The key to making cyberspace safe is giving defense-oriented security professionals “leverage over attackers at the lowest cost and the greatest scale”, according to a new report released Thursday by the New York Cyber Task Force (NYCTF).
Comprised of principals from major firms – Goldman Sachs, JP Morgan, PwC, McKinsey, and more – the NYCTF came together one year ago to identify “frictionless areas” for private sector cybersecurity improvements, explained Merit Janow, Dean of Columbia University’s School of International and Public Affairs (SIPA) and a Co-Chair of the NYCTF.
“It was important for us to have New York in the title,” said Jason Healey, Senior Research Scholar at Columbia University’s School of International and Public Affairs and executive director of the report. “When talking about cybersecurity, Washington D.C. can get caught up in pessimistic views, and Silicon Valley can get caught up in techno enthusiasm. New York had a unique voice here, when talking about balancing risk and reward.”
“New York is also the frontline of our nation’s cyber defense,” added Greg Rattray, managing director of global cyber partnerships and government strategy for JPMorgan Chase and a Co-Chair of the NYCTF. According to Rattray, the policy challenges associated with cyber can be tricky – sometimes firms find themselves operating in countries associated with security concerns, which drove the report’s very practical recommendations.
It is not just the make-up of the membership that sets this report apart: task force principal Ed Amoroso – CEO of TAG Cyber and former Chief Security Officer at AT&T – highlighted that the principals actually wrote the entire report themselves.
In contrast to other cybersecurity regulation suggestions, the report, titled “Leverage: Getting to a Defensible Cyberspace,” recommends that leverage become an explicit end goal, not just an implied strategy.
“The goal is to gain cumulative leverage, not just tilt the scale a little bit,” said Rattray. “In aggregate, it is definitely possible to get to a place where the defenders can make it consistently hard for attackers.”
In identifying methods to attain this leverage, the report analyzed more than one hundred important defensive cyber innovations from the past fifty years, including technological, operational, and policy-driven initiatives.
“There is so much frustration in the field about finding what will give us the most payoff,” said Healey. “We looked at these innovations and noticed that they all follow this curve – first they’re new and amazing, then they become stale, and eventually turn into declining assets.”
Several task force principals highlighted that many of the most beneficial ideas, like organizational best practices, are actually free – free and distributable across industries.
According to Phil Venables, Chief Operational Risk Officer at Goldman Sachs and a Co-Chair of the NYCTF, many professions – like medicine and engineering – have better means to share their professional practices, though he notes that security is catching up.
Still, the report cautions that firms must not overly rely on lists of practices.
“If you approach it as ‘these are the three things businesses should do to get leverage,’ then good luck,” said Amoroso. “Our approach shows that you need infrastructural cooperation across the entire cyber ecosystem to tip the balance to the defenders. One company can’t do this. You won’t find three tips.”
“We’ve never been able to checklist an adversary out of a system,” noted Neal Pollard, Partner for National Cyber Incident Readiness at PwC and a NYCTF principal.
Venables added, “While checklists can take care of the basics, and show that best practices have been adhered to, they can’t always cover all the risks of specific situations.”
With these limits of checklist compliance in mind, the report provided a series of policy recommendations for Silicon Valley and D.C. audiences. Rattray explained that these policies sought to include initiatives that build public confidence in firms, deal with deterrence, and create obligations in the cyber ecosystem.
Multifactor authentication, one of the policy innovations highlighted in the report, is one such resource.
Just this week, Deloitte confirmed that a hacker had breached its email servers by gaining access to an employee email account that did not use two-factor authentication. This basic security measure is widely available and free.
The task force’s argument is not that protecting this one account with free multi-factor authentication would have prevented the intrusion, as the attacker would have simply attempted to access other email accounts. Rather, their argument is that widespread use of multi-factor authentication – in combination with other methods – would have, at low cost, significantly deterred the attacker, and perhaps given the network defenders more time to respond to an intrusion.
Still, the report does not suggest that the financial sector will ever achieve an entirely defensible cyberspace. Even the most innovative initiatives can shift the balance in the ecosystem in uncertain ways; automation, for example, is one that Healey theorizes could benefit either the defense or the offense.