Cyber Security: how could we turn this issue into an opportunity? Part II

03 February 2013

In my first post on this topic, I mentioned the emerging security challenges posed to businesses by the pervasiveness of ICT.

More recently, however, cyberspace has become a tool for projecting national power, procuring profit and promoting instability and disruption, therefore moving the risk far beyond business and into the political and strategic areas.

The fact that States are now potentially both protagonists and principal targets of cyber attacks heightens the political risks involved, to the point that securing the domain through both offensive and defensive measures has become a strategic priority for most major powers.

And this is real life...

I read in an article that in the fall of 2010, Deputy Secretary of Defense William Lynn stated that the Department of Defense (DoD) had “suffered a significant compromise of its classified military computer networks.” The penetration occurred in 2008 and was delivered via trusted uniformed military personnel who were using USB mass-storage devices to move important operational information between unclassified and classified systems in support of U.S. Central Command’s military operations.

The devices at issue contained malicious computer code, which was able to proliferate undetected from network to network. The code was designed to illegally copy information and, when possible, transfer it to servers under foreign control.

The DoD code-named the discovery of, and recovery from, this incident “Operation Buckshot Yankee.” Government leaders wanted to learn the extent of the penetration and whether the networks could still be “trusted.” Thousands of man-hours were expended to hunt and isolate the infections. The DoD developed and deployed technology to detect and close communication channels, as well as to eradicate the infections.

The total operational and capital cost has yet to be publicly disclosed.

From a policy perspective, the Secretary of Defense and the Chairman of the Joint Chiefs of Staff announced a temporary abandonment of the use of portable media/storage devices. This affected department performance, enterprise agility, and for some, the ability to execute their missions.

From a technology perspective, it required a change in architecture. Prior to this event, the DoD based its defensive posture on an outside-in strategy.

The DoD continues to suffer from more than 6 million probes per day, with an untold number of successful intrusions against its unclassified networks.

US defense chief raises alarm on cyberattacks (IHT, Oct 13, 2012)

Which lessons should we learn?

1) you are only as strong as your weakest link;

2) we need to set stronger security policies: rather than point solutions, robust security architectures encompassing the whole information system chain.

Some analysts are observing that maybe some things shouldn't be on the internet. They claim that we must have a way to go back to the old service structures, in case internet services get stopped.

At the same time, some are recommending the introduction of multi-factor authentication, although this could be very complicated, as is the solution implemented in Bulgaria for ATM cash withdrawals: card plus PIN plus geo-localization in front of the specific ATM through the personal cell phone.

This is an unacceptable risk, and that's why it should be tackled with the appropriate sense of urgency.

In spite of the adverse economic climate, States are already making enormous investments in advanced cyber capabilities to protect when possible, and use as an instrument of power when necessary.

In 2010, a consulting firm issued a report estimating that the U.S. government’s total spending on cyber security between 2013 and 2018 will reach $65 billion. This figure did not include either the funds that certain agencies are already spending on R&D on cyber capabilities and deterrence measures, or the amount private companies are investing.

Some have estimated that Western governments currently spend an annual $100 billion on telecommunications and cyber security, a figure set to double in the next six years.

However, we must recognize this is not an easy task.  Why?

Because of the difficulty in balancing parallel demands: economic recovery and growth vis-à-vis national security and infrastructure protection. This tension is further exacerbated by the competition for resources, lagging policy implementation, and gaps in the technology roadmap to address security shortfalls.

I am inclined to think that we should keep investing to overcome this new barrier: ICT progress is inevitable, and we should turn these challenges into opportunities to further develop ICT and make it more inherently secure.

All the core businesses will be based on one single infrastructure, the Internet, and we cannot afford not to think about its security in a holistic way.

It is also clear to me that there isn't one single Nation which could lead this effort, and that we need more incentives than penalties for Companies to take full responsibility for leading this problem's resolution.
