The electronic spying controversy has captured the news media and the attention of lawmakers in Washington, as well as much of the American public. The polarization on this topic is clearly evident just listening to the coverage on five of the major TV networks: NBC, ABC, CNN, CBS and FOX. Surprisingly, support for this program is not split along party lines.
What is not very surprising to many who are, or have been, involved in the intelligence community is the change in President Barack Obama’s opinion and attitude from earlier in his political career. I once heard a story that when a senior government official was first briefed on the current state of the threat, he stopped the briefing halfway through and dropped his head in his hands.
Just imagine what the cyber threat environment looks like from the top (NSA Director Gen. Keith Alexander or President Obama), compared to the mental picture of that environment the general public currently has.
There has to be some degree of trust by the American public. That being said, trust is earned—not freely given. Gaining, or as some would say regaining, that trust must be a priority for the administration and the intelligence community. And, as we’ve seen over the last week, that job just got a lot tougher.
What is likely to be the biggest leak of classified information in history will have far-reaching implications, of which most will not be evident or known to the public. It is a huge blow to the security of the nation.
However, the damage does not stop there. America’s allies are watching this very closely and wondering whether they, too, will be damaged by the fallout. They have to ask: how safe is the intelligence they collect and provide to the U.S., in light of what has just taken place?
Posted on Jun 14, 2013 at 4:34 AM
Cyber breaches have become all too common, and there is a growing belief that they are inevitable. I’m sure we have all read about the material impact of these events, but there is another set of implications that has not been covered.
Few people would dispute the monetary impact that a cyber breach has on the organization experiencing the event. Numbers are thrown about that suggest the financial impact of a breach is between $2,000 and $2,500 per record. While much attention has been given to that aspect of the crime, far less attention has been paid to the hidden impact.
In examining a few incidents that I have worked on, there is also an emotional impact on individuals. For example, think of the user who receives a phishing email, falls for it and clicks on the link. That individual becomes ground zero for the cyber attack: their computer is infected, and the malicious code spreads through emails sent to colleagues, business partners and friends.
FACT: In 2013, Radicati Group estimates there will be over 900 million corporate email accounts. That is a target rich environment to be sure. (Think of all the information in corporate emails.)
Once the incident is detected, the e-forensics work begins and eventually a computer is identified as ground zero. The individual assigned to that computer is immediately on edge and may feel that their personal space has been violated. They wonder: did I do something wrong, or will I be fired over this? In some cases word gets out that the malware originated from their online actions. Practical jokes, name calling and ridicule are all too common.
Now consider the IT security department if the systems they protect are compromised and the organization experiences loss of customers, possibly fines and penalties, as well as the cost of repairs and credit monitoring. Those individuals feel a sense of defeat; a cyber adversary has beaten them. Many also wonder if they will be fired.
The implications of a breach go far beyond what we commonly see in the headlines. The true cost must be taken into consideration when assessing the proper level of security for these systems.
Posted on Jun 05, 2013 at 2:46 PM
One of the most frequent questions I receive as a result of my blog postings deals with how to properly assess cyber security within the context of the cyber threat environment. The biggest misconception out there deals with penetration testing.
“Pen-testing” is not the first step. It plays a critical part in the overall cyber security program, but cyber security assessments must be far more robust.
When this question is asked, I recommend the ISO 27000 series (http://www.27000.org/), and I also include ISO 28000 as the foundation upon which to assess an organization’s current defensive cyber posture. These standards were created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and are updated regularly.
Naturally, we have added a few things to the 27000 and 28000 standards. It is amazing how many people have heard of the quality standard ISO 9000, but have not heard about the ISO security series of standards.
This ISO set of standards addresses information security management from multiple perspectives. Using these standards, cyber security evaluators can ask a series of questions and determine the current cyber security measures that an organization has put in place. The answer to each assessment question is recorded and given a rating of 1 (low/incomplete) to 5 (high/complete), and a graphical scorecard is created that illustrates the results.
As the assessment is repeated on an annual or semi-annual basis, the previous score for each area is shown and contrasted with the current score. This allows quick interpretation of changes, both positive and negative, in the organization’s security posture.
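The scoring and year-over-year comparison described above, as an added example (not the author's assessment tool): each answer is rated 1 to 5, ratings are averaged per control area, and the previous scorecard is contrasted with the current one so regressions stand out. The control areas, questions and ratings are constructed sample data, and out-of-range ratings are rejected rather than silently counted.

```python
"""Scorecard for a questionnaire-based assessment rated 1 (low/incomplete)
to 5 (high/complete). Constructed example; areas and ratings are made up."""
from collections import defaultdict

RATING_MIN, RATING_MAX = 1, 5


def area_scores(answers):
    """Average the 1-5 ratings per control area. Rejects out-of-range
    ratings so a typo cannot inflate or deflate a score silently."""
    totals = defaultdict(list)
    for area, _question, rating in answers:
        if not RATING_MIN <= rating <= RATING_MAX:
            raise ValueError(f"rating {rating!r} for {area!r} outside {RATING_MIN}-{RATING_MAX}")
        totals[area].append(rating)
    return {area: round(sum(r) / len(r), 2) for area, r in totals.items()}


def compare(previous, current):
    """Contrast each area's previous and current score. An area missing from
    one assessment gets a delta of None rather than being assumed unchanged."""
    rows = []
    for area in sorted(set(previous) | set(current)):
        old, new = previous.get(area), current.get(area)
        delta = None if old is None or new is None else round(new - old, 2)
        rows.append((area, old, new, delta))
    return rows


def regressions(rows):
    """Areas whose score dropped since the last assessment."""
    return [area for area, _old, _new, delta in rows if delta is not None and delta < 0]


# Constructed sample answers: (control area, question, rating)
PREVIOUS = [
    ("Access control", "Are privileged accounts reviewed quarterly?", 2),
    ("Access control", "Is MFA enforced for remote access?", 3),
    ("Incident management", "Is there a tested incident response plan?", 4),
    ("Supplier relationships", "Are supplier security requirements contractual?", 2),
]
CURRENT = [
    ("Access control", "Are privileged accounts reviewed quarterly?", 4),
    ("Access control", "Is MFA enforced for remote access?", 4),
    ("Incident management", "Is there a tested incident response plan?", 3),
    ("Asset management", "Is there an inventory of information assets?", 2),
]

if __name__ == "__main__":
    rows = compare(area_scores(PREVIOUS), area_scores(CURRENT))
    for area, old, new, delta in rows:
        print(f"{area:24} {old!s:>5} -> {new!s:>5}  change: {delta}")
    print("regressed:", regressions(rows))
```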
While a perfect cyber security assessment does not exist, using the internationally recognized ISO set of standards provides a solid foundation upon which organizations can build. Many organizations start with a scaled-down version of the standards because of how poorly many score when measured against the complete standard.
It is worth your time to look at ISO 27000, and to keep in mind that there is a big difference between compliance requirements and security standards like those issued by ISO.
Posted on May 28, 2013 at 12:55 PM
Last month, the Pell Center for International Relations and Public Policy at Salve Regina University, Newport, RI, released the results of a study that raised the eyebrows of senior individuals in the U.S. military and government. The study, entitled, “One Leader at a Time: The Failure to Educate Future Leaders for an Age of Persistent Cyber Threat,” says it all.
The national security implications of attacks in the cyber domain demand this be addressed immediately. You would think that since government officials have called cyber security “one of the most serious economic and national security challenges we face” that we would not be facing a leadership shortage. However, the problem does not stop there.
A respected individual from the U.S. intelligence community stated “there are about 1,000 security people in the U.S. who have the specialized security skills to operate effectively in cyber space. We need 10,000 to 30,000.”
In March 2013 the Wall Street Journal ran a blog headlined “demand-for-cyber-security-jobs-is-soaring” that reported the demand for cyber security professionals continues to grow at a rate 12 times that of the general job market.
The shortage of leaders and skilled cyber security practitioners is placing our nation at risk. Here is an idea: why not launch a re-skilling program for the veterans returning from Iraq and Afghanistan and give them the cyber skills these roles require? They already have background skills and military/intelligence experience that would be very valuable. Some are already cleared, and they understand the military and the hardware it uses, so they are not starting from scratch.
This is not a new idea; it has been talked about. But talk is cheap. It is time for action. With every passing day that this issue goes unaddressed, the risks to our businesses, critical infrastructure and national security increase.
Posted on May 17, 2013 at 2:46 PM