In a high level panel meeting during Israel Cyber Week, Yigal Unna, the new chief executive director of the new Cyber Technologies Unit in the Israel National Cyber Directorate, and former head of the Sigint Cyber Division In Shin-Bet, found himself moderating between representatives of the US, UK and Singapore government intelligence agencies and the private sector, with each needing to share information while being wary of the other.
We don't trust you
Perhaps the most regretful about the State's inability to handle cyber on its own was David Koh, CEO of Singapore's Cyber Security Agency, who, referring to the difficulties of working with the private sector, commented: “We don't trust you.” He explained that while government had the monopoly on legal physical violence and had learned how to deal with this on a government to government basis, that monopoly does not exist in cyber. In fact the private sector, “has as much and more intelligence than us and it's a challenge for governments,” requiring a cultural change.
Hence the need for information sharing is clearly one brought about by necessity rather than any ideological shift. He described this need to build trust as particularly difficult for a small country, dealing with very large international commercial players, but because it is necessary, it's not insurmountable.
However, government must play a role and can't just leave it to the market because some things would not get fixed as there is no incentive, including aspects of the health sector, where government needs to step in and provide a ‘basic level of hygiene,” said Koh. Although viewed as a natural realm of government, Koh also expressed surprise that 20 Singaporean parliamentarians had something to say about cyber security when his government recently brought in ne legislation, indicating the widespread understanding that cyber-security did pose a national threat.
US facing legal constraints
Christopher Krebs, undersecretary at the National Protection & Programs Directorate in the US Department of Homeland Security had a more developed view of the need for cooperation but found difficulties coming from the private sector, where meetings had a CISO and their lawyer, concerned about anti-trust laws (avoiding collusion) and commercial issues when information was being shared. And because participation was voluntary, the government needed something of value to encourage participation. His suggestion was that this should be sharing of high level government intelligence, as well as offering companies trying to do the right thing some ‘deference' when the regulator steps in, as they surely will. Cooperation was also needed to help advise the government how to avoid creating negative incentives in its role as regulator.
NCSC to sell intelligence?
Ciaran Martin, CEO of the UK's National Cyber Security Center, agreed with Koh that there was a need for the state to step in and do the things that the private sector could not or would not do. This should include setting standards to reduce social harm on a larger scale, where possible creating automated cyber defences that would stop attacks such as the Mirai botnet. While cyber is not new, its not mature either, so it's not always clear what corporations want or need. Currently support for private sector companies facing cyber-attacks is provided free, but Martin said that he did not rule out selling elite intelligence in the future, with the NCSC also potentially taking on a regulatory role to improve cyber security in the private sector.
Different sensory capabilities
Adam Philpott, president EMEA, McAfee spoke up for the private sector, but admitted it was an arms race with so many vendors - 400 in Israel alone - all trying to be the silver bullet, but its not possible, so you do need to work with government and build trust
Dr. Hugh Thompson, chief technology officer, Symantec agreed there is a need to build trust but said there had already been a change with WannaCry, which was in everyone's interest to fix. “Previously we'd say to government, here's what we know - but there was nothing coming back,” but with Wannacry, government agencies were confirmining what they were seeing, allowing both sides to get the big picture. Thompson described the two sides as having, “different sensory capabilities,” so working with a “semi-common lexicon” helped by the time it came to NotPetya where there was a willingness to talk openly, share samples, and work together.
It's a war out there
Michal Braverman-Blumenstyk general manager Azure Cybersecurity Microsoft Israel commented, “It's a war out there,” a somewhat ironic comment given that during Cyber Week rockets were incoming from Gaza and Israeli warplanes heading in the opposite direction. She continued, “...without a coalition of industry and government we can't win that war. You don't trust us sometimes, and sometimes we don't trust you - we want to protect our customers and maintain privacy. Trust is tricky, but its a must, and we need the right technological infrastructure to be able to share what needs to be shared while also keeping some things private. It's now impossible to fight cyber without machine learning and big data, but we still want to be able to keep some data private.”
Unna asked the panelists what what wishes they might like to have granted in relation to cyber security.
Braverman-Blumenstyk wanted government to rebuild the right infrastructure for the internet, with clever regulation that did not stifle innovation.
Philpott wanted agreed rules for cyber-warfare to reduce incursions and dangerous tools getting into the hands of bad actors - with the money to fight cyber threats put on a par with expenditure on fighting crime or warfare.
Krebs wanted the threat demystified so that people understand and put into context what is truly important and critical, then focus assets on the truly critical threats.
Koh echoed Krebs, particularly calling for policy makers to understand priorities and for government and private sectors to truly trust and share with each other.
Thompson wanted empathy, each to sit in the other's shoes during say a WannaCry attack, and understand the need to protect customers and society.
Martin commented that trust is not binary. He wanted to see people do the basics of security themselves, making it easier for others to secure the internet from more serious threats, and for the vision of the Internet held by liberal democracies to be sustained, to maintain a free and open internet, because, “there are alternative models out there.”
In the summing up, it was noted how the financial sector now runs information sharing exercises because they realise that while they compete in some areas, when it comes to cyber they are on the same side. As to whether the Californian social media giants plus countries such as Russia and China could all work together to create common rules for the internet and cyber-space, it was conceded that there would be different groupings who shared different views, but there is international cooperation on fighting child exploitation and narcotics, and further such building blocks are needed to build trust. “We may not get a global compact, but groups with a similar mindset will agree, and others can decide, are you in or out,” said Krebs.
But we can't go back to the pre-Internet world, and regulators sho0ld not try to make it safer in ways that stop progress adds Braverman-Blumenstyk
Koh concluded that the government needs to educate to train cyber-common sense, so people can make an informed choice to accept risk or not. Because right now we have not equipped the next generation to face cyber threats in the way we teach them about physical threats.