“The Obvious Thing to do for a Decade…”
“Cyberattacks now exceed the danger of physical attacks […] this has forced us to rethink homeland security,” US Department of Homeland Security (DHS) Secretary Kirstjen Nielsen announced during the Cybersecurity Summit in New York City on 31 July. Part of the response to that challenge, announced at the time, was a DHS initiative to create a National Risk Management Centre – a centralised facility to which government agencies and industry can turn for cybersecurity advice and solutions. “This was an obvious thing to do for a decade but it didn’t happen,” commented AT&T’s Chief Executive, John Donovan, when the initiative was announced.
Obvious it may have been and a belated initiative it may arguably be – but will it have any more success than previous attempts at information sharing? The Cybersecurity Information Sharing Act (CISA) – enshrined in law in 2015 – has not yet been enacted by the Department of Defense, according to a report published on 13 November by the DoD Inspector General’s Office – largely because the Department’s Chief Information Officer failed to promulgate a policy mandating its implementation. “As a result,” the report concludes, “the DoD limited its ability to gain a more complete understanding of cybersecurity threats.”
According to the report, none of the relevant DoD components – the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the Cybercrime Center at the Pentagon or US Cyber Command – implemented the full suite of information sharing activities mandated by CISA. The fact that entire sections focused on the NSA were redacted has prompted some informed speculation that the Agency’s errors or omissions verged on the egregious.
In conversations with cyber professionals on both sides of the Atlantic in recent months, MONCh has become aware that the issues of internecine strife, inter-agency rivalry and plain old-fashioned bureaucratic turf wars are raising significant hurdles in the path of those who seek to develop and implement comprehensive cyber defences. That is not a new phenomenon: agencies responsible for different aspects of warfare have been squabbling since the Pharaohs. But the contrast between relatively petty internal struggles and the abject failure to keep up with better coordinated adversaries is stark. And shaming.
The Pentagon is committed to “streamlining its public-private information-sharing mechanisms” and that is all to the good. Because at the moment, according to DHS Undersecretary Chris Krebs earlier this year, just six companies are sharing their cyberthreat information with government. Six. The Internal Revenue Service estimates that, excluding shell companies and the like, there are currently 22 million active businesses in the USA…
“We have to establish a value proposition for an organisation to share into the system,” Krebs told reporters in July. Surely, the ‘value proposition’ is at least the financial equivalent of having to rebuild a business from scratch after a successful attack!
Never, in MONCh’s opinion, has there been a starker illustration of the fact that defence is an insurance policy. So how do we convince people to pay the premiums?