How public-private cooperation in cybersecurity needs to evolve
By Amit Roy Choudhury
US move to coordinate cyber response between the government and private sector can be a model for the future.
A worrying trend noticed around the world, including Singapore, is that in many attacks, cybercriminals operate with the covert encouragement and support of foreign governments. The US has been at the receiving end of a series of high-profile and successful cyberattacks over the past year or so.
Last December, SolarWinds, a major information technology company with a huge client base, was found to have been subjected to a highly sophisticated cyberattack over a period of months. The compromise spread to its clients, including Microsoft and the cybersecurity firm FireEye, as well as US government departments.
In May, the Colonial Pipeline was hit by a ransomware attack that shut down piped gas supply to the US East Coast. The US government has treated the attack as a national security threat. In July, the ransomware group REvil carried out another major attack on software developer Kaseya, and from there it spread to thousands of computers.
Interestingly, these attacks came at a time when the US President, Joe Biden, publicly declared that cybersecurity and prevention of attacks on critical infrastructure would be a major area of focus for his Administration.
A coordinated strategy
It has long been understood that cyber-defence is not something that can be just left to the government. There has to be a public-private partnership to develop a coordinated strategy.
This is because cyber-attacks are no longer just a technology challenge. Hacking started out, around the turn of this millennium, with talented but misguided people releasing viruses to infect as many computers as possible. The objective was often as simple as the bragging rights of having done so.
Over the past decade, hacking has morphed into a much more sinister activity where criminal gangs use malicious code for monetary gain. As more information is stored online, the criminal enterprise has morphed yet again. There is clandestine collaboration between criminals and gangs, often with state backing.
They indulge in industrial espionage and sometimes in attacks whose sole aim is to cripple an adversary’s critical infrastructure. The Colonial Pipeline incident is a good example of this.
Every government understands that in the next shooting war, the cyber domain will be as hotly contested as land, air and sea domains.
Governments usually have a broad view of potential threats through law enforcement and intelligence capabilities, but they tend to see things through a national security lens rather than from a commercial risk perspective. Companies, on the other hand, have a far better understanding of sector-specific risk and have better access to cybersecurity talent.
Governments and companies have different sources of information, insight, and intelligence. Pooling them would create a clearer and more coherent picture of cyberthreats. This is why a public-private partnership is required for a coordinated response.
Working things out
The theory is simple but actual cooperation has been harder to achieve. This is due to a number of factors.
Many companies, particularly publicly listed ones, have shown a greater commitment to their shareholders than to overall government policy when it comes to cyber-attacks. Many organisations are reluctant to report a breach or a ransomware attack for fear that making such information public could adversely affect their stock market valuations. In the case of ransomware attacks, many companies have quietly paid up in order to unlock their data.
While such an approach can probably preserve shareholder value, it does a disservice to the overall countrywide strategy against cyberattacks because information sharing is an important part of cyber-defence. This is one of the reasons that the Cyber Security Agency (CSA) of Singapore has mandated that critical infrastructure companies must immediately inform the agency in the event of a breach.
Governments, for their part, are often unable to move fast enough with legislation to keep up with changing technology and newer methods of attack and intrusion. At times, public officials have also been unmindful of the real privacy needs of publicly traded companies in the aftermath of cyber-attacks.
The penny dropped
In this context, August 2021 could potentially be the month when the penny dropped in cybersecurity coordination. At a cybersecurity meeting convened by the Biden Administration at the White House, the US government announced a slew of new measures and rules to tighten cybersecurity.
More importantly, the private sector CEOs who attended the meeting announced initiatives worth more than US$30 billion over the next few years to bolster cyber-defence across the full spectrum, including technology and manpower.
While most of the initiatives were aimed at shoring up the US industry’s cyber-defences, given the size and importance of the market and its international linkages, they will have a positive domino effect on the global digital economy.
Why this matters
To understand why this is a big deal, let’s first look at some of the commitments made by the private sector in which big numbers were involved.
Google announced that it would invest more than US$10 billion to strengthen cybersecurity over the next five years. It also pledged to train 100,000 people in IT support, data analytics, and other technical fields.
Microsoft announced it would spend US$20 billion over the next five years to build advanced security tools and also spend US$150 million to help government organisations upgrade security.
IBM has given a commitment to training 150,000 people in cybersecurity skills while Amazon Web Services will give account holders free multi-factor authentication devices to better secure their data.
It’s not only the technology companies. Insurance providers, computer coding societies as well as educational institutions pledged support for the government to develop a coordinated response to cyber-attacks.
It bears repeating that the public and private sectors need to work together to protect against sophisticated cyberattacks, and to share information and resources as quickly as possible. The private sector needs to keep government agencies in the loop about the kinds of tools and tactics hackers could use against them.
The knowledge base that exists in the private sector about technology developments is, in most cases, not available in government, so a seamless exchange of information is desirable. The strategy followed after an attack, whether successful or thwarted, must be a concerted one on the part of every stakeholder. A country’s network, like an organisation’s, is only as strong as its weakest link.
Filling the talent gap
Governments, companies, and other institutions around the world face a shortage of cybersecurity professionals. It is estimated that the shortage is more than three million – nearly as many as the estimated 3.5 million people currently working in the field.
As the World Economic Forum argues, there is a need for cyber education that caters to market needs. There is labour capacity that could be marshalled in cybersecurity, the WEF says. The challenge is twofold: attracting more people to retrain in cybersecurity, and ensuring that curricula enable students and trainees to keep pace with fast-changing threats.
Closer public-private cooperation can help not only in crafting a coordinated response to cyberattacks but also in training future cybersecurity professionals. However, the partnership has to be one between equals. It can’t be one in which the Government takes the lead and the private sector follows. Each needs to do well what it is best at. Hopefully, the US example will work in this manner and the rest of the world can replicate the model in order to build a better cyber future for all.
Amit Roy Choudhury, a media consultant and senior journalist, writes about technology for GovInsider.