Friday, August 7, 2020
By Jeffrey Kutler
There is nothing simple about cyber warfare, but, for the sake of argument, think of it as boiling down to two opposing sides.
On the offensive are those that break through defenses stealthily and opportunistically. The best organized and financed are often suspected to be linked to nation-states carrying out geopolitical motives.
On the other side are numerous institutional forces in protective mode: governments and their military and intelligence agencies; critical infrastructures, corporations and other private-sector targets; and an array of technologies – ranging from data encryption to anti-virus systems, and identity safeguards to predictive analytics – to keep the attackers at bay.
By now the defenders are detecting and blocking many assaults, but not all. A seemingly endless war rages on, for the most part not resulting in big news headlines – except for flare-ups like the mid-July exploitation of Twitter to hack into the accounts of prominent political figures and celebrities. Occurring while cyber experts and analysts were tracking a continuing surge in malicious activity that coincided with the spread of the coronavirus, the Twitter breach was yet another harsh and costly reminder that cybersecurity is too porous and brittle for comfort.
The reality set in years ago that no technology or tool or entity alone, nor even small groups acting in concert, could prevail against canny and resourceful adversaries unconstrained by budgets or propriety.
With the aim of marshaling significant defensive capabilities, an order from the White House in May 1998, known as Presidential Decision Directive 63 (PDD 63), put a spotlight on “critical infrastructure protection.” It listed ambitious five-year goals including “a reliable, interconnected, and secure information system infrastructure” and “ensuring the capability to protect critical infrastructures from intentional acts,” while “immediately establishing a national center [the National Infrastructure Protection Center (NIPC), now part of the Department of Homeland Security] to warn of and respond to attacks.”
It's still a journey.
[Illustration: Layered Cyber Defense]
Private Sector as Partner
That Clinton administration directive spoke primarily to federal government. However, the NIPC called for a collective response by “fusing” representatives from the Federal Bureau of Investigation, U.S. Secret Service, Intelligence Community, and the Departments of Defense, Energy and Transportation – a foreshadowing of post-9/11 mobilization – along with what was termed “an unprecedented attempt at information sharing among agencies in collaboration with the private sector.”
On top of that, said the PDD 63 fact sheet: “Information Sharing and Analysis Centers (ISACs) are encouraged to be set up by the private sector in cooperation with the federal government and modeled on the Centers for Disease Control and Prevention.”
ISACs took off and thrived. Today there are 24 critical infrastructure sectors represented in the National Council of ISACs including that of financial services, FS-ISAC. Founded in the U.S. in 1999, currently with 7,000 member institutions worldwide, FS-ISAC says it “leverages its Intelligence Exchange platform, resiliency resources and a trusted peer-to-peer network of experts to anticipate, mitigate and respond to cyber threats.”
But, to the extent that the sharing of intelligence, and public- and private-sector collaboration, have been effective, they have yet to stamp out the threats. Other groupings continue to form, not necessarily to displace the ISAC approach, but rather in hopes of assembling or enhancing the right combination of forces to meet the common objectives. This year, for example, has seen the creation of the Cyber Risk Institute (CRI) by major financial institutions and trade associations, and the multi-sector Coalition to Reduce Cyber Risk.
When the coalition, CR2 for short, announced its launch in March, Alex Niejelow, senior vice president, cybersecurity coordination and advocacy at Mastercard, articulated the widely endorsed principle: “Threats to cybersecurity evolve so quickly that we can no longer afford to address them company by company, sector by sector, and nation by nation. By using our collective resources and building upon our expertise as a diverse, cross-sector coalition, we can advance cybersecurity risk management, promote shared economic opportunity and innovation, and improve oversight and public policy objectives.”
The multiplicity of such alliances may raise a question about fragmentation – whether there could be too many organizations, too much cooperation to be optimally focused – even as governmental and regulatory bodies approve and encourage joint action and information sharing.
