Perspective

Why Businesses and Government Must Fight Cyber Threats Together

Both sides are vulnerable, and the job is too big for either to handle alone.

This article was originally published in the on May 3, 2021.

The recent hack of network management company SolarWinds, which enabled bad actors to compromise a range of US government agencies and major corporations, has revealed a troubling truth: Business and government expose each other to significant cyber-risks because they are interconnected and rely on the same network of software vendors. That’s why the strategic response must involve more intense collaboration. Simply put, the threat of cyberattacks is too big a job for either government or business to tackle alone.

to the US Federal Bureau of Investigation more than tripled last year during the pandemic, while the average payment by victims of jumped 43 percent in the first quarter of 2021 from the preceding quarter. Attacks on the are growing exponentially, and the burgeoning Internet of Things (IoT) and technology offer more vulnerabilities to exploit.

Governments have a broad view of potential threats through law enforcement and intelligence capabilities, but they tend to see things through a national security lens rather than commercial risk. Companies have firm- and sector-specific risk information and often enjoy better access to cybersecurity talent, but they can’t easily take an economy-wide view and may find themselves overwhelmed by state-sponsored attackers.

What’s needed is for both sides to pool their resources for a more concerted defense. Some of that is already happening. The United States’ Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services, and the FBI warned in October 2020 that “malicious cyber actors” were targeting healthcare and public health institutions to make and disrupt health services. But such efforts tend to be the exception and can come too late. Both sides need to intensify their collaboration and make it more proactive.

Senior officials recognize more needs to be done. FBI Director Christopher Wray called recently for government and the private sector to collaborate in an organized fight against cyber conspirators rather than parrying each individual attack. Chris Inglis, a former top National Security Administration official whom President Biden has nominated to become the country’s first , could make public-private collaboration a key element of the nation’s cyber strategy.

Here are four ways that government and business can join forces in the battle for cybersecurity.

Share Threat Intelligence

Align Cyber Education with Market Needs

Governments, companies, and other institutions around the world face a shortage of cybersecurity professionals estimated at more than three million – nearly as many as the estimated 3.5 million people currently working in the field. Arguably there is labor capacity that could be marshalled here. The challenge, however, is twofold: attracting more people to retrain in cybersecurity and ensuring that curricula enable students and trainees to keep pace with fast-changing threats.

The US government’s National Initiative for Cybersecurity Education recently revised its for developing talent so schools can provide more-relevant instruction and companies can be sure that graduates have the necessary competencies. The UK’s National Cyber Security Centre created , which offers everything from university financial assistance and apprenticeships to summer programs to attract young people to the field.

The Cybersecurity Workforce Alliance, which was founded by major financial institutions, the City University of New York (CUNY), and workforce development specialist iQ4, boasts over 2,700 members from industry, academia, and government, and aims to provide internships to more than 10,000 US students through 2022. The New York City Economic Development Corp. has teamed up with local businesses and universities to create cyber degree programs and an accelerator to foster the growth of startups in the space. More such efforts are needed, though, to plug the cyber talent gap.

Sharpen Incident-response Capabilities

Even the best cyber defense is likely to be cracked. That’s why effective organizations have well-rehearsed plans in place to deal with attackers.

Several nations provide forums where government and business collaborate in response to cyberattacks. In the US, CISA’s defines cyber defense as a “shared responsibility” of individuals, the private sector, and government, spells out the roles government departments will play in responding to attacks, and commits federal officials to safeguarding the privacy and intellectual property of companies. The UK’s National Cyber Security Centre, an arm of the GCHQ intelligence agency, and sets out which private-sector cyber specialists it will collaborate with.

Such plans should include real training exercises, not just role-playing discussions. The financial sector provides a good example here. The Securities Industry and Financial Markets Association has been conducting cybersecurity exercises since 2011. The latest exercise, in November 2019, brought together more than 150 financial firms and 50 regulatory bodies across 19 countries to practice responding to a simulated ransomware attack on systemically important institutions and a financial markets utility. The key takeaways: the industry should create a directory of key players and personnel, and strengthen cross-border sharing of information among firms, trade associations, and regulators like central banks.

More such exercises need to be done. Threat factors vary by commercial sector and the more governments can learn about what matters and to whom, the better prepared officials will be to gather valuable threat intelligence.

Build Security by Design

, such as falling for a phishing attack and downloading malware, is involved in 95 percent of successful cyberattacks. We can’t eliminate that vulnerability, but we should be able to reduce it by building better security into technology devices in the first place – something many tech firms overlook or ignore in the rush to bring new products and services to market.

Australia’s eSafety Commissioner, the world’s first government agency devoted to increasing public awareness and education about cyber risks, convened representatives of industry, government, consumer advocates, and non-profits in 2019 to agree on a for increasing the inherent safety of online services. Prime among them is the idea that safety should never be the sole responsibility of the consumer, and that companies mitigate risk factors for all users before releasing services to the public. In December, the US adopted legislation requiring the government to set higher standards for the security of devices.

Other nations should follow those leads. The ultimate goal would be the cyber equivalent of the British Standards Institution’s , a designation showing that everything from electrical appliances to mobile devices meets safety standards.

As technology’s role in society increases, cybersecurity will become an ever-greater challenge. Governments and the private sector have a shared interest and responsibility to face that threat together.

Governments and companies have different sources of information, insight, and intelligence. Pooling them in a timely manner will create a clearer and more current picture of cyber threats. Some exchanges are already taking place. The United Kingdom’s National Cyber Security Center operates a with industry while CISA has with US operators of critical infrastructure. Europol, the European Union’s law enforcement agency, has taken the concept a step further by creating a where public and private entities can share decryption tools to recover from ransomware attacks without paying off thieves.

Such initiatives are valuable, but isn’t yet consistent enough or timely enough. Corporate executives often feel that they provide data as needed but government counterparts don’t reciprocate. Intelligence services frequently don’t want to disclose potential threats for fear of inundating companies with potential risks or revealing tradecraft secrets. And certain corporations may worry that disclosing cyber-related events could open their controls or cyber risk management to unwelcome scrutiny, onerous regulation, or penalties.

Both sides can build trust and deepen the cooperation. The recently announced Nationwide Cybersecurity Center collaboration with Google to provide cyber training to US state legislators and their staff represents the kind of initiative we need to see more of.