{"id":28734,"date":"2017-05-02T13:00:18","date_gmt":"2017-05-02T20:00:18","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=28734"},"modified":"2017-05-01T14:35:20","modified_gmt":"2017-05-01T21:35:20","slug":"cso-deterrence-cyberspace-greater-role-industry-part-one-three-part-essay-series","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2017\/05\/cso-deterrence-cyberspace-greater-role-industry-part-one-three-part-essay-series\/","title":{"rendered":"Deterrence in Cyberspace: A Greater Role for Industry (Part One of a Three Part Essay Series)"},"content":{"rendered":"<p class=\"p1\"><span class=\"s1\">In early 2017 I participated in a RAND conference that looked at deterrence in cyberspace (among other issues) as it applied to the U.S. \u2013 Japan alliance. During this conference I described deterrence in cyberspace as essential, unique and complex.\u00a0 I argued that due to these characteristics, one cannot simply apply historical models of deterrence, like the nuclear example, to cyberspace.\u00a0 Because cyberspace is one of the most unique and complex environments ever to exist, it is fundamentally a problem that is distributed among the private and public sectors within and between nations.\u00a0 Therefore, solutions associated with deterrence must be multi-faceted and include multi-party participation.\u00a0 They must use all instruments of national and international power in \u201cwhole of government,\u201d \u201cwhole of nation\u201d and even \u201cwhole of alliance\u201d approaches.\u00a0 Since the private sector owns, operates and maintains the vast majority of the cyberspace environment, industry should be one of the most important participants. 
But it is too often overlooked.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">While most discussion about deterrence in cyberspace focuses on the role that governments play, this will be a three-part essay series focusing on the role of the private sector and how industry can contribute to governmental efforts in deterring cyber threats.\u00a0 In this first essay of the series I\u2019ll discuss the growing role of the private sector in cyber threat intelligence and information sharing.\u00a0 In subsequent essays I\u2019ll discuss the role of industry in the development of norms of responsible behavior in cyberspace, as well as industry\u2019s role in research, development and implementation of technical solutions to defend more effectively against modern cyber threats and how these things support deterrence.<\/span><\/p>\n<h3 class=\"p1\"><span class=\"s1\"><b>Component Elements of an Effective Cyber Deterrence Policy<\/b><\/span><\/h3>\n<p class=\"p1\"><span class=\"s1\">Based on my previous experience in the U.S. 
military and government while working on the issue of deterrence in cyberspace, the basic components of an effective cyber deterrence policy include the following elements:<\/span><\/p>\n<ul class=\"ul1\">\n<li class=\"li2\"><span class=\"s1\">A description of what types of activities the policy seeks to deter (not a detailed, exhaustive list which might encourage actions short of declared thresholds, but rather a description of the scale, scope and consequences of malicious cyber activities that could impact national\/international security, national\/international economic stability, serious public safety concerns or national\/international level privacy and freedoms)<\/span><\/li>\n<li class=\"li2\"><span class=\"s1\">Deterrence by denial (denying the adversary\u2019s anticipated gain by making the effort too difficult - primarily through defense, resilience and reconstitution capabilities and processes)<\/span><\/li>\n<li class=\"li2\"><span class=\"s1\">Deterrence by cost imposition (making the anticipated cost or punishment associated with an adversary\u2019s efforts more painful than it is willing to accept in relation to the expected gain - primarily through economic, law enforcement and even military instruments of national power when other preferred measures are insufficient)<\/span><\/li>\n<li class=\"li2\"><span class=\"s1\">Activities that support deterrence (these include diplomatic, informational, and intelligence instruments of national power, as well as research and development to shape the future of cybersecurity by planning for and investing in tools, techniques, and a workforce necessary to improve the resilience of the digital environment and provide new technological options for deterring malicious cyber activities)<\/span><\/li>\n<\/ul>\n<p class=\"p1\"><span class=\"s1\">It\u2019s within the last component, activities that support deterrence, that I\u2019ll focus my effort in describing where I believe that industry can become a much more 