In a July report on the need for standardization and collaboration in the fintech sector, the World Economic Forum's FinTech Cybersecurity Consortium said that the volume of industry-driven initiatives is creating “‘noise’ . . . The sector needs a mutually understood and widely accepted base level of cybersecurity controls. Clarity at the base level of security will support effective protection of business and client assets across the wider supply chain.” That would facilitate commercial partnerships “and, in turn, incentivize good cyber hygiene and cybersecurity techniques among the least-resourced companies, improving cyber resilience systemwide.”
Attempting to lay out yet another definitive strategy, if not the last word, for U.S. cyber defense, the Cyberspace Solarium Commission (CSC) published a 174-page report in March, fulfilling a provision in the National Defense Authorization Act for fiscal year 2019. Co-chaired by Senator Angus King, Independent of Maine, and Representative Michael Gallagher, Republican of Wisconsin, the CSC consisted of several other Congress members of both parties, cyber policy veterans, and a corporate CEO (Tom Fanning of Southern Co.).
The panel combined a “layered cyber deterrence” strategy (see illustration above) with an adaptation of the “defend forward” military concept, which “requires the United States to have the capability and capacity for sustained engagement in cyberspace to impose costs on adversaries for engaging in malicious cyber activity.” And it drafted more than 80 recommendations, organized under six “pillars.”
Much like 1998's PDD 63, the messaging is preponderantly directed toward government, as in “Reform the U.S. Government's Structure and Organization for Cyberspace” (pillar 1) and “Preserve and Employ the Military Instrument of National Power” (pillar 6). But, under pillar 5, titled “Operationalize Cybersecurity Collaboration with the Private Sector,” the report says: “Unlike in other physical domains, in cyberspace the government is often not the primary actor. Instead, it must support and enable the private sector. The government must build and communicate a better understanding of threats, with the specific aim of informing private-sector security operations, directing government operational efforts to counter malicious cyber activities, and ensuring better common situational awareness for collaborative action with the private sector.
“Further,” the CSC continues, “while recognizing that private-sector entities have primary responsibility for the defense and security of their networks, the U.S. government must bring to bear its unique authorities, resources, and intelligence capabilities to support these actors in their defensive efforts.”
Echoing terminology used in financial institution oversight, CSC says, “Congress should codify the concept of ‘systemically important critical infrastructure,’ whereby entities responsible for systems and assets that underpin national critical functions are ensured the full support of the U.S. government and shoulder additional security requirements befitting their unique status and importance.”
Another recommendation: “Congress should establish and fund a Joint Collaborative Environment, a common and interoperable environment for sharing and fusing threat information, insights, and other relevant data across the federal government and between the public and private sectors.”
“The report makes clear that everyone – from government to private-sector companies to Congress itself – needs to make meaningful changes,” Representative Jim Langevin, Democrat of Rhode Island and a CSC member, said at a July 17 House Homeland Security subcommittee hearing, as efforts were underway to insert CSC recommendations into the next National Defense Authorization Act.
“We need to expect more from government,” Langevin said, including “closer coordination across agencies, stronger collaboration with critical infrastructure, and, critically, a greater emphasis on planning . . . We also need to expect more from the private sector. We need companies to truly accept the risks they take in cyberspace by accepting the consequences of failing to protect their data and networks.
“We also need technology companies – what the report calls ‘cybersecurity enablers’ – to do more to make the secure choice the default choice. Too often, we see a rush to be first to market, not secure to market. Too often, we see entities like ISPs [internet service providers] not protecting their small and medium-sized customers because they don't believe it's their job.”
Langevin added that “where the public and private intersect, at the nexus of critical infrastructure . . . we need to ensure the private sector is doing its part to protect itself while acknowledging that they can't go it alone.”
Bringing ISACs into the discussion, CSC calls for an executive branch review that would include recommending “procedures and criteria for increasing and expanding the participation and integration of public- and private-sector personnel into U.S. government cyber defense and security efforts. This review should identify continuing limitations or hurdles in the security clearance program for private-sector partners and in integrating private-sector partners into a CISA [Cybersecurity and Infrastructure Security Agency] integrated cyber center, including integrating private-sector organizations like information sharing and analysis centers (ISACs) and the Financial Systemic Analysis and Resilience Center (FSARC),” which is an FS-ISAC offshoot.
