A Required Course in Cyber security 101
Pat Clawson - June 29th, 2011
In all my years in information security, I have never seen the volume of attacks targeted at high profile organizations that we are seeing right now. We need to take this tumultuous new reality as a needed wake-up call to affect sweeping change.
I recently came across a great interview on the New York Times business blog – A Failing Strategy to Stop Cyberattacks. At that time, the unfortunate hack-of-the day victim was Citigroup and CNBC asked Anup Ghosh, founder of Invincea, about his thoughts on today’s hack-happy environment and what should and could be done. Ghosh made some excellent points regarding today’s threat landscape about what so many of us in the Infosec industry have also said – today we are faced with “widespread looting” and “internet lawlessness.” A “theft of a nation” is occurring, he said and I couldn’t agree more.
How we improve things is a little more difficult to get our arms around however and we lack consensus on what to do next. In the interview, Ghosh mentioned the need for security companies to innovate in order to win the cyber security battle. I also agree with the need for continued innovation, as I discussed in a recent blog post.
But what people also need to realize is the status quo is no longer an effective protector against today’s attacks. Be it cyber criminals in search of profit, hactivists using your company to make a point or state-sponsored attacks that appear to be taken from the page of a best-selling spy thriller, hackers are succeeding in their attempts to disrupt, deny and steal data critical to any organization’s mission.
Yet technological innovation is but one piece of the puzzle. While “putting users in a bubble” as Ghosh suggested would be an ideal answer to our cyber crime problem, I’m less optimistic that standalone approach will succeed. After all, innovation A has a way of driving innovation B and ultimately, that only puts us in a continuous back and forth with temporary wins. To truly improve security across the board, organizations must implement strong, enforceable policy, hire the best people and rely on the latest technology.
Global laws and policy are an important first step. When looking at the bigger picture, we have had a couple thousand years to develop laws and enforcement around the protection of physical property. Today, it is critical we work to mimic those laws for cyber data, here in the U.S. and around the world. Hiring the best people to both enforce those policies and manage the technology tools is also an important component.
Cyber crime is a very big business with the potential for significant impact on individuals, businesses and governments. Sadly, I am continually amazed at the lack of understanding and sense of responsibility technology users have toward the safety of their personal information. Not only do the majority of people need lessons in basic security measures, they also need to be educated on the potential repercussions of a data breach, both personally and from an enterprise perspective. Without education, we will never gain any ground.
I agree with former Department of Homeland Security secretary Michael Chertoff when he told attendees at the June Gartner Security and Risk Management Summit there should be a push for any Internet user to be “taught the importance of maintaining secure systems and how to avoid unnecessary risks.”
Both industry and government have failed to do enough to understand and address the problem of cyber attacks. As a country, we need to do more. And it starts with education. Think back to what we know about the Cold War era. Back then, safety became a critical issue and the government stepped in with standard “duck and cover” safety recommendations. The result? Everyone went out, dug a bomb shelter, packed it with canned food and water and regularly required their families (including the kids) to practice their escape in the event the sirens went off.
Response to the exploding problem of cyber crime is a little like that – although what needs to be done and how that message can and should be shared with the public is of course quite different. Today, the reality and impact of cyber crime needs to be shared with everyone. While sirens probably don’t need to be installed today, users do need to be educated. Public service announcements, billboards, mobile messaging, and of course a Facebook campaign would be a good place to start. So would the implementation of a school curriculum – starting with the youngest of students.
This is a global issue and we as a country need to address it now.