Cyber news has traditionally been a relatively quiet affair. Some of the larger attacks, when they impact large corporations like Target or Home Depot, make headlines. For good reason, most organizations would rather keep a cyber attack on the down low. But then came WannaCry, Petya, and NotPetya — mega-viruses that swept so broadly they couldn’t help but make headlines.
They also shed light on some important weaknesses in coordination between the public and the private sectors. Increased coordination across these sectors is clearly more vital than ever for the future of cyber protection.
When Your Hands are Tied
How do you respond to a cyber attack? There’s actually no one answer to that question, since threat mitigation, when done well, is tailored to the needs of your organization. Institutional priorities vary, and the protocol for response should match. Even within the federal government, though, procedures vary. Unfortunately, that creates a situation where a private sector company, or even a public infrastructure sector, may have trouble proceeding. Who do you even contact, the FBI or the Department of Homeland Security? While the FBI and even the FCC play a role in coordinated cyber security efforts, DHS maintains the National Cybersecurity and Communications Integration Center.
The private sector has the unique ability to develop personalized response protocols and act on cyber threat intelligence to implement new strategies quickly, often with greater direct access to resources. Yet, when it comes to response or retaliation to a threat, a private sector organization may find its hands tied: how do you respond with litigation when the threat may have come from across borders? The WannaCry and NotPetya viruses are thought to have been state-sponsored attacks. A private company has little opportunity to directly respond to such a threat.
When Coordination Takes Communication
Beyond the coordination needed for threat reporting, litigation or retaliation, there is another important point of coordination: communication. Other threats against an organization can be communicated across sectors very quickly. If your building is on fire, you call the fire department. If a facility is burglarized or physically threatened, the police can be reached. These are examples of quick communication between a private company and the public resources needed to help swiftly resolve them. Cyber threats need a similar level of coordination.
The street runs both ways:
- Public and state-run response efforts would gain increased real-time data and cyber intelligence if private companies had the equivalent of a 911 call.
- Private sector companies would see a better containment of “the fire” if public notification tools were coordinated in the event of a cyber attack.
Start with the Basics
One of the biggest weaknesses revealed by the recent wave of ransomware viruses, however, was not just in coordination. The viruses were far-reaching, in part, because of a lack of cyber security basics:
- Updated and supported software and hardware systems
- Employee cyber attack prevention training
- Attack alert
Much of the notification that occurred during WannaCry and NotPetya was done by the press. There was no equivalent of an alarm sounded that could have prevented hundreds of companies from infection. So even though the threat intelligence tools exist, available for both private and public sector entities, it falls to each individual organization to implement protocols to integrate those tools into their organizations.
The “leave it to the IT department” attitude of past years no longer works. If IT departments couldn’t get around to each computer to update against WannaCry before the first widespread attack, how could they similarly train each employee against a cyber threat? It will take widespread public and private sector collaboration to prevent the next wave of major cyber attacks.