Governments Scramble to Defend Cyber Assets

As noted in our perspective last month on Cyber Attacks, the security of personal, corporate and government networks have never been more important or more vulnerable.  Information and communications technologies are everywhere in modern society, including critical infrastructure, like banks, power plants, hospitals, defense, and first responder systems. Safeguarding such critical infrastructure is generating attention at the highest level of government. Richard Stiennon’s new book is titled, There Will Be Cyberwar: How the Move to Network-Centric Warfighting Has Set the Stage for Cyberwar.  The assumption is that not “just data” but lives may be at stake.

Since China purportedly nabbed over 21 million profiles, many including fingerprints, from the U.S. Office of Personnel Management, national leaders everywhere have been scrambling to shore up their own digital security frontiers.  A new cyber-agreement topped the agenda for Obama and Xi JinPing.  Germany just announced a new cyber command with 15,000 IT specialists.  Indian prime minister has busily been inking a cybersecurity pact with every country he visits, including the U.S. and Mongolia.

Cyber security agreements are being discussed in the language of disarmament or arms control agreements. But while Mr. Obama seeks, “an architecture to govern behavior in cyberspace that is enforceable and clear,” such a goal may be impossible. Unlike the cold war focus on counting missiles and limiting nuclear warheads, there is no way to count cyber weapons. Agreements can however provide the moral and legal grounds for holding nations accountable for their actions.

A UN report this July is a first step in this direction. In his forward, the Secretary General said: "Making cyberspace stable and secure can only be achieved through international cooperation, and the foundation of this cooperation must be international law and the principles of the UN Charter.” The UN Group published norms or principles for responsible behavior of States for information and communications technologies (ICTs).  Selected norms are summarized below.

• States should cooperate…to increase stability and security in the use of ICTs
• States should not knowingly allow their territory to be used for wrongful acts using ICTs
• A State should take appropriate measures to protect their critical infrastructure
• A State should not conduct or support ICT activity that damages critical infrastructure
• States should not conduct or support activity to harm the information systems of emergency response teams

Experts seem to agree that sharing information on data breaches is of paramount importance, and the easiest place to detect and share threat data is on the cloud.  Rather than being less secure, data can be more secure in the cloud. 'Threat awareness and detection is improved with the more data organizations have access to. The cloud is the perfect place to share the massive collaboration of security Intelligence that could make a significant dent in the global cyber-attack capabilities.'  Said Paul Nguyen, president of network security automation firm CSG Invotas.  The longer a threat goes without being detected, the more opportunity there is for the attacker to cause damage and the worse it will be for an organization’s reputation, record of compliance and ultimately its bottom line as customers lose confidence.

Security firms can match similarities in the code of intruders and may trace hacks back to their home base in a particular country. To accumulate evidence of attacks as well as beef up security, the U.S. Department of Defense issued a new rule this September, in effect immediately, for all contractors, not just IT providers, to protect information and report on breaches.  As the Internet of Things (IoT) grows the end points for data movement will increase exponentially.  “The traditional approach of securing the perimeter will no longer be enough,” says Cisco's UK director of cyber security Terry Greer-King, “when the perimeter is with thousands of sensors deployed remotely.”

Roy Tobin, threat researcher for Webroot also quoted in Information Age, thinks avoiding the loss of sensitive data downloaded by employees onto mobile devices will be the biggest security challenge to come. The solution, he believes, is to maintain a network-wide inventory of data and have visibility of data movement over the network and on mobile devices and removable media. With a number of different operating systems and a multitude of different devices available to people today, businesses’ approach of managing physical devices is becoming complex and expensive, forcing companies to commit time and resources to managing personal applications on employee’s devices that have nothing to do with their work. 'A less costly and more effective approach is to manage what people actually do on their devices, which is to say the business applications they use,' says Greer-King. 

'The biggest security mistake companies are making is that they are continuing to rely on outdated password-based authentication systems to protect sensitive data and cyber assets,' warns Christian Campagnuolo, senior VP at MicroStrategy. 'Passwords are by far the weakest link in cyber protection, as they can be stolen, lost or guessed. Furthermore companies are mistaken if they believe asking staff to make their passwords longer and more complicated will solve this issue.' Combining various types of biometric authorization, like finger and voice prints along with analytics that detect unusual patterns of usage are far more secure.

Securing critical data thus requires the effort of individuals, companies and governments at every level to deploy procedures and programs to protect, detect, repair and share, enabling authorities to name, shame and prosecute perpetrators.