In February, President Barack Obama issued a cybersecurity executive order that directs U.S. intelligence agencies to share information on potential cyber threats with private businesses that are considered part of the nation’s critical infrastructure. The order also gives government agencies a year to devise a “baseline framework” for cybersecurity that incorporates peer-based standards and industry best practices. This week, the National Institute of Standards and Technology (NIST), which is part of U.S. Department of Commerce, hosted the first in a series of cybersecurity workshops designed to help develop this framework in Washington, D.C.
But while government officials and industry leaders meet to exchange ideas about how to best approach the problem, hackers are hard at work devising new ways to steal information and create chaos. Just last month, the Department of Homeland Security sent out a notice to government emergency communications centers warning them about the threat of telephone denial of service (DoS) attacks by those attempting to extort money by flooding public safety answering points (PSAPs) with calls to block phone lines. According to the story, there have been about 600 of these attacks reported so far, but none have yet to impact 911 lines.
According to Andrzej Kawalec, chief technology officer for Enterprise Security Services at HP, achieving a balance between enabling access to data and protecting it proves difficult when the threat is constantly evolving and the black market continues to grow.
“Our ability to respond to that hasn’t been amazingly successful as an entire industry,” he explained. “The focus on reactive controls and traditional security countermeasures can only help so far in that we’ve become very adept at defending our networks as though they were a line in the sand. And when you build sandcastles, the sea will rise and all of a sudden you fill find yourself cut off with your walls slowly eroding and I think that is the situation many enterprises have found themselves in.”
Another problem is that the frequency with which attacks and breaches are occurring has increased exponentially, which Kawalec attributes mainly to innovations in technology. “Five years is a huge horizon in the tech world and in the security world. The iPad wasn’t even born five years ago,” he said. “We’ve seen the time to remediate against a breach, in the last two years, go from 14 days to 24 days. It’s now taking nearly a month to remediate against a major breach. “
Rather than just sitting back, building higher walls and hoping that cyber criminals go elsewhere, Kawalec believes that organizations need to be proactive in responding to the threats they face and get out ahead of them.
“I think we need actively try and disrupt the kill chain, which starts with research and then the second stage being infiltration into your organization and the third stage being the ability to discover and cull across all of your data, capturing the important and valuable pieces and take them out of the organization. We need to think about how we disrupt each stage of that kill chain and that is a very different mentality from just layering security around anti-virus and different technology controls.”
Kawalec said there are three things that have contributed to the current state of cybersecurity within organizations; a traditional underinvestment in security that has not allowed companies to keep pace with the threats; security has too often been distributed across a lot of different functions within organizations; and, security teams have been unable to articulate the return-on-investment (ROI) of improving their security posture.
“That’s why it has been hard for people historically to drive and invest in security. I think that is starting to change because governments are waking up to the fact that their only influence is through regulation and compliance. The boards are waking up to the fact that this could pose a clear and present danger to them professionally and to the valuation of their organizations,” Kawalec said. “The security profession is growing up and is starting to articulate things not in a bits and bytes feature benefits type of way, but in risk and strategic security posture. It’s a journey, but I think we’re slowly turning the corner.
Despite the best efforts of the government and private businesses, however, Kawalec believes that the probability of a cyber attack occurring against critical infrastructure somewhere in the world over the next several years is “very real.”
“We know the capability is there. We see vulnerabilities occurring on a daily basis and if you look at the World Economic Forum’s list of top 10 global risks, cybersecurity attack and disruption has made it onto the list for the first time alongside financial chaos and global environmental phenomenon,” he said. “Yes, I think it is very possible and we have to plan against that very eventuality and we need to be very cognizant that we’re likely to see that type of disruption. I absolutely believe that in the next five years we will see some very significant steps in that space.”