Ukraine crisis is ‘opportunity’ to change cyber for the better, says former NSA director
A former director of the National Security Agency (NSA) in the United States has called for greater collaboration between governments and the private sector on cybersecurity.
Admiral Michael S. Rogers, director of the US’s largest intelligence organisation and commander of US Cyber Command from 2014 to 2018, has said there must be far more data sharing between companies and the state in order to learn from mistakes and improve online safety.
Rogers, speaking at Futurescot’s Cyber Security conference in Glasgow yesterday, referenced how improvements were only made to the car industry in the 1970s after society acknowledged the huge rate of annual accidents, forcing industry and governments to work together to devise new regulatory and safety frameworks that brought about a revolution in design and manufacturing for automobiles.
He said we are at a potential inflexion point now in cybersecurity – especially given the accelerating crisis in Ukraine and global risks of cyber collateral damage – where there is a window of ‘opportunity’ to improve the regulatory environment and shared learning between governments and industry.
He said: “I suspect we’re going to have a whole broader set of challenges coming out of cyber than what we’re seeing out of Ukraine and Russia. But I hope that our nations collectively view this as an opportunity; there’s nothing like a good crisis to drive change.”
“I hope as we’re looking at these cyber issues in the coming weeks and months, we view this as an opportunity to actually get better and look at how we can do things differently.”
His analysis, particularly in a US context, was that companies are still not mandated to report when they are hit by cyber incidents – including ransomware – and can freely pay cybercriminals unless they are a ‘sanctioned entity’. He said that situation was not incentivising people correctly and that, because of the lack of transparency, cybercriminals are largely able to repeat the same techniques over and over again with a high degree of success.
Admiral Rogers said he was in favour of a new model of collaboration perhaps based on how the aviation and car industries are mandated to share data in the event of catastrophic failure. It is only then, when expert reviewers can pore over the data, that learnings and insight will be gained and it can lead to improvements in manufacturing, design, inspection, software and maintenance regimes that prevent the same or similar incidents from occurring in the future.
He drew the analogy of the auto industry in the US where safety improvements to car headlights, automatic braking systems, more crash resistant glass and seatbelts had all come through the rigorous process of analysing accident data, something which is unnecessarily absent from too many cyberattacks that go unreported. Although he praised a better regime for reporting and standards in the UK, he said there was a long way to go in general to get to the point where the sharing of data is such that it can incentivise better outcomes – potentially along the same lines as how car insurance premiums are cheaper based on enhanced vehicle safety.
“Why is security not a core design characteristic in the software we write, in the hardware that we develop?” he said. “Why is cybersecurity not a core element in the regulatory and the legal frameworks that we put into place? Why are we not incentivising cybersecurity like we incentivise automobile safety? Why are we not partnering with the private sector in the exchange of information, in the way we look at accidents, in the way we model security, in the way we use real-live data for real-live penetrations to turn that around to then address what are our standards? I think there’s a great lesson to be learned there from my perspective. We have shown where we can partner in a comprehensive way between the government and the private sector.”
Admiral Rogers’s comments come as it was revealed in an industry report last week that 82 per cent of UK organisations that were infected by ransomware opted to pay the criminals in order to restore their networks, the highest of any region surveyed (and 41 per cent higher than the global average).
The 2022 State of the Phish analysis by Proofpoint, which surveyed 3,500 people across seven countries, revealed also that only 69 per cent of organisations that paid an initial ransom regained access to their data and systems; a further 28 per cent only regained access after a secondary payment with three per cent paying an initial ransom but refusing to pay more, thereby failing to get access.
Admiral Rogers spoke of one experience he had when the US Pentagon’s network was penetrated by 15,000 malicious emails in an orchestrated nation state incident; although they managed to ‘forestall’ over 99 per cent of the inbound traffic, it still managed to infect four users, leading him to conclude that it had “been a bad day”.
He said: “The most frustrating thing is adversaries are using the same techniques over and over and getting a high return. So we need to… potentially look at a different collaboration model.” To that end he urged starting off small because ‘cyber is a journey’ and you cannot expect to create the right response model from the off, adding: “I look at cybersecurity and I’m thinking it is the same challenges over and over again. Why is it we cannot create a situation where the pain of one leads to the benefit of many? If it happens to you why can’t we learn from this so we’re not repeating it.”