How America Can Better Leverage the Private Sector Against Cyber Threats
It is time to build a strategy of shared cyber command and control, one that unleashes the private sector’s resources and innovation as an equal partner in national cyber defense.
The SolarWinds breach reminds us of just how broken the current state of national cyber defense remains. In 2018, the Council of Economic Advisers stated that the cost to the United States from malicious cyber activity was estimated between “$57 billion and $109 billion in 2016.” In the case of SolarWinds, at least one estimate puts the cost at upwards of $100 billion. In other words, the increase in threats, the continued loss of information, and the cost of mitigation together make the case for reform. For too long, information sharing has been the central strategy for national cyber defense. Unfortunately, information sharing is not a strategy; it is the natural outcome of shared command and control.
Command and control provides the ability to make decisions and orchestrate effective actions across organizations. Until the public sector can reimagine a world of partnership with the private sector, specifically one that includes the leadership of systemically important critical infrastructure (SICI) as an equal in command and control, failure is inevitable. This article contends that it is time to build a strategy of shared cyber command and control, one that unleashes the private sector’s resources and innovation as an equal partner in the command and control of the national cyber defense.
Background
When the Internet technology company SolarWinds was compromised, it was an unwelcome announcement but no surprise. SolarWinds boasts customers worldwide, including the military, federal agencies, telecommunications providers, and most of the Fortune 500. In other words, the SolarWinds clientele is representative of the global connectivity that cyberspace promotes. The sophistication, cleverness, and deep penetration of the espionage operation immediately indicated a state-sponsored campaign, again no surprise, especially given its client base. Public attribution points to the Russian government. Further, ongoing investigations currently estimate more than two hundred victims spread across the public and private sectors.
The SolarWinds breach is not unique from the perspective of the attacker. State-sponsored cyber operations follow an attack lifecycle and are characterized as advanced persistent threats (APTs). That said, there are two items of note. First, the campaign victimized both public and private sector targets, and second, it was the private sector that provided the means and methods to shut the campaign down. In other words, the private sector provided for the defense of the common good. For too long, nefarious cyber actors have exploited the vulnerability created by traditional hierarchies, which result in extended discovery time, poor communication, and delayed response. It is therefore time to reexamine the operating assumptions that form the basis for the current model.
The Current Model
The SolarWinds breach demonstrates that the current strategy of information sharing, through public-private partnerships, is not adequate to provide for the national cyber defense. The underlying assumptions that inform the current model provide insight into its ineffectiveness.
The first assumption is that the public and private sectors have the same goals. Larry Clinton, president of the Internet Security Alliance, observed that the public and private sectors might not have the same interests. The private sector is concerned with profitability for its shareholders, which means that security is important, but not the objective. Conversely, the public sector maintains the mission of securing the homeland and is not a profit center. These similar but different goals can cause miscommunication and frustration, resulting in territorial gamesmanship. Even so, information sharing has been a center of gravity for securing the homeland since the publication of The 9/11 Commission Report, which identified the inability to share information as a cause of the terrorist attacks on the World Trade Center towers in September 2001. As such, public-private partnerships have become a part of the national cyber defense landscape.
The assumption that information sharing is a panacea for cyber insecurity has not proven itself over the last two decades. Many reasons have contributed to the mixed results of information sharing. Partnerships are built on equity and trust. In the case of equity, the private sector maintains a trove of sensors that the public sector does not have access to, which means the private sector has more information to share. Meanwhile, the public sector has a culture of secrecy, the antithesis of trust. A partnership without equity is doomed to fail.
As to trust, it is the foundation of information sharing. On the one hand, the private sector desires anonymity, since the information it discloses can affect its competitive advantage. On the other hand, the public sector has strict laws and regulations on disseminating classified information. Where trust is concerned, the public and private sectors are talking past each other, slowing the process in some cases and stalling it altogether in others. Nevertheless, information sharing initiatives abound in the forms of public-private partnerships and information sharing consortiums.
Further, information sharing must provide the basis for action. Sharing information is not enough. The information must be the right information, at the right time, delivered to the correct audience for it to be effective. In other words, sharing everything creates problems. Sharing too much information means that most of the data is not relevant. Too much information consumes precious resources to determine its utility and diminishes its importance through repetitive waste.
Information sharing under the best circumstances is difficult. However, the level of difficulty increases when sharing classified information. The assumption that the best information is classified not only generates an elitist view of access but also hinders timely action. Classified information does provide significant advantages within the functions of intelligence and law enforcement; however, it is of little use in protecting the systems owned and operated by the private sector. The archaic rules and protocols make classified information neither timely nor useful in day-to-day cybersecurity operations. By contrast, the private sector’s vast stores of sensor data, a robust open-source collection capability, and data analytics combine to provide the basis for security operations at business speed.
