The Distraction of Attribution
5–13–2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, May 13, 2024, and we’re going to take a minute to re-calibrate the discussion around “nation-state” cyber risk - because it’s time to talk through this.
Distractions of Attribution
Last week was the annual RSA conference in San Francisco, arguably cybersecurity’s biggest event. Much of the discussion there focused on the current threat landscape, and I’d like to highlight a couple elements of these discussions and pull apart what’s useful - and what’s distracting - for those of us charged with actually defending our businesses from cyber risk.
Representatives of the US Government were out in full force to spread the news that nation-state threat actors are coming (and in many cases are already here).
It was nicely summed up by a couple of folks, including a reminder from the head of the NSA’s Cybersecurity Directorate that just because China’s “been caught doesn't mean that they're going to stop.” “When you think about the scope, scale and sophistication of the PRC, or even the Russians, they're always going to be pursuing their end goal objectives.”
Countering that idea was a Marine Corps Major General, head of US Cyber Command’s Cyber National Mission Force, who offered “that the adversary's not 10-foot-tall, and collectively we are not in the corner in the fetal position with an abacus.”
And while I can appreciate the vivid imagery offered by the Marine, I think it even goes beyond that in the sense that it doesn’t matter who the adversary is.
I mean, think about this: would you defend differently if it was China vs. if it was Russia? Or what about if it was the crew known as “Scattered Spider,” which is, by all accounts, made up of teenagers from the US and UK? I’m sure that MGM and Caesars - Scattered Spider’s biggest victims to date - don’t care about this distinction, from a defensive standpoint. So why should we?
At the same time, the FBI is warning that “foreign adversaries could use AI to spread disinformation about US elections”. Reporting notes that “The three countries of most concern to the FBI in the current election year are Russia, Iran and China. Officials in the past have ascribed different motives and ambitions to the countries in terms of what they hope to achieve by influencing American elections.”
But what, really, is the importance of the foreign adversary bit, here? If we’re worried, collectively, about the impact of AI on our elections, we should defend against that threat, regardless of the threat actor or their motivations.
In fact, utilizing motivations as a driver for a defensive strategy is a surefire way to create blind spots. Instead, our threat modeling should be centered on the things that have or create value for our organization, and should be scaled such that we aren’t spending $20 to protect a $5 bill.
Attribution and motivation are things that defenders (and policy makers and threat intelligence firms) spend significant effort on, with really very little return on that investment.
I would encourage all of us who are working on these threats at smaller scales - i.e. you’re not in charge of this for the NSA or Microsoft - to stay focused on defending what matters, not trying to figure out who is attacking and why.
Fundraising
From a fundraising perspective, we’re back with big numbers, with more than $35B in newly committed capital. That total is led by a new fund of more than $20B from Silver Lake, and we’re also seeing big announcements from other large, long-tenured firms such as TPG’s $5.3B Asia-focused fund.
All of this is culminating in some interesting data and discussions, including Axios noting that Private Equity has a record amount of dry powder (around $956 billion at the end of 2023).
And, while we’re still seeing fundraising outpacing dealmaking, we are also seeing interesting conversations around returns, including the idea of leveraging Net Asset Value loans to return cash to LPs.
Meanwhile, struggling public tech companies continue to seek shelter in private markets - the latest being Squarespace, which is taking $7B from Permira to go private.
So - long story short - there are still good deals to be made, funds to be raised, and companies to be built (and defended). We’re still having fun, right?
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://therecord.media/cyberthreat-landscape-altered-chinese-operations
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
https://www.washingtonpost.com/technology/2023/09/22/mgm-hack-laid-to-star-fraud/
https://apnews.com/article/fbi-ai-russia-china-election-security-7200abc0215e822c84f032605bed41b9
https://pitchbook.com/blog/what-is-dry-powder
https://www.cnbc.com/2024/05/13/squarespace-to-go-private-in-7-billion-private-equity-deal.html