There’s no shortage of ideas, plans and actions for arming government agencies against cyber attacks. Similarly, but perhaps with greater vigor, businesses are pursuing any and every possible solution and approach toward the same end. With few exceptions, the two are not on the same page about how to think about defense, let alone how to do it.
Could some of the government’s strategies work for business? Certainly, but given the arm’s length distance between government and business not many of those blueprints see the public light of day. Calls for a unified, national cyber strategy? You gotta be kidding. But that may be changing.
U.S. cyber intelligence officials are reportedly mulling new ways to gird up for an expected escalation of nation state security attacks. One potential solution may come from the U.K.’s National Cyber Security Center (NCSC), according to a Financial Times (FT) report. The NCSC is a two-year-old, public-facing facility backed by the Government Communications Headquarters (GCHQ). The facility offers advice and support to the public and private sectors for managing incidents and protecting critical infrastructure, along with guidelines for defending against cyber threats.
Think of the U.S. National Security Agency doing public outreach. “The U.K. example is interesting,” a U.S. intelligence official told the FT, calling out the U.K.’s initiative to develop a national cyber strategy across each of the intelligence agencies. The U.S., the official reportedly said, has “not yet done any of this.”
Given that cyber attacks launched by China, Iran, North Korea and Russia cost the U.S. upwards of $109 billion in 2016, security experts may have to consider reconsidering. You can see why they might kick the national security platform idea around a bit. The NCSC is an amalgamation of a number of the U.K.’s security wings, including IT security, cyber assessment, emergency response and infrastructure protection. As a case in point, when the NCSC began operations, it announced plans to work with the Bank of England on cyber security for financial institutions. Such collaboration in the U.S. “wouldn’t be tolerated as much,” a U.S. intelligence official reportedly said.
Bracing for what U.S. cyber security pros say will be an intense spike in the frequency, intensity and sophistication of cyber attacks in the near future will require more than documents and policy statements. “Something horrible has to happen to fix it,” Rick Ledgett, former deputy director of the NSA who left the agency last year after four decades, told the FT. “The U.S. should follow the U.K. model...The problem is the U.S. is bigger and more complex and there isn’t a unity of focus,” he said.
Right now there’s no consensus among U.S. cyber security officials on how to best structure and coordinate the multitude of defenses, ranging from the Department of Homeland Services, the NSA, and the Department of Defense to the FBI and other agencies. It’s not an issue peculiar to the U.S.
“Every country is grappling with this and trying to work out how to do this coherently,” Robert Hannigan, a former director of GCHQ who helped set up the NCSC, told the FT. “There are often too many players in cyber and a lack of clarity over who is responsible for what.”
Would a national cyber security platform and strategy across the public and private sectors cover some of that ground in the U.S.? It’s an iffy proposition. There’s no denying the private sector’s reluctance to work with government spying agencies on cyber defenses -- and with good cause. Still, there may be room for both to play together nicely. “Government has an important role in cyber but can’t do everything and shouldn’t try,” said Hannigan. “It has to enable industry to tackle the vulnerabilities out in the wider economy.”
It’s not like there are no examples in the U.S. of government working with the private sector to establish cyber policies. Here’s one: Late last year, the feds released the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework to help employers identify, recruit and develop cyber security talent. U.S. intelligence honchos may be thinking we need more of the same, just under one roof.