How Cyber Leaders Plan to Make Cyber Defense the New Offense

Cyber defense is the new offense, cyber leaders said at the Billington Cyber Summit Wednesday. The best defense relies on good communication — or communication that has consistent information-sharing and strong public-private partnerships.

“A good cyber offense has a good defense,” said Cyber National Mission Force Deputy to the Commander Holly Baroody during a panel Wednesday. “If we just wait and watch and respond, we’re going to be at a disadvantage. We take what we learn and figure out what infrastructure are they using, who are their operators? What operations and activities can we do to disrupt that? If we can disrupt that activity, we give ourselves the time and space to bolster our defenses while disrupting. We try very hard to make sure what we do is well-shared and coordinating across the community.”

Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA) Assistant Executive Director for Cybersecurity Eric Goldstein said he wants government and industry to “pivot from partnership to operational collaboration” to address the increasingly hostile cyber landscape.

“The place we need to be is where the government and private sector are co-equal partners,” he said during a panel at the summit Wednesday. “How do we ensure we’re investing in the right controls and practices as we’re moving forward? Let’s bring what we all have to the table and see if we can connect dots without the silos. Our view is, cyber defenders across the government and industry are executing the same mission, if we can do it at the same time together, we’ll be a lot more effective.”

Varying definitions of risk across different industry sectors are a hurdle to collaboration, standards and expectations around information-sharing. Netflix CISO Vitaly Gudanets said there are still too many information and data silos around cybersecurity risk and incidents.

“On the one hand, we’re moving in the right direction — Shields Up is a great example,” he said during a panel Wednesday. “The work on Log4j was great work, but those are pockets I think where it’s working well. I think the problem is we’re all from different sectors and we all think about risk differently.”

To dispel fears of accountability or retribution around cyber incident reporting in an effort for more effective collaboration, Department of Homeland Security Under Secretary for Strategy, Policy & Plans Rob Silvers noted the agency’s review board.

“The Cyber Safety Review Board is charged with reviewing the most significant cyber incidents, doing an authoritative fact finding into what happened, and then looking and finding lessons learned and recommendations for the community,” he said during the summit. “It’s not about accountability, there’s no punishment, it’s about transparency and sharing that with the community.”

Plus, engagement with industry and other partners earlier in the process could be more beneficial. The more information industry and government can share with each other, the faster cyber incidents can be addressed, and the fewer victims there will be.

“The board is something we in the industry really wanted to see,” said Yahoo CISO Sean Zadig. “We say no secret squirrels — if there’s useful information about an incident, we don’t want to hoard that, we want to share it. I think the board embodies that philosophy.”