We live today in a world beset by cyber risk. It’s all around us — whether it’s potential election manipulation by a nation-state adversary like Russia, China, or Iran; a ransomware attack by a criminal group to gain financial advantage; or the theft of intellectual property, identity information, or digital cash — we have all become fairly accustomed to the idea that the systems on which we spend so much of our lives may be vulnerable to major exploitation.
And yet most of us haven’t fundamentally changed how we live our lives online. To the contrary, we still continue to put our most sensitive information on systems that might be pwned and rely ever more on connected devices, not just laptops, tablets, and smartphones, but the dozens of smart speakers, environmental controls, and alarm system components that line every room of our houses (and workplaces, at least before the COVID pandemic).
To be fair, this is likely as it should be. The productivity benefits that have been achieved with the significant move to an online environment have been massive. They have yielded hugely positive outcomes across the globe to support positive outcomes: from cities where they make getting from point A to point B much more efficient and ensure that services can be delivered at speed and scale … to rural areas where they support better crop yields, provide the latest in education opportunities, and permit the remittance of money without the need for a massive banking infrastructure. There have been social benefits, too, such as connecting parents with children, creating stronger intergenerational bonds, and perhaps keeping some of the human connection alive for all of us in an era of social distancing.
And while there’s also certainly been a darker side to this technological revolution — including the hardening and radicalization of viewpoints as a result of being surrounded online by massive networks of people that share likeminded perspectives, the bullying (or worse, exploitation) at scale of vulnerable populations, and the permitting of access into our homes, workplaces, and personal lives of all manner of potentially nefarious actors, from governments to criminals — we tend to believe that the benefits have outweighed the costs. And although it’s somewhat harder to see in an era where we hear so much negative news, whether about our governments or our private sector companies, we’re almost certainly right that technology continues to have the power to raise up our societies and our people to a higher standard of living and to increase economic and social opportunity worldwide.
The question then becomes, of course, what we ought be doing to better protect ourselves, our families, and our economic opportunities online. It virtually goes without saying that everyone ought take the most basic steps like using two-factor authentication where appropriate, working hard to identify potential phishing attacks, and being more skeptical (and critical) consumers of the information that comes into our hands online, particularly in the heat of a hotly-contested election campaign and a global pandemic (as IronNet's General (Ret.) Keith Alexander explains in his recent blog post).
A paradigm shift toward Collective Defense
But there’s an even bigger change in mindset that we ought make this month. It’s a paradigm shift that many have been talking about for years and which the Cyberspace Solarium Commission highlighted in its pathbreaking report issued earlier this year. It’s the idea that we need to create a new “social contract of shared responsibility” in cyberspace. We must recognize that we cannot effectively defend ourselves standing alone in the cyber arena. To do so — as we have for the better part of the last four decades—is to ensure failure.
Today, unlike in nearly any other domain where major threat actors organize themselves to come after us — whether a nation seeking to conduct a physical attack on a neighboring country or a criminal gang marauding a local neighborhood — in cyberspace we expect each person, each company large and small, and each local or state government to defend itself against any and all attackers. This makes little sense.
The idea that one organization — whose principal mission is almost certainly not cybersecurity — could effectively combat a major actor with virtually unlimited resources is not just incorrect; it runs counter to the way societies have organized themselves for thousands of years.
Since the days when our ancestors realized that sorting ourselves into communities could best protect us from the vagaries of the natural environment, to the present era where we (reasonably) expect our government to protect us against physical attacks by other nations, we’ve always thought that working with our neighbors and colleagues and creating sustainable public institutions to protect our communities was the best approach to combat opponents that we couldn’t manage on our own.
And yet even though we haven’t done so effectively to date, we ought take the same approach in cyberspace, adopting a collective defense approach to cybersecurity. We must work with one another — company with company, industry with industry, state with state, locality with locality, and each of these with one another — to create networks of defensive capability. Frankly, we must do a better job of mimicking our adversaries, who absolutely organize themselves online to conduct sustained campaigns of attacks against us.
And we must bridge the public-private sector divide in order to truly be most effective. This is so even in a time where shared confidence between governments, industry, and the public is substantially lower than it ought be. Indeed, creating a strong commitment to sustained collaboration is perhaps more important when trust is lacking than when it is strong.
As the Commission put it, in order to leverage the “unique comparative advantages” that governments and private sector actors bring to the fight, we need to create “truly shared situational awareness” in order to provide for the common defense when it comes to the cyber domain.
So this October, as we gird ourselves for the coming weeks of debate, discussion, and potential divisiveness around the next election, it might be worthwhile to think of the challenges we share in the cyber domain rather than the issues that that divide us. After all, cybersecurity awareness doesn’t just mean knowing who and what is coming after you; it means taking action. Perhaps this year we ought contemplate how we might make our society — not just ourselves — that much more defensible.
IronNet Cybersecurity. The mission continues.