Much criticism has been levied against those sounding the alarm about the cyber-threat level. Whether it is a report
that more than 26 million strains of malware were released in 2011or comments about cyber threats by Gen. Keith Alexander, the head of U.S. Cyber Command, skeptics are quick to dismiss the assertions claiming they are self serving.
In the past few months, high-level Obama administration officials along with leading experts from the cybersecurity industry have become increasingly vocal and tried to sound a cyber alarm. Most recently in an interview former counter-terrorism czar Richard Clark said, “I’m about to say something that people think is an exaggeration, but I think the evidence is pretty strong--every major company in the United States has already been penetrated by China.” Add to that the comments by FBI Director Robert Mueller that cyber threats would surpass terrorism as the country’s top concern.
People with a security clearance and a need to know have insights based on information that is not public. The Washington Post in 2011 reported that more than 4.2 million people have security clearances for access to classified information. Many of these individuals have provided their insight to Congress, and there are multiple pieces of regulations working through the legislative process that address this threat.
Many of those who criticize those sounding the alarm are quick to dismiss the need for regulations. They often say, “Show me the intelligence, so I can see if the warnings are justified." While I agree some things do not need to be restricted or classified, there are reasons much of this information is classified and not publicly available. The threat is real, and the clock is ticking. We need to accelerate our risk mitigation efforts.
Posted on Apr 05, 2012 at 12:54 PM0 comments
Cyberattacks and the availability of malware are on the rise. The code and processes used to carry out these acts of cyber aggression are professionally developed and sold on the black market. The developmental transition really began in 2003 and has continued to progress to the point where quality assurance comments have been found in some of the raw code used to create this new class of weapons.
Many fear the notion of a cyber Cold War or cyber arms race, but not for the reason you might think. They envision it will bring more government involvement, regulations, data observation and collection, and loss of privacy, and also an overall risk to Internet freedom. Growth in data theft, digital identity theft, malware and other methods of attack continue to become more sophisticated and more successful. The fact is criminals, terrorists and rogue nation states are attacking computers and devices that connect to the Internet at an unprecedented rate. Recent reports that the Defense Department has accelerated its efforts to develop offensive cyber capabilities (i.e., cyber arms), which could be used to disrupt or dismantle hostile military networks in countries where U.S. forces are operating, have fueled rhetoric of a new Cold War and a cyber arms race.
Those who are involved in cybersecurity know the cyber arms race didn't just begin. Many believe it started with the first state sponsored cyberattack and that is said to have taken place in the late 1980s. What changed is that the threat imposed by cyber weapons development increased by more than 600 percent from 2010 to 2011, rising from a low level to a high level, according to Technolytics' 2012 Cyber SitRep. In addition, the topic gained much wider media coverage and also received more attention as the result of an increase in the disclosure of successful cyberattacks.
Posted on Mar 29, 2012 at 9:03 AM0 comments
In mid-March I spoke at the 2012 Mid-Atlantic Collegiate Cyber Defense Competition (CCDC) held on the 400 acre campus of Johns Hopkins University Applied Physics Lab in Laurel, Md. I can’t remember when I enjoyed speaking at a conference so much.The competition pitted collegiate defenders against would-be attackers and focused on the operational aspects of managing and protecting computer systems. This year’s scenario was cast in a health care setting.
About 25 colleges competed to qualify with schools from Delaware, Maryland, Virginia, Washington, D.C., North Carolina and West Virginia. Winners moved on to the face-to-face regional finals that took place in mid-March. The event drew close to 1,000 participants and guests with twenty-plus sponsors from private industry and government organizations such as the Homeland Security Department and National Science Foundation. Towson University won the regional competition and will now proceed to the national competition. This year’s National CCDC will be held April 20-22 at the St. Anthony Hotel in San Antonio, Texas.
The CCDC competitions were created to provide educational institutions with computer security and related curriculum an objective, competitive environment that places students in a real-world scenario to assess the student's understanding and operational competency in managing the challenges inherent in cybersecurity. During the event the student defenders must respond to a volunteer red team acting as the external threat. This challenges the students’ defensive skills in a dynamic setting against live opponents. These competitions are great educational experiences for all involved and rewarding experiences for guests and sponsors alike. After all, these students are our future cyber defenders.
Posted on Mar 22, 2012 at 12:54 PM0 comments
I recently participated in a briefing where some troubling metrics were disclosed. It seems we are not getting a clear picture of the number of cyberattacks and breaches that are occurring even though these malicious actions have been uncovered.
During that briefing, one survey was mentioned that reportedly found that about 10 percent of those responding claimed to report breaches and losses only when legally required to do so. The survey also showed that approximately 60 percent of organizations pick which breaches to report.
The observation is supported by another data point that came out in the briefing, which is that e-mail messages leaked by insiders show that a number of companies have chosen not to publicize breaches that occurred as far back as 2010. Based on these metrics and this information, it is clear we are only seeing the tip of the cyber iceberg. Our cyber intelligence is at best incomplete, and the worst case scenario is that it misleads us about the magnitude of the problem.
Cyberattacks, cyber espionage and cyber breaches now dominate the threat environment of businesses, government organizations, the military and individuals. These threats continue to evolve at a rapid pace and have now become the greatest threats to our national security. We have failed across the board. Organizations have not adopted a proactive approach to cybersecurity and managing data breaches. Some expect the government to pick up the tab -- they have asked for incentives -- for securing their systems.
A recently released report authored by from Carnegie Mellon University's CyLab found that boards and senior management still are not exercising appropriate governance over the privacy and security of their digital assets.
Cyberattacks on computer systems and associated devices are a foreseeable risk. I can think of a great incentive: those who do not take appropriate actions to protect the systems that make up our critical infrastructure will face claims of negligence.
Posted on Mar 15, 2012 at 2:46 PM0 comments