The Brave New World of Cybersecurity
'Burning Chrome' Cover Art
Author William Gibson coined the phrase cyberspace in his 1982 short story “Burning Chrome” that depicted hackers wantonly breaking into corporate security systems. Fast forward to 2015 and Gibson’s vision is reality as cyberattacks on vulnerable corporations, governments, and institutions have become commonplace. What strategies do global companies and governments need to protect themselves from cyberattacks?
In the wake of much-publicized incidents on the likes of JP Morgan Chase, Target, Sony, and Anthem, the heightened threat posed by cyberattacks has become a high-priority for senior management and boards of directors around the globe. At no time has there been greater attention paid to cybersecurity and what it can offer to combat costly, malicious attacks.
Broad and expansive in its reach, cybersecurity encompasses tools, policies, security concepts, best practices, and technologies—all of which can be deployed in concert to protect both the virtual data and physical infrastructure forming an organization’s assets. Against a backdrop of persistent and unrelenting threats in cyberspace, cybersecurity’s mandate is to protect and secure an organization’s assets to ensure their continued availability, integrity, and confidentiality.
Yet many large corporations still do not have strategic cybersecurity plans in place even as more and more devices are interconnected and virtually anything of import is accessible from the Internet. Indeed, cybersecurity is becoming as critical as physical security precisely because of this ubiquitous interconnectivity through which cyberattacks can quickly spread.
True, the cybersecurity market remains small at present—just $589 million was spent on industrial cybersecurity systems worldwide in 2013. But the potential for growth is huge, especially as the world begins to craft coherent cybersecurity strategies to combat increasingly dangerous cyberattacks.
Global revenue for industrial cybersecurity will more than double between 2013 and 2019
But defense is only one side of the issue. As recently as March, Admiral Mike S. Rogers, head of the United States Cyber Command and the National Security Agency admitted during a Senate committee hearing that the United States needed to boost its ability to stage cyberattacks. Rogers said the United States needs to create a deterrent against other countries seeking to attack the country, and that a defensive strategy alone would be inadequate.
To be sure, the US government is increasing its investments in advanced cybersecurity technologies, and special funds are also being set aside for small businesses to develop innovative solutions in cybersecurity. Moreover, the government requires large defense contractors to subcontract a certain percentage of their cybersecurity solutions development to small businesses. This way, a small business has multiple avenues for engaging in the federal cybersecurity market, either through direct contract with the government or by helping a large business meet its small business subcontractor quota.
Cyberthreats and emerging technologies
Cyberattacks are increasingly sophisticated as their destructive incursions seek new ways to breach security and inflict maximum damage. And in an age of increasingly porous digital borders, three areas pose grave challenges in the cybersecurity wars:
The all-things-connected phenomenon known as the Internet of Things
Cloud computing, or the online storage and repository of data
The continuous churn of enormous amounts of information being gathered and sifted for specific purposes, otherwise known as Big Data.
The Internet of Things
In the coming years, billions of new devices—from cars to household appliances—will be fitted with computer chips that enable interconnectivity with the Internet. Experts estimate there will be nearly 50 billion connected devices by 2020, with an average of more than six connected devices per person. This is the vast universe making up the Internet of Things (IoT), and the interconnected nature of such a massive system significantly raises cybersecurity risk factors. Because IoT devices are designed for connectivity and not security, they are vulnerable to malware attacks. And each device is a potential portal through which a cyberattack can gain entry, and then proliferate throughout the chain.
There are three categories of cyber threats in the world of connected devices. On the lower end of the scale, denial of service is an immediate threat, potentially paralyzing all services offered by a network of smart devices. Higher up is the threat from botnets and malware-based attacks. Here, a malicious code could infect computers in order to gain control of a network of smart devices, or to compromise the software running them, with the objective of converting the connected devices for heinous purposes. Lastly, data breaches can exploit the aggregation of valuable information resulting from the daily actions of individuals, in order to access private communications or expose sensitive data on the cumulative behavior of population subsets.
