IronNet : In an Era of Real-Time Cyber Threats, No Company Can Go It Alone

About the authors: Gen. (Ret.)Keith B. Alexander is the former director of the U.S. National Security Agency and the founding commander of U.S. Cyber Command. He currently serves as the founder, chairman, and co-CEO ofIronNet, a cybersecurity company.Tom Fanning is chairman, president, and chief executive officer ofSouthern Company, a U.S. energy company. He previously served as a commissioner of theCyberspace Solarium Commission.

Over the past two decades, we have witnessed the explosive growth of the digital world. The importance of cybersecurity has grown rapidly alongside that transformation. Personal information. Intellectual property. The nation's wealth and future prosperity. All depend on a networked digital backbone-not to mention the everyday devices that run our lives.

While we see tremendous opportunities for our future, including ways that digitization can yield better efficiency and sustainability in the energy sector, we also see tremendous vulnerabilities. The vast array of devices, operating systems, now-connected industrial controls, applications, and networks makes the new digital world a tough security issue. Teams are constantly working to defend, but, as we are learning, that work is advancing too slowly. We cannot give up all the promises of digital transformation, so we must continue our journey to secure our digital infrastructure, going beyond incident response by making a leap to incident prevention through real-time collective defense.

Companies across all sectors have made significant progress in understanding the importance of our shared digital world and their role in bringing that world to fruition and-just as important-securing it. We are witnessing a rapid surge in cybersecurity and cyber education.

The U.S. government is on board too, having recently passed legislation that is paving the way for sharing information on incidents that affect critical infrastructure environments. Signed into law March 15, the Cyber Incident Reporting for Critical Infrastructure Act requires the reporting of certain cyber incidents within 72 hours and/or the reporting within 24 hours of ransomware payouts. This law is an important milestone in recognizing the importance of cybersecurity, yet much more needs to be done.

Wouldn't you rather prevent an incident-or at least detect it very early in the intrusion cycle-before there is business impact or destruction instead of after the fact? Think about it: If a missile were fired at a company, it would be crazy to allow 72 hours to pass before the attack is reported. Companies expect the U.S. government to stop such an attack with the nation's missile defense program. And we built a missile defense system to provide that security.

Given the threat of destructive attacks launched from the cyber realm, we need the same type of defense in cybersecurity. In this journey, companies must work together to build the equivalent of a real-time cyber radar picture to protect sectors, and exchange that real-time data with the government, so the government can act fast to shoot down the cyber missiles. While this scenario requires a transformation both in mindset and technology, and will take time, it is important that we have a program that allows the nation's companies to be protected in real time when they are being attacked in cyberspace, not after. It's hard to get it right, and some might say impossible, but we need true, real-time collective defense to protect our nation, as do our allies.

So how do we build a cyber radar view?

First, we need to go beyond our current detection capabilities that detect what we already know, to a real-time behavioral "eventing" threat engine that detects what we need to know-in other words, those stealth cyber attacks as they are occurring. We will always need the current detection capabilities to block the bad things we know to prevent the known malware. As the SolarWinds incident highlighted, however, the ability to see attacks as they are occurring is imperative, not six months after they began when it's too late to stave off a significant impact. Each company should be able to see these events in a view that serves as an early warning system for all.

One challenge to current approaches to cybersecurity is that we don't have enough people in companies to work through the events, especially with the increase in networked devices and the volume of data coursing across networks (whether on premises or coming to or from the cloud). It is therefore equally important that we exchange event information at network speed at companies, leveraging our cyber resources in real time.

Currently, one company with two analysts is no match for nation-state offensive capabilities and criminal hackers with nation-state tools and financial backing. Now imagine 2,000 companies working together with anonymized threat information. That would put 4,000 defenders to work together, crowdsourcing and knowledge sharing, in turn reducing time to detection and truly driving toward real-time attack detection. Without question, private sector companies need to work together, exchanging threat-related cyber information at network speed. No company can go at it alone anymore.

A key step is to build a public-private partnership for shared defense, as highlighted in the March 2020 Solarium Commission Report and what senior cyber administration officials have recently described. We must focus first on securing those assets prioritized within our national critical infrastructure and codified as "systemically important critical infrastructure," the "disruption, corruption, or dysfunction [of which] would have a debilitating effect on national security, economic security, public health or safety, or any combination thereof."

Within a collaborative partnership between the public and private sectors, we can see and respond to sophisticated and nation-state-backed threats to systemically important critical infrastructure in real time. In fact, the Department of Homeland Security's Cybersecurity and Information Security Agency is standing up that capability today with its Joint Cyber Defense Collaborative effort to unify defensive actions and drive down risk in advance of cyber incidents occurring.

The ability to anonymize threat-related information allows companies to share it with the government. This is work the energy sector has helped pioneer in a program referred to as "shoot the archers." Specifically, this means sharing that same information with the government so they can shoot the archers and take down cyber missiles heading toward our nation and critical infrastructure before there is a destructive impact.

CISA is key in linking the private sector with the public sector to make collective defense a reality. CISA's partnership with the Defense Department to share that same information at network speed ensures the most important assets are protected. Working with the FBI's National Cyber Investigative Joint Task Force, we can concurrently go after criminal hackers who are trying to steal information and money from our companies, state and local governments, and our nation.

The cloud is one of the critical technology advances that make collective defense for cyber security possible. Cloud capabilities, coupled with machine learning and artificial intelligence algorithms, help drive down false positives within a company's view. Sharing those detections enables all companies to strengthen their security posture through crowdsourcing and knowledge sharing.

To be clear, we are on a journey toward collective defense. We already can see the importance of collective defense in exercise and the concrete ways that machine learning and AI will drive us toward better cybersecurity. Now, we need to implement and begin training. This transformation will not happen overnight, but we know that it not only is possible but also is the key to defending our nation in cybersecurity.

The bottom line is we need to evolve the way we think about cybersecurity. Missiles travel fast and require rapid decision-making. In the cyber realm, however, attacks happen at the speed of light. We need to be able to defend at the same speed. We must continue the journey and practice working together, as a nation and with our allies, in cybersecurity.

Guest commentaries like this one are written by authors outside the Barron's and MarketWatch newsroom. They reflect the perspective and opinions of the authors. Submit commentary proposals and other feedback to ideas@barrons.com.