Roles, Responsibilities & Resources in Defending Cyberspace
By Christian Schnedler, Chief Information Security Officer and Cyber Practice Lead
It takes a village. That’s the core takeaway from the Biden administration’s new cybersecurity strategy, announced in March. As cyberattacks escalate in frequency and complexity, the White House argues that too much of the burden has fallen on individuals, small businesses and local governments. “Instead, across both the public and private sectors, we must ask more of the most capable and best-positioned actors to make our digital ecosystem secure and resilient,” the strategy says. In other words, technological trailblazers and established companies need to step up.
Defending against a growing threat
The strategy is a response to the new Cold War that has been brewing in cyberspace for at least the past decade. Cyberattacks, from both state-sponsored and private actors, are growing more common and severe. Historically, the bulk of attacks focused largely on espionage and financial crime, including fraud and ransomware. Today, more threats are also targeting operations that can cause incalculable harm to people in the real world, such as attacks on power grids, oil and gas pipelines, airports and other critical infrastructure. The war in Ukraine has highlighted the potential severity of attacks, including a thwarted Russian hack that would have left 2 million Ukrainians without power. The United States is not immune to such aggression, and defense of the nation’s vital infrastructure is a key focus of the White House’s strategy.
Despite advances in technology that can address these threats, the strategy points out that current efforts fall short. For much of the past 20 years, the cybersecurity industry has been relegated to check-the-box compliance exercises and subjected to enterprise risk management paradigms not rooted in cybersecurity. As the current administration has rightly identified, this approach is intolerable and even reckless now that the risk calculus of cyber attacks includes potential loss of human life.
The Biden administration is not alone in its campaign to elevate the profile of cybersecurity and bring the conversation to the boardroom. The invisible hand of the market is also at work, most notably in the form of exponentially rising cybersecurity insurance premiums and hurdles to insurability. The White House’s cybersecurity strategy adds teeth to this shift by compelling companies to report security breaches rather than shielding them from the public for fear of liabilities and reputational damage.
The power of networks
In essence, the White House argues that the key to addressing this perilous situation is collective defense: Government agencies, private companies, civil society and others must come together to share information, protect critical assets and defend cyberspace. The new strategy, along with the SEC’s proposed requirements to mitigate cybersecurity risks, pave the way for improving the status quo by incentivizing companies to disclose information. This should embolden established information-sharing forums, most notably the Information Analysis and Sharing Centers (ISACs). As these conversations gain traction, there has never been a better time for businesses to distinguish themselves by taking a leading role in the fight against cyber attacks.
This approach to network-based, collective defense aligns well with WestCap’s investment philosophy and approach to value generation. Some of the strongest, most innovative companies driving America’s economy benefit from network effects. Just as network-affected business models are often best-positioned to win a market and establish unassailable barriers to competition, we believe that network-affected collective defense models will win the “gray zone” cyber war America currently finds itself in.
So what are the hallmarks of a network-affected model? In short, network-affected models are those in which every new consumer or supplier benefits the whole. Recently, technology has advanced to support network-affected models in cybersecurity: Every new member that joins a network can alert others to emerging attacks, and defenses used by one member can be deployed by everyone.
For example, although our investment professionals at WestCap have invested in cybersecurity for decades, one of the first cybersecurity investments made by WestCap itself was in HUMAN Security. What excited us most about this company was HUMAN’s Defense Platform that enables protection against account takeover attacks, credential stuffing, web scraping, transaction abuse, and account fraud where a detection event for one of its customers is a protection event for all 500 of their customers. This is further strengthened by the HUMAN Collective, an information-sharing community led by some of the strongest brands in media who faced constant attacks by advertising fraud schemes.
Similarly, Dragos, our most recent cybersecurity investment, enables every new oil company, utility or manufacturer that joins the platform to monitor new attack patterns to better deploy defense measures against similar tactics. Every additional customer serves to reinforce collective intelligence, identifying threat activity and distributing that information to other participating customer systems to identify subsequent attacks. Even novel “zero day” vulnerabilities often rely upon tried-and-true attack patterns to gain access to a target and successfully execute the exploit.
Said differently, network-affected defense models operate like an immune response: Once the system gets to know the threat, it can protect against similar incursions in the future. This approach increases the cost of business for cybercriminals, since each operation becomes bespoke. It also limits the damage that attackers can do, as members of the network share information and get out in front of threats.
The opportunity ahead
We’re excited to continue using our expertise at WestCap to help cybersecurity firms think through how to build effective networks and scale across industries and geographies. The White House’s strategy can serve as a galvanizing force, but the private sector will have to do its part to keep cyberspace safe and work together to tip the balance. Together, we can protect the sanctity of the internet and help safeguard civilization.
About Christian Schnedler
Christian joined WestCap as its CISO and Cyber Practice Lead in 2020. In this capacity Christian leads WestCap’s Security, Risk and Compliance practice area within StratOps while facilitating WestCap’s cyber investment thesis, evaluating cyber investment candidates, and conducting due diligence. Christian also oversees WestCap’s cyber advisory board composed of security leaders across WestCap’s portfolio, CISOs of publicly traded companies, and recognized security thought leaders. Christian’s career prior to WestCap includes running a defense contractor in identity & access management, serving as the Director of Strategic Technology Programs for the NYPD, and founding/scaling multiple digital marketing and media agencies. You can check out details and reach Christian on LinkedIn.
The above is provided as an illustrative example and designed to demonstrate the benefits to portfolio companies of partnering with us. The information is aimed at prospective portfolio companies and not intended to solicit investors, or an offer to purchase any securities. The experiences highlighted may not necessarily represent or be indicative of current, past or future results and experiences with portfolio companies.