So how might enterprises move from resilience to active defense? Here's one way not to do it, according to panelist Richard Baich: don't listen to all the Jason Bourne wannabes running loose in the commercial sector.
The panel on deterrence and resilience was moderated by AECOM's Bob Butler, and it included not only Wells Fargo's Richard Baich, but also Scott DePasquale (Financial Systemic Analysis and Resilience Center) and Irv Lachow of the MITRE Corporation.
Perhaps one lesson being learned is the importance of achieving a holistic understanding of risk, and of conducting the sorts of exercises that produce an understanding of interdependencies. Baich noted that Quantum Dawn, the financial sector's major cyber exercise, was wrapping up as they spoke. For the first time, Quantum Dawn was held on a cyber range, and we're beginning to see a "dynamic, operationalized" approach to risk management.
DePasquale, describing his organization, FSARC, and its mission of serving financial services and financial utilities, also stressed the importance of understanding the interdependencies that affect the security in complex systems. Institutions depend upon an interplay of policies, practices, and technologies. FSARC seeks to help the sector better account for its vulnerabilities.
Looking internationally, Lachow saw a range of national preparedness for and appreciation of cyber risks. At the top tier one sees countries like Israel and Estonia, where there's considerable sophistication. Below that there's a strong "demand signal." Lachow wanted to distinguish active defense from hacking back: "These may occupy points on a continuum, but they're distinct." He sees the US ACDC Act (which would empower companies under certain circumstances to retaliate against cyberattack) as a generally positive step, but offered some cautions. Hacking back by companies would, under many circumstances, expose the US Government to liability under international law.
For his part, Baich wanted little of it. He sees hacking back by the private sector as massively risky, and this is where he deplored the number of Jason Bournes running around in the private sector who think they know all sorts of things about what the Government can do, and what they can do with the Government. There are indeed immense capabilities the Government can easily bring, but they're not the stuff of spy fiction or action flicks (we paraphrase here). For a sound model of Government assistance to the private sector, Baich thinks current Treasury Department practices offer a good, workable, and helpful model.