Cyber security experts lament west’s failure to learn lessons from Ukraine
The recent Black Hat conference held in Las Vegas was a magnet for the world's top cyber minds. One figure who stood out was Victor Zhora, Deputy Chairman and Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection of Ukraine. His compelling discourse on Ukraine’s experiences in countering Russian cyber attacks and navigating the terrain of hybrid warfare offered invaluable insights. However, his account also underscored a gaping void in the Western world's cyber-defensive strategies, drawing attention to challenges that should alarm us all.
Firstly, Zhora’s remarks about Ukraine’s adaptation since the annexation of Crimea in 2014 were poignant. He depicted a nation that has made cyber capabilities an integral part of its defense mechanisms. His country's approach is agile and flexible, moving swiftly to counter threats in real-time, often involving a free flow of sensitive information among stakeholders. The West, notably the U.S. and its allies, while financially backing Ukraine’s cyber initiatives, appear to have failed in integrating such adaptability into their own defense systems.
The most glaring shortcoming in the West's approach lies in bureaucracy and inter-agency conflicts. In Ukraine, when a new security protocol needs implementation, the word of a government official is enough to set things in motion. However, in the West, executives complain of getting bogged down by regulatory bottlenecks and legal roadblocks. This is alarming, considering that the cyber domain is an ever-mutating battlefield where seconds can make the difference between a thwarted attack and a successful breach.
In the U.S., the dichotomy of classified and non-classified information poses another challenge. The reluctance to share data, often labelled as sensitive or classified, cripples the ability of allied entities to respond in unison to emerging threats. It’s time for radical transparency, as advocated by experts like John Shier from Sophos, who argue that the proactive sharing of data can arm us better against common enemies.
This cautionary tale extends to the business sector as well. Corporations, for fear of stock market repercussions, are hesitant to disclose security breaches. This could change with potential legislation requiring immediate disclosure of material breaches, but even this is not without contention, as the U.S. Chamber of Commerce disputes these new rules.
Meanwhile, the labyrinthine struggle among agencies like the FBI, DHS, and CISA only adds to the inefficiency, culminating in a chaos that adversaries can exploit. Robert Lee of Dragos pointed out that the inter-agency conflicts are far worse than the public perceives, raising questions about the cohesiveness of our cyber-defense strategies.
While the U.S. claims "deterrence as defense," arguing that mutual awareness of capabilities holds certain attacks at bay, this may be a temporary solution to a rapidly escalating problem. Victor Zhora's presentation highlighted not just Ukraine's challenges but also its triumphs in cyber-hybrid warfare, offering a roadmap for the West if we are willing to adapt. As Jen Easterly, the CISA director, rightly puts it, "a threat to one is a threat to all."
Therefore, it's time we started learning earnestly from those who have been in the trenches, and not just from a distance, but by deeply ingraining these hard-won lessons into our own cybersecurity frameworks.