The automotive industry highlights the promise and pitfalls of the Internet of Things. Few industries are as poised to reap the benefits of a dramatic expansion of connectivity as auto manufacturers, which can utilize hyper-connected devices to assist GPS navigation, augment safety instruments, and ensure an information-rich driving experience.
But the risks are clear. Enhanced connectivity in cars could enable a remote takeover of a car’s driving or parking functions, creating genuine peril for the driver, passengers, and other vehicles. A second conceivable risk relates to the sensitive data accumulated from driving patterns, with the potential to hijack the information in order to publish or blackmail the driver.
In the IoT universe, cyberattacks can hit anywhere. Banks and other financial institutions; healthcare and the medical sector; industrial utilities including oil and gas, chemicals, and critical infrastructure; insurance and their carriers; retail and consumer data; telecommunications and satellites—no industry is exempt.
Cloud computing
Cloud computing enables convenient, on-demand access for individuals and businesses to a shared pool of computing resources including networks, servers, data storage, and other applications. But these very advantages represent an attractive target for cyberattacks. This is because an attack on a stand-alone system is ultimately less dangerous than an attack on a networked model like the cloud, which could result in a cascade of failures across the network.
The finance industry is especially vulnerable to the inherent threats of cloud computing. Trading brokerages, banks, and credit unions all highlight their 24/7 online availability for consumers to check their accounts, conduct transactions, and monitor financial activity as a key selling feature. Yet this type of ubiquitous access, heavily reliant on cloud computing, renders the paradigm susceptible to such risks.
Big Data
Big Data exploits the massive reams of data cascading over the Internet—driven in large part by the growth in social media apps and mobile devices—in order to identify underlying patterns and trends. From a corporate security perspective, Big Data allows companies to observe the larger threat picture against enterprises, incorporating internal and external threats alike. By pooling internal data and relevant outside information to correlate high-priority alerts across monitoring systems, companies can cut down on the white noise and false alerts endemic to existing monitoring tools.
For these reasons, Big Data is not so much another vulnerability but a tantalizing new opportunity for corporate players to take proactive measures against cyberthreats. A Big Data paradigm can efficiently log information, events, and activities occurring within a preselected tracking environment; consolidate the data in a central location; and then use advanced analytics to help identify patterns that no individual monitor can do on its own, in the process creating a holistic picture to analyze and investigate security-related issues.
One potential concern, however, for the broader application of Big Data is the scarcity of data scientists specializing in security issues. In many cases, organizations will need to engage with third parties to compensate for the lack of in-house expertise.
Cyber warfare and the defense sector
As governments around the world awaken to the impact of cyberattacks, a primary focus remains the prevention of cyberattacks from being deployed as an instrument of warfare by both state and non-state adversaries. Indeed, a quick glance at national defense spending over the past decade bears out the growing investment by governments in cybersecurity. In the United States alone, spending on cybersecurity at civilian and military agencies will reach nearly $15 billion in the current fiscal year (FY), which includes $5.5 billion for the Pentagon to invest in cyberspace operations. These outlays represent increases over last year’s funding, in an environment that saw a general decline in federal spending.
Overall, opportunities for the global cybersecurity market are brisk. The world market for cybersecurity alone is worth $81 billion, with 10% annual growth. None of this is lost on the business world: witness the growing number of mergers and acquisitions over the past few years, with larger and more established corporate players buying smaller IT firms, especially those with cybersecurity skills. Examples of such corporate deal making include the acquisition of Mandiant by FireEye; of Urgentis Digital Crisis Solutions by Deloitte; of Blackbird Technologies by Raytheon; and of SilverSky by BAE Systems.
Recent and well-publicized hacks into private sector and government systems will keep a focus on cybersecurity as an imperative. While these attacks are not new, what was interesting about 2014 was the openness by the US government and its military regarding the use of offensive cyberspace operations, previously shrouded in classified documentation.
