Thursday, April 7, 2016

America's Cyber Offensive

The Department of Defense took an intriguing step in the field of cyber warfare.  Earlier in the week, Defense Secretary Ash Carter made some overtures toward transforming U.S. CYBERCOM from a sub-unified command under U.S. Strategic Command into a full combatant command (Tucker, 2016).  This perhaps signifies a dramatic shift in how America’s political and military leaders view the cyberspace domain.  Carter said this evolving outlook reflects CYBERCOM’s emerging role in the fight against ISIS.  Given the terrorist organization’s sophisticated use of social media and encrypted communication networks, moving CYBERCOM to the digital front lines seems to be the next logical step.

Recognizing this progression also expands CYBERCOM’s larger role in defending the United States against a host of other digital adversaries.  From nation states to organized criminal syndicates, the US has long endured an onslaught of cyberattacks against its critical infrastructure.  To illustrate the point, this week the Department of Homeland Security (DHS) released details on an attack against the American power grid back in January.  The attack resulted in the exfiltration of sensitive information from American energy companies along with the planting of Cryptolocker ransomware on networks belonging to three different utility companies (Pagliery, 2016).  Ransomware of this kind can lock digital files, which could in turn disable portions of the electrical grid.  Although DHS described the incident as “espionage” rather than a “cyberattack”, the organization also reported that “aggressive foreign government hackers broke into American companies 17 times between October 1, 2013 and September 30, 2014.”

Whether the intent of these intrusions was espionage, theft, or even curiosity, the most important part of this story is that our infrastructure remains woefully at risk.  In light of this newest revelation from DHS, it only makes sense to develop CYBERCOM’s role into a more offensive asset.

References
Pagliery, J. (2016). Government reveals details about energy grid hacks. WCVB.com. Retrieved from http://www.wcvb.com/money/government-reveals-details-about-energy-grid-hacks/38877110

Tucker, P. (2016). Carter may elevate CYBERCOM to full combatant command. Defense One. Retrieved from http://www.defenseone.com/technology/2016/04/carter-may-elevate-cybercom-full-combatant-command/127243/



Friday, March 18, 2016

Cybersecurity Investment Forecast

In a blog post I published a couple of months ago, I mused about the usefulness of prognostications in the field of cybersecurity.  These sometimes less than educated speculations are often obvious pieces of data regurgitated from other reports, or even findings from previous years.  The one aspect of this process I do find useful, however, is the financial component.  Cybersecurity experts may find fault with the generic threat lists for the upcoming year; however, decision-makers often use these reports to direct their ever-increasing IT and IS budgets.

A 2014 PricewaterhouseCoopers survey found that 69% of executives expressed “concern about cyber threats.”  This number increased to 86% in the 2015 survey (Meola, 2016).  What these figures indicate is that cybersecurity and its associated expenditures are not going away anytime soon.  One of the highlights of Meola’s article was an infographic illustrating the main drivers of cyber spending.


Meola also introduced two interesting, albeit very expensive ($495) reports from the publication, Business Insider.  Highlights from The IoT Security Report and The Cyber Insurance Report include:
* Research has repeatedly shown that many IoT device manufacturers and service providers are failing to implement common security measures in their products.

* Hackers could exploit these new devices to conduct data breaches, corporate or government espionage, and damage critical infrastructure like electrical grids.

* Investment in securing IoT devices will increase five-fold over the next five years as adoption of these devices picks up.

* Traditional IT security practices like network monitoring and segmentation will become even more critical as businesses and governments deploy IoT devices.

* Cyber insurance plans cover a variety of costs related to cyber attacks, including revenue lost from downtime, notifying customers impacted by a data breach, and providing identity theft protection for such customers.

* Annual cyber insurance premiums will more than double over the next four years, growing from to ~$8 billion in 2020.

* However, many insurance companies have been hesitant to offer cyber insurance because of the high frequency of cyber attacks and their steep costs. For example, Target’s notorious data breach cost the company more than $260 million.

* Insurers also don’t have enough historical data about cyber attacks to help them fully understand their risks and exposures.

* There are large underserved markets with very low cyber insurance adoption rates such as the manufacturing sector, where less than 5% of businesses have cyber insurance coverage.

What the infographic and these two reports demonstrate is that cyber threats, both perceived and actual, are on the rise.  Perhaps more importantly, the budgets associated with mitigating or transferring the risk from these vulnerabilities are on a similar trajectory.

References
Meola, A. (2016). This one chart explains why cybersecurity is so important. Business Insider. Retrieved from http://www.businessinsider.com/cybersecurity-report-threats-and-opportunities-2016-3

Friday, February 12, 2016

U.S. Cybersecurity Sucks

Given an ever-increasing number of cyberattacks and a seemingly inexhaustible budget, the American public would think its government is doing a better job at cybersecurity.  Spoiler alert: it is not.  A recent article by Arik Hesseldahl (2016) shows that the billions of dollars thrown at this problem have had limited effect in stemming the tide of cybercrime.

“A $6 billion security system intended to keep hackers out of computers belonging to federal agencies isn't living up to expectations, an audit by the Government Accountability Office has found.

A public version of the secret audit — a secret version containing more sensitive findings was circulated to government agencies in November — released last week concerns the Einstein system, formally called the National Cybersecurity Protection System and operated by the U.S. Department of Homeland Security.

The GAO found that the system has limited capability to detect anomalies in network traffic that sometimes indicate attempts to attack a network. What it can do is scan for and detect attacks based on a list of known methods or signatures. Most of the signatures used to scan for the attacks are available in commercial-grade products, though a few were developed specially for the government.

The system relies only on signatures and doesn't use more complex methods for detecting attacks. It doesn't analyze anomalies or odd patterns in network traffic that might indicate an attack. Analyzing anomalies can sometimes be useful in detecting attacks using "zero-day" vulnerabilities, so called because they rely on weaknesses in systems that are completely unknown, giving defenders "zero days" to figure out how to head them off.

"By employing only signature-based intrusion detection, NCPS is unable to detect intrusions for which it does not have a valid or active signature deployed. This limits the overall effectiveness of the program," the report reads. A security system that relies on signatures is only as good as the list of signatures used.

Additionally, the system was properly deployed at only five of the 23 non-military government agencies for which it was intended. And only one agency had deployed it to scan for possible attacks in email, a common vector for attacks.

The stinging report provides a reminder of just how bad government agencies have been in protecting their computers and the sensitive data on them. Last year the federal Office of Personnel Management, the government's human resources branch, disclosed a data breach that revealed information on some 22 million people who had worked for the government. The information stolen dated back decades, and included fingerprint data on nearly six million people. Private sector researchers later traced the hack to a group based in China.

It's also the latest proof that government agencies suck at securing their systems. The main reason for this is that agencies check off a list of vague requirements created by lawmakers and regulatory agencies when putting security in place. But they tend not to account for the risk that the requirements aren't sufficient.

None of this is exactly news in government circles. A study by the security firm Veracode last year found that after discovering security flaws in the software they use, government agencies fixed them by applying patches only 27 percent of the time versus 81 percent for private companies. Why? Because no specific laws or regulations require it.”
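To make the GAO’s distinction concrete, here is an added example of my own (not code from the article or from the NCPS): a signature-only check and a simple per-host anomaly baseline run over the same constructed log lines. The signature list catches only the line it already knows; the large transfer on the last line matches no signature and is caught only by the anomaly score.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log lines for this example (not data from the GAO report).
SAMPLE_LOG = """\
2016-02-01T09:00:01 host=ws-12 dst=10.0.0.5 bytes=1200 path=/index.html
2016-02-01T09:00:07 host=ws-12 dst=10.0.0.5 bytes=900 path=/news
2016-02-01T09:01:03 host=ws-12 dst=10.0.0.5 bytes=1500 path=/about
2016-02-01T09:02:10 host=ws-12 dst=10.0.0.5 bytes=1100 path=/contact
2016-02-01T09:02:44 host=ws-12 dst=10.0.0.5 bytes=1300 path=/index.html
2016-02-01T09:03:30 host=ws-12 dst=10.0.0.5 bytes=1000 path=/cgi-bin/known_bad.cgi
2016-02-01T09:04:12 host=ws-12 dst=203.0.113.9 bytes=48000000 path=/upload
"""

# The signature list is all a signature-only system can match.
# This pattern is constructed for the example, not a real IDS rule.
SIGNATURES = {"KNOWN-BAD-CGI": re.compile(r"path=/cgi-bin/known_bad\.cgi")}

FIELDS = re.compile(r"host=(\S+) dst=(\S+) bytes=(\d+)")


def signature_alerts(log):
    """(line number, signature name) for every line a deployed signature matches."""
    return [(n, name) for n, line in enumerate(log.splitlines(), 1)
            for name, rx in SIGNATURES.items() if rx.search(line)]


def anomaly_alerts(log, threshold=3.0):
    """(line number, score) for lines whose outbound byte count sits more than
    `threshold` median absolute deviations above that host's median.
    A robust median/MAD baseline keeps one huge transfer from masking itself."""
    rows, per_host = [], defaultdict(list)
    for n, line in enumerate(log.splitlines(), 1):
        m = FIELDS.search(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        host, size = m.group(1), int(m.group(3))
        rows.append((n, host, size))
        per_host[host].append(size)
    baseline = {}
    for host, sizes in per_host.items():
        med = statistics.median(sizes)
        mad = statistics.median(abs(s - med) for s in sizes) or 1.0  # avoid /0
        baseline[host] = (med, mad)
    scored = [(n, (size - baseline[host][0]) / baseline[host][1]) for n, host, size in rows]
    return [(n, score) for n, score in scored if score > threshold]


if __name__ == "__main__":
    print("signature hits:", signature_alerts(SAMPLE_LOG))  # only line 6
    print("anomaly hits:", anomaly_alerts(SAMPLE_LOG))      # only line 7
```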

References
Hesseldahl, A. (2016). Federal government confirms that it still sucks at cyber security. CNBC. Retrieved from http://www.cnbc.com/2016/02/01/federal-government-confirms-that-it-still-sucks-at-cyber-security.html

Tuesday, January 5, 2016

2016 Cybersecurity Predictions

The start of a new year always holds the promise for emerging trends, technologies and threats in the field of cybersecurity.  One of my favorite traditions when it comes to this arena is reading the commonplace and sometimes absurd predictions that “experts” will prognosticate for the upcoming 12 months.  Jon Oltsik from Network World (2016) had some fairly timely and (in my opinion) likely options for 2016. 

“Mergers and acquisitions.  Okay, this one is somewhat obvious but allow me to add my own spin.  M&A activities will be robust with numerous big deals taking place before the RSA Security Conference at the end of February.  That said, many areas of cybersecurity are actually over-invested right now (i.e. CASB, next-generation endpoint security, etc.).  Once the first few deals happen, I foresee an industry panic where Johnny-come-lately VCs get cold feet and start fire selling.  As this happens, patient cybersecurity companies will be rewarded with cybersecurity technology startup acquisitions at relative bargain basement prices. 

The Beltway crowd jumps into the commercial market.  Federal contractors like Booz Allen Hamilton, CACI International, CSC, L-3, Lockheed Martin, and Northrop Grumman have strong cybersecurity skills and assets but little penetration into the commercial market.  Look for one or several of these federal integrators to follow Raytheon’s lead by establishing commercial cybersecurity divisions, hiring management teams with vast private sector experience, and acquiring companies with strong commercial cybersecurity market share.

Growing trusted systems offerings.  Technologies like the Trusted Platform Module (TPM) and Intel’s Trusted Execution Technology (TXT) have been around for years but few software developers have taken advantage of this system-level security functionality.  I believe we will see things start to change in 2016 as enterprises look to enhance mission-critical system integrity.  Oracle and VMware will join the trusted systems fray while phones will ring off the hook at focused players like Skyport Systems and Virtual Software Systems (VSS).

Cybersecurity technology vendors will open their own kimonos.  Driven by new types of threats, CISOs will continue to increase oversight of IT vendor risk management in 2016.  This will cause a reaction on the supply side as leading vendors trumpet their own internal cyber supply chain management and secure software development best practices as a way of differentiating themselves from more lackadaisical competitors.  Microsoft’s secure software development lifecycle (SDL) is a good example here; look for lots of others to emulate this type of model.”

Given past trends and predicted threats, these all seem likely to come to fruition.  As I searched for additional predictions on the future of my field, I came across an interesting article entitled Hocus-Pocus: The stupidity of cybersecurity predictions, from Computer World’s Ira Winkler (2016).  Winkler contends that all predictions are either a slight variation of one another, rehashed trends from last year’s DefCon, or, worse, a self-fulfilling prophecy.  That is, if enough reporters / politicians / security professionals say the power grid will be hacked, then eventually it will be.  Winkler does concede that occasionally the cybersecurity groundhogs can predict something correctly, as one analyst firm did prior to the end of the millennium when it envisioned a Y2K-related billion dollar theft.  Given the potential for jumping on this bandwagon, then, I will hazard my own safer prediction.  Technology will be exploited, and the world will need more people to stop it.

References
Oltsik, J. (2016). Cybersecurity industry predictions for 2016. Network World. Retrieved from http://www.networkworld.com/article/3019106/security/cybersecurity-industry-predictions-for-2016.html

Winkler, I. (2016). Hocus-Pocus! The stupidity of cybersecurity predictions. Computer World. Retrieved from http://www.computerworld.com/article/3019063/security/hocus-pocus-the-stupidity-of-cybersecurity-predictions.html