Piloting the Public-Private Problem

It seems that every week we learn of another large company or high-profile organization whose networks have fallen victim to intrusions by advanced network threats. Large defense integrators, which make up only a fraction of the overall U.S. Defense Industrial Base (DIB), have been severely impacted by sophisticated threats over the past decade, just as severely as the public sector customers they support. While it may appear that we are just now seeing the threat set its sights on segments of commercial industry, this apparent shift may actually be part of a new awareness that is just now being realized by a sector that has been blind to the true nature of a sophisticated adversary.

On June 16, 2011, in Paris, France, Deputy Secretary of Defense William Lynn unveiled details of the “cyber-pilot” [1], a joint private and public sector initiative in which the Department of Defense and Intelligence Community will share cyber intelligence with large integrators as well as large backbone Internet Service Providers (ISPs). Lynn stated, “Although this pilot breaks new ground on several fronts, we have a long way to go, and a lot of work to do, before our critical infrastructure will be fully secure” [2]. Considering the complex legal and technical constraints on an initiative at this level, the pilot ultimately marks a significant demonstration of national intent to establish a framework in which further relationships will be developed between the public and private sectors. It is the intent and demonstration of a public/private relationship that sends a clear message to nation states that may seek to target critical civilian networks with military-grade cyber warfare assets.

Commercial industry has also played a role in setting a new tone since the 2010 “Aurora” incident, in which Google publicly accused China of being complicit in the exploitation of its networks. RSA, Lockheed Martin, and L3 have all followed suit, emerging as part of a movement of private sector organizations that are no longer afraid to talk about the “dragon” in the room, unlike their public sector counterparts. Time will certainly tell how international organizations like the International Monetary Fund, World Trade Organization and World Bank will respond to the exploitation of their networks, especially if a member nation is ever found to be responsible [3]. The public disclosure of cyber events has served the 24-hour news cycle well. In previous years, many victim organizations remained silent about the fact that they had fallen victim to advanced threats. Like scared children, many organizations have been too timid to stand up and deal with the schoolyard bully because they are afraid of the unknown and of how public knowledge of a network penetration will affect the organizational bottom line. Recognizing and acknowledging the issue privately and publicly is the first step in dealing with this emerging threat area and should be encouraged whenever possible.

As more organizations begin to adopt Security Intelligence processes and learn about sophisticated threats, why they conduct exploitation operations, how to identify them, and how to assure secure business operations, they should also understand that falling victim to advanced cyber threats should no longer carry the shame and stigma that it did nearly a decade ago. When sophisticated cyber threats care enough to steal the very best, they send a clear message of their intent to use computer network exploitation as a diplomatic, economic and military force multiplier. This very act underscores a significant national requirement of the aggressor. It highlights a reliance, rooted in an inherent need, which ultimately risks national reputation. This risk is accepted in a greater effort to possess innovative, progressive ideas and technologies that some nations are simply unable to generate organically. Countries that are complicit in allowing the exploitation of another nation’s private sector, in targeting civilian areas that have no apparent dual-use or military applications, are ultimately risking the long-term opportunities that globalization offers.

While many large Fortune 500 companies may “get it”, it’s also important for small to mid-size companies to realize that they are not immune to this type of threat, and that while their role is limited, it is still of interest and plays an important role in impacting another nation state’s political, military or economic gain. Countries that do not have clear lines between their public and private sectors are seeking to utilize military-grade cyber espionage as more than just a recognized tool of statecraft: as a tool with which a nation can strategically bleed an opponent into a submissive state through diplomatic, economic and military superiority [4]. In recent years, numerous cyber initiatives between the DoD and the Defense Industrial Base (DIB) surrounding data and indicator sharing have been woefully inadequate and have fallen short of providing near-real-time, actionable intelligence at “net speed” (whatever that is). As industries and sectors co-mingle intelligence, capabilities and cultures, a new common awareness will have to emerge. This awareness, and the ability of both public and private sectors to begin effectively countering threats of this nature, can only be achieved by first addressing and reforming the antiquated titles, authorities, and legal policies that do not scale against the current threat. These instruments simply serve as the tools that enable a nation to adequately defend itself from the onslaught of foreign threats that are actively operating from within our national infrastructure.