How the government can help businesses fight cyber attacks

When a criminal robs a store, the police visit the scene, conduct an investigation and try to bring the perpetrator to justice. What happens when a criminal breaches that same store’s server and makes off with its customer’s credit-card numbers? I’d argue that the response to the physical crime would be much greater and effective than how the cyber crime would be handled, although cyber attacks have the potential to cause more damage than robberies.

Blame cyber criminals, not nation-states, for attacks

While nation-states are typically blamed for breaches, the culprits are usually cyber criminals who are using nation-state techniques and procedures. Companies likely claim infiltration by nation-state attackers because it provides them with some cover from lawsuits and preserves business deals and partnerships. (Yahoo is using this tactic with little success.) The reasoning could look like this: how could our organization protect itself from attackers who have the support and resources of a major government? We’re simply outgunned.

That logic is sound. Companies are outmatched. They’re facing adversaries who were trained by nation-state actors and use similar tools. But this logic is also a cop out: Businesses are responsible for protecting their data.

The questions I’ve been asking lately are how governments, and particularly the U.S. government, can provide the private sector with better protection and help businesses fight cyber crime. The answer lies in a two-pronged approach with companies handling the bulk of the defensive efforts, while the government occasionally lends a hand in areas such as threat intelligence and post-breach forensics.

I realize that the U.S. government isn’t regarded as being at the forefront of information security or for working efficiently. Indeed, governments may lack current technology and move slowly, but that doesn’t mean there isn’t a role for the public sector in protecting private companies.

And judging by a survey Cybereason conducted (pdf) on how information security factors into November’s election, I’m not the only one who feels this way. Of the 515 registered voters we polled, 75 percent said dealing with cyber risk requires a partnership between the public and private sectors.

Move beyond protecting infrastructure

The U.S. government is already moving somewhat in this direction, judging by the creation of the Cyber Mission Force. Viewed as the U.S.’ first troops dedicated to protecting military computer networks from attacks and initiating offensive operations, this group, which reached operational capacity in September and will eventually include 5,000 members, will also help protect the country’s critical infrastructure.

Defending critical infrastructure such as power grids, nuclear power plants and utility providers seems obvious. Damaging infrastructure, which often has poor security, could have a massive and devastating impact on thousands of people, if not more. If people don’t have electricity, water or natural gas, they can’t live.

Apply a broader definition to critical networks

This same logic should be applied to the computer networks of banks, credit-card companies, internet service providers and healthcare organizations. People panicked last week when a DDoS attack prevented them from using sites such as Twitter and Netflix. Imagine the hysteria that would ensue if an even larger DDoS attack prevented them from accessing the SaaS applications they use to complete their jobs. In other words, many businesses provide services that could be classified as critical. Unfortunately, the Cyber Mission Force lacks a team that focuses on protecting the private sector from attacks, at least for now.

The private sector can’t do it alone

Companies need help if they’re going to face adversaries who use nation-state attack techniques. And both the public and private sectors would benefit greatly from collaborating on information security. The government would learn about the unique issues the private sector faces, such as dealing with a remote workforce that doesn’t necessarily follow corporate security policies or the shortage of security talent. The private sector gains access to detailed threat information and help figuring out how to harden their networks.

Adversaries aren’t going to decrease the intensity of their attacks or become less ambitious with whom and what they target. In the past few months, we’ve seen two of the largest DDoS attacks to date, as well as hacks targeting a U.S. presidential candidate. With the U.S. government’s help, companies could have the edge they need to fend off the next round of attacks.