effective partner to governments in contributing to deterrence in cyberspace. Specifically, this is where the private sector\u2019s growing role in cyber threat intelligence and information sharing, in establishing norms of responsible behavior in the cyberspace environment, and in conducting research and development to implement technical solutions that more effectively defend against modern cyber threats can help.\u00a0 So, let\u2019s tackle industry\u2019s role in cyber threat intelligence and information sharing in this first essay of the series.<\/span><\/p>\n<h3 class=\"p1\"><span class=\"s1\"><b>Activities that Support Deterrence: Private Sector Cyber Threat Intelligence and Information Sharing<\/b><\/span><\/h3>\n<p class=\"p1\"><span class=\"s1\">While there is no shortage of intelligence sharing agreements between governments that can be improved upon to address the growing challenge posed by cyber threats, governments should facilitate and encourage the role that industry can play in cyber threat information and intelligence sharing.\u00a0 Exposure of the identity of malicious cyber actors and organizations, their capabilities, their techniques and indicators of compromise, and their playbooks has been a key factor in changing their behaviors, to include a deterrent effect.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">For example, the U.S. implemented law enforcement actions to impose direct costs on both malicious cyber threat actors and organizations, as well as the states that protect or provide support to them.\u00a0 The U.S. indictment of five uniformed members of China\u2019s People\u2019s Liberation Army in 2014 for hacking six U.S. industry victim entities is an example of the use of public exposure coupled with the investigation and prosecution authorities of law enforcement. 
This type of law enforcement action demonstrates that there are consequences for conducting malicious cyber activities, and can contribute to deterrence through the imposition of costs.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Additionally, several of my former U.S. government colleagues have privately expressed to me their belief that the indictments and public exposure of these Chinese military members played a significant role in the ultimate outcome of the Obama \u2013 Xi agreement in the fall of 2015.\u00a0 This demonstrates deterrence by influencing foreign policy decision making and restricting certain types of malicious cyber activity. In this case, the agreement was to limit the cyber theft of intellectual property and trade secrets for profit.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Perhaps surprising to some, private sector cybersecurity companies played a prominent role in the public exposure of every major headline-grabbing breach over the past five years.\u00a0 Based on my experience in the private sector cybersecurity industry over the past year and a half, this trend is only going to increase.\u00a0 I think this is a positive development, because I believe that government intelligence capabilities simply cannot keep up with everything that is required to combat the explosion of cyber threats.\u00a0 Industry involvement is a must, but the partnership between governments and industry must be done carefully and correctly.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Governments can encourage and strengthen what is already happening with industry cyber threat intelligence gathering and sharing efforts by integrating this into policy and implementation planning.\u00a0 To improve the effectiveness of the partnership with industry, governments should leverage some important lessons the U.S. 
has learned as a result of its experience over the past several years.\u00a0 These lessons include clarifying exactly what information is shared, developing standardized methods and formats for information sharing, and employing automated platform capabilities to share this information quickly and distribute security controls to the network enterprise that stop cyber threats before they successfully accomplish their intended purpose.\u00a0 This contributes to deterrence because the cost of doing business successfully for cyber threat actors and organizations has just gone up.<\/span><\/p>\n<h3 class=\"p1\"><span class=\"s1\"><b>Keys to Success<\/b><\/span><\/h3>\n<p class=\"p1\"><span class=\"s1\">Deciding exactly what information to share is the first key to success.\u00a0 This is important because some misinformed parties tend to conflate cyber threat information with surveillance and encryption issues, which are currently very heated and divisive.\u00a0 In my view, these are very different issues.\u00a0 In cybersecurity, security doesn\u2019t compete with or detract from privacy or civil liberties.\u00a0 Security is the necessary ingredient in ensuring both privacy and civil liberties in a digital age.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">We must be very clear that cyber threat information sharing is not about exposing personally identifiable information (PII), protected health information (PHI), intellectual property (IP), or personal\/corporate content of communications.\u00a0 It is about sharing cyber threat indicators of compromise and contextual information that relates directly to a cybersecurity purpose.\u00a0 This includes cyber threat actors and organizations, malicious code and techniques, information infrastructure transmission and collection points, communication control channels employed by cyber threats and where these elements are located, the general categories of targets that cyber threats are attempting to penetrate, and the 
