5 Steps to CyberConfidence
What are the big emerging cybersecurity threats in 2014 – and what steps can your organisation take to stay ahead of them?
1. CYBER THEFT OF VALUABLE DATA AND IP
While the public sector has previously been the chief target for advanced persistent threats, CSC’s cybersecurity experts are now seeing more and more such attacks against organisations in the commercial world. This is a change that no one predicted even a few years ago. Information on cyber attacks in the commercial sector is increasingly helping the public sector to prepare its defences, rather than the reverse.
Why? Information is becoming the most valuable asset of many enterprises. And the information being targeted is no longer just financial or personal data such as credit card details. Now enterprises are more worried about theft of intellectual property.
Today it would often be more damaging for a business to lose exclusive access to its vital IP (such as a proprietary manufacturing process, technology feature or software source code) than to lose the factories which manufacture products based on that IP.
For example, the chemicals and pharmaceuticals industry holds some of the world’s most valuable IP, which has cost billions to develop. For cyber criminals this is an opportunity comparable to the Sack of Rome.
We can expect the sophistication and impact of cyber threats to rise in proportion to the value of the information at risk. How should this affect an organisation’s investment in cybersecurity? How do we reflect this reality as a strategic issue for boards and their members? What do they need to know, and what do they need to do?
2. CYBER VULNERABILITY OF INFRASTRUCTURE
Emerging IT architectures encompass smartphones, desktops, laptops, servers, enterprise applications, the cloud, supply chains, partners, and computer systems embedded for industrial control and the management of critical infrastructures. Such architectures will be seamless, from the smartphone to the 3-D manufacturing devices on the factory floor, linking product designers directly with manufacturing systems. However, though new opportunities such as cloud and mobile have great benefits, they can lead to bad data security habits.
We need to make sure cybersecurity is baked into new IT architectures from the start.
Such integrated architectures need integrated cybersecurity management allowing for unified views of cybersecurity policy, events, and responses throughout complex enterprises. How does this happen? What are the consequences if it does not?
Also, much of our existing industrial infrastructure cannot be easily upgraded for more security. Most industrial control system equipment in the operational technology environment was designed to have a 10-to-20-year lifespan, and much of what is in play today was designed and implemented well before ubiquitous security controls were built into components. We still need a standard process to measure and assess risk, especially because the operational paradigm has changed.
3. PENALTIES FROM NEW CYBER MANDATES
In the UK, the US, and elsewhere, the public sector’s interest in the cybersecurity of the private sector is becoming more evident. Critical infrastructure, aerospace and defence manufacturing, and other sectors are places in which the public sector’s cybersecurity interest must be understood and addressed, threats must be shared, and joint action taken. Data security compliance mandates are set to become much tougher. In the UK, the Financial Conduct Authority is working with banks and the markets to tighten up compliance. Under new EU data protection and privacy regulations, fines for non-compliance will be up to 100 million euro or 5% of an organisation’s global annual turnover – whichever is the greater. Board members are now asking what they should know about cybersecurity, and even whether their company is at real risk.
Compliance is also becoming a much bigger issue in the US. Ten years ago, cybersecurity was seen by many in government as simply a developing area of IT. Today it has become a top national security issue. The US Government is not only looking at how it can protect its .gov and .mil internet domains from attack, but also at how to ensure the cybersecurity of the nation’s critical infrastructure and manufacturing base. The US is also bringing in a Presidential order with new cyber mandates on companies holding federal contracts in 16 sectors of industry, in the cause of national infrastructure protection.
How will new standards be set? Which standards should be voluntary and which should be mandatory? From where do we get threat information? In a world in which most infrastructure is owned and operated by the private sector, where are we likely to see first indications of advanced threat?
4. WEAPONS-GRADE CYBER THREATS
Organisations and government agencies see cyber attacks growing dramatically, with greater technical sophistication, operational discipline, and frequency. The level of operational patience, resources, and skill reflects the activities of foreign intelligence organisations capable of mounting exploits and attacks over many years. What is the best way to detect such threats, operate in their midst, and respond appropriately? Sandia Idaho National Laboratories has proved that a cyber-based attack is able to physically destroy a diesel generator. The Stuxnet worm reportedly crippled uranium enrichment facilities in Iran. Aramco suffered significant consequences from the Shamoon (DistTrack) malware attack, and, speculatively, the same Flame worm variant hit RasGas as well. And these are only a few examples of what is now happening.
These are increasingly referred to as ‘weapons-grade cyber threats’ – the cyberspace equivalent of a battle tank rolling up your driveway.
Cyber attacks are now more dynamic and polymorphic. Breach methods can involve multiple components, making them extremely difficult to detect. They are frequently able to establish command and control functions within your network.
Attacks are also showing more operational sophistication. There are intelligent human beings behind them. We are seeing the emergence of the “human-morphics” concept, in which attacks utilise polymorphic malware, but also include human adversary activity designed to see real-time changes in your defences and adjust attacks accordingly.
Cyber intruders are operating smarter to counteract defences. They often have better information on an organisation’s network topology and defences than the organisation itself does.
5. GLOBAL AND STATE-FUNDED CYBER ATTACKS
CSC’s experts find that cyber attacks are now sourced from all over the world. While we see highly sophisticated attacks from around the globe by hackers and cyber crime organisations, it increasingly appears that many of these attacks are funded or undertaken by nation states. In the conventional world of espionage, one state’s national intelligence agency might target the government or military of another. But now national intelligence agencies are increasingly targeting commercial businesses, such as chemical or pharmaceutical companies.
These are real intelligence operations, with quite stunning cyber-espionage tradecraft.
So why are we seeing more of this kind of sovereign-state-funded cyber warfare in the private sector as well as the public sector? There are two basic conceptions of cyber among nation states. In more liberal countries, it’s commonly seen as a ‘defensive’ measure – protecting data and IP across public and private sectors. However, in many less liberal countries, cyber is part of a very different national agenda – regarded as a powerful new ‘offensive’ tool to politically, militarily and financially benefit the state. In their eyes, there is also no real distinction between commercial and state targets for cyber attacks.
What do foreign governments and their activist allies hope to gain? CSC’s hypothesis is that threats to cybersecurity can be mapped to some countries’ inability to compete militarily and economically. Cyber-power levels the playing field, and diminishes asymmetries in other domains (military, economic, and other kinds of power). Where potential conflicts exist between asymmetric powers (such as Syria versus the West; Iran versus the West; North Korea versus South Korea), cyber attacks will rise as tensions rise. Cyber activity can be used to demonstrate a less powerful nation’s ability to attain global reach, and put at risk the resources of more powerful nations.
This hypothesis model (below) reflects the recent behaviour of cyber attackers such as the so-called Syrian Electronic Army. In August 2013, when it appeared likely that the US would launch an air strike in response to Syrian Government attacks on its people, the group’s cyber attacks became more aggressive – taking down the New York Times website for most of two days, for example. The following month, once the US began talks with Russia and the Syrian Government about disarmament, the group’s activities scaled down.