The National Cyber Strategy of the United States of America states: “The Administration will clarify the roles and responsibilities of Federal agencies and the expectations on the private sector related to cybersecurity risk management and incident response.” That said, reform has been slow to come. Currently, the national cyber defense model maintains the traditional roles of the public and private sectors with a nod to sharing information. The problem is the reliance on antiquated organizational and hierarchical models that fail to account for the realities of cyberspace.
Cyberspace creates connections and dependencies, blurring the lines of separation between the public and private sectors. The public sector maintains the bulk of classified information systems, and the private sector owns most unclassified systems. Yet neither has been able to secure the information contained on them. In summary, the current state of national cyber defense is such that the public and private sectors maintain different goals; information sharing “is not bad, it’s broken”; classified information fails to meet the needs of the private sector in defending its networks; cyber actors heavily target both the public and private sectors; and protecting against data loss continues to fail. In other words, the conduct of national cyber defense needs to be completely transformed.
The Way Forward
The national cyber defense depends on public-private partnerships that work. The expansion of the private sector’s role is anchored in the defend forward strategy, as outlined by the United States Cyberspace Solarium Commission. According to the commission, defending forward “posits that to disrupt and defeat ongoing adversary campaigns, the United States must proactively observe, pursue, and counter adversaries’ operations and impose costs short of armed conflict.” To this end, the commission calls for many welcome revisions; however, without joint command, these only delay the inevitable failure to achieve national cyber defense.
Joint command requires that forces work together, thus closing the primary vulnerabilities stemming from inequitable information sharing and divergent goals. By enabling joint command, a whole-of-nation approach becomes possible. The private sector can combine its access and data with the public sector’s intelligence and law enforcement functions to predict, prevent, deter, and respond to cyber events across the technical, tactical, operational, strategic, and political spheres. As a practical example, consider how these combined forces could address the infamous “attribution problem.”
The lack of attribution continues to provide cover for nefarious cyber actors, creating a sense of helplessness among their victims. With its vast sensor networks, the private sector can add granularity at network speed to attribute activity to groups and countries. Attribution to specific organizations and individuals takes longer, and the government is well suited to this half of the attribution equation. Either way, the private sector’s involvement reduces response time. Thus, increased transparency would provide faster attribution and reduced response time while limiting the potential for politicization.
The second area that aligns with the defend forward strategy is in providing countermeasures. Software giant Microsoft demonstrated the art of the possible when confronting the SolarWinds attackers. According to former Microsoft employee Christopher Budd, “Microsoft flexed the muscle of its legal team and its control of the Windows operating system to nearly obliterate the actions of some of the most sophisticated offensive hackers out there.” In four days, Microsoft almost singlehandedly changed the risk calculus across the public and private sectors globally.
Security company FireEye provides another example highlighting the private sector’s speed during a breach of its own networks. On December 8, 2020, FireEye publicly announced it was the victim of a nation-state cyberattack. The attackers stole three hundred of the company’s tools used to find weaknesses in security systems. FireEye immediately released countermeasures for its tools to the public, preventing further victimization and significantly reducing the risk to its customers and the broader global community.
Microsoft and FireEye brought speed, transparency, and decisive action to bear, helping both the public and private sectors. The companies used their unique positions as global leaders to reach the broadest audience and mitigate the risks. These examples highlight the private sector’s power, as the public sector lacked the access, knowledge, reach, and operational mobility to assume the leadership role. In these cases, without the private sector taking the lead, the losses stemming from these incidents would have continued to mount.
The role of the private sector in protecting the homeland remains hotly debated. Opponents claim that increasing the private sector’s role in national cyber defense will interfere with diplomatic and political initiatives, causing instability. The detractors often argue that the private sector could derail negotiations and cause an escalation that ultimately leads to war. That said, it is more likely that the United States would gain a stronger political and diplomatic bargaining position through a more robust national cyber defense. Further, the private sector’s elevation would increase transparency between the government and its constituents, increasing public trust. A united front sends a strong message to adversaries seeking to take advantage of the disjointed interactions that define the current responses.
Conclusion
It is time to build a strategy of shared cyber command and control, one that unleashes the private sector’s resources and innovation as an equal partner in the command and control of the national cyber defense. Current public-private partnerships fail to adequately account for cyberspace’s new realities, resulting in systemic losses in the national competitive advantage. The recent breach of SolarWinds highlights the power of the private sector in helping to secure cyberspace. Indeed, SolarWinds has ushered in the winds of change.
It is time for the reformation of the public-private partnership. The current cyber crisis demands that we turn away from the past, embrace the present, and build the future by establishing a joint cyber command of public-private leadership. As such, this article is a “call to arms.” By breaking free from a traditional model that technology has left behind, and by leveraging the private sector’s power through a command leadership role in national cyber defense, the United States can improve its defensive posture and impose costs on its adversaries. In the end, the business of national cyber defense must include businesses and their leadership.
Al Lewis is a doctoral candidate in Strategic Intelligence in the School of Security and Global Studies at the American Military University. He oversees the Cybersecurity Operations Center of Boeing. Before that, he served as a Special Agent in the Secret Service.
Image: Reuters.