Several years ago, I had the wonderful honor to host Ash Carter, Secretary of Defense, and Martin Dempsey, Chairman of the Joint Chiefs, in my office to discuss cyber security. These two great men – experienced, knowledgeable, confident – had the good sense to publicly make their rounds among the cyber security experts in our country to gain insights into the best means for cyber attack prevention, detection, and response. I was so impressed with their willingness to listen and absorb guidance in an area that both would admit was not their specialty.
During the discussion, I remember sharing my view that cyber attacks are such different animals than anything our country has experienced from adversaries in the past. I shared my views on the comparatively low cost to perform a cyber attack, the difficulty in establishing attribution on the Internet, and the challenges of establishing cooperation between industry and government. But one topic that sticks out in my mind was the question of how to respond to a nation state cyber attack, should it produce observable degradation to our nation’s critical infrastructure.
Given the awkward situation we currently have with Russia having quite obviously hacked our recent Presidential campaign, I thought it prudent to share my views on the best way to deal with this situation. I fully understand the need to stick with our great American belief that unacceptable actions from our adversaries deserve strong consequences. But with cyber security, I think this important goal must be achieved differently than in normal military discourse. As such, I would offer the following recommendations for our nation’s new leadership:
1. Demand Full Silence. I believe our leaders need to impose CIA-like silence in all matters related to our cyber incident response strategy. Russia already knows that we have intense offensive capability, so our President gains us no advantage by talking tough about potential hack-backs. If our nation’s leaders really want to weaken Russia and other nation states on matters related to cyber response, then they should go completely dark. This might hurt CNN’s ratings, but it will help America.
2. Impose Greater Discretion. I believe that anyone in a position of authority in government and industry must self-impose a strict policy of discretion in all electronic communications. If a statement would play poorly in the New York Times, then it shouldn’t be in email. And if sensitive information must be transmitted electronically, then it should be encrypted. This is hardly unreasonable, given that we demand similar vigilance from our teens on Instagram.
3. Build Our Defense. I believe that our nation’s focus in cyber security must shift from launching offensive attacks to improving defensive posture. And if you actually ask CISOs what they need to do this, here is what they’ll say: No more redundant compliance frameworks. No more heavy fines from government. No more public embarrassment after hacks. No more legal liability from APTs. No more painful budget cuts. No more CISOs getting fired after hacks. No more clueless auditors whining about cloud migration. These are all reasonable requests that deserve immediate attention across our nation.
The reader will note that I do not include the familiar suggestion to use our cyber offensive capability to hack Russia back, perhaps to embarrass Vladimir Putin. First of all, one doubts the degree to which that individual might actually become embarrassed. But second, and more importantly, our nation is in a seriously weak position to engage in a prolonged war of cyber retribution – and everyone on the planet knows this. It is absolutely no secret that our nation's cyber defenses across government and industry are porous and need immediate strengthening. This must be President-Elect Trump’s number one priority in cyber security.
If you agree with this proposed national response strategy of silence, discretion, and defense, then the good news is that you are aligned with the vast majority of business environments. Company public relations teams already know to be quiet about defensive posture. And most business employees already know not to tap crude, embarrassing nonsense into email. And business CISOs know that defense works much, much better than offense. These are effective, non-controversial strategies, and they will eventually pay dividends as long as we in business continue to improve.
Now we just need to convince our government.