The government needs to get out of the way of the private sector sharing cyber threat information. So says Jason Healey, the director of the Cyber Statecraft Initiative for the Atlantic Council.
Instead of all of these small scale efforts, Healy said industries from telecommunications to finance to energy need to lead the efforts. The government, meanwhile, should provide incentives such as funding to promote cyber threat and vulnerability sharing within and among sectors.”I’m not convinced if they are doing what they ought to, the government is going to be the right answer, especially this month of all months to say the government is going to come in and save us is, I think, the folly as the shutdown has showed us that the government is going to be able to do this,” he said. “I’d find the parts that are working and help them do better. A lot of these groups that are making the biggest difference, it’s people doing this as a side job, and just like we saved the financial services information sharing and analysis center (FSISAC) with a $2 million grant, a lot of these groups with a $100,000 or $500,000 could really start improving a lot of security and start to clamp down on these attacks without having to argue about authorities or having to argue about Title 10 or Title 50 or any of the other things that ties D.C. up in knots.”
Healey, who worked in the White House, for the Air Force and with Goldman Sachs, said when he was part of the financial services ISAC in the early 2000s, the Treasury Department gave them a $2 million grant to improve the cybersecurity of banks across the country. He said that little bit of money made a huge difference for large institutions and small alike — 13,000 in all.
“It’s the companies that are in the front lines and the best sharing and the best sharing tends to happen between companies in the same sector, and to a large degree you don’t have to have the government get involved in that,” he said. “The ISACs do a pretty good job sharing among each other.”
He said the traditional mindset of the industry telling the government about its problems and the government coming back with an answer is not working. He said it’s one of the reasons why cyber problems of today are the same as those of yesterday.
“We realized that in Washington, D.C. and when you travel the world talking about cybersecurity, we are really ignorant about anything that happened more than two or three years ago,” he said. “There’s this feeling that it’s all new because most of us only got into the field in the last couple of years. We went all the way back to early cyber conflicts of 1986, and if you look at what they went through, it would feel familiar to us today.”
The book focuses on eight cyber conflicts since 1986, including some well-known ones such as Buckshot Yankee, a 2008 attack that gained access through a USB flash drive and led the creation of the U.S. Cyber Command, and other lesser known ones such as 1986’s Cuckoo’s Egg, in which the KGB paid German hackers to steal information from the United States on the Star Wars program.
Healey said his goal is to help cyber defenses stay ahead of and be better than cyber offenses. He said throughout history, defense usually has been better than offense during military conflicts, and every time the offense adjusted to gain the upper hand, the defense responded in kind.
“It’s tough to get defense better than offense if you are working at the end points,” he said. “So if you think about it as a goal, and you could say, ‘what are the ways you could put out X amount of effort and get 100 or 1000 times X effort on coming out?’ It means you have to really work at scale. A lot of our cyber policies are not working at scale. We say, ‘let’s work at DHS and we will one company at a time,’ and that’s never going to get to a point where we are ahead of this.”
He said this goes back to the need to turn information sharing on its head and be led by the private sector so they can bring the scale of their resources to bear.