The Obama administration has not only acknowledged the presence of offensively focused teams at the strategic and operational levels, but it has implied the use of such capabilities at the tactical level. Perhaps more significant, active training and military exercises in offensive operations have now become the norm, along with the creation of stand-alone cyberforce organizations, nurturing a new generation of digitally savvy cyber warriors. For instance, the US Army recently established a cyber branch for officers on the same level as traditional infantry or armor specialties.
This growing embrace of holistic cyber capabilities, which integrates defensive attributes with offensive missions in a proactive fashion, is not the only new force shaping cyberspace operations in the defense sector. As national defense increasingly embraces the necessity of investments in cyber programs and personnel, other key trends include the following:
Infrastructure. Protecting the security of industrial control systems for key elements of critical infrastructure will grow in importance. Also known as SCADA (Supervisory Control and Data Acquisition), these computer systems control activities over multiple sites. A successful attack against SCADA can shut down, destroy, or manipulate infrastructure activities. Imagine cyberattacks causing power grids to go offline, airplanes flying in the dark after the failure of air-traffic control systems, or the shutdown of a municipal water system. As the threat magnitude grows, so too will research and development into cyber-defense applications to produce more robust defenses.
Self-repair. A greater emphasis is anticipated on real-time continuous monitoring and mitigation to defend against persistent threats, which will gradually take the place of the traditional “react and patch” approach, enabling greater automation and self-awareness when it comes to cyber defense applications. Technological advances will usher in more prominent self-repair network attributes. These capabilities—monitoring, mitigating and self-repairing—will pave the way for a resilient network ecosystem which until now has been in the conceptual and research realms.
Compliance. From a tactical perspective, network cybersecurity needs will grow as the military becomes fully networked. These networks must be secured, and for the US military this means complying with information assurance accreditation and certification requirements. Cybersecurity opportunities will increase accordingly, as seen in the recent US information security contract awards for the Virginia-class submarine and F-35 fighter.
Collaboration. The international cybersecurity market will experience significant growth. Rapid evolution is already occurring at the nation-state level, ranging from the routine establishment of national cyber emergency response teams, to the development of cyber forces with potential offensive capabilities. Bilateral and regional cooperation, both in the investment of resources and shared training, is beginning to accelerate. Industry is also joining in, with the establishment of overseas centers of excellence and growing mergers-and-acquisitions activity.
The way forward
Cyberattacks have become a permanent and pervasive peril to governments and businesses alike and managing the risks must become a priority. But understanding the challenges and implementing appropriate strategies for the long term requires resources and expertise. The threats are evolving as are the tools and technologies. To manage the emerging risks successfully, it’s useful to keep three things in mind:
Cybersecurity is a corporate imperative. Every major entity, whether governmental or corporate, is a likely target. Complete security is impossible, but leaders must remain ever vigilant and employ all available means to defend against the threats. Consequently, cybersecurity is a C-suite, senior management issue, and must be incorporated into strategic planning with risk mitigation explicitly addressed as well as routinely reviewed and updated.
Government and industry must enhance their collaboration in identifying, assessing, and responding to cyberthreats. The time for siloed approaches to defense and deterrence has passed. The Obama administration has been working with key members of Congress on legislation that would encourage greater information sharing on cyberthreats, in part by providing liability protection for firms that share sensitive information, which should form part of a multi-pronged response. Understandably, companies are hesitant to divulge or share information for fear of public exposure on the true extent of a cyberattack, so a means must be found to surmount this obstacle.
Finally, cybersecurity is too important to be left to technology or security specialists alone. Because cyberattacks can go through any portal or user, everyone—from CEOs to front-line workers—should be mindful of appropriate cybersecurity best practices and recognize the danger from breaches. In particular, corporate leaders must understand that cybersecurity is just as important as product development, earnings reports, and future growth plans. The spate of data breaches against high-profile U.S. entities has shown the reputational damage that can be inflicted by a cyberattack. Indeed, a company’s ability to successfully manage myriad cybersecurity risks could determine how well it is able to navigate and succeed—or flounder and stumble badly—in this new, more dangerous age.
iHS: http://bit.ly/1FVe2o8