Pogo infamously stated in a 1970 cartoon “we have met the enemy and he is us.” As cybersecurity professionals, we recognize that humans are the weakest link when it comes to securing our businesses. We ask employees to not open suspicious attachments or click on suspicious links; to use strong, unique passwords; to follow rules and work with us to secure our companies. Through training, teamwork, and cooperation we build internal cybersecurity. Why, then, can we not do the same externally, enabling teamwork and cooperation between companies?
A team approach that ensures that all businesses, regardless of their internal resources, are able to share cybersecurity best practices, education, innovations, information, and intelligence with one another will establish a stronger cybersecurity ecosystem.
External Sharing Models Exist But Aren’t Enough
For millennia, businesses competed with one another, focused on growing their products and services at the expense of competitors. Competition drove innovation. Friendly (and not-so-friendly) rivalries abounded with artisans and merchants forming guilds to protect their operations, establish boundaries, and share knowledge. Today, professional cybersecurity organizations replicate guilds, providing a forum for mutual support and cooperation, enabling members to learn from one another in trusted, less-competitive environments. Alliances and consortiums build further on these opportunities, sharing cybersecurity information, intelligence, best practices, and theories among cooperating businesses. State-run cybersecurity task forces, like those in Michigan, Ohio, and Wisconsin, provide incident response support to smaller government agencies and/or critical infrastructure, furthering the development of small agencies. However, like the guild concept, membership in consortiums and alliances are limited to entities with the maturity to dedicate resources, while task forces are only able to provide mutual support operations to entities that meet certain criteria.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides four Implementation Tiers that support the concept that information sharing is the purview of more sophisticated and greater resourced organizations. The Tiers are designed to provide context on how an organization views, responds, and manages risks. Tier 1 organizations are described in part as those that do not understand their place within the cyber ecosystem and do not share or receive information, while Tier 4 organizations share and receive information, incorporating it into their cybersecurity efforts on a near real-time basis. Rather than a maturity model, the Tiers strive to help organizations understand their cybersecurity models in the context of organizational objectives and resources. But once again, information sharing and mutual support are limited to larger, more mature organizations with the resources to dedicate to these efforts.
The Sliding Scale of Cybersecurity directly acknowledges that intelligence has a high cost compared to its return value as data collection, exploitation, and sharing for intelligence purposes can require specialized tools, dedicated personnel, and time to implement.
On the surface, these approaches of promoting intelligence sharing and cooperation among those with the resources and knowledge to make use of the opportunities make sense as it takes resources to parse and interpret. However, this approach leaves the Small and Medium Businesses (SMBs) without the skills or resources to support information and intelligence sharing endangered by what they do not know. After all, not enough information can be just as dangerous as too much information.
Cybersecurity Is Critical for SMBs
There are 31.7 million small businesses in the United States, accounting for over 99% of all U.S. businesses and employing 48.75% of all U.S. employees as of March 2021. The statistics are similar around the world: over 99% of all businesses in the United Kingdom, Australia, and Europe are small businesses for a total of more than 305 million small businesses worldwide. These are the CSF Tier 1 companies for whom cybersecurity is a challenge as they lack the resources and skills for effective implementation, to say nothing of incorporating intelligence or contributing to the broader ecosystem. However, these small businesses form the basis of large sections of the supply chain and economy, making their cybersecurity critical.
With $4.2 billion in losses reported to the Federal Bureau of Investigation (FBI) in 2020 and a belief that only 20% or fewer of all victims report cybercrimes, it is possible that the U.S. loss to cybercrime is $21 billion or more. The impacts of a cybercrime can be staggering for SMBs, some of whom face losses from which they can never recover. Technologies and knowledge that would help prevent the incidents, including phishing training, anti-malware programs, and regular patching, are out of reach as SMB owners focus on day-to-day business needs without the time to learn and implement cybersecurity.