The ISAC model works for “companies in a similar problem space,” Sean Catlett, chief information security officer of Reddit, previously of Fidelity Investments, Barclays and Bank of America, said in an online interview in March.
“This has been the model for many industries – to have trade groups establish sharing mechanisms,” Catlett noted. But he made a distinction between intelligence and information.
“This gets a lot harder,” he said, “because intelligence in the information security world, to some, means the latest and greatest indicators of compromise. This becomes highly specific and targeted, and the variability of maturity of different programs across the globe means varying degrees of ability to detect, different regulations on what's allowed to be shared, and different risk appetites for what should be shared.”
For all of its intuitively recognizable benefits, cyber information sharing in the private sector raised legal and liability issues that caused hesitancy in some quarters and that the Cybersecurity Information Sharing Act of 2015 was designed to assuage.
Financial Industry Interconnections
Because of its longevity, perceived effectiveness and inclusiveness, with banks of all sizes and nonbank institutions, FS-ISAC served as an early and influential example for other critical-sector ISACs, such as aviation, electricity, health and IT. FS-ISAC has also launched subsidiaries Financial Data Exchange and Sheltered Harbor, in addition to FSARC, and is well connected out of practical necessity – and through overlapping memberships – with the likes of the Financial Services Sector Coordinating Council (FSSCC), the Bank Policy Institute (BPI) and its BITS technology policy division, and the new, BPI-led Cyber Risk Institute.
FSSCC joins in the collaboration chorus, stating on its website that since 2002 it “has built and maintained relationships with the U.S. Treasury and Homeland Security Departments, all the federal financial regulatory agencies (e.g., Federal Deposit Insurance Corporation, Federal Reserve Board of Governors, Office of Comptroller of the Currency, Securities and Exchange Commission) and law enforcement agencies (e.g., Federal Bureau of Investigation, U.S. Secret Service).” FSSCC and Treasury “have developed a strong public-private partnership with the shared goal of maintaining a robust and resilient financial services sector.”
Cyber Risk Institute, “working to protect the global economy by enhancing cybersecurity and resiliency through standardization,” is home to “the Profile,” a cyber risk assessment benchmark.
“The financial services industry's success with the underlying [Profile] model compelled BPI to launch CRI as a proactive effort to fortify the financial system and make CRI's resources available to all,” said BPI executive vice president and BITS president Chris Feeney. A BPI/BITS offering in a similar vein is the Quantum Risk Calculator, to help those “haunted” by the potential consequences of quantum computing – there are fears that it will bring about intractable cyber-insecurity – to build strategies to manage them.
As of May, at CRI's launch, the Profile tool was already “in use by upwards of 100 firms on four continents and experiencing substantial growth in adoption, with member contributions resulting in version enhancements every 2-3 years,” said CRI founder and managing director Josh Magri, who, while a BPI/BITS senior vice president, co-led the Profile initiative with FSSCC.
“Optimizing the compliance process means that those professionals can devote more time to keeping our global economy safe from potentially devastating cyberattacks – a solution that equips the institution, benefits the regulatory community by allowing more firm-to-firm comparison, and serves the consumer,” Magri added.
The U.S. Commodity Futures Trading Commission, in a July 16 statement, said it welcomes the use of standardized tools like the Profile and the National Institute of Standards and Technology's Cybersecurity Framework, without endorsing any one. The agency views them in the context of “collaborative approaches to advance and support cyber preparedness and enhance the efficiency and effectiveness of its system safeguards oversight.”
If ever there was a time for bulked-up cyber defenses, 2020 is the year. The U.S. presidential election in the fall is raising alarms about potentially more and worse disinformation, and other “meddling” and collateral damage, than was detected in 2016 and 2018. The July Twitter hack could have been a shot across the bow, although the incident was attributed to teenage hackers who broke into the network by social engineering, or getting an employee to divulge a security key.
