Cybersecurity: Partnering to Defend against the Digital Culprit

Combating these types of culprits – and neutralising their ability to infiltrate our digital defences – has taken on greater prominence, both in corporate boardrooms and with policymakers globally. But who are these rogue actors and what can be done to protect our technology systems and the security of our data against them?

This question is the focus of high-level discussions among corporate and political leaders in all parts of the world, and was most recently addressed in Washington DC at last month’s White House summit on cybersecurity and consumer protection in the US. The threat of cyberattacks has actually been around for more than two decades, steadily increasing as attackers’ motivation and the sophistication of the weapons and techniques used have evolved over time.

Initially sparked by so-called intellectual curiosity, these threats now include those from individuals or groups seeking fame by leaving their marks on public websites, fortune by stealing money, data and competitive information, or projection of force by launching targeted attacks to exploit an institution’s or nation’s previously unknown vulnerabilities. In addition, the costs today to launch these types of potentially impactful attacks can be significantly lower than what is required to protect against them, making cyberdefensive strategies particularly challenging.

In a white paper published last October, entitled ‘Cyber Risk: A Global Systemic Risk’, the Depository Trust & Clearing Corporation (DTCC) noted that the systemic risks posed by cyberthreats can best be mitigated by “a truly coordinated approach that includes both private and public sectors across industries and national boundaries.” Critical to these partnerships is collaborative information sharing by industry participants, governments, academics and other private and public sector stakeholders.

The report went on to recommend that cybersecurity should be a non-competitive area similar to the model used among financial market infrastructures. This model fosters innovative solutions that can help organisations bolster their cyberdefence strategies by leveraging the capabilities and experience of a broader community. It also improves the collective response to a universe of cyberthreats that are apt to grow more sophisticated.

A Suite of Initiatives

In order to counter the threat of cyberattacks there are a number of sector-led cybersecurity initiatives, which have been forged with the objective of developing solutions that protect the resilience of critical infrastructure organisations, including financial services firms and others worldwide. Soltra Edge is a new cyberthreat information sharing platform established by Soltra, an organisation founded by DTCC in partnership with the US Financial Services Information Sharing and Analysis Center (FS-ISAC), which has users from the government as well as the financial services, healthcare, and control systems sectors.

Leveraging Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) – two new industry standards developed by the US Department of Homeland Security (DHS), industry participants and the non-profit MITRE Corporation – Soltra Edge allows users to receive and send cyberthreat information machine-to-machine and dramatically reduce the effort and workload associated with managing and analysing threat intelligence.

The concept of information sharing and public-private partnership is clearly resonating and taking hold. In February, the Obama Administration issued an executive order, ‘Promoting Private Sector Cybersecurity Information Sharing’, to advance voluntary cybersecurity information sharing between private companies, not-for-profits, federal departments and agencies and other entities. The executive order also calls for further development of “information sharing and analysis organisations” (ISAOs) in collaboration with DHS as a means of sharing information beyond sector-specific initiatives.

At the same time, members of industry across various sectors are becoming more vocal on the issue. On March 2, a coalition of more than 20 of the most prominent global corporations co-signed a letter to the US Congressional leadership urging immediate legislative action on cybersecurity and citing the need for urgent action “to help bolster our country’s cybersecurity defenses.” Signatories of the letter include corporate leaders across industries, including Lockheed Martin, Microsoft, and insurer AIG.

In Europe, the ‘Network and Information Security Directive’ was approved in March 2014, emerging as the first major effort to affect cybersecurity standards across the continent. Anticipated to be adopted sometime in 2015, the Directive takes a comprehensive approach involving a range of stakeholders. Among a broad set of proposals, Chapter IV of the Directive outlines requirements around information sharing and incident notification among operators of critical infrastructure, such as those in the energy, banking, health, transportation and financial services sectors.

While these types of public and private sector collaborations are demonstrating their benefits in this new world order, the idea of sharing a deep level of information may still be novel to some and can be faced with a degree of scepticism. Concerns about privacy, liability and the appropriate role of government need further discussion.

These issues should not hamper a collective push to move these initiatives forward and encourage closer collaboration and partnership. Neither a single government, industry nor company can solve this problem alone. A collaborative approach – based on open dialogue and trust – is essential to achieving real-time identification, detection and mitigation of emerging cyberthreats.

