BLUF – Public sector concepts of how organisations help mitigate systemic risk – in this example, cyber defence for their sector – are difficult to convey. Since organisational interpretations of the concept vary, complementary implementation challenges abound, usually ending with highly glossed fanfare that masks minimal results. Here is the first set of considerations for organisations that want to become part of the solution.
In a sector-based executive meeting, White House Cyber Director Chris Inglis expressed interest in creating a system where a bad actor needed to ‘beat all of us to beat one of us.’ Sounds complicated on the surface, but not necessarily. Difficult, yes. Challenging tradition and current interpretations of cyber, absolutely.
Underlying is a simple concept of community – deeper than we’ve allowed in the private sector. Let’s go ahead and unpack some changes required to start.
Ecosystems – Looking at the wall in the image above, what you have is a community of bricks held together. Written previously as continental/ island or archipelago ecosystems, we can use the wall for a different interpretation. Every organisation is a stone. Notice the different shapes of stones – akin to different business purposes or interpretations of cyber strategy/ resource allocation/ areas of importance.
Imagine your organisation as one of the stones. Below your stone are all your vendors (and their vendors), contributing to your stone holding its place. Your stone in turn provides support, holding all your clients in their respective places. Holding the stones soundly requires mortar, providing connection and filling in between stones. Mortar between organisations in cyber is often thin to non-existent, largely due to the perception that cyber is business in nature. From this mindset the return on investment seen for collective sharing is negligible at best in the immediate/ visible term (another post to follow).
Mortar between an organisation and its vendors is often a bit thicker from a contractual standpoint. Some clients (and regulators) ask to understand where an organisation stands in regard to corrective actions, forming a bond between the organisations. However, the bond has no reciprocation and only serves the asking client – similar to a magnet and metal. Take away the magnet and the metal no longer has a connection (I tried making a connection to the wall analogy. I can think of building-related examples, though wall references elude me).
Where we have better mortar is with the information-sharing groups serving their respective sectors. There is often good communication between near-peer organisations, creating a strong horizontal bond. On occasion, we have data transferred between separate-sector ISACs, though these are more general observations, not related to relationships between organisations. Is it better than nothing? Absolutely. Will it keep the infrastructure intact against an impact? No, but it may limit the damage. Is there more to do? Aye.
We need to strengthen the mortar. A wall’s purpose is to keep things out.
Collective activities – When I worked in the military intel community, it was a variety of different organisations looking in different places to find the various pieces of a puzzle where we had lost the box with the picture. Whilst there was some overlap and lanes-of-the-road were a constant struggle, it worked because of the diversity and the trust in sharing information.
In the private sector, we have independent, miniature versions of this – in every organisation that can afford the cost to build an intel function and execute on its findings. Small to medium-sized businesses simply haven’t the budget or staff to allocate to intel, which means no one looks outside their borders.
Intel is one area where we could use public-sector constructs and recreate their original design. It would mean different organisations look for different things and share their depth across a wider network. Requiring organisations to develop depth in research and analysis in an area not directly related to their business is where the challenge lies, as it puts the good of the sector in enough standing to justify contributing resources – the organisation would own that area. The shift in trust and accountability would be tectonic, as it means organisations would be accountable to one another, each responsible for putting its section of the puzzle together. Each organisation (working with others internally and externally) analyses what the pieces of the puzzle look like overall and interprets the findings for its own organisation. This would be independent of the organisation’s contribution to its intelligence community. There are many other areas we could build in a similar manner. Stop creating organisationally-independent cyber microcosmic systems to combat a macro-threat.
What it comes to is a shift in culture, where we reach far across our ecosystems – horizontal/ upstream/ downstream – to connect one another whilst digging deep within our organisations to contribute to the whole.
Director Inglis touched on this concept, looking for something akin to what was described here. However, as it was put in a recent meeting on the subject: we can’t force them to do things.
There lies the trouble: It’s not a them issue. It’s an issue for us.
Time for it to be us.