This week’s State of the Union Address was the fourth in a row in which President Obama highlighted the critical nature of cybersecurity. Until the most recent onslaught of headlines painted a painful picture of the consequences of a data breach, all too many of our organizations have been focused on passing compliance audits and dealing with a broad variety of threats to long-term business viability. Times have changed, and the headlines and the tough reality are all crystal clear: the bad guys are strong, dedicated, and working productively together, and they are in our networks today.
As President Obama said, lawmakers must “finally pass the legislation we need to better meet the evolving threat of cyber-attacks,” and, “If we don’t act, we’ll leave our nation and our economy vulnerable.” Recently proposed legislation would relieve some of the risk of participating in the information-sharing for which the federal government is asking. Defending our organizations is becoming increasingly complicated for legal and security teams, so it’s crucial for such legislation to increase the incentives or decrease the exposure that companies would experience in being more transparent and collaborative with government when data breaches occur.
I was pleased to have the opportunity to participate on a panel at the 5th Annual Billington Cybersecurity Summit, a very well attended event in Washington, DC yesterday. At the Summit’s opening keynote, Admiral Michael Rogers, Commander of U.S. Cyber Command and Director of the National Security Agency, made a strong call for the adoption within cybersecurity of the military concept of “situational awareness,” both in government agencies and in corporate America. This, he said, can be achieved through understanding normal behavior across a network and on endpoints and having a way to quickly visualize anomalies.
The headlines are full of stories about the growing number of job opportunities for what may be a too-small pool of young cyber-defenders and incident responders. At Guidance Software, we support universities with our EnCase Academic Program to help ensure that the up-and-coming generation of information security specialists has the tools and technology they need to work like seasoned professionals do. To that end, we are also proud to be a Gold sponsor of the National Collegiate Cyber Defense Competition (NCCDC).
Ten finalist teams from more than 180 colleges and universities will participate in this national competition, held in San Antonio, Texas from April 25-27. To support this valuable training exercise, we supplied EnCase software network-wide, provided some EnCase training for all contestants, and will staff the volunteer Red Team with an EnCase incident-response expert.
On the day the mighty U.S. government shut down, the U.K. government threw down a colossal gauntlet: it revealed that it has been developing the capacity to carry out cyber attacks. The Financial Times reported today: Philip Hammond, defence secretary, said ahead of the Conservative party conference in Manchester that the UK was "developing a full-spectrum military cyber capability, including a strike capability." It was the first time any country has made such a sensitive statement in public.
One of the fundamental realities of security is dealing with vulnerabilities. In the industry, we have become so jaded to the fact that software makers simply don't want to go to the trouble and expense of churning out secure code that we have just learned to 'abide.' Consequently, we come up with elaborate ways to measure vulnerabilities and concoct Wile E. Coyote style mitigation plans to bring the risk down to an acceptable level.
Occasionally, I'm reminded that my permanently security-tainted skepticism, and my comfortable position that there is no real security, only incident response, need a bit of a challenge. We continue to fight a losing war and resign ourselves to try harder tomorrow. With nation-states throwing their hats and ample wallets into the ring, anonymously buying bugs and exploits and expecting them not to be reported to the software vendor or the public, it seems all is lost.
The second story had to do with one of those agencies that's been in the news lately for monitoring lots and lots of email and phone communications. I've heard claims that all three branches of government had oversight into the process. It struck me that there is a major problem with that claim. They were all sworn to secrecy and operating behind closed doors. No transparency; just a tacit statement that we only look at the facts relevant to the bad stuff. Ok, so how are they related?
Yet, despite fears of retaliation from foreign governments against the U.S. electric grid, a recent report based on over 100 surveyed utility companies revealed alarming vulnerabilities in the nation’s energy system. The report was supported by members of the U.S. House of Representatives in an effort to bring awareness to the security gaps in the utilities sector.
Among some of the report’s key findings were:
- Attacks on the nation’s critical infrastructure – including energy – were up 68 percent from 2011
- Many utility companies reported receiving “daily,” “constant” or “frequent” cyber-attack attempts
- Among the attacks reported were phishing, malware infection, and unfriendly probes
- Most utility companies are compliant with mandatory cybersecurity standards issued by the government, but voluntary recommendations by the industry watchdog – the North America Electric Reliability Corporation (NERC) – have been ignored by many
It is simply more profitable to sell newly discovered exploits to bad guys than it is to report them to the software companies for fixing. The few companies that are willing to pay bounties for bugs are easily outbid by the bad guys as a cost of doing business. As long as that is a viable economic model, we will never have a hope of any defensive strategy that will work other than fast clean up of the mess when it happens.