ASP Business Council for American Security member organization Fortinet recently formalized a relationship with NATO with the aim of combining the best practices of the private sector and multi-lateral, international organizations in cyber security.
Fortinet team members John Welton, James Jasinski, Erika Buenrostro and Derek Manky discussed this new partnership, and how it can serve as a case study for similar projects going forward.
What are some best practices that the private sector can do to work on cyber security with the government?
James Jasinski, Vice President Federal Business Development: There is a natural desire to categorize, segregate and order data into distinctive bundles. This usually makes projects more focused and is critical in defining the problem.
The Internet of things, however, is one homogenous entity which is indistinguishable in operation, even when we try to create distinctions such as intranet and Internet systems. That is true whether inside or outside of the government. Protection is both operationally and economically tiered and segmented. Understanding how this is accomplished is critical.
But success is iterative and dynamic, often with greater insights arising from the less successful than the successful. Those insights and understandings are the core principles for best practices, and sharing with the government enhances security for all.
How can enterprises in the private sector work more closely with governments at home and abroad?
Jasinski: Better integration and alignment of the how, the who, the what and the where. But to achieve that better alignment requires a clear set of rules which society accepts as balancing the dialectic of privacy and security.
This balance is still in a state of flux, as demonstrated by the current discussions over rights and duties – the right to privacy, the duty to provide security. To date each organization, community and country is still in the process of finalizing an acceptable balance. Resolution requires participation by multiple parties in this dialogue process, because until we achieve acceptable guidelines, efforts will be “one offs” as opposed to generally acceptable cooperation.
How did Fortinet connect with the NATO Communications and Information (NCI) Agency to facilitate this partnership?
Erika Buenrostro, Global Account Manager NATO: Cyber Defense is a complex task that cannot be accomplished alone. Attackers are smart, agile and sophisticated, they can operate in the dark with no strings attached to standards and procedures.
In such context, collaboration is very important and NATO understands that. NATO is very open for dialogue with the private sector to find new ways to respond to evolving threats.
We engaged with the NCI Agency and realized that the research job that we do at FortiGuard Labs could add tremendous value to NATO efforts and that we could also benefit by learning in the process. We started the conversation around information sharing on cyber threat intelligence and that led us to strengthen the collaboration via the NATO Industry Cyber Partnership (NICP).
What was the process like writing up the agreement with such a large organization? What lessons could other private enterprises take from that process?
Buenrostro: Independently of the organisation size, a successful partnership relies on mutual trust, commitment and the same end goal.
The recommendation is to start with a reduced scope in which results can be measured and achieved in a reasonable amount of time and to grow from there. There is still a lot of work to do for government agencies, private sector, academy and law enforcement to effectively team up against attack campaigns.
At the same time, this is a unique opportunity for organisations to develop contra-measures to cybercrime.
What does the future of information sharing look like? Do you see this agreement as a model to work off of?
Derek Manky, Global Security Strategist: There is a greater mission on the part of every security vendor to make the world safer and more secure for people to interact, do business, and to communicate ideas. Public and private sector partnerships will remain a big opportunity in the future, this agreement is a great model and example for others to follow over time.
In addition, contextual information is very important, while safeguarding privacy and only sharing and correlating non personally identifiable information (PII). Indicators of compromise (IOC), traits related to an adversary, campaign or tactic often have a short shelf life. Sharing information promptly and proactively across all verticals is essential moving forward. Security controls need to be able to digest automated threat intelligence and take action. The vast amount of threat intelligence that exists today and more coming tomorrow cannot be managed otherwise.