Watching But Not Waiting: Vigilance, Diligence, and Resilience on Cybersecurity
Debora A. Plunkett
Principal, Plunkett Associated LLC
In the past year, the cybersecurity landscape has been rich with new partnerships, timely security guidance and remediations, and collaboration across all sectors. Simultaneously, we have seen a continued uptick in intrusions, attacks, supply chain breaches, ransomware demands, and public disclosures.
In fact, while it could be said that we are in a static state as it relates to the use of novel, more sophisticated and lethal cyber tools, the volume, and impact of the use of cyber tools continues to grow exponentially.
While cyber has played a role in geopolitical conflicts as evidenced by the Russia-Ukraine war, it has been minimally employed in advancing large-scale strategic objectives. One might conclude that we are in a static state in cybersecurity, but now is no time to let our guard down. Well-resourced and capable malicious actors are still worth watching carefully. We must remain not only vigilant, but determined and resilient, as the use of cyber capabilities to satisfy a myriad of objectives continues apace.
In the mid-2000s, when cyber intrusions were first accelerating in pace and intensity, a frequently used formula for conveying the impact and potential for cyber attacks to be successful was that 85% of attacks were the result of exploiting known vulnerabilities for which there were existing known solutions. The message then, was that if we would only invest in applying these solutions, we could then spend scarce resources in not only addressing new mitigations for classes of vulnerabilities, but also in developing and delivering solutions to the remaining 15% of the attacks—the novel, more sophisticated and seldom, if ever, seen exploits with no know solutions.
Fast forward to today.
While it remains true that most attacks today are exploiting known weaknesses (largely enabled by humans), there have been more novel attack strategies that have presented new challenges to cyber defenders. These include supply chain breaches which have opened the door for more pervasive, widespread, and impactful attacks. Also included are the uptick in the investment in discovering and deploying zero-day exploits, with China emerging as one nation state with significant investments and stated intentions in this area.
The security community’s response to the continued growth in the volume of attacks has been to collaborate more, partner across sectors, speak transparently about risks and emerging threats, and address the potential attacks by bringing government and private sector resources to bear.
Unlike any other time in the lifecycle of cybersecurity, private sector organizations are uniting to bring their best capabilities together to assess and develop solutions for tough cyber challenges. These partnerships are genuine and encouraging, as the skills shortage in cyber security means the best talent is often disbursed across multiple organizations.
Like no other time in the past, competitors in the cybersecurity field are openly praising the work and partnership of others. Alliances are being established and matured as the cyber community realizes that the strength of our response is contingent not on the capabilities of one, but on the contributions of all. It is critical that these alliances continue to flourish.
Unlike any other time in the lifecycle of cybersecurity, private sector organizations are uniting to bring their best capabilities together to assess and develop solutions for tough cyber challenges.
The U.S. government, likewise, has increased its efforts to collaborate both across government and with the private sector.
The strengthening of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), both in substance with designation of additional resources to this mission, and in leadership, has resulted in a stronger front line for the USG’s engagement with industry.
Similarly, collaboration across the USG is manifest, as evidenced by published security guidance on a myriad of security topics, often co-authored and/or sponsored by multiple USG departments or agencies. This collaboration takes advantage of the cybersecurity expertise that exists in several organizations while acknowledging established author