2011 was a watershed year for cyber attacks. RSA was hit in March, Lockheed Martin in May, and LulzSec went on their rampage through Sony, Fox, PBS, Nintendo and even the CIA. It was also the year that the U.S. Government proposed a new approach to dealing with cyber threats that received little attention at the time, but has come to revolutionize how we tackle this problem today.
When we think about U.S. Government efforts in cybersecurity today, we often conflate them with ongoing efforts to reform the National Security Agency’s surveillance authorities. But we have long taken an approach to this problem that is more collaborative than confrontational. The Department of Homeland Security and MITRE’s 2011 Enabling Distributed Security in Cyberspace was the first official document to call for building an “ecosystem” in cybersecurity. Rather than focus on the security of individual organizations, the proposed idea was that we should work as a community to address threats as they arose. By inoculating the community against these threats, we would only have to suffer the disease once before we all grew stronger.
DHS later noted that several principles define a secure ecosystem:
- Understanding of IT risks,
- Use of best practices,
- Validated identities,
- Interoperable technology, and
- Machine-to-machine threat information sharing.
To be honest, these principles were fantasies in 2011. Risks were poorly understood, as low-level defacement by groups such as Anonymous received the same attention as incidents like the RSA breach. Best practices were spread out over a range of competing technical standards that were meaningless to some industries and impractical for others. Personal identifying information was scattered around every online vendor or cat video website you could visit. Security technology was a bolt-on model, not designed to intelligently manage itself or adapt to new threats. And information sharing, not to mention machine-to-machine interaction, was largely done quietly in personal trust groups to stay out of the wary gaze of company lawyers who probably would not have approved.
I’d like to say that in 2015 the landscape is vastly different, but we have been too slow to achieve the vision of a secure cyber ecosystem. We have some of the principles in place here and there, but have yet to achieve the critical mass necessary to drain the swamp of low-level cyber threats and enable us to focus our energy on fighting the actual diseases.
Many of these goals, such as better understanding risks and following best practices, are finally getting some traction, but they require long-term cultural changes that will be realized over time. We can hope that one day writing insecure code will be as scorned as smoking at a daycare center, but today we have an opportunity to make big strides in interoperability and peer information sharing.
The “theory” goes like this. As Moore’s Law drives down the cost of computing power, cyber attacks will rise in number. And since the threat is asymmetric, an attacker only has to be right once to breach your system and cost you money, time and reputation. But automated technology that is natively integrated can change the economics of this fight.
Much of the cyber threat we face today is noise that can confound and distract human users. Automation helps clear away this noise and focuses humans on the most significant threats. Integrated systems that were built to work together can also be linked to information sharing repositories, like our WildFire Threat Intelligence Cloud. Large threat data sets make them significantly more powerful as they learn to take action from attacks observed against other partners, building an almost biological response.
Beyond the new technology available to us today, our best chance of building this ecosystem is in the growing and enthusiastic response from members of commercial industries who are joining threat information sharing and analysis organizations. A recent Presidential Executive Order and guidance from the U.S. Department of Justice have given new life to these efforts. Even companies not in the security space, like Nike and Safeway, are joining together in groups like the Retail Cyber Intelligence Sharing Center. If we can link these trusted communities together to share cyber threat information in real time using standardized methods, the ability of everyone to detect and prevent cyberattacks strengthens exponentially. You can see an example of how Palo Alto Networks is proactively taking action by following the work we do sharing threat information with other major security vendors as part of the Cyber Threat Alliance.
The trust inherent in information sharing can be hard to earn, but we have to be willing to take action and drive collaboration when we can. Cultural changes required for the wide adoption of best practices and risk mitigation strategies will come slowly. However, we have an opportunity today to accelerate our ability to clear the weeds and strengthen our cyber ecosystem. By building bridges to increase information sharing and investing in the best technology available, we can keep humans focused on the endgame of, “a healthy, resilient – and fundamentally more secure – cyber ecosystem of the future.” We have already waited long enough.
Reference: Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action, U.S. Department of Homeland Security, 2011, http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf