Is America’s working definition of “national security” too narrow for the digital age?

Yes, observes retired Admiral Michael Rogers, who served as a top White House cybersecurity advisor under both Presidents Obama and Trump.

Related: The golden age of cyber espionage

The United States, at present, operates with a “nebulous” definition of what constitutes a cyber attack that rises to the level of threatening national security, asserts Rogers, who was commander, U.S. Cyber Command, as well as director, National Security Agency, and chief, Central Security Service, from March 2014 until he retired from military service in May 2018.

“National security in the digital age, to me, is the confluence of the traditional ways we used to look at security issues as a nation-state, as well as taking into consideration how economic-competitiveness and long-term economic viability play in,” Rogers told an audience of cybersecurity executives, invited to attend the grand opening of Infosys’ state-of-the art Cyber Defense Center in Indianapolis earlier this week.

Rogers made his remarks as part of a panel discussion on securing digital transformation moderated by Infosys CISO Vishal Salvi. It was a wide-ranging, eye-opening discussion. Here are a few key takeaways I came away with:

Rising cyber exposures

Enterprises today are engaged in a struggle to balance security and agility. Leveraging cloud services and IoT systems to streamline workloads makes a ton of sense. Yet cyber exposures are multiplying. Compliance penalties, lawsuits, loss of intellectual property, theft of customer personal data and loss of reputation — due to poor cyber defenses — are now getting board level attention.

While more companies are making cybersecurity a high priority, the devil is in the details, and many are struggling. A full appreciation of the depth and breadth of daily attacks has escaped many senior executives. And political leaders aren’t anywhere near close to containing the problem. The result has been that criminal syndicates and nation state threat actors operate with impunity – and cyber exposures are rising.

The top criminal hacking rings today are comprised of hundreds of full-time, highly-skilled hackers, targeting organizations that may have, at best, a handful of security professionals focusing on preserving network integrity. Financial institutions will always be a big target and continue to get heavily breached. Local governments and small businesses, meanwhile, continue to get targeted for crippling ransomware extortion attacks and business email compromise campaigns.

A big shift in the past five years, Rogers pointed out, is that America’s nation-state adversaries have begun hacking for geo-political strategic advantage – and even to fund their treasuries.

As a top White House cybersecurity advisor, Rogers was in the thick of detecting and responding to Russian interference with the 2016 presidential election, as well as Russia’s deployment of the devastating NotPetya ransomware worm. And he was privy to intelligence reports detailing how North Korea hacks into banks, gambling sites and crypto currency exchanges to fund its regime. “I watched the North Koreans pay attention to all of that and I’m thinking, ‘So you’re using cyber to raise money because you’re being isolated economically by a global community,’ ” Rogers said.

With cyber attacks intensifying and a systemic reversal a long way off, the burden for mitigating cyber risks in the digital age has come to lie with company decision makers and individual employees. At a fundamental level, it comes down to more rigorously practicing cyber hygiene.

Improved cyber policies and practices are in dire need and can clearly make a big difference. At the same time, the attack surface of business networks is expansive – and growing. Migration to cloud services and deeper reliance on IoT systems are accelerating. In such a complex and dynamic business environment, threat actors never stop probing and are finding endless ripe attack vectors.

Technology solutions

The encouraging news is that, on the technology side of things, machine learning and data analytics are increasingly being brought to bear to bear – to help automate and speed up the detection and remediation of malicious network traffic. This struck me as I roamed the vendor exhibits halls at RSA 2020 last week in San Francisco, and, again, this week at Infosys’ ribbon-cutting event in Indianapolis.

The panelists, in fact, spoke after the audience members took a tour of Infosys’ seventh Cyber Defense Center, which essentially functions as state-of-the-art security operations center finely-tuned to continually monitor and protect multiple enterprise networks. Infosys is a global digital services and consulting firm, headquartered in Bengalura, India; it’s shares are traded on the New York Stock Exchange, and it reported 2019 revenue of $11.8 billion. Infosys operates six other defense centers in India, Europe and Australia.

Instead of setting up and staffing an on-premises SOC, a company could choose to route its daily network traffic through one of Infosys’ CDCs. These facilities are staffed by teams of security analysts who are entirely dedicated to correlating threat reports from more than 100 open source threat intel feeds, as well as top proprietary threat intel sources, such as Recorded Future, iSIGHT Partners, TELUS Security Labs and FS-ISAC, Salvi told me, as we strolled through the Indianapolis facility.

“Think of it as a platform which collects threat feeds from all of these open source and commercial sources, articulates it, and then gives you actionable intelligence,” Salvi said.

Another core service churning away in these defense centers is the continual monitoring, measuring and tweaking of key network performance measures, as well as key risk indicators. These continual health checks, if you will, are based on cybersecurity frameworks developed and promoted by the likes of the National Institute of Standards and Technology (NIST) and the International Standards Organizations (ISO.)

Together these core services can help a company stay on top of malicious probes and breaches that can, and still will occur. By leveraging automation and freeing up humans to concentrate on intuitive tasks, mitigation happens more quickly and pervasively, and compliance requirements get readily met, Salvi said.

Societal values

Back to the panel discussion. Rogers said he had low expectations for government to lead the way in getting the public and private sectors to collaborate on making the Internet acceptably safe. He also said that he does not subscribe to the notion, espoused by some in Silicon Valley, that an engineering silver bullet will eventually come along to take care of things.

“I don’t want a world that’s purely defined by engineering,” Rogers said. “I want a world that recognizes the challenges and the benefits of technology – and that also recognizes that this technology needs to be applied within a framework that reflects the values, the norms, the structures and the legal frameworks of the societies in which it gets used.”

Board-level awareness is now in place. Compliance drivers, like Europe’s GDPR and California’s CCPA, are stirring the pot. Withering attacks by criminals and nation states continue. Technological solutions are at hand. And progressive companies are taking steps to promote cyber hygiene as a cultural value. A lot of work still needs to be done. Even so, I came away from my visit to Indianapolis encouraged that things are moving in a positive direction. I’ll keep watch.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/my-take-former-nsa-director-says-cybersecurity-solutions-need-to-reflect-societal-values/