Neutralizing the 'Weapons Grade' Enterprise Cybersecurity Threat
"We've got to change the paradigm here," said CSC's Dean Weber. "We've got to get better at threat intelligence. We've got to get better at event correlation. We've got to get better at the business of cybersecurity. And it has to be a public-private partnership that actually gets us there, because the public has an interest in the private infrastructure ... . That's not just U.S. -- that's global."
Sep 9, 2013 5:00 AM PT
IT leaders are improving security and reducing risks as they adapt to new and often harsh realities of doing business online.
CSC and HP, for example, have entered a strategic partnership to help companies and governments better understand and adapt to the tough cybersecurity landscape.
Discussing the current threat environment in this podcast are co-host Paul Muller, chief software evangelist at HP Software; Dean Weber, chief technology officer, CSC Global Cybersecurity; and Sam Visner, vice president and general manager, CSC Global Cybersecurity. The discussion is moderated by Dana Gardner, principal analyst at Interarbor Solutions.
Listen to the podcast (32:46 minutes).
Following are some excerpts:
Dana Gardner: What is the real scale of the threat here? Are we only just catching up in terms of the public perception of the reality of cyber-insecurity? How different is the reality from the public perception?
Dean Weber: The difference is night and day. The reality is that we are under attack and have been for quite some time. We are, as Sam likes to put it, facing a weapons-grade threat.
Sam Visner: When I think about the threat, I think about several things happening at once. The first thing is that we're asking IT, on which we depend, to do more. It's not just emails, collaboration, documents, and spreadsheets. It isn't even just enterprise systems.
It extends all the way down to the IT that we use for manufacturing, to control power plants, pipelines, airplanes, centrifuges, and medical devices. So, the first thing is that we're asking IT to do more, and therefore there's more to defend. Secondly, the stakes are higher. It's not just up to us.
Third is the point that Dean made, and I want to elaborate on it. The threat is very different.
Today, intellectual property, whether or not it's possessed by the public sector or the private sector, if it's valuable, it's worth something. It's worth something to a bad guy who wants to steal it. And if you have critical infrastructure that you're trying to manage, a bad guy may want to disrupt it, because their government may want to be able to exercise power.
And the threats are different. The threats are not just technically sophisticated. That's something a hacker, a teenager, can do. In addition to being technically sophisticated, they're operationally sophisticated.
That means this is foreign governments, or in some cases, foreign intelligence services that have the resources and the patience to study a target, a company, or a government agency over a long period of time, use social networking to figure out who has administrative privileges inside of that organization, and use that social networking to identify people whom they may want to subvert and who may help them in introducing malware.
Then, once they have decided what information they want, who safeguards it, they use their technical sophistication to follow up on it to exploit their operational knowledge. This is what differentiates a group of hackers who may be technically very bright from an actual nation-state government that has the resources, the discipline, the time, and the patience to stick with the target and to exploit it over a long, long period of time.
So, when we use the term "weapons grade," what we mean is a cyberthreat that's hard to detect, that's been wielded by a foreign government, a foreign armed force, or a foreign intelligence service -- the way a foreign government wields a weapon. That's what we're really facing today in the way of cybersecurity threats.
Paul Muller: You asked if the headlines are simply reflecting what has always been going on, and I think the answer is yes. Definitely, there is an increased willingness of organizations to share the fact that they have been breached and to share what some of those vulnerabilities have been.
That's actually a healthy thing for society as a whole, rather than pretending that nothing is going on. Reporting the broken window is good for everybody. But the reality is the sophistication and the scale of attacks, as we have just heard, have gone up -- and have gone up quite measurably.
Every year we conduct a Cost of Cyber Crime Study with the Ponemon Institute. If we look just at the numbers between 2010 and 2012, from the most recent study in October, the cost impact of cybercrime has gone up 50 percent over that period of time. The number of successful attacks has gone up by two times. And the time to resolve an attack has almost doubled as well. So it has become more expensive -- greater scale -- and it's becoming more difficult to solve.
Gardner: What strikes me as being quite different from the past, too, is when businesses encountered risks, even collective risks, they often had a law enforcement or other regulatory agency that would come to their rescue.
But in the May 20th issue of The New Yorker, in an article titled "Network Insecurity" by John Seabrook, Richard McFeely, the executive assistant director of the FBI, says quite straightforwardly, "We simply don't have the resources to monitor the mammoth quantity of intrusions that are going on out there."
So, enterprises, corporations -- governments even -- can't really wait for the cavalry to come riding in. We're sort of left to our own devices, or have I got that a little off-base, Dean?
Weber: The government can provide support in talking about threats and providing information about best practices, but overall, the private sector has a responsibility to manage its own infrastructures. The private sector may have to manage those infrastructures consistent with the public interest. That's what regulation means.
But the government is not going to provide cybersecurity for a power company's power grid or for a pharmaceutical company's research program. It can insist that there be good cybersecurity, but those organizations have always had to manage their own infrastructures.
Today, however, the threat to those infrastructures and the stakes of losing control of those infrastructures are much higher than they have ever been. That's what's amplified now.
There is also a tradeoff that can be done there in terms of how the government shares its threat intelligence. Today, threat intelligence shared at the highest levels generally requires a very, very high level of security, and that puts it out of reach of some organizations to be able to effectively utilize, even if they were so desirous.
So as we migrate ourselves into dealing with this enhanced threat environment, we need to also deal with the issues of enhancing the threat intelligence that we use as the basis of decision.