Andrew is the CEO and co-founder of Illumio, a cybersecurity leader in end-to-end segmentation, network security and zero trust.
The United States, which spent approximately $714 billion on national defense last year, has long been heralded for its military prowess. Adversaries know our strength on the battlefield, but as rising ransomware attacks show (e.g., JBS, Colonial Pipeline, Microsoft Exchange, SolarWinds), we’re increasingly vulnerable in cyberspace.
These recent attacks underscore a larger trend: the shifting tides of traditional warfare. Wars have historically been fought over land, air or sea, but increasingly, they are now moving to cyberspace. And the unfortunate reality is, the United States is, for once, behind the curve. We’re losing this battle. We need to be more resilient — here’s how.
A Case For Cyber Rules Of Engagement
In order to combat the ongoing scourge of nation-state-backed cyber threats, and this new age of warfare, there need to be rules of engagement (ROE). Operating without a set of standards is no longer an acceptable model when recent attacks have impacted governments, businesses and everyday citizens on a massive scale — and they’ll continue to do so. But creating and orchestrating a global guide to cyberwarfare is much easier said than done.
The power of traditional weapons often lies in deterrence (e.g., the power of nuclear weapons is in having them, not using them). When it comes to cyberweapons, currently there’s no deterrence power. No one knows who has what, and often, it’s not immediately clear when an incident begins or occurs. When a cyberattack happens, attribution is nearly impossible. Unlike physical warfare, it’s tough to be certain who’s attacking you in cyberspace.
Progress on developing ROE has been slow thus far, but we are seeing some encouraging signs. For instance, ransomware attacks could now be considered weapons of mass destruction. Having leadership acknowledge that ransomware should be classified as a weapon of mass destruction is an important step forward. However, we must create formal ROE to address the catastrophic impact of breaches and stop nation-state attacks from escalating.
NATO’s Evolution: Technology Alliances
In the future, we will see the evolution of traditional military alliances (like NATO) to address cybersecurity as well. We will form partnerships and treaties with other global leaders to combat the growing threat of attacks in cyberspace. Failure to establish an international cyber alliance will further silo policies, technologies and responses in the face of global crises. With an international cyber alliance, we’ll be more resilient and better positioned to deter and respond to attacks, making our world more secure.
An international cyber alliance does not currently exist; however, the Biden Administration has made its stance on cybersecurity clear by guiding and supporting the private sector’s approach to cybersecurity and improving the security posture of its own federal agencies. This guidance would be a solid foundation on which to build a global cyber alliance. Additionally, President Biden recently announced Chris Inglis as his pick for national cybersecurity director. Time will tell how quickly we can start building out and implementing a plan for how the U.S. will work with global allies to address the critical state of international cybersecurity, but there is a hopeful sense of urgency we have not seen before.
As the world works to address today’s security concerns and vulnerabilities, we have already begun to see small but important changes in the U.S. One example of this is President Biden’s recent Executive Order. The Executive Order makes breach disclosure between the private and public sectors easier. Information sharing about cyber threats is critical for our collective security — and one day it will include our global allies.
Making sure we have the right cybersecurity policies and appropriate funding at home is as important as our global partnerships. President Biden’s Executive Order is a step in the right direction. This is the first time in U.S. history that the federal government has acknowledged that we cannot stop all security incidents — breaches happen. The Executive Order calls on federal agencies to implement a zero trust framework, specifically segmentation, to mitigate attacks and limit their impact.
While President Biden’s Executive Order is a meaningful first step in shoring up our cybersecurity policies, we need further action to ensure we are all secure and resilient to breaches. For example, it’s best practice for organizations to alert the FBI when they’ve been hit with a ransomware attack. When key industries don’t disclose breaches, there can be even more catastrophic consequences. We need more formal breach notification legislation that pushes organizations to disclose in a timely manner when they’ve been attacked, so we can take a more comprehensive approach to responding.
Thankfully, there’s more to come. Shortly after President Biden signed the Executive Order, members of Congress opened up about how they’re ready for “round two” and want to implement additional cyber legislation as soon as possible. This Executive Order put a stake in the ground when it comes to cybersecurity, and it’s just the beginning.
What You Can Do Now
While we wait for the rules of engagement to be defined, international technology alliances to be formed and updated legislation to be passed, organizations should focus on implementing the right tools into their security infrastructure. The Biden Administration, per its NSC memo following the JBS attack, recently recommended the private sector implement zero trust segmentation (also known as micro-segmentation).
Zero trust segmentation stops breaches from spreading by separating large flat networks into distinct segments and compartments. By segmenting our networks and compartmentalizing crown jewels, we are able to keep the most important assets safe even when an attacker is inside the network. I expect these types of post-intrusion solutions will increasingly be mandated by the federal government (for public and private sector adoption), supporting a more realistic and robust cybersecurity posture going forward.
In cybersecurity, “success” is about resilience, not absolute guarantees against breaches and attacks. The future of a successful cybersecurity strategy is not siloed; rather, it is one where policies, alliances and tools converge to form a resilient and safe future.