The dangers of the internet are not proliferating the way they once were, according to some industry experts at the Washington Post Cyber Security Summit, sponsored by Lockheed Martin’s Cyber Security Alliance earlier this month.
“The numbers [of threats] are getting bigger, but the internet is getting bigger. It’s not going up, it’s staying level,” said Howard Schmidt, former White House cyber security coordinator, now a partner with Ridge Schmidt Cyber.
Schmidt and Ellen Richey, chief enterprise risk officer for VISA, the international credit card company, attributed the slowdown in threats to improved computer hygiene by all sectors – government, corporate and individual.
Getting Back to Basics.
To protect networks, organizations need to practice basic security fundamentals. According to Jane Lute, former deputy secretary at the Department of Homeland Security and current president and CEO of the Council on Cyber Security, simply following the top four out of 20 basic security measures will block 80 percent of the threats.
The 20 Critical Security Controls identified by the SANS Institute include everything from identifying unauthorized hardware and software on networks to continuous vulnerability assessment and remediation to incident response and management.
But the remaining 20 percent of threats, the ones that are not prevented by these security measures, represent serious dangers, the panelists warned.
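The first of those controls, keeping an inventory of authorized devices and flagging anything else that shows up on the network, is easy to state and easy to get wrong in practice (MAC addresses arrive in several notations, and a scan often lists the same host twice). The script below is an added illustration of that reconciliation, not code from the article, from SANS, or from the Council on Cyber Security; the inventory and the scan output it reads are constructed samples, and the three-column scan format is an assumption.

```python
"""Reconcile observed hosts against an authorized asset inventory.

Added example for the "inventory of authorized and unauthorized devices"
control; the AUTHORIZED table and OBSERVED_SCAN text are constructed samples.
"""
from dataclasses import dataclass

# Constructed sample: the inventory an asset owner maintains, keyed by MAC.
# Notation is deliberately inconsistent, as real spreadsheets tend to be.
AUTHORIZED = {
    "00:1a:2b:3c:4d:5e": {"hostname": "web01", "owner": "platform"},
    "00:1A:2B:3C:4D:5F": {"hostname": "db01", "owner": "data"},
    "aa-bb-cc-dd-ee-01": {"hostname": "jump01", "owner": "secops"},
}

# Constructed sample of scan / ARP-table output (assumed format: ip mac name).
# Note the duplicate line for 10.0.1.99 and the renamed jump host.
OBSERVED_SCAN = """\
10.0.1.10 00:1a:2b:3c:4d:5e web01
10.0.1.11 00:1a:2b:3c:4d:5f db01
10.0.1.12 aa:bb:cc:dd:ee:01 jump02
10.0.1.99 de:ad:be:ef:00:01 unknown-laptop
10.0.1.99 DE:AD:BE:EF:00:01 unknown-laptop
"""


def normalize_mac(mac):
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    name: str


def parse_scan(text):
    """Parse scan lines into a set of Hosts; the set collapses duplicate sightings."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, name = line.split()[:3]
        hosts.add(Host(ip, normalize_mac(mac), name))
    return hosts


def reconcile(authorized, scan_text):
    """Return (unauthorized hosts, authorized MACs not seen, hostname mismatches).

    Unauthorized: observed MAC absent from the inventory (rogue or unknown device).
    Missing:      inventory MAC not observed (decommissioned, offline, or stale record).
    Mismatched:   known MAC reporting a different hostname (re-imaged or spoofed).
    """
    allowed = {normalize_mac(m): info for m, info in authorized.items()}
    observed = parse_scan(scan_text)
    seen = {h.mac for h in observed}

    unauthorized = sorted((h for h in observed if h.mac not in allowed),
                          key=lambda h: h.mac)
    missing = sorted(m for m in allowed if m not in seen)
    mismatched = sorted(
        (h.mac, allowed[h.mac]["hostname"], h.name)
        for h in observed
        if h.mac in allowed and allowed[h.mac]["hostname"] != h.name
    )
    return unauthorized, missing, mismatched


if __name__ == "__main__":
    rogue, gone, renamed = reconcile(AUTHORIZED, OBSERVED_SCAN)
    for h in rogue:
        print(f"UNAUTHORIZED {h.ip} {h.mac} ({h.name})")
    for mac in gone:
        print(f"MISSING      {mac} ({AUTHORIZED_NAME := None})" if False else f"MISSING      {mac}")
    for mac, expected, actual in renamed:
        print(f"MISMATCH     {mac} inventory={expected} observed={actual}")
```

Run it as-is and the only unauthorized entry is the laptop at 10.0.1.99 (reported once, not twice), nothing is missing, and the jump host is flagged because the inventory says jump01 while the scan says jump02. Feeding the same function an empty scan lists all three inventory MACs as missing, which is the other half of the control: a device that quietly disappears deserves a ticket just as much as one that quietly appears.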
Today’s Evolving Threat.
The threats arise not only from nation-states such as China, which frequently look for intellectual property they can steal, or from criminals, who siphon about $10 billion a year from the payments industry, but also from emerging bad guys who are looking to cause actual harm.
Michael Hayden, former director of both the National Security Agency and the CIA, cited the 2012 attack against Aramco, the Saudi national oil company. About 35,000 hard drives were wiped clean in that attack, he said.
“I think people need to understand that in the last 12 months there’s been a qualitative change,” said Craig Mundie, senior advisor to the CEO of Microsoft. “The threats are moving to destructive attacks. Unlike conventional weapons, every time someone shoots one of these weapons, the bad guys get to watch it, then clone it.”
Understanding the Threat and Taking Action.
There is a cultural disconnect between business executives and IT professionals that hinders industries from taking protective measures, Lute said. CEOs are not talking to their CIOs or CTOs. They might as well speak two different languages.
And there are other disconnects between government and industry, the panelists said.
Businesses want certainty – they want to be told the specific steps they must take to be safe, and that if they do that, their companies are protected. Government agencies, on the other hand, provide recommendations, but have no enforcement authority, and know that new threats will lead to new recommendations. Security is not a static target.
“If someone came and bombed my data center, I presume the government would protect me, but if an enemy country sent hackers to attack me,” the company is on its own, Richey said.
But companies cannot fight back against a cyber attack. “It’s illegal to chase bad guys up the wire, even if you have the capability to do so,” Mundie said.
Lute acknowledged the business sector has been slow to invest in cyber security.
“We need to be incentivized,” she said. “Good business practice isn’t an incentive. The protection of people’s privacy isn’t an incentive.”