In today’s highly interconnected digital environment, where sensitive and critical information can be accessed and shared worldwide in a matter of seconds, cyber threats have emerged as a clear and present danger to the world economy and to national security. Combating these culprits, and neutralizing their ability to infiltrate our digital defenses, has taken on greater prominence both in corporate boardrooms and with policy makers globally.
But who are these rogue actors and what can be done to protect our technology systems and the security of our data against them?
This question is the focus of high-level discussions among corporate and political leaders in all parts of the world, and was most recently addressed at last month’s White House Summit on Cybersecurity and Consumer Protection in the U.S. The threat of cyber attacks has actually been around for more than two decades, steadily rising as attackers’ motivations and the sophistication of their tools and techniques have evolved. Initially driven by so-called intellectual curiosity, attacks now come from those seeking fame by defacing public websites, fortune by stealing money, data and competitive information, or projection of force by launching targeted attacks that exploit previously unknown vulnerabilities in an institution or a nation. In addition, the cost of launching such attacks today can be far lower than the cost of defending against them, which makes cyber defense strategies particularly challenging.
In its October white paper, “Cyber Risk: A Global Systemic Risk”, The Depository Trust & Clearing Corporation (DTCC) noted that the systemic risks posed by cyber threats can best be mitigated by “a truly coordinated approach that includes both private and public sectors across industries and national boundaries.” Critical to these partnerships is collaborative information sharing by industry participants, governments, academics and other private and public sector stakeholders.
The report went on to recommend that cybersecurity should be a non-competitive area similar to the model used among financial market infrastructures. This model fosters innovative solutions that can help organizations bolster their cyber defense strategies by leveraging the capabilities and experience of a broader community. It also improves the collective response to a universe of cyber threats that are apt to grow more sophisticated.
In order to counter the threat of cyber attacks, a number of sector-led cybersecurity initiatives have been forged with the objective of developing solutions that protect the resilience of critical infrastructure organizations, including financial services firms and others worldwide. Soltra Edge is a new cyber threat information sharing platform established by Soltra, an organization founded by DTCC in partnership with the Financial Services Information Sharing and Analysis Center (FS-ISAC), and has users from the government, financial services, healthcare and control systems sectors.
Leveraging STIX (Structured Threat Information eXpression), which structures the threat information itself, and TAXII (Trusted Automated eXchange of Indicator Information), which defines how that information is transported -- two new industry standards developed by the U.S. Department of Homeland Security (DHS), industry participants and MITRE -- Soltra Edge allows users to receive and send cyber threat information machine-to-machine and dramatically reduces the effort and workload associated with managing and analyzing threat intelligence.
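To make concrete what "machine-to-machine" exchange of threat information means in practice, the following is an added example (not code from Soltra Edge, DTCC or the STIX/TAXII projects): it parses a small, hand-constructed STIX 1.x indicator package of the kind a TAXII feed would deliver, pulls out the observable values (an IP address and a domain), and matches them against a few constructed proxy log lines. The XML, the `example:` identifiers, the TEST-NET address and the log lines are all invented for the illustration; the parser deliberately matches on local element names so it does not depend on a particular namespace prefix.

```python
"""Parse a minimal STIX 1.x indicator package and match its observables
against sample log lines.  Added example: a hand-written illustration of
what automated indicator exchange contains, not code from Soltra Edge or
the STIX/TAXII projects.  All ids, addresses and log lines are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed STIX 1.1.1 package: one IP watchlist indicator and one domain
# watchlist indicator.  Namespace URIs follow the STIX 1.1.1 / CybOX 2.1
# schemas; the "example:" ids and the 203.0.113.0/24 address are placeholders.
SAMPLE_STIX = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator id="example:Indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed C2 address</indicator:Title>
      <indicator:Type>IP Watchlist</indicator:Type>
      <indicator:Observable id="example:Observable-1">
        <cybox:Object id="example:Object-1">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>203.0.113.45</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:Indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed phishing domain</indicator:Title>
      <indicator:Type>Domain Watchlist</indicator:Type>
      <indicator:Observable id="example:Observable-2">
        <cybox:Object id="example:Object-2">
          <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
            <DomainNameObj:Value>login-update.example</DomainNameObj:Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""

# Constructed proxy log lines to match against (timestamp, client, method, target, status).
SAMPLE_LOGS = [
    "2015-03-10T09:12:01Z 10.1.4.22 GET http://www.example.org/ 200",
    "2015-03-10T09:12:07Z 10.1.4.22 CONNECT 203.0.113.45:443 200",
    "2015-03-10T09:13:40Z 10.1.7.8 GET http://login-update.example/auth 302",
    "2015-03-10T09:14:02Z 10.1.7.8 GET http://203.0.113.4/ 404",
]


def _local(tag):
    """Strip the XML namespace so matching does not depend on the prefix used."""
    return tag.rsplit("}", 1)[-1]


def parse_stix_indicators(xml_text):
    """Return one dict (id, title, type, value) per Indicator whose Observable
    carries an AddressObj Address_Value or a DomainNameObj Value."""
    root = ET.fromstring(xml_text)
    indicators = []
    for elem in root.iter():
        if _local(elem.tag) != "Indicator":
            continue
        entry = {"id": elem.get("id"), "title": None, "type": None, "value": None}
        for child in elem.iter():
            name = _local(child.tag)
            if name == "Title":
                entry["title"] = (child.text or "").strip()
            elif name == "Type":
                entry["type"] = (child.text or "").strip()
            elif name in ("Address_Value", "Value"):
                entry["value"] = (child.text or "").strip()
        if entry["value"]:
            indicators.append(entry)
    return indicators


def match_logs(indicators, log_lines):
    """Whole-token match of each indicator value against each log line.
    The lookarounds stop 203.0.113.4 from matching an indicator 203.0.113.45."""
    hits = []
    for ind in indicators:
        pattern = re.compile(r"(?<![\w.])" + re.escape(ind["value"]) + r"(?![\w.])")
        for line in log_lines:
            if pattern.search(line):
                hits.append((ind["id"], line))
    return hits


if __name__ == "__main__":
    found = parse_stix_indicators(SAMPLE_STIX)
    for ind_id, line in match_logs(found, SAMPLE_LOGS):
        print(ind_id, "->", line)
```

Run as a script it reports two hits, one per indicator. The point of the exercise is the first function: once indicators arrive in a structured form, extracting and applying them is a short, repeatable routine rather than an analyst copying values out of a PDF or e-mail, which is the workload reduction the paragraph above refers to.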
The concept of information sharing and public-private partnership is clearly resonating and taking hold. In February, the Obama Administration issued an Executive Order, "Promoting Private Sector Cybersecurity Information Sharing," to advance voluntary cybersecurity information sharing between private companies, non-profits, federal departments and agencies and other entities. The Executive Order also calls for further development of "information sharing and analysis organizations" (ISAOs) in collaboration with DHS as a means of sharing information beyond sector-specific initiatives.
At the same time, members of industry from various sectors are also becoming more vocal on the issue. On March 2, a coalition of more than 20 of the most prominent global corporations co-signed a letter to the U.S. Congressional leadership urging immediate legislative action on cybersecurity, citing the need for urgent action “to help bolster our country’s cybersecurity defenses.” Signatories of the letter include corporate leaders across industries, including Lockheed Martin, Microsoft and AIG.
In Europe, the Network and Information Security (NIS) Directive was approved by the European Parliament in March 2014, emerging as the first major effort to set cybersecurity standards across the continent. Anticipated to be adopted sometime in 2015, the Directive takes a comprehensive approach involving a range of stakeholders. Among a broad set of proposals, Chapter IV of the Directive outlines requirements around information sharing and incident notification for operators of critical infrastructure in sectors such as energy, banking, health, transportation and financial services.
While these types of public and private sector collaborations are demonstrating their benefits in this new world order, the idea of sharing a deep level of information may still be novel to some and can be faced with a degree of skepticism. Concerns about privacy, liability and the appropriate role of government need further discussion.
These issues should not hamper a collective push to move these initiatives forward and encourage closer collaboration and partnership. No single government, industry or company can solve this problem alone. A collaborative approach based on open dialogue and trust is essential to achieving real-time identification, detection and mitigation of emerging cyber threats.
Mark Clancy is CEO of Soltra and Managing Director, Technology Risk Management, DTCC
Article first appeared in gtnews, 13 March 2015