By Karlin Lillington
In San Francisco
Cybersecurity “is now everyone’s problem, affect(ing) our lives, our livelihoods and our way of life,” according to the US secretary of the Department of Homeland Security (DHS), Kirstjen Nielsen.
“Every facet of our society is now being targeted, and at every level,” she said. “Our very institutions can be compromised and used to undermine our democratic process.”
In a keynote address on Tuesday on the opening day of sessions at the RSA Conference in San Francisco – one of the world’s largest annual security events – Ms Nielsen said society has reached a tipping point where “digital security is converging with personal and physical security. The public is starting to realise how they are entwined.”
Last year was the worst ever for cyberattack volume, Ms Nielsen said, noting that nearly half of all Americans became the victim of just a single data breach – the attack on Equifax in which sensitive personal and credit information was leaked.
By 2021, the value of cybercrime damage is expected to hit $6 trillion (€4.85 trillion) annually, she said, citing research by Cybersecurity Ventures, a figure representing nearly 10 per cent of the world economy.
The “internet of everything”, in which every variety of object can be connected online, made it easier to conduct attacks, she said.
“Our cyber-enemies are bolder and more brazen than ever before. That goes for nation states in particular,” she said.
Just a few years ago, nation state attacks were fairly obvious and conducted in a clumsy way. Now, she said, “adversaries are getting more sophisticated and sinister”.
Using the metaphor of a house break-in, she said that previously, an attack had left clear signs such as windows broken, the house interior damaged and items thrown around on the floor. Now, the house looks completely normal, she said, but the intruder has been inside for hours.
Responding to today’s cyberattacks is complicated because different actors have different objectives. “No one size fits all,” said Ms Nielsen.
Some want to siphon away classified information, some to steal trade secrets, while some try to access bulk data, including information on ordinary citizens. Some want to compromise critical national infrastructure, while others attempt “to manipulate us”.
Ms Nielsen said the DHS was “adopting a more forward-leaning posture” in response, and would soon release a national cybersecurity strategy.
She pointed to a number of elements which she said needed particular focus.
Firstly, “we must be more aware of vulnerabilities built in to the structure of internet”. Because of the internet’s interconnecting structure, an attack on the financial system could have an affect on infrastructure, such as the water or electricity grid, agriculture, or healthcare.
“We cannot get stuck in silos and focus on vulnerabilities in specific sectors,” but must look across sectors, Ms Nielsen said. Shocks to one system could have “untold cascading consequences”.
“Collective security” also must be considered, she said.
“Your risk is my risk, my risk is your risk. You can no longer protect yourself in a vacuum. We have a weakest link problem and the consequences affect us all. Today we are all on the frontlines of the digital battlefield.”
The DHS plans to “have far greater awareness of potential threats and faster response” over the next five years. She noted that “the bad guys are crowdsourcing their attacks so we need to crowdsource our response”.
Repeating a frequent US government complaint, she said organisations were still not sharing information on attacks or responses quickly enough. The DHS is creating an automated incident response programme to help address this, she said, adding that some industry sectors, such as banking, were also doing this.
The DHS also “need(s) to be federal empowerers” by helping to develop tools to identify software bugs and vulnerabilities earlier, but also to “drive demand-side security”. Consumers “must demand products that put security first”.
‘Advanced persistence resilience’
Unfortunately, Ms Nielsen said, “there’s only so much we can do on the prevention side … we will get hit over and over again”. Therefore, there’s a need to develop “advanced persistence resilience” to limit damage despite persistent attacks, “so we not only bounce back, but bounce forward”.
Finally, she said the US could not allow a repeat of Russia’s “brazen campaign” to interfere in the presidential election in 2016.
“Complacency is being replaced by consequences. We will not stand on the sidelines. We will not tolerate cybermeddling,” she said.
“The US possesses a full range of responses both seen and unseen. In today’s connected world, cybersecurity is national security.”