Threats are increasing and, more than ever before, the security industry needs to come together if it hopes to get ahead of attackers, top security leaders said Tuesday at the 2017 RSA Conference in San Francisco, Calif.
"We are far away from declaring victory. We are going to need to do more and we are going to need to do more together if we are going to address this problem effectively," Brad Smith, Microsoft president and chief legal officer, said. "The time has come for us to come together."
Intel Security Senior Vice President and General Manager Chris Young compared what needs to happen in the security industry to the 1992 Olympic Men's Basketball team, where basketball superstars, including Magic Johnson, Larry Bird and Michael Jordan, had to put their previous competition aside for a broader goal of a U.S. gold medal.
"None of us can go it alone. We must work together as an industry," Young said. "They knew they could only win if they saw themselves as a small part of a much, much larger effort. There was no room for stars … We need our own 'Dream Team' in the cybersecurity industry. Working together, we are that team," he said.
That's a shift that has already started to come together in some ways, Young said. He cited examples of the "No More Ransom" website, which was formed through industry collaboration and helps victims of ransomware recover lost information, as well as the Cyber Threat Alliance, which was officially established this week by the top (and very competitive) leaders in technology, including Intel Security, Fortinet, Palo Alto Networks, Symantec, Cisco and Check Point Software Technologies.
Microsoft's Smith said there are three areas where security companies can step up. First, he said security companies should start with themselves, making sure they are leveraging the power of data instead of just creating security features. Second, he said the security industry needs to call on the government to step up. He said the public sector should form an independent cybersecurity organization – a "Digital Geneva Convention" of sorts – to form rules around cybersecurity, including government agreements to not engage in attacks on the private sector, assistance to private sector response efforts, vulnerability reporting, restraint in cyber weapons development, commitment to nonproliferation and the limiting of offensive operations.
Finally, Smith said the security industry needs to act to do more collectively. To accomplish that, he said the security industry should pledge to not assist in offensive actions, collaborate in development, collaborate in remediation of attacks, make software patches available to all, have coordinated disclosure practices for vulnerabilities and provide support for international defensive efforts.
"It's great that we do so many things alone. But, we need to do more together," Smith said. "Even in an age of rising nationalism, we as a global technology sector need to become a trusted and neutral digital Switzerland … I think a sense of humility is a positive force that can infect and help us all."
That push for collaboration also extends to a need for the cybersecurity industry to reach across the aisle to other areas of business, RSA CTO Zulfikar Ramzan said. Ramzan said there is currently what he called a "gap of grief," where the business teams and security teams aren't aligned. However, he said as security becomes more of a business problem, these two sides need to come together under an approach he called "business-driven security."