Digital Conflict blog


By Kevin Coleman


Cybersecurity requires robust intelligence

It is no secret that defending our critical infrastructure from the threats emanating from cyberspace requires cyber intelligence. Malicious cyber actors with a plethora of motivations launch cyberattacks continuously. Many individuals and organizations do not realize that in 2012, on average, more than 50 new strains of malware were released every minute. Detecting this malware, creating a detection signature, developing new rules for our firewalls and adapting our intrusion detection sensors are all reactive in nature.

Cyber intelligence is what allows us to move from a reactive posture to a much more proactive approach. However, the current way our intelligence community is structured and our predisposition to put intelligence into compartments could actually hinder our efforts to defend the cyber domain. There is a growing understanding that physical aspects of intelligence collection are directly applicable to the intelligence that supports operations in the cyber domain.

“Cyber Intelligence is the stratum that ties legacy approaches used for threats in the physical domain to the threats in the ethereal. Industries and Governments require key information at their fingertips to make critical decisions; cyber intelligence provides that ability for decision makers,” said Richard Moore, a financial industry security professional.

As those on Capitol Hill work on the Cyber Intelligence Sharing and Protection Act (CISPA), the clock continues to tick and we see more malware released, more attacks on our critical infrastructure and more theft of intellectual property that impacts our economy and national security. Whatever gets passed won’t be perfect, and with the pace of change in the cyber environment it will become inadequate quickly, but it is a critical step that we need to take. We need lawmakers to get it done now, before another successful cyberattack.

Posted on Apr 11, 2013 at 12:55 PM


Could cyberattack result in criminal charges?

The threat of cyberattacks on our systems is recognized as a risk. Some publicly traded organizations even list it as a risk in documents with financial projections and earnings information. That would lead one to believe that cyberattacks are a foreseeable risk and as such must be addressed.

What about those that do not address these threats? Are there consequences, and if so, how severe are they? Until now the consequences have come mostly in the form of public condemnation, negative publicity and negative reactions, and a few have come in the form of fines.

In a recent cyberattack scenario planning exercise the consequences changed. Earlier this year, the CEO of security company Top Patch was quoted on the CNN Money website as saying, "nation-state attackers will target critical infrastructure networks such as power grids at unprecedented scale in 2013," and went on to say, "these types of attacks could grow more sophisticated, and the slippery slope could lead to the loss of human life."

That became the construct for the cyberattack scenario, where a cyberattack targeted a critical infrastructure component that was owned and operated by a for-profit business. The attack resulted in the death of one or more individuals. An investigation was launched and it was determined that the cybersecurity in place to protect the critical infrastructure systems that were compromised was far from what would be considered usual and customary within that peer group.

It would be reasonable to predict that once the investigation’s findings got out, civil litigation would follow. What about criminal charges? Could the CIO and/or chief information security officer (CISO) be charged with negligence when a cyberattack resulted in death or deaths?

There are a substantial number of conversations about the threats our systems face from cyberattacks taking place at the CIO and CISO levels. Given this possibility, the topic will be high up on that list, if not at the very top.

An article about the recent South Carolina Department of Revenue breach of personal and financial information was brought to my attention and said to be very relevant. It is. Given the current cyber threat environment and the continued breaches and theft of sensitive data, it is easy to see how the CIO and CISO could be held accountable, especially if a cyberattack results in a death or deaths.

Posted on Apr 04, 2013 at 2:04 PM


Ignoring the Warnings

Today there is far greater and more accurate cyberspace threat awareness than ever before. In addition to this critical aspect, we now receive regular reports of threats, attacks and breaches, many of which arrive in near-real time.

A 2012 report by cyber security provider McAfee stated that nearly one in five U.S. PCs are unprotected. Another report indicated that one recent breach was said to have exposed the account information and passwords of 50 million users. These pieces of information spawned a heated discussion that centered on why businesses and individuals are ignoring all the warnings coming from cyber security professionals and government officials about this growing threat.

So, why is that?

Some say the continuous bombardment we are all getting about this topic has desensitized many to the threat. Others point to the lack of understanding by non-technical executives and common users as the core issue. Cynics say the threat is overstated and this is nothing more than part of a government plan to take control of the Internet and invade further into businesses and the personal lives of U.S. citizens.

On the other side of this issue, one cyber security professional said it is an inconvenient truth that there are no easy or cheap answers to the problem and therefore it is being ignored. Still others in the critical infrastructure segment feel they are not on the hook to address this national security threat because it is the government’s responsibility.

What good are these warnings when they are ignored and many basic cyber security practices are not implemented or followed? This has led to calls for a minimal cyber security standard for all equipment/devices connected to the Internet. Is that what awaits all of us?

Posted on Mar 29, 2013 at 12:55 PM


Pace of cyber attack demands faster reactions

The term “cyber war” has seen an increase in use as of late. This is primarily due to all the media coverage given to recently discovered and disclosed acts of cyber espionage against the United States and others.

It would be very difficult for those who are not security cleared and actively involved in the classified cyber threat intelligence side to really wrap their arms around some of the critical characteristics of this threat and how it continues to grow virtually unchecked. What has become all too evident is that we should not, and, more importantly, cannot address this threat the way in which we are going about it. That is not just my opinion; I checked with other cleared individuals working in this area and they expressed similar opinions.

For example, look at the Cyber Intelligence Sharing and Protection Act (CISPA). What most people, even those who work in cyber security, do not realize is that CISPA was first introduced back on November 30, 2011. Just consider all the reported cyber attacks since that time. Since then we have had more than 27 million new strains of malware, some exploiting previously unseen vulnerabilities and others using new non-technical methods of attack. Now consider all the new or updated technology that is out there that could be used as a tool in prosecuting a cyber war.

What is all too evident is that the pace with which this threat is evolving demands a different approach. Near-real-time cyber threat intelligence is what is needed. Waiting 18 months or more to get that ability to share cyber threat data is not even close to where we need to be in this environment. Our mental models must be updated and include the condensed timeframes necessary in the cyber domain.

Posted on Mar 21, 2013 at 12:00 AM

