The writer is former director of the US National Security Agency and founding commander of United States Cyber Command. He currently serves as chair and co-CEO of IronNet.
Right now, the world has a front-row seat to what could possibly be the first full-scale cyber war in the making. With some 130,000 Russian troops arrayed around Ukraine’s borders, the risk of invasion is high, and there can be little doubt that such a modern military campaign would almost certainly include an extensive cyber attack component. Even if there is ultimately no attempt to invade Ukraine with conventional forces, there is widespread consensus that President Vladimir Putin has put himself in a position where he must do something. A cyber attack — which is easy and comparatively cheap — is likely to top that list. As Russia showed during the 2008 Georgia conflict, hacking government systems as well as financial and energy sectors can cause chaos.
Though some in the west may believe this isn’t their problem, that attitude reflects a disregard for history. It was less than five years ago that Russia conducted NotPetya, a cyber attack targeting Ukrainian power, transportation, and financial systems in an attempt to further destabilise the country. But rather than being the cyber equivalent of a precision smart bomb, NotPetya spread rapidly across the globe.
The attack caused companies around the world — including in the US, UK, France, Germany, and India — to suffer massive operational disruptions. With ripple effects hitting nearly every corner of the global economy, total worldwide costs were estimated by the White House to exceed $10bn.
Today, not only is the threat of a cyber attack higher, but the risk of damage is far greater. Microsoft has already warned that it has detected destructive malware recently placed within Ukrainian computer networks, spanning multiple government, non-profit and information technology organisations. The lesson learned from NotPetya is that once activated, this malware could spread far beyond its intended targets.
The US Department of Homeland Security has warned that even if a cyber attack targeted against Ukraine did not spread beyond its borders, Russian disruptive or destructive cyber attacks directly against the US are possible. This is a real risk for all Nato members.
Finding an escape from this particular crisis is beyond the power of any individual organisation, company or executive. But what is within our own control are the often woefully inadequate cyber defences we deploy. While there is no silver bullet, it is clear that a foundational element of securing our systems is the concept of collective defence. This connects companies and other organisations — especially in critical infrastructure — with each other and with government, in order to share anonymised data about attempted cyber intrusions and attacks at the speed of modern networks. Most recently, collective defence helped detect adversaries trying to exploit the Log4j vulnerability, which was used to infiltrate the Belgian ministry of defence, among other targets.
Today, most cyber attacks are directed against multiple targets simultaneously, but the victims — and the government agencies charged with protecting us — are currently unable to see when and where those attacks are taking place. No one has time to draft a memo or send a warning email when data is disappearing off the screen before their eyes.
A collective defence approach creates a radar-like picture of cyber space, enabling multiple teams to take on adversaries immediately. Imagine a group of 100 midsize companies with 10 network security operators each. Collective defence changes their entire dynamic: instead of 10 people fighting on their own against Russian-backed cybercriminal groups, there are 1,000 security professionals rallying together the instant any of them comes under threat. I like those odds a lot better.
The company I co-founded after leaving the military, IronNet, focuses on collective defence. But this global vision for a more secure future is shared by many other cyber leaders. General Paul Nakasone, the current commander of US Cyber Command, recently wrote that “cyber security is a team sport: the scope and scale of the problem are too large for any single organisation to tackle alone,” while the Office of the National Cyber Director at the White House stated that “shared defence is an imperative, not a choice”.
Cyber security remains the exposed underbelly of democracies around the world. Ukraine is already facing the cyber-equivalent of a howitzer. We will all be faced with a 9/11-scale threat in cyber space — the question is simply when. Banding together is a must if we are to protect ourselves against one of the greatest risks to a prosperous and peaceful future.