“It doesn't take much imagination to see what chaos one could sow with such access on Election Day if a bad actor was pushing out disinformation,” said Representative Langevin.
A New York Times article on July 16 contemplated exactly that, observing, “Since 2016, thousands of pages of federal investigative reports have been published on what went wrong in the presidential election that year, and a congressional Cyberspace Solarium Commission has produced long lists of recommendations of how private enterprise and the government can work together. But then there are days like [July 15], when it seems as if all the studies were insufficient.”
“Our adversaries have noticed the broader attack surface” due to working from home and other weak links in IT security, Langevin said, pointing out that the day after the Twitter breach, the Cybersecurity and Infrastructure Security Agency “in conjunction with allies in the U.K. and Canada announced that Russian operatives are targeting health care organizations doing research on the virus.”
The pandemic-fueled rise in fraud, identity theft, ransomware and other crime has been the subject of repeated cybersecurity and regulatory-agency alerts.
A July 7 advisory from the U.S. Treasury's Financial Crimes Enforcement Network, for example, called attention to “potential indicators of imposter scams and money mule schemes, which are two forms of consumer fraud observed during the COVID-19 pandemic.”
Three days later, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations issued an alert citing “an apparent increase in sophistication of ransomware attacks on SEC registrants.”
In a May webinar, Oliver Wyman partners Paul Mee and Rico Brandenburg substantiated the “nefarious opportunism” of bad actors with data from Carbon Black: On March 1, when the first COVID-19 death in the U.S. was announced, attacks exceeded the baseline number by 60%. Ten days later, when the World Health Organization declared it a pandemic, there was a 22% spike.
The pandemic aside, cyber attacks are not abating. VMware, Carbon Black's parent, released results of a threat survey, conducted in March, in which 92% of U.S. respondents said attack volumes had increased in the last 12 months, 97% suffered a security breach over that period, and 84% said the attacks had gotten more sophisticated.
“Organizations are now anticipating more attacks than ever, even with increased spending on security,” said Deepak Patel, security evangelist of application security company PerimeterX, commenting on the CyberEdge 2020 Cyberthreat Defense Report. Based on responses from 1,200 IT security decision-makers and practitioners, it found that a record 81% of respondents' networks were breached last year; a record 62% were compromised by ransomware, and most paid the ransom; and 13% of a typical enterprise IT budget is spent on security.
According to the third annual Deloitte/FS-ISAC cybersecurity survey, also using pre-pandemic responses, financial institutions spent an average 10.9% of IT budgets on cybersecurity, up from 10.1% a year earlier, and $2,700 per full-time employee, compared with $2,300.
From Cyber to Systemic
“The risks of attack multiply with our increased dependence on digitalization: more people accessing financial services online and more financial sector employees working remotely. This is what happened during Europe's national lockdowns,” European Commission executive vice president Valdis Dombrovskis said in a June speech.
“After the pandemic began, we saw usage of finance mobile apps in Europe shoot up by 72% in just one week, due to social distancing and lockdown restrictions,” Dombrovskis added. “At the same time, attacks on financial institutions have risen by 38% and account for more than half of all attacks observed during that period.
“As the European Systemic Risk Board has pointed out, cyber risk is a source of systemic risks to the financial system that could have serious negative consequences for the real economy. One cyber incident can evolve into a systemic cyber crisis.”
The EC official is not alone in making the cyber-to-systemic risk connection.
“We at the New York Fed and others around the world have connected those dots,” Federal Reserve Bank of New York president John Williams said recently. (A New York Fed staff report this year sought “to understand the risk presented by cyber attacks to the U.S. financial system” by way of wholesale payments, and “to quantify how a cyber attack may be amplified through the system.” See also A Cyber Threat to Financial Stability.)
