Black Hat, by its name, seems ominous. What was once a conclave of hackers in 1997 has become a fast-growing global conference series focused on the business of cyber security and includes technical presentations on vulnerabilities and solutions. Black Hat and its attendees have grown up, representing and protecting enterprises from cyber risk and threats. Past demonstrations have included hacked ATM’s spitting out $20s on the stage, using a laptop to override a pacemaker and cause a fatality (not an actual, live demo- thankfully) and later, similar fates via insulin pump.
But these threats and vulnerabilities were first shared with and mitigated by the at-risk enterprises before being presented. The value connection to business risk has led to a strong expo sponsored by major organizations including Cisco, Microsoft and Deloitte. Indeed, two groups that would never acknowledge each other in high school have come together. One in suits, the other in cargo shorts are now conversing and doing business.
From training to briefings to interactive discussions, Black Hat delineates the maturity and growth of the cyber security market to the big businesses of ethical hacking and cyber risk management. The significant boom in dollars being applied against cyber crime documents the recognition that this is a business issue that requires strategic attention at the C-level vs. post-event patches by network and desktop IT administrators.
And to put an exclamation point on the reality that cyber crime as a business issue, General Keith Alexander, Director of the National Security Agency keynoted the recent conference, saying at the start of his speech:
“This is the technical foundation for our world’s communications, you folks right here, and the issue that stands before us today is one of what do we do next, how do we start this discussion on defending our nation and protecting our civil liberties and privacy.
“The reason I’m here is because you may have some ideas of how we can do it better. We need to hear those ideas.
“But equally important, from my perspective, is that you get the facts. And so what I’m going to do today is try to lay out those facts.…there are good reasons why some of this is classified and why some of it is stuff that we just don’t put out there. And the big reason, from my perspective, is because terrorists use our communications. They live among us. How do we come up with a program to stop terrorism and to protect our civil liberties and privacy? This is perhaps one of the biggest issues facing our country today.”
Indeed, the very solutions to America’s most pressing threats will come from those who are, perhaps, most skilled at threatening it. The economic incentives and legal disincentives to work on the solution to cyber risk are winning the day as enterprises are investing and paying a premium to white-hat hacker organizations to protect their businesses.
Unfortunately, the first of my 2013 Trends predictions to be realized was that a cyber attack would put a business out of business. As I wrote in January 2013:
Prediction 1. An organization will declare bankruptcy after a cyber-attack.
While some organizations are shoring up against cybercrime, many are not taking even basic or intermediate steps to remove vulnerabilities. As the level of attempts increase, the odds of a catastrophic event resulting in an organization failing also increases. The U.S. Cyber Consequences Unit (US-CCU) an independent, non-profit (501c3) research institute has found that a cyber-attack that could hijack systems, at a corporate level “have the potential to create liabilities and losses large enough to bankrupt most companies.”
Krebs on Security recently reported that “A $1.5 million cyber heist against a California escrow firm earlier this year has forced the company to close and lay off its entire staff. Meanwhile, the firm’s remaining money is in the hands of a court-appointed state receiver who is preparing for a lawsuit against the victim’s bank to recover the stolen funds.”
Fraudulent money wires to banks in Moscow and China led to the insolvency and closure of Efficient Services Escrow Group by the California Department of Corporations.
General Alexander noted that “the offense is winning right now. Where is the defense?” We have learned, recently, that the defense (the NSA) has violated its own restrictions thousands of times due to human error, technical glitches and lax oversight. Indeed, the NSA and Black Hat were wise to meet and discuss the current situation. Any enterprise leadership believing cyber is a technical IT and not a serious business risk and security issue is delusional. Enterprise security must become just that, “enterprise-wide.” And the solutions will most certainly come from the Black Hatters that are motivated and compensated to play defense.
