Last week, I had the pleasure of briefing members of the U.S. Senate’s Homeland Security and Government Affairs Committee to provide Cisco’s perspective on the roles for the private sector and government in protecting the nation’s digital infrastructure. I focused my remarks on a much-publicized recent cybersecurity attack since it’s a great example of how the public and private sectors can and should work together.
The important lessons we can draw from this recent attack are that:
- Government and industry both have distinct, but important, roles to play in preparing for and responding to cyber-attacks;
- Effective communication between our roles is essential; and
- We all need to maintain vigilance because the attackers never sleep and their sophistication is only limited by software and imagination.
Last month, Cisco’s Talos threat intelligence team made headlines globally publishing a report on a state-sponsored attack dubbed “Sea Turtle.” This attack, which was impossible to detect, enabled the theft of login credentials and other sensitive data. It was so successful, like many other attacks, because we continue to rely on passwords, which users frequently reuse.
The response to the Sea Turtle attack demonstrated the power of the public-private partnership so central to cybersecurity in our country. First, it was a positive development that the private sector was able to quickly detect both attacks and raise awareness. Second, the US government set a positive example by issuing a Binding Operational Directive to federal agencies, and providing concrete, usable advice to the general public about the importance of MFA.
Today, MFA can frustrate attempts by hackers to reuse stolen passwords. Longer term, we need to pivot away from a reliance on these passwords and build a more “zero trust” environment that will continuously authenticate users and devices. Fortunately, MFA is again part of this longer-term approach.
This attack and many others exploits trust in ways that we should all view as highly troubling, but can be prevented through wider use of technologies, such as multifactor authentication. I’m a student of history and I know how powerful the public/private partnerships can be to drive innovation. It’s how the Internet was created and it’s certainly how it can be protected. Effective communication between the private and public sector can also drive actionable information to the public in time for harms to be mitigated while we develop longer term solutions, together, to the problem of ongoing cyber threats.