“Cyber incidents pose a threat to the stability of the global financial system,” the Financial Stability Board said with the April release of a consultative document on cyber incident response and recovery. “In recent years, there have been a number of major cyber incidents that have significantly impacted financial institutions and the ecosystems in which they operate. A major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.”
European Infrastructures Sharing
Framing cyber threats as “a serious risk to the stability of the European and global financial system,” one ecosystem group, consisting of “Europe's largest and most important financial infrastructures, members of the Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB),” came together in February with a Cyber Information and Intelligence Sharing Initiative.
“This is the first time that major financial infrastructures [including exchange operators and central banks], Europol and the European Union Agency for Cybersecurity have jointly taken steps against cyber risk,” said European Central Bank executive board member and ECRB chair Fabio Panetta. “We hope this will be an inspiring model for other jurisdictions to tackle one of the biggest threats of our time. Cyber criminals are increasingly stealing money, and therefore sharing information will help us to prevent attacks and ultimately protect people's money.”
Panetta said that information and intelligence sharing within a trusted community “allows financial infrastructures to leverage the collective knowledge, experience and capabilities of that community to address the threats they may face. It enables them to make informed decisions about their defensive capabilities, threat detection techniques and mitigation strategies. By sharing cyber information and intelligence, financial infrastructures act in the public interest to support the safe and sound operation of the financial system as a whole.”
Gaps to Close
“The realities of 2020 make clear that a comprehensive, whole-of-nation approach to cybersecurity is a necessity, but we do not yet have one,” Representative Langevin lamented. “We lack a clear leader in the White House whose mission it is to focus on cybersecurity. We lack clear understanding of roles and responsibilities, both within government and between government and the private sector. We lack clear metrics to measure our progress.”
The congressman holds out hope for “the end state we desire in the Solarium report – a state where we are resilient enough to deter our adversaries and agile enough to push back when they insist on testing our defenses. That end state is in reach,” but not without a lot of work by the many interested and affected parties.
On the front lines, optimism is hard to come by. At the RSA Conference in San Francisco in March, one of the biggest gatherings of cybersecurity professionals, in a survey conducted by machine-identity-protection vendor Venafi, 88% said the world is in a permanent state of cyber war, with 90% saying that digital infrastructure is most vulnerable to damage. Industries undergoing digital transformation were regarded as most exposed.
A study conducted by Frost & Sullivan for Germany-based vulnerability management software company Greenbone Networks painted a less than rosy picture of cyber resilience of critical-infrastructure entities – in finance, energy, health care, telecommunications and other sectors – in major industrialized economies.
“Only 36% of the organizations surveyed were highly cyber resilient” based on best practices and other defined criteria, the Greenbone report said, though the U.S. scored highest, and well above average, at 50%. “Across all the countries surveyed, financial and telecoms organizations (46%) were best equipped against cyberattacks. They were followed by the water (36%), health (34%) and energy (32%) sectors.”
Manageability of, and recoverability from, cyber attacks were seen as only partly a function of company revenue and IT budget, and more a matter of “good business practices in place across the board and a thorough understanding of mission-critical digital assets and business processes for both information security and operating personnel.”
Big and Bigger Targets
“Cyber costs are higher for larger firms and for incidents that affect several organizations at once,” concludes The Drivers of Risk, a Bank for International Settlements working paper published in May. “The financial sector incurs a larger number of cyber attacks but suffers lower costs, on average, because of its greater investment in IT security.”
The study also finds that “cyber incidents are becoming more sophisticated and their costs difficult to quantify.” Cloud computing services tend to come at lower costs, with the added attraction of state-of-the-art security. But, the BIS paper warns, “as cloud providers become systemically important, cloud dependence is likely to increase tail risks.” What's more, “the market for cloud services is highly concentrated, and there are warnings about increased homogeneity and the greater risk of single points of failure.”
There may just be no safe havens.
Fighting the wars since the 1990s while with Microsoft and other companies, and currently as president and chief security officer of HighSide, which has a remote-work security solution, Aaron Turner says the reality is inescapable: “The cyber world will, if anything, get more hostile.”