Dive Brief:
- In cybersecurity, the public and private sectors collide, but national governments aren't leveraging the intelligence capabilities of companies, said J.C. Dodson, global CISO of BAE Systems, while speaking at Suits & Spooks cybersecurity summit in Washington Friday.
- The threat landscape has evolved to the point where industry-specific cyberattacks — financial services, pharmaceuticals, aerospace — have blended. "It may start over in pharmaceuticals, but it's going to land in another sector," said Dodson.
- Malware used to take an average of 92 days to weaponize — now it's 16 days, said Dodson. As a result, the window defenders have to respond has shrunk. Sophisticated malware was once available only to nation-state actors, and now "that stuff is sold for a buck 99."
Dive Insight:
The private sector needs direct and fast information sharing, unencumbered by classification restrictions. About a decade ago, national governments shared 98% of intelligence with BAE, said Dodson.
The roles of the public and private sectors have essentially flipped. Yet information is still a point of contention between them.
The Department of Homeland Security banned all Kaspersky Lab products from its technical infrastructure in 2017. The agency said it couldn't enforce the rule on private entities. Some retailers, including Best Buy and Office Depot, pulled Kaspersky products from their shelves when the ban was announced.
"Our vision here wasn't to say, 'everyone should do it this way,'" said Allan Friedman, director of cybersecurity initiatives at the National Telecommunications and Information Administration in the Department of Commerce, while speaking at the event.
For more proactive cross-sector collaboration, the solution is just "ask nicely" in a "slightly kumbaya" fashion, said Friedman.
But the federal government's willingness to identify Kaspersky Lab as risky wasn't the hard part. The hard part was locating where the software lived. "Asset management is the No. 1 thing we have for cybersecurity," said Friedman. Cybersecurity needs to start with knowing what open source and commercial software is in use, all the way down to the end user.
Transparency is the goal. Communication is the vehicle to get there.
If the leader — in this case, DHS — is alone in the ability to identify and sound the alarm about risk, companies have to wait until an employee or an audit finds it. And then it is vital for companies to announce what they found. If risky software is commercialized, a business's systems are vulnerable.
Transparent collaboration won't solve all exploitable software flaws, but it will provide general knowledge to cybersecurity professionals outside of the federal government.