techniques that cyber threats execute on endpoint devices to hijack their intended function.\u00a0 This is the type of information that should be acceptable within privacy parameters because it is solely focused on sharing indicators of compromise and the contextual information necessary for the cybersecurity community to successfully defend against these threats.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Finally, we must evolve from legacy manual methods of information sharing, such as spreadsheets and PDF files.\u00a0 We must also evolve from confusing ad hoc methods, consisting of more than three hundred varying formats with inconsistent fields of information.\u00a0 Effective sharing requires a streamlined procedure that is standardized.\u00a0 This means that there is a single recognized and accepted standard for information fields about the threat, consistent with the specific threat indicators of compromise and contextual information previously outlined.\u00a0 It also means that the sharing must be automated through the employment of a platform that can translate the standardized threat information into the security controls that can automatically be deployed to the network and stop the threat before it successfully accomplishes its intended purpose.\u00a0 This is the only way to level the current playing field between offense and defense and give the cybersecurity community a fighting chance to outmaneuver the adversary.\u00a0 It is also like taking a page from the attacker playbook because they employ automation and effectively use information sharing procedures of their own.<\/span><\/p>\n<h3 class=\"p1\"><span class=\"s1\">How This Can Work<\/span><\/h3>\n<p class=\"p1\"><span class=\"s1\">Industry has an increasingly important role to play in the deterrence of modern cyber threats.\u00a0 By contributing to governmental efforts in exposing appropriate cyber threat intelligence, private sector information sharing programs and organizations can raise 
the cost of doing business for cyber threats.\u00a0 This can be done responsibly, without posing risk to privacy or civil liberty concerns.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">A magnificent example of the private sector\u2019s contribution is the <a href=\"https:\/\/cyberthreatalliance.org\/\" rel=\"nofollow,noopener\" ><span class=\"s2\">Cyber Threat Alliance (CTA). <\/span><\/a>\u00a0The CTA is a non-profit organization headed by President Obama\u2019s former Cyber Czar, Michael Daniel.\u00a0 The CTA consists of more than a dozen cybersecurity companies.\u00a0 While all of these companies are competitors, each CEO from the participating companies has decided to treat cyber threat intelligence as a public good instead of a commercial commodity.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">The founding members of the CTA are Palo Alto Networks, Symantec, McAfee, Fortinet, Check Point and Cisco.\u00a0 The CTA has two rules:\u00a0 You must share cyber threat intelligence daily, and you must consume the shared intelligence to protect your customer base.\u00a0 The CTA has created a platform to share information in a standardized and automated format, protect privacy and civil liberties, consume the shared intelligence, and automatically push the resulting security controls into the information environment to protect their clients.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">The CTA provides a practical example of how industry can play a vital role in deterring cyber threats in the digital age.\u00a0 If your cybersecurity vendor isn\u2019t a member of the CTA, perhaps you should ask them to join\u2026because a cyber threat seen by any one of the CTA members means that the clients of all the CTA members are then protected against that threat.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">In my next essay of this series I\u2019ll discuss the need for a greater industry role in the development and implementation of norms of responsible behavior in 
cyberspace.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Palo Alto Networks VP and Federal CSO John Davis examines how the private sector can contribute to governmental efforts in deterring cyber threats. 
<\/p>\n","protected":false},"author":152,"featured_media":20190,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1766],"tags":[387,662,123,3642],"coauthors":[1503],"class_list":["post-28734","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cso-perspective","tag-cso","tag-cyber-threat-alliance","tag-government2","tag-rand"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/09\/CSO-web-banner-650x300.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/28734","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/152"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=28734"}],"version-history":[{"count":1,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/28734\/revisions"}],"predecessor-version":[{"id":28737,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/28734\/revisions\/28737"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/20190"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=28734"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=28734"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=28734"},{"taxonomy":"auth
or","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=28734"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}