
Cyberattacks: The Danger, the Cost, the Retaliation

How do we get better cybersecurity technologies out quickly while having enough personnel to rapidly respond to the ever-changing exploits?

by Larry Karisny / September 11, 2015

From hacking cars to stealing state secrets and instances of retaliation, there is a real-world awakening to just how expensive and dangerous it is to recover from a cyberattack.

Cybersecurity companies make billions of dollars in patching and reacting to the problem, but customers want proactive cybersecurity — not reactive analysis and temporary repairs. There are reasons this is not happening, and we must redirect both money and thinking in order to put the cybersecurity industry on the right track.

Today's Cybersecurity Business: Bad Start and Needed Change

When cybersecurity becomes a business rather than true protection, we have a problem. Unfortunately this is what it's become, and though some are calling it a flat-out scam, I wouldn't necessarily go that far.

There is so much vulnerability in networks and application software that even good cybersecurity developers are working with one hand tied behind their back. This has led to a hack-and-patch cybersecurity business that is a reactionary temporary repair — not an upfront cyberdefense. It takes months to even detect a breach and many more months to temporarily fix it. Companies are making billions in historically patching cyberattacks when customers want to spend their money to stop them from happening in the first place. 

Case in point: The Sony attack was disclosed on Nov. 24, 2014, and discussed in a recent 60 Minutes broadcast: Today there are still hundreds of technicians working to correct the problem. Since this attack, other companies and government agencies have been hacked, involving millions of people. This continues while the cybersecurity industry admits to limited cyberdefensive capabilities. In fact, the cybersecurity defensive positions are so weak that retaliatory offensive positions are being considered. What we have learned from earlier attacks is now being used to develop strategies to stop future attacks. 

The OPM Breach and Lessons Learned

Nothing was more telling than the information disclosed in a report on the largest federal government breach ever, at the U.S. Office of Personnel Management (OPM), which shows both desperation and hope as far as cybersecurity is concerned. Rapid disclosure of an attack may be easier for a government than for a corporation that may take a stock hit, but the need for a quick response is the same. The quicker the reaction to the breach, the less damage is likely to occur.

One of the most impressive things that resulted from the OPM breach was the creation of a Cybersecurity Sprint Team that includes members from OMB's E-Gov Cyber Unit, DHS, the National Security Council Cybersecurity Directorate and the Defense Department. The team was charged with leading a 30-day review of "cybersecurity policies, procedures and practices," and issuing a Federal Civilian Cybersecurity Strategy based on its findings. 

The sprint team will focus on eight priority areas:

  • Protecting Data: Better protect data at rest and in transit
  • Improving Situational Awareness: Improve indication and warning
  • Increasing Cybersecurity Proficiency: Ensure a robust capacity to recruit and retain cybersecurity personnel
  • Increase Awareness: Improve overall risk awareness by all users
  • Standardizing and Automating Processes: Decrease time needed to manage configurations and patch vulnerabilities
  • Controlling, Containing and Recovering from Incidents: Contain malware proliferation, privilege escalation and lateral movement; quickly identify and resolve events and incidents
  • Strengthening Systems Lifecycle Security: Increase inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner
  • Reducing Attack Surfaces: Decrease complexity and number of things defenders need to protect

The creation of the Cybersecurity Sprint Team and the unprecedented 30-day review that issued a Federal Civilian Cybersecurity Strategy based on its findings is a good sign of present and future responses to cyberbreaches. The key now is whether the recommendations from the Cybersecurity Sprint Team produce results.

Still Playing Catch-up

Current cybersecurity technologies — that were designed years ago — are behind the curve. In a recent Federal Times article, Federal CIO Tony Scott explained that most of the systems — most of the technology we use every day — were designed and architected in the 1970s or 1990s, and even newer systems are built on that same framework. Scott said that future systems need to be designed with cybersecurity at the center, and agencies must also work to secure existing systems. 

These needed changes in technology are often delayed by industry standards groups, government regulation, compliance and red tape, all of which create process delays and even danger when trying to get needed technological change in place and operating. Hackers know this and target these weaknesses while being very agile and always changing. Both industry and government are recognizing they must offer avenues of responding to these changes, and are finding ways to cut all the red tape and get these needed changes evaluated and deployed.

Cybersecurity: Pick Up the Pace

A Brookings Institution think tank suggested that government needs to pick up the pace of funding research and acquiring the latest technology in the quickly changing software and electronics sectors. Even day-to-day operations are affected. When you have software upgrades happening every six months, on average, systems must be in place to accept these frequent upgrades. The bureaucracies of both government and business must change their procedures if they are ever to stay ahead in an industry in which change is the new normal. 

The last RSA conference also warned of an even bigger problem. Are there enough people to deploy and operate these needed cybersecurity systems? Two studies validated these concerns at the conference and discussed what steps can be taken to correct the problem. So how do we get better cybersecurity technologies out quickly while having enough personnel to rapidly respond to the ever-changing exploits? By using something called cybersecurity software as a service (CSaaS).

CSaaS: An Emerging Trend

CSaaS may not only address how to get advanced cybersecurity services in and updated, but also the industry's known personnel shortage. These system capabilities offer customers advanced cybersecurity services without the worries of complex design builds and necessary staffing to run these often complex services. 

When former NSA Director Keith Alexander entered the private sector, he built a company with a goal of offering CSaaS. His company, IronNet, touts top personnel with more than 100 years of combined experience in top posts at the NSA, U.S. Cyber Command, National Counterterrorism Center and Army Intelligence. An initial version of IronNet’s CSaaS will be generally available later this year.

This CSaaS trend seems to be continuing with CloudLock — the industry's first CSaaS for the cloud. CloudLock was launched in 2011 with one simple goal in mind: to transform cloud security into a business enabler. Delivered as a service, CloudLock’s unified Cloud Security Fabric connects and secures any app natively from the cloud in the cloud through a series of CloudLock Cybersecurity APIs. 

While most CSaaS services are focusing on the use of existing cybersecurity and software technologies, a company called Decision Zone is offering a completely new cybersecurity platform that is capable of securing multiple industries. Its CSaaS platform focuses on the use of non-algorithmic fifth-generation programming language (5GL) technologies. This patented technology runs in parallel to any existing network, hardware or software process platform and can detect cyberattack event anomalies in microseconds.

Moving Forward

Our current cybersecurity technologies are still stuck in after-attack mode, while bureaucracies delay needed change. We must be able to rapidly deploy proactive systems or we will remain stuck in the dangerous game of cybersecurity catch-up or offensive cyber-retaliation. Recent cyberattacks have already disclosed how costly and dangerous reactive cybersecurity approaches can be, offering tremendous lessons learned. It is now a matter of how we move forward.

It is refreshing to see the unprecedented responses by the federal government Cybersecurity Sprint Team in not only rapidly responding to attacks, but also offering both existing and new technologies avenues of addressing these attacks. We must continue to find ways to move and change quickly in addressing cybersecurity. It is a good sign that both government and industry are realizing this. They must now find procedures and avenues of funding and rapidly deploying these needed cybersecurity technology advances.

Like the saying goes, “Pay me now or pay me later.” But in cybersecurity, “later” can be too much and too late.

Larry Karisny

Larry Karisny is the director of Project Safety.org, an advisor, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.