The cyber threat landscape is changing rapidly. Organized crime, cybercrime syndicates for hire, and nation-state actors are motivated by substantial financial gain, intellectual property theft, and the threat of offensive actions.
Threats to critical infrastructure are real. Hackers and other cybercriminals are not only interested in ripping off banks; their targets range from banks and phone companies to water and sewerage providers, public transportation networks, and government institutions.
The tenth biggest threat to the stability of the world in the next ten years comes from the risk of cyber attacks, according to the World Economic Forum’s 10th edition of the Global Risks report, published in January. Failure of climate change adaptation, major water crises, and cyber attacks are all high risk and, worryingly, rate ahead of failure of critical infrastructure based on their likelihood and potential impact.
Not surprisingly, cyber security was a hot topic at this year’s World Economic Forum, the global gathering of CEOs, world leaders, and other power players in Davos, Switzerland. Attendees were warned that attacks on power plants, telecommunications, and financial systems—even turning traffic lights green—are the terrifying possibilities of modern cyber terrorism.
Jean-Paul Laborde, head of the UN’s counter-terrorism unit, highlighted increasing links between organized crime and extremist groups, such as ISIS, which he said were now combining to launch cyber attacks. Laborde called for an international legal framework to bring these criminals to justice.
With a host of well-publicized data breaches last year, including the Sony hack and the takeover of a U.S. military command’s Twitter and YouTube accounts by hackers supporting Islamic militants, it is clear that cyber attacks aren’t going away anytime soon. While there is a significant difference between a large data breach and the hacking of a Twitter account, which the Pentagon called an annoying prank that did not breach military networks or access classified data, both incidents are being taken seriously.
More collaboration from government and private enterprise
To be sure, governments are taking cyber security more seriously, kicking off 2015 with a round of announcements across the globe.
President Obama announced new cyber security legislative proposals and other cyber security efforts, asking Congress to pass new legislation to combat what he called “the evolving threat of cyber-attacks” while warning that the U.S. faces heightened risks if policymakers don’t act. Lawmakers have signaled that they plan to act on some version of new laws to defend against cyber attacks, but deliberations are still in the early stages.
Obama’s budget proposal for the 2016 fiscal year seeks $14 billion to pay for cyber-security efforts across the government. Among various measures, the White House is requesting $227 million for construction of a Civilian Cyber Campus designed to spur public-private partnerships.
Obama is also introducing cyber security legislation that will encourage private sector companies to share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) which, in turn, will share it with both relevant federal agencies and the private sector. This legislation would also encourage private sector businesses to share information among themselves while protecting customer privacy by removing unnecessary personal data.
It is encouraging to see the U.S. and governments worldwide taking these kinds of steps to improve the defense of our businesses and critical national infrastructure. Australia’s cyber security review, for example, is led by the Department of Prime Minister & Cabinet, but involves a mix of intelligence and law enforcement agencies, private sector telecommunications and technology providers, and international voices. It is anticipated that this trend will continue to grow globally as governments acknowledge they need to work with the private sector in order to tackle this growing problem.
Critical intelligence and information sharing
It is also promising to see private sector companies working closely with the authorities when a data breach is detected. Anthem Inc., the country’s second-largest health insurer, recently announced hackers had broken into a database containing personal information for about 80 million of its customers and employees in what is likely to be the largest data breach disclosed by a healthcare company. While investigators are still determining the extent of the incursion, Anthem said it is likely that “tens of millions” of records were stolen.
Since the discovery of suspicious activity on its network, Anthem has shared with HITRUST’s Cyber Threat Intelligence and Incident Coordination Center (C3) the MD5 malware hashes, IP addresses, and email addresses used by its attackers. This crucial observable information was shared anonymously with the HITRUST C3 Community through the automated threat exchange. It was quickly determined that these indicators of compromise (IOCs) had not been found by other organizations across the industry, and the attack was believed to be the work of a targeted advanced persistent threat actor.
Federal law requires healthcare companies to inform consumers and regulators when they suffer a data breach involving personally identifiable information, but they have as many as 60 days after the discovery of an attack to report it. This incident has really raised awareness within the healthcare sector and other sectors about how critically important a coordinated response built on intelligence and information sharing can be. To this end, the FBI praised Anthem for its “initial response in promptly notifying the FBI after observing suspicious network activity.”
Greater investment in cyber intelligence technologies
Detecting threats within the firewall, and as they develop, is certainly not a simple task. In today’s threat landscape, companies subject to high-profile attacks like Anthem, Home Depot, and Target must contend with extremely sophisticated intruders who constantly change and refine their methods, and insiders who abuse legitimate access rights to manipulate and steal data.
There is also no instruction manual for companies with details on how those intruders will behave. A clever intruder may lie low within an organization for weeks or months, conceal his movements within the noise of a busy network, and remain undetected for a long period of time. Similarly, insiders are extremely difficult to spot because a lot of what they do may be legitimate, while a small but significant part of their activity is threatening. In other words, both intruders and insiders may be hiding in relatively plain sight.
According to Gartner, 60 percent of enterprises’ information security budgets will be allocated for rapid detection and response approaches by 2020, up from less than 10 percent in 2012. Smart companies and governments are no longer relying on the implementation of information security policies or traditional perimeter cyber security tools. They are now actively building cyber intelligence capability to manage the cyber risk, reducing the unknowns likely to impact their operations or economy.
Data analytics can monitor patterns across a company’s computer network, map what is normal activity, and detect previously unidentified APTs as manifested in anomalous occurrences in the network and devices. Analysts are alerted to suspicious connections between seemingly unrelated events or known entities of interest, as well as recurring visits from suspicious IP addresses or malicious domains. Again, IT and information security personnel are able to manage threats more effectively if they are detected quickly.
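As an added illustration (not from the original article or from any vendor's product), the Python example below builds a per-host baseline of normal destinations from connection records, then flags destinations a host has never contacted before and repeat contacts with watchlisted addresses. The host names, IP addresses (documentation ranges), watchlist, and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (day, internal host, destination IP).
# Addresses come from the RFC 5737 documentation ranges.
CONNECTIONS = [
    (1, "ws-01", "192.0.2.10"), (2, "ws-01", "192.0.2.10"),
    (3, "ws-01", "192.0.2.11"), (4, "ws-02", "192.0.2.10"),
    (5, "ws-02", "192.0.2.20"),
    (6, "ws-01", "192.0.2.10"), (6, "ws-01", "203.0.113.7"),
    (7, "ws-01", "203.0.113.7"), (7, "ws-02", "198.51.100.5"),
    (8, "ws-01", "203.0.113.7"), (8, "ws-02", "192.0.2.20"),
]
# Hypothetical watchlist, e.g. addresses received through a sharing community.
WATCHLIST = {"203.0.113.7"}
BASELINE_END_DAY = 5   # days 1..5 define "normal" activity
RECURRENCE_DAYS = 2    # watchlist contact on this many distinct days is "recurring"


def build_baseline(records, last_day):
    """Map each host to the destinations it contacted during the baseline window."""
    baseline = defaultdict(set)
    for day, host, dst in records:
        if day <= last_day:
            baseline[host].add(dst)
    return baseline


def detect(records, baseline, last_day, watchlist, min_days):
    """Return (new destinations, recurring watchlist hits) seen after the baseline."""
    new_dsts = set()
    days_seen = defaultdict(set)
    for day, host, dst in records:
        if day <= last_day:
            continue  # baseline traffic is used only to learn what is normal
        if dst not in baseline.get(host, set()):
            new_dsts.add((host, dst))       # anomalous: never seen for this host
        if dst in watchlist:
            days_seen[(host, dst)].add(day)  # track distinct days of contact
    recurring = {k: sorted(v) for k, v in days_seen.items() if len(v) >= min_days}
    return sorted(new_dsts), recurring


if __name__ == "__main__":
    base = build_baseline(CONNECTIONS, BASELINE_END_DAY)
    print(detect(CONNECTIONS, base, BASELINE_END_DAY, WATCHLIST, RECURRENCE_DAYS))
```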
Companies are increasingly acknowledging that advanced cyber threats are an unsolvable problem, but that the benefits of being connected to the Internet outweigh the risks. Cyber security is a responsibility shared and managed by all: the public sector, the private sector, and the general public.
Louis F. Quijas is an Advisory Council Member of the Wynyard Group, providing operational strategy, access to market networks and product development guidance. He served as Assistant Secretary for the Office for State and Local Law Enforcement for the Department of Homeland Security; President of Datong Electronics; Assistant Director at the Federal Bureau of Investigation; and Chief of Police for High Point, North Carolina.