We live in a connected world, and the hard reality is that nearly all these connections are vulnerable to cyberattacks. For today’s business leaders, this means they not only need to worry about selling their products, but must also worry about nation-states stealing their products and rogue employees selling their data.
When issues of cybersecurity first emerged, they were greeted with a general air of disbelief. The following stage of wanting revenge against attackers was soon squashed by lack of law in the cyber domain. Then came attempts to bargain, and the inevitable feeling of defeat.
Now, it appears the business world has reached the last stage in this national progression of grief. They’ve accepted that cyberthreats are here to stay—and from this vantage point, things may finally start getting done.
Edward Guiliano, president of the New York Institute of Technology (NYIT), noted some of the recent cyberattacks. He said that the recent breach of marital affairs website Ashley Madison, in particular, “highlights a basic problem in cybersecurity.”
“People thought their data was safe on a website,” Guiliano said.
Guiliano and other experts gave a sobering picture of the threat landscape in cybersecurity, during the NYIT Cybersecurity Conference on Sept. 24 in New York.
They outlined the decrepit state of cybersecurity—where every device from computers to home printers is a vulnerability, where new connected devices hitting the market will surround us with spy sensors, and where security on these devices is terrible to the point of nonexistence.
Yet, there was also an understanding that in order to truly secure our own data, and critical networks that keep the country running, something needs to change.
According to Eric Goldstein, policy adviser to the Department of Homeland Security’s Office of Cybersecurity and Communications, the U.S. government is trying to work with businesses to address cyberattacks. This has taken the form of voluntary programs for sharing data so attacks can be stopped before causing too much harm.
“The government has information the private sector does not,” he said, noting that in 2014, the U.S. government sent out 97,000 incident reports and 12,000 actionable alerts to businesses, warning about attacks.
This raised another issue, of course. Businesses are facing data fatigue when faced with the scale and frequency of attacks. The numbers given by Goldstein suggest that last year, U.S. businesses received alerts on more than 250 threats every day.
Even with large numbers like these, Mark Hanny, vice president of IBM’s Global Alliance and Academic Initiative, pointed out that incidents of cybertheft are increasing about 25 percent each year.
In an interconnected world, where most of the basic infrastructure that keeps nations running is reliant on data and computers—from the financial market to military control systems—it’s becoming increasingly important to ensure the integrity of this data.
There is no such thing as complete security, according to Idan Edry, CTO at Israel-based energy company Nation-E. The Internet, he said, “is about comfort,” and this comfort comes with a price.
Cybersecurity is likewise moving beyond the idea that attacks can be prevented. According to Rob Evans, director of business development at Northrop Grumman, cybersecurity has moved into the new realm of “cyber resilience.”
The difference between cybersecurity and cyber resilience, he said, is an understanding that no system will ever be completely secure—and this is becoming the new starting point when addressing threats in cyberspace.
Cyber resilience is a growing topic. It’s based on the idea that traditional cyberdefenses aren’t enough to stop today’s threats. Instead, cyber resilience focuses on industries’ being able to service customers while fending off and reacting to cyberattacks.
Evans said that at Northrop Grumman, part of this strategy includes educating staff on not accidentally compromising company networks. As an example, he said the company occasionally sends out emails designed to look like phishing attacks, and keeps track of how many employees fall for it.
Phishing attacks are becoming a common tool in the hacker arsenal, mainly because they bypass a company’s security and go straight for the employees. The attacks often take the form of spoof emails, with infected files attached. If the victim opens the file, it infects their computer.
What’s embarrassing for governments and large companies is that many of these phishing attacks actually work. According to Angelos Keromytis, program manager at the Defense Advanced Research Projects Agency (DARPA), the Pentagon’s research and development branch, phishing attacks are now a favorite tool for nation-state hackers.
“We don’t have very sophisticated adversaries,” Keromytis said, noting this highlights the poor state of cybersecurity.
The basic reality is that—from the beginning—the Internet wasn’t built with security in mind.
Keromytis said this basic fact also means that we need to think differently about security when it comes to the Internet—and DARPA is currently working on a new form of cybersecurity that takes this into account.
The new focus, he said, is not to prevent hackers from accessing a system, but instead to ensure that hackers can’t do anything once they’re in.
Gregory Conti, director of the Army Cyber Institute at the U.S. Military Academy at West Point, noted that simply playing defense will always be a losing game.
“If an adversary want to get in—a persistent one,” said Conti, “sooner or later they’ll get in.”
Conti emphasized how serious this is, when it comes to the nature of modern technology. “Think about New York City, it’s a SCADA system that you live inside,” he said, referring to the control software that runs systems including water pumps, elevators, and traffic lights.
“If you think you’re secure,” he said, “you aren’t paranoid enough.”