Putting aside political discord or controversies (and certainly this year has offered plenty of both), the 2016 election has made history—not to mention provided a major sense of validation—for those of us working in the information security realm.
Never before can I remember two presidential candidates standing on a debate stage, asked to explain how they plan to protect the United States from cyberattacks. The mere inclusion of cybersecurity in such a critical discussion demonstrates a growing awareness and urgency—not only among politicians, but among their constituents.
It’s no wonder—and some might say long-overdue. With multiple high-profile federal data breaches in recent years (including some allegedly targeting the election itself), cybersecurity has evolved from a relatively obscure issue to a major component of our national dialogue.
This couldn’t happen at a better time. Not only has the cyber landscape grown more threatening, but federal budgets are growing accordingly, and we have better tools for protecting ourselves than ever before. But even the greatest technology accomplishes nothing unless the people using it are ready to put it to maximum use. And this is where we have work to do.
Why do hackers win?
The internet all but shut down on Oct. 21, when a large-scale denial-of-service attack targeted Dyn, one of the world’s largest internet infrastructure companies. The attack—which has yet to be fully resolved—temporarily brought some of the world’s biggest digital brands to their knees, including Twitter, Spotify, Netflix and PayPal.
While the culprit remains unidentified, we do know this: It wasn’t just one lone hacker with too much time on his or her hands.
The most devastating, highest-profile data breaches are rarely—if ever—the work of one individual. Instead, these attacks result from massive collaboration between groups of adept, committed hackers who share a common (and malicious) goal.
So how can a group of individuals spread across the globe, working behind their personal computers, with no real budget, successfully take down organizations and governments with millions—sometimes billions—of dollars to spend on cybersecurity?
For all of our resources, these groups have weapons that federal agencies often struggle with: communication and collaboration.
United we conquer, divided we’re hacked.
Whether it’s a rival nation or an independent group of hackers spread from Seattle to Moscow, our enemies talk to each other. They recognize they can’t carry out their plans alone. Instead of worrying about bureaucracy or organizational swim lanes, they divide and conquer as a unit. And if we want to defend ourselves from them, we have to do the same.
Data breaches, after all, affect more than just the targeted agency. In addition to millions of American citizens, these attacks often affect other agencies as well. Last year’s hack of the Office of Personnel Management (OPM), for instance, exposed the personal data of an estimated 21.5 million federal employees—including military and intelligence personnel.
The hackers who perpetrated the attack understood this. While they directed their exploits toward the OPM, their greater target was the U.S. government as an entity.
If federal agencies hope to prevent or fight such breaches in the future, each one must recognize and truly appreciate that the ramifications of these attacks extend far beyond their own walls. They have to shift away from a siloed, agency-by-agency approach to a collaborative, interagency partnership—one that tackles cyber defense comprehensively and with a deeper understanding of their peer-agencies’ strengths, their resources, their vulnerabilities and how their missions affect one another.
So, let’s talk.
A conversation can change everything.
In the mid-1830s, two men—a British candlemaker and an Irish soapmaker—met when they emigrated to Cincinnati, Ohio, from the United Kingdom and married sisters. Over time, their father-in-law noticed that the two men were competing for the same raw materials and suggested that they instead become business partners.
By the 1850s, while the rest of the nation was facing a recession, the two men had 80 employees and $1 million in sales (that’s approximately $30 million in 2016). What started from a conversation with their father-in-law grew into Procter & Gamble, the Fortune 500 company that supplies millions of Americans with toothpaste, shampoo, dish detergent, diapers and countless other products.
In 2017, the federal government is expected to spend an estimated $19 billion on cybersecurity. Meanwhile, with security intelligence solutions like Cisco Stealthwatch and IBM’s QRadar, we have never had better technology for defending ourselves against would-be attackers. If two men can accomplish so much with only $8,000 and their knowledge of soap and candle wax, how much more could be accomplished with the resources we have today?
A lot. But only if we do what William Procter and James Gamble did—and what our enemies are doing as well.
We have to talk—not only within organizational walls, but to other agencies, along with industry experts and manufacturers. These are the people who can look at another organization with fresh, objective eyes and provide insights into vulnerabilities and needs to which an insider has become blind. They’re also the ones who can offer resources and skills we might otherwise lack. It’s not enough for one agency to simply invest in stronger firewalls or security intelligence platforms. There have to be conversations at every level—from the end user to CIOs and so on. After all, if a successful cyberattack takes a coordinated and collaborative approach, so does a successful cyberdefense.
Mike Greaney is CEO of Force 3.