Hackers hammering Apple, Twitter and eBay; a new report showing evidence of cyber warfare between China and the United States; a freshly minted cyber security executive order from President Barack Obama and media warnings about the threat of a "cyber Pearl Harbor ".
Security company RSA, a subsidiary of EMC, couldn't have asked for better background chatter for its annual security conference in San Francisco recently. National cyber security became a highlight rather than a hotly disputed occasional session theme.
The topic was centre stage from the opening keynote by RSA executive chairman Art Coviello, who lamented that too many still remained sceptical about the threat of international cyber warfare and cyber security, with people wanting to see solid proof of the perpetrators first. Coviello asked: "Do we really need a smoking gun to know there is a dead body on the floor?"
At the same time, he bemoaned an inclination by the media to over-dramatise, noting that he detests the term “cyber Pearl Harbor”. Any large-scale, catastrophic cyber event “is still highly, highly unlikely”.
The pressing issue, he said, was the fact that regular hacking attacks could cause significant disruption: "Disruptive attacks will become the prelude, the pathway, to destructive attacks."
Greater global security
Still there's now much greater global cyber security activity, with governments moving in recent weeks to publish proposed national strategies. These included an executive order from Obama, a European Union cyber directive and a master plan from Singapore, noted Microsoft corporate vice-president Scott Charney in a keynote address.
He divided cyber security threats into four different types: cyber crime; national behaviour; military espionage and the doctrine of cyber warfare. On the positive side, governments were increasingly working towards harmonisation, creating standards, sharing intelligence and responding quickly to attacks. The challenge, he said, wasn’t in co-ordinating government efforts, “it’s in our technology. We have too much noise in the network. We can’t tell the stuff that’s fine from the suspicious activity.”
This is increasingly the case with the advent of “big data”, the vast amount of digital information generated daily by networks, devices, computers, sensors and analytical software. Stored digital content is doubling in volume every two years, Coviello said.
This ocean of information has required security companies like RSA and Symantec to move away from the old model of designing software that understood specific types of attacks, to systems that incorporate pattern recognition, searching for "needle in the haystack" anomalies amid the data, signals in the noise that don't quite make sense and could indicate malicious activity.
"There has been a ramping up, a significant shift in the threat model," Bob Griffin, RSA's chief security architect, says in an interview. These include not just the many distributed denial of service (DDOS) attacks that bombard a target with so many requests for web pages that sites collapse, but attempts to bring down critical infrastructure, something which seemed to be the intent of a recent attack on oil company systems in the southwest US, a commuter train system in the Pacific northwest, and a water company in the midwest
Malware, the industry's collective term for malicious programmes that may be used to attack computers, networks and devices in a variety of ways, is growing more complex, changing more frequently (which makes the unique signatures of programmes more difficult to detect by security systems) and becoming easier to use, allowing less technically adept hackers to carry out more sophisticated attacks, said Griffin.
In addition, he says, potential targets are dealing with the development of a criminal ecosystem that will sell intellectual property obtained from targeted attacks on the black market of the so-called “dark web”; the increased involvement of nation states in attacks and espionage and the rise of “hacktivism” from groups like Anonymous.
There has even evidence from the US Secret Service that companies providing infrastructure services have had to pay extortion money to criminal gangs threatening to bring down services, according to Alan Paller, director of research at security company Sans, who chaired a conference session.
“The best way to deal with all of this is to put in a comprehensive set of analytics that can look for good patterns versus potential threats,” Griffin says. “You look for activity that doesn’t match any pattern of good behaviour. You collect information and see, is there something that doesn’t fit.” Such software uses big data techniques for gathering as well as processing information. “It’s really a huge transformation.”
But has there really been an increase in activity and is it truly that threatening? Has cyber security just become the topic of the moment, due to the set of recent attacks and global government responses?
Retired US navy rear admiral Mike Brown, now vice-president and general manager for RSA's federal services, says it' it is a bit of both – a significant rise in the threat level coupled with an increased awareness and understanding of some of the threats, thanks to international press coverage of global attacks on companies and infrastructure.
“When you put all those things together, there’s a greater awareness of the breadth of what the threats are, how they can be used by adversaries against the public or private sector or both, as well as a lot of knowledge that’s starting to get down to the individual user,” he says in an interview. He welcomes Obama’s executive order, but like most others at the conference, noted it was an inadequate start. It suggests the overall problem be looked at for a further year before any concrete actions are taken, for example, and places few requirements on the private or public sector to respond or share threat and intrusion information more widely.
"I definitely do not think it's enough. But it was necessary, to continue the journey down the path with both the public and private sector to try and address the issues and the threat, to try to raise the security at least around the critical infrastructure that's going to be identified by the order. But there's a lot of things that aren't addressed."
Disquiet over regulations
Private sector companies, meanwhile, have expressed disquiet about having any security-related regulations placed upon them. Won't it be difficult to get them on board, if it means greater costs or regulation?
“We have to be able to articulate the benefits for the private sector,” Brown says. Among those are the protection of infrastructure and the economic benefits that flow from making it safer to compete in a global market, he notes.
The private sector actually plays an important role in national security, he adds. The FBI has highlighted that most of the critical infrastructure in the US and internationally – energy sources, power grids, transport networks, financial management, communication networks – are owned by the private sector.
Having adequate technology tools for protecting that infrastructure, as well as having a good “security response community” is essential. “Going back to military doctrine, you’re only as good as you’re trained. And we need to be able to act aggressively against nation states acting maliciously, as well as cyber criminals and hacktivists.”
Alarmingly, several conference sessions pointed out that there was growing evidence of collaboration between nation states and criminal gangs, which offered botnets for hire for malicious attacks, and sell sensitive data and intellectual property gained from accessing company and government files.
"Now cyber criminals have realised they are sitting on a pot of gold and have started to contact state actors [who act on behalf of a governmental body]," said Uri Rivner, vice president of business development and cyber strategy at BioCatch, during a conference session.
Down on the ground, the threat of cyber attacks from nation states and international gangs is real and alarming for chief security officers at big companies and include the fear of total shutdown.
"It's a major, major issue that goes beyond the theft of IPs," Howard Schmidt, former CSO at Microsoft and eBay and former special assistant to Obama on cyber security, noted during a panel discussion. "You flip a few bits and all kinds of things get shut off. That's where the real threat is."
Jason Witty, chief information security officer at US Bank, said it could be financially difficult for companies to protect their infrastructure adequately against cyber attacks funded by nation states that may have millions at their disposal. "These things are woefully out of balance," he added.