“All for One and One for All”

… So chanted the Three Musketeers.

One of my main issues with cybersecurity risk management is that organizations seek to secure their own systems, data and networks, hoping that attackers will move on and attack more vulnerable victims. I have heard this notion explicitly stated by senior cybersecurity professionals from major financial institutions. This view is also expressed in the new book “The Fifth Domain” by Richard A. Clarke and Robert K. Knake. They note that large financial institutions invest hundreds of millions of dollars annually and hire hundreds, if not thousands, of security staff, to protect themselves, whereas smaller institutions don’t have the means and/or the inclination to invest enough in cybersecurity and are therefore so much more vulnerable to attacks. Clarke and Knake repeat the old joke about one hunter only needing to outrun a second hunter rather than having to escape an attacking bear. This approach might address the concerns of larger organizations optimizing their own defenses, but is it optimal globally? I think not. Indeed, from society’s perspective, such an approach is really selfish and potentially self-defeating, especially as a significant attack vector into larger organizations is through weaker business partners.

There are strong reasons to believe that cooperation is better than competition when it comes to cybersecurity risk mitigation. My personal involvement in establishing the FS-ISAC (Financial Services Information Sharing and Analysis Center) some twenty years ago was motivated by a belief that financial institutions would all benefit by sharing information about threats, exploits, incidents, and protective measures. Initially the FS-ISAC was considered an exclusive club benefitting only 50 or 60 of the largest U.S. banks. I was happy when the U.S. Treasury Department encouraged membership by smaller institutions by kicking in $2 million, so that there are currently some 7,000 member institutions. However, such expansion of cooperation among potential victims against cyberattackers is relatively rare.

So, it was pleasing to see that NATO is going forward with a cooperative approach to defending NATO members. In an August 27, 2019 article, “NATO will defend itself,” by NATO Secretary General Jens Stoltenberg, available at https://www.prospectmagazine.co.uk/world/nato-will-defend-itself , Stoltenberg asserts that “A serious cyberattack could trigger Article 5, where an attack against one ally is treated as an attack against all.” That’s good as far as it goes, but, in reality, such a response should extend to all like-minded countries, not just NATO. And perhaps even adversaries should be included … just saying.

The ISAC movement in the U.S. has gone viral … see https://www.nationalisacs.org/member-isacs . And there are a fair number of ISACs showing up in Europe, India and Canada … see https://en.wikipedia.org/wiki/Information_Sharing_and_Analysis_Center , and doubtless in other regions and countries, too. ENISA (European Union Agency for Network and Information Security) has published an excellent report, “Information Sharing and Analysis Centres (ISACs) – Cooperative Models,” which describes the extensive efforts throughout Europe, including the UK as of when the report was published in 2017.

Such international cooperation should include all countries to be fully effective, although we know that adversaries would not join together with us in such an effort. Be that as it may, we are all in the same boat with regard to the Internet, and all-out hostilities will only sink everyone. We can only hope that countries agree to collaborate to fend off potential catastrophic meltdowns as might occur if a worldwide cyberwar were to come to pass. We’re all musketeers in this together and should recognize the need to protect one another in order for all to survive.
