It would be nearly impossible to dispute the fact that there are differing opinions as to the current cyber threat level. Some say it is overblown, while others express deep concern and warn that we are not ready.
Now add the question of the likelihood of a successful cyber attack that disrupts or destroys our nation’s critical infrastructure and you will get a glimpse of the distribution of opinions on this subject. So who’s right and who’s wrong? That is the question that commonly arises, but there is a much better question that should be asked.
Why is there such a difference in opinion? I asked that question and received the response that I had expected.
The answer to that question deals with access to cyber threat intelligence—much of which is classified. For those of you with security clearances you know that classified intelligence is protected so that our sources and methods of intelligence collection are not compromised. There are those out there who say “classified” is just an excuse to cover-up the lack of credible information or to justify made up information to suit the government’s specific purposes.
I asked an individual who had a very high-level security clearance but is no longer cleared to reflect on this. He responded without hesitation: “There is no way anyone without access to classified threat intelligence can appreciate the real level of threat.”
After about five minutes of conversation about this he expressed his concern about the continuous balancing that must take place. He went on to say it is conceivable that cyber attacks may or have already taken place and we could not alert the targets due to the classified nature of the intelligence.
This led me to ask at what point does our classifying threat intelligence put us at greater risk, and how do we deal with that issue? There was no answer, but you know what, we had better come up with one. That is hot a hypothetical situation; it is one we face today.
Posted on Apr 19, 2013 at 9:30 AM0 comments
It is no secret that to defend our critical infrastructure from the threats emanating from cyberspace requires cyber intelligence. Malicious cyber actors with a plethora of motivations launch cyberattacks continuously. Many individuals and organizations do not realize that in 2012 on average there were more than 50 new strains of malware released every minute. Detecting this malware, creating a detection signature, developing new rules for our firewalls or adapting our intrusion detection sensors are reactive in nature.
Cyber intelligence is what allows our reactive posture to be changed and moved to a much more proactive approach. However, the current way our intelligence community is structured and our predisposition to put intelligence into compartments could actually hinder our efforts to defend the cyber domain. There is a growing understanding that physical aspects of intelligence collections are directly applicable to the intelligence that supports operations in the cyber domain.
“Cyber Intelligence is the stratum that ties legacy approaches used for threats in the physical domain to the threats in the ethereal. Industries and Governments require key information at their fingertips to make critical decisions, cyber intelligence provides that ability for decision makers,” said Richard Moore, a financial industry security professional.
As those on Capitol Hill work on the Cyber Intelligence Sharing and Protection Act, (CISPA) the clock continues to tick and we see more malware released, more attacks on our critical infrastructure and theft of intellectual property that impacts our economy and national security. Whatever gets passed won’t be perfect and with the pace of change in the cyber environment it will become inadequate quickly, but it is a critical step that we need to take. We need lawmakers to get it done now before another successful cyberattack.
Posted on Apr 11, 2013 at 7:16 AM0 comments
The threats of cyberattacks on our systems are recognized as a risk. Some publically traded organizations even list this as a risk in documents with financial projections and earning information. That would lead one to believe that cyberattacks are a foreseeable risk and as such must be addressed.
What about those that do not address these threats? Are there consequences and if so how severe are they? Until now most of the consequences have come mostly in the form of public condemnation, negative publicity, negative reactions and a few have come in the form of fines.
In a recent cyberattack scenario planning exercise the consequences changed. Earlier this year, the CEO of security company Top Patch was quoted on the CNN Money website as saying, "nation-state attackers will target critical infrastructure networks such as power grids at unprecedented scale in 2013," and went on to say, "these types of attacks could grow more sophisticated, and the slippery slope could lead to the loss of human life."
That became the construct for the cyberattack scenario, where a cyberattack targeted a critical infrastructure component that was owned and operated by a for-profit business. The attack resulted in the death of one or more individuals. An investigation was launched and it was determined that the cybersecurity in place to protect the critical infrastructure systems that were compromised was far from what would be considered usual and customary within that peer group.
It would be reasonable to predict that once the investigation’s findings got out, civil litigation would follow. What about criminal charges? Could the CIO and/or chief information security officer (CISO) be charged with negligence when a cyberattack resulted in death or deaths?
There are a substantial number of conversations about the threats our systems face from cyberattacks taking place at the CIO and CISO levels. Given this possibility, the topic will be high up on that list, if not at the very top.
An article about the recent South Carolina Department of Revenue breach of personal and financial information was brought to my attention and said to be very relevant. It is. Given the current cyber threat environment and the continued breaches and theft of sensitive data, it is easy to see how the CIO and CISO could be held accountable, especially if a cyberattack results in a death or deaths.
Posted on Apr 04, 2013 at 4:41 PM0 comments
Today there is a far greater and more accurate cyber space threat awareness than ever before. In addition to this critical aspect, we now receive regular reports of threat, attacks and breaches, many of which are in near-real time.
A 2012 report by cyber security provider McAfee stated nearly one in five U.S. PCs are unprotected. In another report it indicated that one recent breach was said to have exposed the account information and passwords of 50 million users. These pieces of information spawned a heated discussion that centered on why businesses and individuals are ignoring all the warnings coming from cyber security professionals and government officials about this growing threat.
So, why is that?
Some say the continuous bombardment we are all getting about this topic has desensitized many to the threat. Others point to the lack of understanding by non-technical executives and common users as the core issue. Cynics say the threat is overstated and this is nothing more than part of a government plan to take control of the Internet and invade further into businesses and the personal lives of U.S. citizens.
On the other side of this issue, one cyber security professional said it is an inconvenient truth that there are no easy or cheap answers to the problem and therefore it is being ignored. Still others in the critical infrastructure segment feel they are not on the hook to address this national security threat because it is the government’s responsibility.
What good are these warning when they are ignored and many basic cyber security practices are not implemented or followed? This has led to calls for a minimal cyber security standard for all equipment/devices connected to the Internet. Is that what awaits all of us?
Posted on Mar 29, 2013 at 6:06 AM0 comments