Private business must take the initiative in addressing cyber threats and not wait for government, according to Howard Schmidt, the former White House cyber security co-ordinator for the Obama administration.
“We did not get where we are today by waiting around for government; we have the private sector to thank for driving the evolution of the internet,” Howard Schmidt told Computer Weekly.
For example, business has demanded and deployed multiple technologies to combat phishing so that now relatively few attacks reach corporate email users, said Schmidt.
“It is not correct to say that the private sector has not responded to cyber threats, because private companies have acted,” he said.
However, that is not to say government does not have a role to play, said Schmidt, because there are two important things they can do.
“First, in exercising legal authority to investigate criminal activity and protect citizens, they can gather valuable information on cyber threats and techniques, which they can share with corporates,” Schmidt said.
Read more about advanced persistent threats (APTs)
- AT&T takes APTs seriously
- Conducting APT detection when Elirks, other backdoors hide traffic
- APTs: Are they really a concern for all businesses?
- Half of UK networks vulnerable to APTs
- Hardening the network against targeted APT attacks
- Surviving cyber war: Preparing for APTs, Stuxnet malware-style attacks
- Boost advanced persistent threat (APT) security levels in six steps
- Ranum chat: APT attacks and malware evolution
- Advanced persistent threat (APT) defense; best practices
Second, said Schmidt, government intelligence agencies – such as the UK’s GCHQ – also have a great deal of information about sources of attacks and attack methods that can be shared with business.
However, he said in his experience, much of this information is often considered as “classified” unnecessarily. Consequently it takes weeks and even months before it can be shared.
While at the White House, Schmidt campaigned for changes that would enable cyber attack information to be declassified and shared faster, particularly when critical infrastructure is involved.
All governments need to review and revise any legislation that get in the way of sharing useful information about cyber crime with industries, sectors or individual companies affected.
“In one US case in 2011, it took 102 days from when an attack was reported to share the information with the private sector, which is unconscionable,” said Schmidt.
There are added restrictions, he said, on sharing information about cyber attacks received by an intelligence agency in another country.
Schmidt believes all governments should be giving urgent attention to setting up mechanisms for making such information “actionable, timely and viable.”
“Although some progress has been made, it is not fast enough. We cannot wait for governments. Private industry has to make a start in sharing the cyber attack information it holds,” said Schmidt.
“It is incumbent on every CEO, industry sector and supply chain member to find ways to share this important information.”
On the topic of cyber warfare, Schmidt believes it should be all about defence. “Everyone has an indisputable right to defend their networks,” he said.
However, he cautions against cyber weapons and state-sponsored malware, which he describes as “foolhardy” because both these things can be picked up and used against the country of origin.
“With state-sponsored malware, everyone – including industry – is in the crosshairs of such government action and could end up as collateral damage,” said Schmidt.
For this reason, no businesses can ignore the existence of state-sponsored and other invisible, yet persistent threats designed to get into networks to steal information.
“Businesses need to be concerned. They cannot afford to sit back and say government must do something. It is up to them to do what they can to protect their key data assets,” he said.
All organisations can start with simple things that will greatly reduce the likelihood of becoming victims of persistent threats.
For example, it is a good idea to allow only digitally signed emails to reach employees and to automate strong authentication processes instead of leaving it up to employees, said Howard Schmidt.