector can reimagine a world of partnership with the private sector, specifically one that includes the leadership of systemically important critical infrastructure (SICI) as an equal in command and control, failure is inevitable. This article contends that it is time to build a strategy of shared cyber command and control, one that unleashes the private sector’s resources and innovation as an equal partner in the command and control of the national cyber defense.
When the Internet technology company SolarWinds was compromised, it was an unwelcome announcement but no surprise. SolarWinds boasts customers worldwide, including military, federal service, telecommunications, and most of the Fortune 500. In other words, the SolarWinds clientele is representative of the global connectivity promoted by cyberspace. The sophistication, cleverness, and deep penetration of the espionage operation immediately indicated a state-sponsored campaign, again no surprise, especially given its client base. The public attribution points to the Russian government. Further, ongoing investigations currently estimate more than two hundred victims spread across the public and private sectors.
The SolarWinds breach is not unique from the perspective of the attacker. State-sponsored cyber operations follow an attack lifecycle and are characterized as advanced persistent threats (APTs). That said, there are two items of note. First, the campaign victimized both public and private sector targets, and second, it was the private sector that provided the means and methods to shut the campaign down. In other words, the private sector provided for the defense of the common good. For too long, nefarious cyber actors have exploited the vulnerability created by traditional hierarchies, which result in extended discovery time, poor communication, and delayed response. Accordingly, it is time to reexamine the operating assumptions that form the basis for the current model.
The Current Model
The SolarWinds breach demonstrates that the current strategy of information sharing, through public-private partnerships, is not adequate to provide for the national cyber defense. The underlying assumptions that inform the current model provide insight into its ineffectiveness.
The first assumption is that the public and private sectors have the same goals. Larry Clinton, president of the Internet Security Alliance, observed that the public and private sectors might not have the same interests. The private sector is concerned with profitability for its shareholders, which means that security is important, but not the objective. Conversely, the public sector maintains the mission of securing the homeland and is not a profit center. These similar but different goals can cause miscommunication and frustration, resulting in territorial gamesmanship. Nevertheless, information sharing has become a center of gravity for securing the homeland since the publication of The 9/11 Commission Report, which cited the inability to share information as a cause of the terrorist attacks on the World Trade Center towers in September 2001. As such, public-private partnerships have become a part of the national cyber defense landscape.
The assumption that information sharing is a panacea for cyber insecurity has not proven itself over the last two decades. Many reasons have contributed to the mixed results of information sharing. Partnerships are built on equity and trust. As to the former, the private sector maintains a trove of sensors that the public sector does not have access to, which means the private sector has more information to share. Meanwhile, the public sector has a culture of secrecy, the antithesis of trust. A partnership without equity is doomed to fail.
As to the latter, trust is the foundation of information sharing. On the one hand, the private sector desires anonymity, since the information it discloses can affect its competitive advantage. On the other hand, the public sector has strict laws and regulations on disseminating classified information. In the matter of trust, the public and private sectors are talking past each other, slowing the process in some cases and stalling it altogether in others. Nevertheless, information sharing initiatives abound in the form of public-private partnerships and information sharing consortiums.
Further, information sharing must provide the basis for action. Sharing information is not enough. The information must be the right information, at the right time, and to the correct audience for it to be effective. In other words, sharing everything creates problems. Sharing too much information means that most of the data is not relevant. Too much information consumes precious resources to determine its utility and reduces its importance through repetitive waste.
Information sharing under the best circumstances is difficult. However, the level of difficulty increases when sharing classified information. The assumption that the best information is classified not only fosters an elitist view of access but also hinders timely action. Classified information does provide significant advantages within the functions of intelligence and law enforcement; however, it is of little use in protecting the systems owned and operated by the private sector. The archaic rules and protocols make classified information neither timely nor useful in day-to-day cybersecurity operations. By contrast, vast stores of sensor data, a robust open-source collection capability, and data analytics combine to provide the basis for security operations at business speed.
The National Cyber Strategy of the United States of America states: “The Administration will clarify the roles and responsibilities of Federal agencies and the expectations on the private sector related to cybersecurity risk management and incident response.” That said, any reform has been slow to come. Currently, the national cyber defense model maintains the traditional roles of public and private sectors with a nod to sharing information. The problem is the reliance on antiquated organizational and hierarchical models that fail to account for the realities of cyberspace.
Cyberspace creates connections and dependencies, blurring the lines of separation between the public and private sectors. The public sector maintains the bulk of classified information systems, and the private sector owns most unclassified systems. That said, neither has been able to secure the information contained on them. In summary, the current state of national cyber defense is such that the public and private sectors maintain different goals; information sharing “is not bad, it’s broken”; classified information fails to meet the needs of the private sector in defending its networks; cyber actors heavily target both the public and private sectors; and protecting against data loss continues to fail. In other words, the conduct of national cyber defense needs to be completely transformed.
The Way Forward
The national cyber defense depends on public-private partnerships working. The expanded role of the private sector is anchored in the defend forward strategy, as outlined by the United States of America Cyberspace Solarium Commission. According to the commission, defending forward “posits that to disrupt and defeat ongoing adversary campaigns, the United States must proactively observe, pursue, and counter adversaries’ operations and impose costs short of armed conflict.” To this end, the commission calls for many welcome revisions; however, without joint command, these only delay the inevitable failure to achieve national cyber defense.
Joint command requires that forces work together, thus closing the primary vulnerabilities stemming from inequitable information sharing and divergent goals. By enabling joint command, a whole-of-nation approach is possible. The private sector can combine its access and data with the public sector’s intelligence and law enforcement functions to predict, prevent, deter, and respond to cyber events across the technical, tactical, operational, strategic, and political spheres. As a practical example, consider how these combined forces can solve the infamous “attribution problem.”
The lack of attribution continues to provide cover for nefarious cyber actors, creating a sense of helplessness within the victims. With its vast sensor networks, the private sector can add granularity at network speed to attribute groups and countries. The attribution of organizations and individuals takes longer, and the government is well suited for this half of the attribution equation. Nevertheless, the private sector’s involvement reduces response time. Thus, increased transparency will provide faster attribution and reduced response time while limiting the potential for politicization.
The second area that aligns with the defend forward strategy is in providing countermeasures. Software giant Microsoft demonstrated the art of the possible when confronting the SolarWinds attackers. According to former Microsoft employee Christopher Budd, “Microsoft flexed the muscle of its legal team and its control of the Windows operating system to nearly obliterate the actions of some of the most sophisticated offensive hackers out there.” In four days, Microsoft almost singlehandedly changed the risk calculus across the public and private sectors globally.