Cyber strategies that work are based not only on what you can do to prevent an attack but also on what you do after you have been attacked and how severe the damage was. As such, assume that you will be attacked and that the attack is successful. Effective information sharing is more important than ever as cybersecurity threats evolve in complexity and sophistication. We all know that it is impossible to win the fight against bad actors on our own. The latest and greatest tool, whatever it may be this week, is just one piece of the puzzle that must be put together to create a truly effective cybersecurity position.
Why it is important to disclose security information
Information sharing is not new. The Clinton Administration issued Presidential Decision Directive-63 (PDD-63) to establish Information Sharing and Analysis Centers (ISACs) around critical infrastructure like nuclear power, energy, and financial services.
These organizations share critical cyber-threat information between the government, private sector and other partners in these critical infrastructure areas. Executive Order 13691, issued by the Obama Administration in 2015, directed the Department of Homeland Security (DHS) to create Information Sharing and Analysis Organizations (ISAOs). ISAOs differ from ISACs in that they can be formed around specific industry segments, communities or other interests. Information sharing is intended to foster collaboration between the government and private sectors to improve cybersecurity resilience for all.
Let’s fast forward to today and take a look at the SolarWinds event, which came to light in 2020. I call this an “event” because calling it a hack or breach doesn’t accurately reflect its gravity. As more information comes to light almost daily, it is becoming clearer that this was a foreign intelligence gathering operation conducted exclusively in cyberspace. Although we still don’t know the motive for the attack, we do know that it was an extensive information gathering operation, with targets in the federal government and academia as well as the private sector. The outcome may not be known for many years.
This was something that no single tool could prevent. This is a new level of sophistication and persistence that we have never seen before. Although it was an attack on the software supply chain in a way not seen before, there may be other avenues of penetration. Technology alone was not enough to stop this kind of sophisticated activity.
What if one or more organizations were comfortable sharing anomalies they saw on their networks? We don’t know how many victims might have been exposed to suspicious activity on their networks. However, we do know that cyber-shaming is a common fear among organizations around the globe.
Cyber-shaming is the negative consequence of a cybersecurity event being made public. Think about the reputational damage that companies like Target and Equifax have suffered from having cybersecurity events (hacks, breaches, or insider threats) made public. Instead of being praised for letting others know about these events, they are often cyber-shamed for not having sufficient security to prevent them from happening.
It’s time to get over the fear of admitting that you’ve been hacked
This notion of cyber-shaming dates back to 2009, when I testified for CompTIA before the U.S. House Subcommittee on Oversight and Reform on the topic of information security and updates of the Federal Information Security Modernization Act. After our opening statements, the panel was able to interact with members of the subcommittee during an interactive Q&A. A member from Southern California made a strong statement, asking, “Do you mean to tell me that in today’s day and age, in the greatest country in the world, we can’t come up with technology for security risks?” I replied, “With all due respect, Mr. Congressman, there is no technology that can get between your finger and the enter key on the keyboard, and that is why the individual computer user is often the last defense against cyber-attacks.”