In early 2017 I participated in a RAND conference that looked at deterrence in cyberspace (among other issues) as it applied to the U.S. – Japan alliance. During this conference I described deterrence in cyberspace as essential, unique and complex. I argued that because of these characteristics, one cannot simply transplant historical models of deterrence, such as the nuclear example, into cyberspace. Cyberspace is among the most distinctive and complex environments ever to exist, and the problem of deterring malicious activity in it is distributed among the private and public sectors within and between nations. Solutions associated with deterrence must therefore be multi-faceted and include multi-party participation. They must use all instruments of national and international power in “whole of government,” “whole of nation” and even “whole of alliance” approaches. Since the private sector owns, operates and maintains the vast majority of the cyberspace environment, industry should be one of the most important participants. Yet it is too often overlooked as part of a cyber deterrence policy.
While most discussion about deterrence in cyberspace focuses on the role that governments play, this will be a three-part essay series focusing on the role of the private sector and how industry can contribute to governmental efforts in deterring cyber threats. In this first essay of the series I’ll discuss the growing role of the private sector in cyber threat intelligence and information sharing. In subsequent essays I’ll discuss the role of industry in the development of norms of responsible behavior in cyberspace, as well as industry’s role in research, development and implementation of technical solutions to defend more effectively against modern cyber threats and how these things support deterrence.
Component Elements of an Effective Cyber Deterrence Policy
Based on my previous experience in the U.S. military and government while working on the issue of deterrence in cyberspace, the basic components of an effective cyber deterrence policy include the following elements:
- A description of what types of activities the policy seeks to deter (not a detailed, exhaustive list which might encourage actions short of declared thresholds, but rather a description of the scale, scope and consequences of malicious cyber activities that could impact national/international security, national/international economic stability, serious public safety concerns or national/international level privacy and freedoms)
- Deterrence by denial (denying the adversary’s anticipated gain by making the effort too difficult – primarily through defense, resilience and reconstitution capabilities and processes)
- Deterrence by cost imposition (making the anticipated cost or punishment associated with an adversary’s efforts more painful than it is willing to accept in relation to the expected gain – primarily through economic, law enforcement and even military instruments of national power when other preferred measures are insufficient)
- Activities that support deterrence (these include diplomatic, informational, and intelligence instruments of national power, as well as research and development to shape the future of cybersecurity by planning for and investing in tools, techniques, and a workforce necessary to improve the resilience of the digital environment and provide new technological options for deterring malicious cyber activities)
It’s within the last component, activities that support deterrence, that I’ll focus my effort in describing where I believe that industry can become a much more effective partner to governments in contributing to deterrence in cyberspace. Specifically, this is where the private sector’s growing role in cyber threat intelligence and information sharing, in establishing norms of responsible behavior in the cyberspace environment, and in conducting research and development to implement technical solutions that more effectively defend against modern cyber threats can help. So, let’s tackle industry’s role in cyber threat intelligence and information sharing in this first essay of the series.
Activities that Support Deterrence: Private Sector Cyber Threat Intelligence and Information Sharing
While there is no shortage of intelligence sharing agreements between governments that could be improved to address the growing challenge posed by cyber threats, governments should also facilitate and encourage the role that industry can play in cyber threat information and intelligence sharing. Exposing the identity of malicious cyber actors and organizations, their capabilities, their techniques and indicators of compromise, and their playbooks has been a key factor in changing their behavior, including a deterrent effect.
For example, the U.S. has used law enforcement actions to impose direct costs both on malicious cyber threat actors and organizations and on the states that protect or support them. The U.S. indictment of five uniformed members of China’s People’s Liberation Army in 2014 for hacking six U.S. industry victims is an example of public exposure coupled with the investigative and prosecutorial authorities of law enforcement. This type of law enforcement action demonstrates that there are consequences for conducting malicious cyber activities, and it can contribute to deterrence through the imposition of costs.
Additionally, several of my former U.S. government colleagues have privately expressed to me their belief that the indictments and public exposure of these Chinese military members played a significant role in the ultimate outcome of the Obama – Xi agreement in the fall of 2015. This demonstrates deterrence by influencing foreign policy decision making and restricting certain types of malicious cyber activity. In this case, the agreement was to limit the cyber theft of intellectual property and trade secrets for profit.
Perhaps surprising to some, private sector cybersecurity companies played a prominent role in the public exposure of every major headline-grabbing breach over the past five years. Based on my experience in the private sector cybersecurity industry over the past year and a half, this trend is only going to increase. I think this is a positive development, because I believe that government intelligence capabilities simply cannot keep up with everything that is required to combat the explosion of cyber threats. Industry involvement is a must, but the partnership between governments and industry must be done carefully and correctly.
Governments can encourage and strengthen what is already happening in industry cyber threat intelligence gathering and sharing by integrating it into policy and implementation planning. To improve the effectiveness of the partnership with industry, governments should draw on some important lessons the U.S. has learned from its experience over the past several years. These lessons include clarifying exactly what information is shared, developing standardized methods and formats for information sharing, and employing automated platform capabilities to share this information quickly and to distribute security controls across the enterprise network that stop cyber threats before they accomplish their intended purpose. This contributes to deterrence because it raises the cost of doing business for cyber threat actors and organizations.
Keys to Success
Deciding exactly what information to share is the first key to success. This is important because some misinformed parties tend to conflate cyber threat information with surveillance and encryption issues, which are currently very heated and divisive. In my view, these are very different issues. In cybersecurity, security doesn’t compete with or detract from privacy or civil liberties. Security is the necessary ingredient in ensuring both privacy and civil liberties in a digital age.
We must be very clear that cyber threat information sharing is not about exposing personally identifiable information (PII), protected health information (PHI), intellectual property (IP), or personal/corporate content of communications. It is about sharing cyber threat indicators of compromise and contextual information that relates directly to a cybersecurity purpose. This includes cyber threat actors and organizations, malicious code and techniques, information infrastructure transmission and collection points, communication control channels employed by cyber threats and where these elements are located, the general categories of targets that cyber threats are attempting to penetrate, and the techniques that cyber threats execute on endpoint devices to hijack their intended function. This is the type of information that should be acceptable within privacy parameters because it is solely focused on sharing indicators of compromise and the contextual information necessary for the cybersecurity community to successfully defend against these threats.
Finally, we must evolve from legacy manual methods of information sharing, such as spreadsheets and PDF files. We must also evolve from confusing ad hoc methods, consisting of more than three hundred varying formats with inconsistent fields of information. Effective sharing requires a streamlined, standardized procedure. This means a single recognized and accepted standard for the information fields that describe a threat, consistent with the specific indicators of compromise and contextual information previously outlined. It also means that sharing must be automated through a platform that can translate the standardized threat information into security controls that are deployed to the network automatically and stop the threat before it accomplishes its intended purpose. This is the only way to level the current playing field between offense and defense and give the cybersecurity community a fighting chance to outmaneuver the adversary. It also takes a page from the attacker playbook, because attackers employ automation and effectively use information sharing procedures of their own.
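The three practices above (a fixed set of shareable fields, sanitization that keeps PII and content out, and automatic translation of indicators into controls) look something like the following in software. This is an added illustration, not code from this essay, the CTA or any vendor; the field names, indicator types, rule format and the sample feed are all assumptions constructed for the example.

```python
"""Added example: an allowlisted sharing schema turned into security controls.

Constructed for illustration; not the essay's, the CTA's or any vendor's code.
Field names, indicator types, the rule format and the sample feed are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fields a sharing record may carry: the indicator plus cybersecurity context only.
ALLOWED_FIELDS = {"type", "value", "actor", "malware", "technique",
                  "target_sector", "first_seen"}

# Syntactic checks per indicator type. A value that does not parse is rejected,
# never "repaired", so a sharing partner cannot smuggle arbitrary text through.
INDICATOR_PATTERNS = {
    "ipv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
                       r"(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "domain": re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
                         r"[a-z]{2,63}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}

# Which enforcement point consumes each indicator type (assumed rule kinds).
CONTROL_KIND = {"ipv4": "firewall_deny", "domain": "dns_sinkhole", "sha256": "hash_block"}


@dataclass(frozen=True)
class Control:
    kind: str     # firewall_deny | dns_sinkhole | hash_block
    value: str
    reason: str   # actor/malware context carried along for the analyst


def sanitize_record(record: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the record restricted to ALLOWED_FIELDS, or None if it must be dropped.

    Anything outside the allowlist (e-mail addresses, names, message bodies,
    document content) is discarded by construction rather than by a denylist.
    """
    itype = record.get("type")
    pattern = INDICATOR_PATTERNS.get(itype)
    value = str(record.get("value", "")).strip()
    if pattern is None or not pattern.match(value):
        return None                          # unknown type or malformed indicator
    clean = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    clean["value"] = value if itype == "ipv4" else value.lower()   # normalise
    return clean


def to_controls(records: List[Dict[str, str]]) -> List[Control]:
    """Translate a shared feed into deduplicated, deployable controls."""
    controls, seen = [], set()
    for raw in records:
        rec = sanitize_record(raw)
        if rec is None:
            continue
        key = (rec["type"], rec["value"])
        if key in seen:                      # same indicator from two partners
            continue
        seen.add(key)
        reason = f"{rec.get('actor', 'unknown-actor')}/{rec.get('malware', 'unknown-malware')}"
        controls.append(Control(CONTROL_KIND[rec["type"]], rec["value"], reason))
    return controls


def render_rules(controls: List[Control]) -> List[str]:
    """Emit controls as lines an enforcement point could consume (format assumed)."""
    return [f"{c.kind} {c.value} # {c.reason}" for c in controls]


# Constructed sample feed: a clean record, one carrying a forbidden PII field,
# one malformed indicator, one duplicate, and one carrying message content.
SAMPLE_FEED = [
    {"type": "ipv4", "value": "203.0.113.7", "actor": "ACTOR-1",
     "malware": "loader", "technique": "T1071"},
    {"type": "domain", "value": "Update.Example-C2.test", "actor": "ACTOR-1",
     "email": "victim@example.org"},
    {"type": "sha256", "value": "not-a-hash", "malware": "loader"},
    {"type": "ipv4", "value": "203.0.113.7", "actor": "ACTOR-1"},
    {"type": "sha256", "value": "a" * 64, "malware": "loader",
     "message_body": "quarterly numbers attached"},
]

if __name__ == "__main__":
    for line in render_rules(to_controls(SAMPLE_FEED)):
        print(line)
```

Run stand-alone, the script prints three rules: the malformed hash is rejected, the duplicate IP is collapsed, and the e-mail address and message body never reach the output because only allowlisted fields survive sanitization. The allowlist, not a denylist, is the design choice that matters: a new PII field a partner adds tomorrow is dropped without anyone having to anticipate it.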
How This Can Work
Industry has an increasingly important role to play in the deterrence of modern cyber threats. By contributing to governmental efforts in exposing appropriate cyber threat intelligence, private sector information sharing programs and organizations can raise the cost of doing business for cyber threats. This can be done responsibly, without posing risk to privacy or civil liberty concerns.
A magnificent example of the private sector’s contribution is the Cyber Threat Alliance (CTA). The CTA is a non-profit organization headed by President Obama’s former Cyber Czar, Michael Daniel. The CTA consists of more than a dozen cybersecurity companies. While all of these companies are competitors, each CEO from the participating companies has decided to treat cyber threat intelligence as a public good instead of a commercial commodity.
The founding members of the CTA are Palo Alto Networks, Symantec, McAfee, Fortinet, Check Point and Cisco. The CTA has two rules: you must share cyber threat intelligence daily, and you must consume the shared intelligence to protect your customer base. The CTA has built a platform to share information in a standardized and automated format, protect privacy and civil liberties, consume the shared intelligence, and automatically push the resulting security controls into the information environment to protect members’ customers.
The CTA provides a practical example of how industry can play a vital role in deterring cyber threats in the digital age. If your cybersecurity vendor isn’t a member of the CTA, perhaps you should ask them to join…because a cyber threat seen by any one of the CTA members means that the clients of all the CTA members are then protected against that threat.
In my next essay of this series I’ll discuss the need for a greater industry role in the development and implementation of norms of responsible behavior in cyberspace.