On April 21, we aired the webinar, An Inside Look at the Cyberspace Solarium Commission (CSC) Report, featuring Congressman Mike Gallagher (R-WI), co-chair of the CSC, and IronNet SVP and Solarium Commission Red Team member Jamil Jaffer.
Watch the on-demand webinar to hear the full conversation about why a Collective Defense approach is a key recommendation from the Commission for bolstering the nation's cybersecurity defenses.
Your questions, answered
Viewers submitted several questions that Jamil and Congressman Gallagher ran out of time to answer, so we’re posting those here. NOTE: We took some liberty with clarifying abbreviations or unclear language in questions. Also, all questions answered below were answered by representatives of IronNet Cybersecurity, not by Congressman Gallagher, and represent the views of only those individuals and not the Congressman.
If a [cyber] problem is too small for a federal response, any thought for a local/state National Guard regional response capability wearing the state/federal hat?
Getting the National Guard involved is critical, both to help states with defensive measures ahead of time and to build relationships and train with the private sector at the state and local level prior to a crisis. The National Guard plays an important role supporting state governors in times of crisis as well as serving as a supplement to DoD forces when called into the service of the United States. Having the National Guard train and prepare for these missions, and having them work with state and federal agencies and the private sector ahead of time, ensures we can be more resilient and can expand the idea of collective defense across national, state and local lines.
Excellent discussion on threats and the governmental awareness and structure that can combat attacks and misinformation. I'm fascinated by Finland's experiences and the fact that Harvard hired Finnish government execs to help them in their cyber campaign work. Are we collaborating with countries like Finland who have been “attacked” with hundreds of misinformation campaigns?
Thank you for a GREAT call!
The United States regularly collaborates with allies, like Finland, on a range of issues, including cyberattacks and cyber-enabled misinformation campaigns. Our allies across the globe are often under attack by the very attackers that also target the United States, whether for disinformation operations or for other types of cyber activities, including intelligence collection and more offensive operations. In many ways, our allies in regions like the Middle East, East Asia, and Central and Eastern Europe are very much on the front lines of cyber warfare against American adversaries like Iran, China, North Korea and Russia. For example, in Asia, our allies including Japan, Singapore, and Taiwan are under constant threat from Chinese cyber activity, including intelligence collection, intellectual property theft, and longer-term operations. Likewise, in Central and Eastern Europe, we know the Russians use cyber as a key tool to conduct covert and overt disinformation campaigns, as well as using cyber capabilities alongside more traditional attack measures, as we've seen in Georgia, Estonia, and Ukraine. And actors like North Korea and Iran have likewise been known to use cyber directly and through proxies to threaten the U.S. and its allies in the Middle East and, at times, more broadly.
Leveraging our alliance relationships with nations in these areas can be hugely beneficial to both sides. For example, the United States can help provide best-in-class technologies across a range of cybersecurity disciplines from the American private sector to our allies. In addition, the United States can share actionable intelligence with our allies so they are better protected ahead of an expected attack. And finally, these allies can provide the United States with early insights into the tactics, techniques and procedures used by these key threat actors. This intelligence sharing can also enable broader collaboration amongst allies to stop attacks before they cause real damage. Engaging in strong collective defense efforts across international borders to support our allies can redound to the interest of all nations in the alliance.
The [Solarium] report has a large volume of actions and seems unable to get to success in implementation. Legislation can force it, but agree we need the galvanizing of all industry, government, etc. What is the most important recommendation to really get in place and working?
In our view, the most important recommendations of the report are those that discuss a collective defense approach — and how we must fundamentally change our national cyber construct from defending as individual companies, agencies, states, and localities to a broader approach where companies and industries and governments of all levels can work together, and share actionable threat information with one another in real time. We need to defend the same way that these threat actors are attacking — together, as a nation. A collective defense approach allows us to capitalize on the combined resources of multiple entities and to collaborate in real time to create a more effective defensive capability.
Since the intelligence community takes their [intelligence] collection priorities and funding from the President and the NIPF [National Intelligence Priorities and Framework], if we're inviting commercial companies to this, will they share in the cost for their priorities?
The idea of the private sector providing intelligence requirements to the government is certainly a novel concept. However, it is worth noting that we are in a novel environment, where the private sector is on the front lines of nation-state cyber attacks, and is expected to defend itself, largely acting alone. One key role government can play in this scenario is to identify specific threats and threat actors and share actionable threat intelligence with the private sector, in real time. The government can only collect such intelligence, however, if it can see the attacks targeting the private sector. As a result, both sides need to be willing to rely on the other's information and to build systems and processes now, ahead of an attack, to be able to respond rapidly.
Should DoD's CMMC [Cybersecurity Maturity Model Certification] initiative be expanded throughout the federal government?
Yes, but it might be helpful to let the DoD work out the kinks in the program before it is expanded. Specifically, there is an open question around the burden of security costs on small businesses. Though we would like all companies in the country to achieve at least level 1, the reality is that the costs of certification alone could be excessive for the smallest companies. There are multiple ways to work around this, but it is unclear how this will pan out since the assessments haven’t begun yet.
What are your thoughts on CMMC and its ability to help fortify the public sector?
I think it will definitely help. The big defense contractors are already doing many of the things the CMMC requires. It is in their supply chains where I think we’ll see the most impact. Larger companies are going to have to pay more attention to their subcontractors because the level of the contract delivery team can be determined by the most insecure subcontractor. The fact that the program requires Third-Party Assessment Organizations and includes spot checks will make it very difficult for an organization to turn this into a paper drill like we saw with the NIST 800-171 requirement from a couple of years ago, when contractors could self-certify based on subjective standards and have a laundry list of open items indefinitely.