… So chanted the Three
One of my main issues with
cybersecurity risk management is that organizations seek to secure their own
systems, data and networks, hoping that attackers will move on and attack more
vulnerable victims. I have heard this notion explicitly stated by senior
cybersecurity professionals from major financial institutions. This view is
also expressed in the new book “The Fifth Domain” by Richard A. Clarke and Robert
K. Knake. They note that large financial institutions invest hundreds of
millions of dollars annually and hire hundreds, if not thousands, of security
staff, to protect themselves, whereas smaller institutions don’t have the means
and/or the inclination to invest enough in cybersecurity and are therefore so
much more vulnerable to attacks. Clarke and Knake repeat the old joke about one
hunter only needing to outrun a second hunter rather than having to escape an
attacking bear. This approach might address the concerns of larger
organizations optimizing their own defenses, but is it optimal globally? I
think not. Indeed, from society’s perspective, such an approach is really
selfish and potentially self-defeating, especially as a significant attack
vector into larger organizations is through weaker business partners.
There are strong reasons
to believe that cooperation is better than competition when it comes to
cybersecurity risk mitigation. My personal involvement in establishing the
FS-ISAC (Financial Services Information Sharing and Analysis Center) some
twenty years ago was motivated by a belief that financial institutions would
all benefit by sharing information about threats, exploits, incidents, and
protective measures. Initially the FS-ISAC was considered an exclusive club
benefitting only 50 or 60 of the largest U.S. banks. I was happy when the U.S.
Treasury Department encouraged membership by smaller institutions by kicking in
$2 million, so that there are currently some 7,000 member institutions.
However, such expansion of cooperation among potential victims against
cyberattackers is relatively rare.
So, it was pleasing to
see that NATO is going forward with a cooperative approach to defending NATO
members. In an August 27, 2019 article, “NATO will defend itself,” by NATO
Secretary General Jens Stoltenberg, available at https://www.prospectmagazine.co.uk/world/nato-will-defend-itself,
Stoltenberg asserts that “A serious cyberattack could trigger Article 5,
where an attack against one ally is treated as an attack against all.” That’s
good as far as it goes, but, in reality, such a response should extend to all like-minded
countries, not just NATO. And perhaps even adversaries should be included …
The ISAC movement in the U.S.
has gone viral; see https://www.nationalisacs.org/member-isacs
And a fair number of ISACs are showing up in Europe, India and Canada …
and doubtless other regions and countries, too. ENISA (European Union Agency
for Network and Information Security) has published an excellent report “Information
Sharing and Analysis Centres (ISACs) – Cooperative Models,” which describes the
extensive efforts throughout Europe, including the UK as of when the report was
published in 2017.
Cooperation should include all countries to be fully effective, although we
know that adversaries would not join together with us in such an effort. Be
that as it may, we are all in the same boat with regard to the Internet, and all-out
hostilities will only sink everyone. We can only hope that countries agree to collaborate
to fend off potential catastrophic meltdowns as might occur if a worldwide
cyberwar were to come to pass. We’re all musketeers in this together and should
recognize the need to protect one another in order for all to survive.
*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2019/09/09/all-for-one-and-one-for-all/