Beyond better internal awareness and controls, there is a need for broader, ‘out-of-the-box’ planning to address weaknesses in the wider ecosystem. While national or regional governments might logically provide this oversight and coordinate cyber security strategies for critical industries, few governments have embraced the task.
Exceptions include the UK’s Government Communications Headquarters (GCHQ), which, through its National Cyber Security Centre, promotes cyber vigilance in industry; the U.S. Department of Homeland Security and other agencies that drive industry standards; and Singapore’s efforts to apply stringent cyber security regulations. However, most countries have yet to implement comparable regulatory frameworks.
Cooperation is also limited at the trans-national level, owing to a lack of political consensus and the slow pace of legislative change. For example, although the European Union is in the midst of updating its Network and Information Security Directive (NIS), it could take years for the NIS 2 Directive to be transposed into national law and enforced within member states. Even basic cross-border sharing of intelligence to alert national agencies to emerging cyber threats is still in its infancy.
In light of these realities, the critical task of ecosystem protection may hinge on industry collaboration, with leadership from the largest infrastructure and technology firms, which can bring their counterparts to the table to agree common principles and practices. Such industry-wide consensus could ultimately spur corresponding regulatory activity. This kind of ‘industry-made’ solution has already emerged in the banking sector, where Europe’s largest banks worked together nationally and internationally to draft common cyber security standards and threat intelligence sharing arrangements.
This industry-driven approach could produce better ‘out-of-the-box’ strategies, grounded in the real-world field experience of operators who already practise meticulous risk mitigation for their internal, physical assets. Today, most companies can quickly shut down all or part of their own operating environment if a problem occurs and revert to alternative processes. This ‘can do’ mindset must be extended to the ecosystem level, so that risks arising from an industry’s labyrinth of dependencies are identified, work-arounds are developed, and back-up plans are tested and rehearsed jointly by companies, industry bodies, technology providers and regulators.
While it will take time and commitment for the many stakeholders to develop effective ‘out-of-the-box’ approaches to managing the risks embedded in their ecosystems, it is encouraging that industry participants are now taking preliminary steps.
Like any major challenge, it must begin with awareness, and recent headline cyber-attacks are prompting CEOs and heads of state to ask: ‘What assets do we have?’, ‘What is our level of Operational Technology maturity?’ and ‘How could the ecosystem impact our ability to operate?’ The next step is collaboration between industry, government and technology providers to think outside the box and protect the critical infrastructure upon which we all depend.