The Good Old Days of Cyber Security
Advanced Persistent Threats (APTs) are proving traditional cyber attacks (viruses, malware, etc) outdated, according to Larry Clinton, President & CEO of the Internet Security Alliance.
Each minute in 2010 there were 45 new viruses created, 200 new malicious websites established, 180 personal identities stolen, 5,000 new versions of malware created and most importantly, 2 million dollars lost. That is what Larry Clinton, President & CEO of the Internet Security Alliance (ISA) calls the “good old days.”
According to Clinton, the alarming, but traditional attack methods that were causing such damage in 2010 can be considered outdated compared to the newer attacks of today called the “Advanced Persistent Threat,” or the APT.
ISA is a multi-sector trade association with membership from most of the major industry sectors.
In 2008, ISA published its Cyber Security Social Contract, which articulates a market oriented, incentive based model as an effective sustainable model for improving our nation’s cyber security. The Contract is both first and last source cited in the Executive Summary of President Obama’s Cyber Space Policy Review.
When the Obama White House issued its executive order on cyber security earlier this year it essentially adopted the ISA’s Social Contract model.
APT is not only well funded, Clinton says, but it’s also well organized, highly sophisticated and it targets vulnerable people more than vulnerable systems.
Clinton adds, “An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches. They could derail passenger trains or trains loaded with lethal chemicals, contaminate the water supply or shut down the power grid across the country. Attackers could also seek to disable or degrade critical military systems and communication networks. The result could be a cyber Pearl Harbor; that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.”
These facts, of course, beg the question, if this is such a big problem, why hasn’t it been solved?
According to Clinton, and previous columns by SecurityPublisher Mark McCourt, one problem has been that policy makers have been thinking of cyber security primarily as a technological problem, when in reality it is an enterprise-wide risk management issue. Technology only tells us how attacks occur; economics tell us why attacks occur. Considering technology without considering economics is as misguided as thinking of economics without technology.
“For example, economists have long known that liability should be assigned to the entity that can manage risk,” Clinton says. “Yet everywhere we look we see online risk allocated poorly…people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code. We find that misplaced incentives are as important as technical design…security failure is caused at least as often by bad incentives as by bad technological design.
“Moreover, there has been a misconception that increased security is good business. That is clearly true to a certain extent However, in the digital business world there are major economic incentives to deploy insecure systems and processes,” Clinton notes. “For example VOIP is basically less secure than traditional telephony, but businesses have deployed it widely for the massive cost savings. The economics driving these unsecure decisions are overwhelming.”
“Making the business case for security could be a challenge – no one wants to pay their insurance bill until the building burns down,” Clinton says. “And the challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices and demonstrating the value in implementing them and encouraging individuals and organizations to adopt them.”
Even with all these problems there still seems to be some light emerging at the end of the tunnel. To begin, there is growth toward businesses taking an enterprise-wide cyber management approach to cyber security. In 2008, according to Clinton, only 15 percent of companies ISA surveyed had enterprise-wide risk management teams for privacy/cyber. In 2011, 87 percent of companies had cross organizational cyber/privacy teams. Some major firms are now including ISA Financial Risk Management in their enterprise programs, which are also being used as the foundation for the Enterprise Risk Management process that will be part of the voluntary program that the Obama Administration is creating under its Executive Order on Cyber Security.
In addition, there are now numerous books and pamphlets and websites to assist enterprises in their fight to become more cyber secure. One such document has just been published by ISA on how to fight the APT on a smaller budget. Among the tips provided are Corporate due diligence: enforce the “Need to Know” rule, encrypt everything in transit and at rest (i.e. the iPhone), with foreign travel use throw-away laptops, label all documents and e-mail with the appropriate data classification and upgrade to the latest operating systems. systems.
What is your enterprise doing? Let me know, firstname.lastname@example.org