Rethinking Disclosure as a Common Good
9–11–2023 (Monday)
Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth-stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, September 11, 2023, a somewhat somber day of remembrance here in the United States and in many places around the world, reflecting on the terrorist attacks of September 11, 2001 - certainly a defining moment in the trajectory of my own life.
We’re going to continue with the aviation risk theme this week while we rethink disclosure - building on a string of news from last week.
Rethinking Disclosure
Our friends at Krebs Stamos (founded by former Facebook CISO Alex Stamos and former CISA Director Chris Krebs) published an interesting executive brief last week on rethinking aviation cybersecurity.
They cite a string of issues from the past week - including a flawed software update that forced a nationwide ground stop for United, Canadian budget carrier WestJet suffering a network issue, and reservations provider Sabre getting ransomed (or at least a ransomware gang claiming to have done so).
At the same time, CISA is noting that “multiple nation-state actors” have been targeting the aeronautical sector since January through a couple of different zero-day vulnerabilities. Side note: this is why you keep logs for 18 months - so that when new intelligence lands, you can look back at activity you had no reason to flag at the time and hunt for it.
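To make the side note concrete, here is an added illustration (not code from the brief or from the CISA advisory) of a retrospective hunt: a freshly published indicator list is matched against archived firewall logs, and the same hunt is run under 90-day, one-year and 18-month retention to show how many hits a shorter retention would already have purged. The indicators and log lines are constructed for the example (TEST-NET addresses and a reserved example domain), not real indicators from any advisory.

```python
"""Retrospective threat hunt over archived firewall logs.

Added illustration: the IOCs and log lines below are constructed
(TEST-NET addresses, reserved example domains), not indicators from
the CISA advisory or any real incident.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical indicator list, as if published in a new advisory today.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-cdn.example.invalid"},
}

# Constructed log sample spanning roughly 15 months, one line per connection.
# Format: ISO-8601 UTC timestamp, then key=value pairs.
LOG_LINES = """\
2022-06-03T11:02:51Z src=10.20.4.17 dst=203.0.113.45 dport=443 host=update-cdn.example.invalid action=allow
2022-06-03T11:03:10Z src=10.20.4.17 dst=93.184.216.34 dport=443 host=www.example.com action=allow
2022-11-19T22:47:03Z src=10.20.9.3 dst=198.51.100.7 dport=8443 host=- action=allow
2023-02-08T08:15:44Z src=10.20.9.3 dst=198.51.100.7 dport=8443 host=- action=deny
2023-07-30T16:00:12Z src=10.20.2.40 dst=192.0.2.10 dport=80 host=www.example.org action=allow
2023-08-21T05:12:09Z src=10.20.4.17 dst=203.0.113.45 dport=443 host=- action=allow
"""

# "Today" for the example, so the retention arithmetic is reproducible.
NOW = datetime(2023, 9, 11, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class Hit:
    ts: datetime
    src: str
    indicator: str
    kind: str  # "ip" or "domain"


def parse_line(line: str) -> tuple[datetime, dict[str, str]] | None:
    """Parse one log line into (timestamp, fields); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return ts, fields


def hunt(lines: str, iocs: dict, *, now: datetime, retention_days: int):
    """Match IOCs against every line. Returns (retained, purged): hits still
    inside the retention window, and hits that a window of this length
    would already have deleted before today's intelligence arrived."""
    cutoff = now - timedelta(days=retention_days)
    retained: list[Hit] = []
    purged: list[Hit] = []
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        hits = []
        if f.get("dst") in iocs["ip"]:
            hits.append(Hit(ts, f.get("src", "?"), f["dst"], "ip"))
        if f.get("host") in iocs["domain"]:
            hits.append(Hit(ts, f.get("src", "?"), f["host"], "domain"))
        (retained if ts >= cutoff else purged).extend(hits)
    return retained, purged


def first_contact(hits) -> datetime | None:
    """Earliest retained hit: the best available estimate of when it began."""
    return min((h.ts for h in hits), default=None)


def summarize(retention_days: int, now: datetime = NOW):
    """(visible hits, purged hits, earliest visible hit as ISO-8601 or None)."""
    kept, gone = hunt(LOG_LINES, IOCS, now=now, retention_days=retention_days)
    earliest = first_contact(kept)
    return len(kept), len(gone), earliest.isoformat() if earliest else None


if __name__ == "__main__":
    for days in (90, 365, 548):  # ~3 months, 1 year, ~18 months
        kept, gone, earliest = summarize(days)
        print(f"retention {days:>3}d: {kept} hits visible, {gone} already purged, "
              f"earliest visible {earliest}")
```

With 90 days of logs only the most recent beacon is visible and the intrusion looks a month old; with 18 months the first contact in June 2022 is still on disk, which changes the scope of the investigation entirely. The point is not the matching itself but that retention decides whether the hunt can be run at all once the indicators finally arrive.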
So, what does this have to do with rethinking disclosure?
Well, for one, we’re continuing to see industry-based attack patterns develop - whether that’s in financial services, education, or, in this week’s case, aviation.
In many industry verticals, there are shared pieces of infrastructure or software that facilitate these attack patterns. So shared intelligence - in the form of disclosure, formal or otherwise - can prevent these attacks from spreading.
Additionally, as we continue to connect our devices - from lightbulbs to airplanes - to networks and to the Internet, we increase both complexity and systemic risk.
Increased disclosure helps all of us be better at defending what we’ve built from those who really seek nothing other than to disrupt and destroy our companies for their own financial gain.
Think of this as a shared resource, a collective defense: another layer in the Defense in Depth approach, and more eyes and brains in the fight, adding to a Diversity of Defense.
Up until now, we’ve suffered from a perverse cyber version of the tragedy of the commons, where individual companies act in their own best interest and ultimately everyone suffers. In this case, of course, their own best interest is not to disclose the nature and extent of an incident, which lets the threat actors repeat their attacks on others who might otherwise have been able to adjust and defend.
We’re going to have additional forced disclosures soon - whether that’s public companies via the new SEC rules, private companies through enforcement actions, or insurance claims.
Why not gain some benefit from these disclosures? If we treat them as a collective resource, we are almost ALWAYS going to benefit from the knowledge shared, with the rare exception being the occasions when we’re the ones who need to disclose.
Rethinking disclosure is yet another tool in our toolbox. Attackers are using our default posture of “commercial best interest” against us; changing that posture is not only tremendously effective, but also completely within our control. The only hurdle? Nobody can go it alone in this model - we’ve all got to go together.
Fundraising
Another very quiet week of fundraising, with only a few billion in newly committed capital, led by $1.6B from Matrix Partners China, which seems interestingly timed. Matrix has traditionally done well with their counter-cyclical timing, however, so I have no reason to doubt - but will be watching closely.
Meanwhile, in the public markets, IPO roadshows are underway, with all eyes on valuations. As SPAC-mania finally loses its luster, it’s nice to see more traditional offerings returning, even if the numbers aren’t quite as bonkers as they have been.
You can find all the links to the stories we covered in the comments section below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next Monday for another Intentional Brief.
Links
https://intel.ks.group/p/ksg-exec-brief-final-boarding-call
https://www.cbc.ca/news/business/westjet-delays-1.6958071
https://techcrunch.com/2023/09/06/ransomware-gang-claims-credit-for-sabre-data-breach/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a