In a report entitled “Building a Defensible Cyberspace,” the New York Cyber Task Force highlights strategies for government, cybersecurity companies, and other IT-dependent organizations.
“Cyber security professionals are tired that year after year, decade after decade, attackers have had the upper hand,” said Jason Healey, a senior research scholar at Columbia SIPA who is the report’s lead author. “We need more fundamental change for more defensible enterprises and a more defensible cyberspace as a whole.”
Among the report’s findings:
It is possible to establish a more defensible cyberspace—an Internet where defenders have the advantage over attackers.
Defending cyberspace will not require a “Cyber Manhattan Project.” Security professionals have developed effective strategies in the past, and with the right kind of innovations defenders will once again enjoy the advantage.
Improvements may come from unexpected places and rely on unglamorous strategies.
The best options use leverage—innovations across technology, operations, and policy that grant the greatest advantage to the defender over attackers at the least cost and greatest scale.
The task force’s recommendations to achieve leverage—based on lessons drawn from five decades of past innovation—are laid out in a simple but rich graphic. They call for more transparency and risk-based governance and increased use of cloud computing and other new technologies. The report also stresses the importance of federal funding, collaboration across sectors, and flexibility and resilience.
The New York Cyber Task Force included about 30 senior-level experts from New York City and elsewhere, counting among its members executives in finance and cybersecurity, former government officials, and leading academics. The group’s co-chairs are Phil Venables, a partner and chief operational risk officer at Goldman Sachs, Greg Rattray, managing director of global cyber partnerships and government strategy at JP Morgan Chase, and Merit E. Janow, the dean of Columbia University’s School of International and Public Affairs, which organized the task force.
“Organizations must leverage innovations and new technologies to constantly expand their cyber defense efforts,” said Venables, who stated he wanted the report to address the concerns of executives seeking to defend their companies in depth.
“We must not overlook operational and policy innovations,” said Rattray. “We’ve made many gains in information sharing, for example, that help with attribution of attackers and reducing their ability to circumvent responsibility. Now we have to build on that trust and pursue even closer operational collaboration in the form of sectoral and public-private cyber systemic risk analysis and proactive contingency response planning.”
Other contributors included Katheryn Rosen of the Atlantic Council, Neal Pollard of PwC, Dmitri Alperovitch of CrowdStrike, Melody Hildebrandt of 21st Century Fox, David Lashway of Baker McKenzie, Elena Kvochko of Barclays, John Carlson of the FS-ISAC, Ed Amoroso of TAG Global (and former CSO of AT&T), and Columbia University scholars Steven M. Bellovin, Arthur M. Langer, and Matthew Waxman.
The co-chairs and selected task force members discussed the report at an event this afternoon hosted by PwC.
Read the report at https://sipa.columbia.edu/defensible-cyberspace.