Collective Cyber Defense: From Buzzwords to Reality
Dr. June McCarroll aka the Rebel Doctor

Collective defense is one of those phrases that makes me wince. Not because I disagree with the concept. I dislike the insouciant way it gets flung about as if collective defense is an easily achievable thing.

Collective defense virtuously splits the burden of persistent defense between stakeholders. Sometimes (think NATO) collective defense also acts as a deterrent. So, let's look at road markings (yes, the lines painted in the middle of the road) as the historical precedent when thinking about collective cyber defense.

When slow-moving, horse-drawn buggies were the only vehicle, road accidents weren't a public menace. This changed when new, super-speedy automobiles started populating roads.

The two modes of transportation co-existed on city streets for decades until cars eventually took over in the 1920s. Check out these lunatic drivers on Market Street in San Francisco circa 1906:

Despite the dangerous new phenomenon of auto traffic, and although no special skill or great expense was required to paint lines, it still took 45 years of accidents to reach consensus that ‘road markings are good for safety’ and to start painting them on the most populated roads. Worse yet, it took another 30 years to stand up the Department of Transportation (1966) with authority to require standardized painted lines on every road across the nation.

What’s the moral of this story? Even with decades of great loss of life and property, when left to their own devices, the private sector won’t organize to assure their collective safety. “Everyone for themselves” is acceptable and the default setting in our individualistic society. It’s not that security isn’t a priority, but security at scale is always someone else’s responsibility.

Until a maverick comes along...

In 1917, a truck drove Dr. June McCarroll off the road, nearly killing her. She appealed to municipal authorities for lane demarcation. They argued, couldn't arrive at consensus, and her request was denied. So, she bought a bucket of paint and painted the lines herself. It was a bellwether event because word spread and others followed suit.

Did it solve all road safety problems? No. But it established national consensus without debate on a terrain that had no government oversight.

Cyberspace is a domain with (almost) no government oversight. Is it reasonable to expect private-sector critical infrastructure companies to arrive at a consensus, establish, sustain, and enforce a standard for collective defense against persistent APT aggression? As it stands, it's every company for themselves with only slight coordination via ISACs and fusion centers.

Also, defending against APTs is much more complicated than deciding if road lines should be dashed or dotted. With disparate resources, competing interests and businesses to run, are national security decisions realistically within the private sector's capacity? Or is natsec strategy development and implementation something the private sector should be responsible for?

(Remember, there is no cyber force for civilian critical infrastructure. USCYBERCOM protects DoD networks exclusively, the IC is responsible for everything else, DHS has no military authorities, and the FBI handles law enforcement & prosecution, not APT defense.)

Without authority and oversight, is collective cyber defense in the civilian sector even possible?

I'm not waiting to find out. To address this dire problem, my team and I built something that will change everything. It’s called Nemesis, and it’s a global, interoperable software platform that delivers a suite of unexpected defensive capabilities and timely intelligence. It’s a private, members-only platform (a bit like SWIFT) that forms an allied coalition of armed, informed and synchronized collective defenders.

Nemesis is the supporting framework and infrastructure for collective defense. I guarantee that you’ve never seen anything like it.

Does Nemesis stop APT aggression? No. But it solves the most urgent problems at hand: Consensus, synchronization and rapid distribution of defensive capabilities at global scale.

Right now, civilian critical infrastructure cyber defense is about as organized as Market Street in 1906. The persistent APT aggression endured by these companies is unsustainable. This aggression threatens the continuity of critical goods and services, can tank the economy and compromises the US's ability to project power. We simply can't continue like this without sustaining irreparable damage to the American way of life.

So grab your brushes. We here at ANOVA Intelligence have the proverbial bucket of paint.

Note: Access to Nemesis is reserved exclusively for private-sector companies responsible for critical goods and services, defense departments and governments that are FVEY or NATO members/partners. (If you’re curious to learn more, please reach out to me directly.)