Efforts to secure the supply chain are a critical first step in supporting SMBs, as many are a part of that chain. However, current efforts have focused on securing the supply chain from the perspective of a sophisticated organization following the NIST CSF and in response to major compromises, such as the SolarWinds (2020) and Microsoft Exchange (2021) incidents. While very necessary, these efforts do not bring cybersecurity within reach of SMBs and, instead, place greater pressure on SMBs to follow cybersecurity best practices in order to protect their more sophisticated customers. What is now required is the reverse: to ensure that teamwork and mutual support work both ways, with sophisticated, mature organizations supporting their less mature counterparts.
A New Approach – Neighbors Helping Neighbors
As with physical security and the Neighborhood Watch model, teamwork and mutual support are key. More mature companies have an opportunity to share their expertise, assisting neighbors with small improvements, including simply understanding off-the-shelf security implementations.
This process needs to start with internal legal support to allow for broader cooperation efforts by more mature companies. We need to move past the calls of lawyers and insurance providers requiring threat intelligence and indicators of attack and compromise to remain internal. This information is of great value to the broader community and can often be shared without causing harm or exposing the vulnerabilities or potentially profitable innovations of a company.
As the saying goes, it is easier to establish contacts left of boom, instead of in the middle of an incident. Cybersecurity experts at larger companies need to apply this internally to build relationships that allow them to convince legal departments that sharing information externally will strengthen the ecosystem, which helps the company. This way, when an incident occurs or a contract needs to be signed, there can be greater support to ensure sharing is considered and approved.
Secondly, the collection, exploitation, creation, and sharing of cyber threat intelligence is unlikely to be simplified to the point where all SMBs can easily participate. Especially when SMBs continue to struggle with basic best practices, such as applying patches and updates. However, large companies often include volunteer programs that encourage supporting local charities. Extending these volunteer efforts to allow employees to work with SMBs to automate best practices, including updates, patches, and the incorporation of trusted indicator feeds would go far toward improving the cyber ecosystem.
Internal cybersecurity training sessions often consist of non-company-specific education and training to encourage cybersecurity best practices among staff to reduce cyber threat actor exploitation of employees. So, if the opportunity exists to include members of the supply chain, neighbors, or SMBs in the same sector, why not do so?
This is even more possible in the current virtual environment where expanding attendance is often easier. Amazon just took this step, announcing that the Amazon Security Awareness training provided to employees will be freely available on the internet beginning in October 2021. Access to training modules are a great first step and can only be complemented by professionals who help SMBs understand which modules to use or by allowing external entities into formerly internal live training sessions. Expanding trainings to include the supply chain and SMB neighbors will strengthen our collective cybersecurity by ensuring SMBs are less likely to be used as platforms for attacks, as spam distribution centers, or sources of sensitive information about their more sophisticated partners.
With cooperation expanding among companies, there are sure to be new innovations in cybersecurity as experts have the opportunity to study new problems and new networks. Questions from those with less knowledge of the principles and theories will spark new ideas and understandings. And the chance to configure software and hardware from scratch brings the opportunity to see changes and features in a new light. Almost any mentor will tell you they learn as much from their mentees as the mentees learn from them and the same benefits can hold true for cybersecurity mentors and mentees.
Establishing an Ecosystem of Teamwork
Teamwork, mutual support, and cooperation through threat intelligence, indicators of attack and compromise, response assistance, education opportunities, homogeneous policies and shared standards, and the innovation of new defenses will create a more secure environment for everyone. To achieve this ecosystem, we as a community must acknowledge that cybersecurity is a one-for-all and all-for-one endeavor. With that understanding, it should be easier to work with lawyers and insurance providers to allow cybersecurity professionals the leeway to cooperate with one another, even among competitors. This provides the opportunity to support our neighbors and SMBs with education, technical support, and threat intelligence inclusion, and to use our expertise to advance innovation across the cybersecurity ecosystem. Through teamwork and cooperation, we establish stronger cybersecurity for all.
Stacey A. Wright