Director of the newly created White House Office of the National Cyber Director (ONCD), Chris Inglis, explains using Jeff Moss’ analogy of race cars with powerful brakes why we should care about cyberspace. According to Moss--the name behind the Black Hat and DEF CON computer security conferences--race cars have bigger brakes so that they can go faster, but it’s more about the car than it is about the brakes.
“We care about cyber, or perhaps the more technical term, digital infrastructure, [or] the internet, not for its own sake [but] because it delivers functions that we care about as individuals, as businesses, as societies… Many businesses plan and deliver their business outcomes across the internet, and societies increasingly deliver critical functions using the internet… So cyber is important not for its own sake, but because of what it does for us,” says Inglis.
Treat cyberspace as you would other critical infrastructures
While a lot of focus is placed on the technology that powers activities in cyberspace (defined by the US National Institute of Standards and Technology as the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form), Inglis highlights the human angle and the choices of individuals in shaping cyberspace either by choosing diligence or complacency.
At the same time, specifying the roles and responsibilities involved makes up a critical part of maintaining cyberspace, which ought to be managed with the same attitude accorded to maintain aviation, power, water, rail, or road infrastructures, for example.
“If we get the roles and responsibilities right in cyberspace, if we get the people skills right in cyberspace, if we get the technology right in cyberspace, we will have dealt with all three of the really important pieces.”
Cyberspace is technology and people and roles and responsibilities
To attain this level of resilience in cyberspace where all three parts align, Inglis underlines the role of investments and the collective defence of international players to potential threats in a proactive rather than reactive manner.
The ONCD—which is in charge of developing US cybersecurity strategy and, by extension, its national security strategy--targets four principal outcomes including federal cohesion, ensuring current and future resilience by design, aligning resources and fostering public private collaboration, explains the agency’s principal deputy Kemba Walden.
Read also
Luxembourg recently opened the Luxembourg House of Cybersecurity in an effort to establish itself as a leader in the open cybersecurity data market and serve as the reference hub for cyber-resilience in Luxembourg.
Public-Private Partnerships: a defence mechanism
Cyber incidents topped the Allianz Risk Barometer this year with 44% of respondents--made up of 2,650 risk management experts from 89 countries and territories--ranking it as the most important business risk for 2022 and beyond.
“Public private partnerships are not just nice to have. They are the solution to protecting critical infrastructure worldwide,” says the head of the NSA's Cyber Collaboration Center, Morgan Adamski.
The fact that global attacks went up by 28% in the third quarter of this year compared to same period in 2021, according to Check Point Research, shows that the advocates of threats and other cyber criminals are not relenting in their efforts in cyber espionage and sabotage attacks.
The Microsoft 365 Defender Threat Intelligence Team had specified that the median time for an attacker to move laterally within a corporate network if a device is compromised is a mere one hour, 42 minutes. Hence, prioritising PPPs in cybersecurity cannot be overemphasised and the main players should move faster.
“No one person, no one organisation, no one nation can defend itself alone in a space that is uniformly shared by a collection of nations. Cyberspace typically does not respect the boundaries that physical geography has set up, and therefore we need to make sure that we're building resilience across those boundaries and defending the resilience of that infrastructure,” explains Inglis. “You will have to beat all of us to beat one of us once we align our aspirations and our actions,” adds Walden, stressing that this responsibility falls on everyone in the ecosystem.
We're not going to stop because nation state and cyber mercenary attacks are not stopping.
Make it harder for cyber criminals and state actors by securing the basics
In the same Microsoft report, over 80% of ransomware attacks can be traced to common configuration errors in software and devices. General manager and associate general counsel of Microsoft's Digital Security Unit, Cristin Flynn Goodwin talks about two main yet simple approaches that enterprises can use to protect themselves.
“First, talk about security basics, security hygiene, multi-factor authentication, patching, because it matters. It's the low hanging fruit that all cybercriminals and all nation states [actors] are taking advantage of. Why spend money on a big fancy Tom Cruise type Mission Impossible attack when you can just walk in the back door because it's unlocked.”
Utilising reliable and trusted networks will be another crucial strategy. “If 99% of the time the patch [software updates that address vulnerabilities] was available, there's 1% of the time when it wasn't and it's a new issue.” This is where already established relationships can help with a swift, targeted, and timely response to figure out the scope of the attack, stresses Goodwin.
The ability of states to act proactively and promote best practices by imposing sanctions across the board when individuals and entities carry out cyber-attacks will prove to be effective, but remains the biggest challenge, says Goodwin.
“I think the hard part here is that criminals are taking advantage of the systems where they know that if they sit in a particular country, they're less likely to be extradited. If they're leveraging technology in a third country where it's less likely to be seized, [then], that's harder.”
This article summarises some essential points from a number of statements delivered by high-level US experts and briefers during a cybersecurity virtual reporting tour organised by the Foreign Press Centers, Bureau of Global Public Affairs, U.S. Department of State.