If your company suffers a cyber attack attack by a foreign power, is that an act of war? Is it your responsibility or right to retaliate, or is it up to the government? When it comes to missile attacks, it’s not up to a corporation to fire back. That’s the military’s job. But when it comes to cyber defense, the responsibility falls to the corporation. Should it be a shared responsibility? Can we better defend ourselves with an improved cyber defense architecture that is developed by a public-private partnership?

General (Ret.) Keith B. Alexander (U.S. Army), Jamil N. Jaffer and Jennifer S. Brunet of IronNet Cybersecurity recently wrote an article on the subject, offering insights based on their deep experience in the intelligence, defense and government sector. Gen. Alexander, among many other posts, was Director of the U.S National Security Agency when he was tapped to head the U.S. Cyber Command. Jaffer was counsel on cybersecurity to the White House, the U.S. Senate and the U.S. Department of Justice. Brunet is former Protocol Officer with the NSA. They say the situation is an urgent one that must be addressed ASAP.

“When it comes to understanding what might constitute acts of war in cyberspace,” they write, “it is easy to imagine categories of cyberattacks with consequences that we would likely be prepared to call acts of war. For example, attacks that cause major loss of life, destruction or incapacitation of significant portions of key infrastructure, or even attacks that cause massive economic damage, are likely to cross that line. At the same time, there remains an enormous gray area of hostile nation-state actions that might approach, or may even cross such a line ….

“The U.S. must stay ahead of the problem, think clearly about the challenges we face, and effectively make the critical decisions that are before us today—in a time of relative calm and before a major incident. If we fail to do so, we will have no one to blame but ourselves when that day arrives, as it inevitably will.”


 

You can hear Jamil Jaffer on April 24 in New York — or via livestream on the Web — when he speaks at our Cyber Sector Risk: Critical Infrastructure seminar on how public-private partnerships can or should work.

Tom Hagy