Much like extreme weather, cyberattacks require international monitoring and cooperation
With hurricanes intensifying, it’s not hard to imagine this scenario: it’s early October and the Weather Channel is extensively covering a hurricane that’s going to hit the East Coast of the United States in five days. Right now, it’s just a tropical storm somewhere near Cuba. How do we know? Over 100 years ago the international community decided that it was beneficial for all—countries, regions and hemispheres—to share weather-related information and technology to prepare for and tackle potential risks. Even during the most frigid years of the Cold War, the U.S.S.R. and the United States reported weather patterns to each other and the rest of the world.
This is a remarkable example of sustained international cooperation for the greater good, in the interest of making the right decisions about public safety, agriculture, civilian safety, transport and insurance.
What does this have to do with cybersecurity? Everything.
Cyberattacks can sometimes appear to come almost out of nowhere, devastating businesses and crippling all levels of government. But, like extreme weather events, there are warning signs—if one knows where to look for them and whom to inform about any suspicious occurrence. Suspicious activity at an airport in Germany three weeks ago can turn into a full-scale ransomware issue at JFK tomorrow—grounding planes, tanking stock prices and, in a worst-case scenario, costing lives. These kinds of cyber challenges will drive the problems of the 21st century.
To protect people and help businesses, executive boards and the global community need to adjust to the new cyber-driven reality; and to make good decisions, executives and the global community need to have accurate and timely data.
Coming from two different perspectives, from the tech industry and international policy, it is clear to us that cyber information sharing between businesses, governments and across borders is the right solution. It can be as effective as the exchange of meteorological information today.
Unlike data about dangerous weather patterns, cyber data, and the lessons and predictions we can gather from it, are not widely shared. In fact, information hoarding is the norm.
This siloed approach to cyber data may eventually be deadly. That is why over 20 years ago, the U.S. started forming Information Sharing and Analysis Centers (ISACs) to facilitate information sharing for critical infrastructure, like finance, oil and gas and the defense industrial base. ISACs are non-profit organizations that collect, analyze and disseminate actionable cyber threat information among members, providing tools to mitigate risks and enhance resilience.
WHAT WE NEED TO DO
We need to start exporting the weather tracking and reporting model to everything. The goal should be to work towards an international coalition or organization dedicated to sharing cyber intelligence, like the ones we use for weather. But the first step towards that system is for businesses, from engineers to boards, to realize that intel sharing is in their best interest, and in everyone's.
If this is to be viable for companies and public institutions, governments first need to address the fear of retaliation. Regulators should provide enough wiggle room and not be too quick on the trigger when an attack is reported. Some form of safe harbor or legal immunity should be provided. Otherwise, if companies are punished for sharing intel and breach-related data, there is little to no incentive to actually share that data.
Hacker summer camp, the trio of security conferences in Vegas (Black Hat, DEFCON and BSides), just introduced the world to yet another new Microsoft vulnerability, this time leaving unpatched users open to attack. It surely resembles the feeling of coastal cities deep in hurricane season. Companies have been thinking about the second half of 2019 planning, and decisions on 2020 budgets are around the corner. Trust, and its deficit, play a larger role than ever in a company's reputation and success.
A World Economic Forum study makes it clear that customers want secure systems that protect them and their information not only from any current vulnerability but also from any future mutations. The research suggests that 93 percent of executives would pay an average 22 percent more for devices with better security. It’s not just about the latest tech. It’s about how secure that tech is. Boards that prioritize cybersecurity have an opportunity to differentiate their company and the board itself in the field.
Cybersecurity can be a business enabler, but it will only be lip service if not supported by strategic investment in culture, staff and technology.
No system in the world is completely airtight. Connectivity is permeating deeper into our businesses and lives every day. 5G, IoT and cloud adoption have become integral to every competitive business. No matter how much is spent on the latest security tool, being connected to the internet is a risk. If you live on the East Coast, a hurricane eventually will make landfall near your home. The goal is to prepare—build stronger structures, buy flood insurance, have evacuation plans. But most importantly, to save lives, information that allows you to predict timing and damage needs to be shared.
For cyber incidents that same message holds true. Invest in systems that collect, analyze and warn of threats and organizations that can develop best practices and emergency response plans for when the inevitable does happen. Run regular simulations. Constantly update plans and systems because the threat is always evolving. Most importantly, share the lessons far and wide. Weather doesn’t recognize borders; neither do cyberattacks.
Information sharing is everyone's responsibility. Engineers need to report and follow warnings. Above all, boards need to accept and foster a cybersecurity culture. Customers need to demand security.
Governments need to be more open. Every single one of us needs to care. If we continue as is, holding information close to our chests, the first death by cyber incident will happen. It’s only a matter of time. The international community has come together to make the world safer in the past. We can do it again.