Three years ago, I wrote an analysis about trust on the Internet - or the lack thereof - that focused, in part, on the faceless hacking groups such as Anonymous and LulzSec (see Analysis: Who Do You Trust?). Today, we have a face for this lack of trust, and it looks like Uncle Sam and a Chinese Red Army cyber-soldier.
"No one left to trust in cyberspace," shouts a subhead in the Threat Horizon 2016 report recently published by the Information Security Forum, a not-for-profit organization that develops IT security best practices. In its report, the ISF advises organizations to prepare to operate in an environment where governments no longer balance national security with citizens' and businesses' best interests.
The security space has changed so rapidly over the past few years, and I think we are, to a certain extent, still in a game of catch up.
To better understand the current environment that the report addresses, I spoke with ISF's Global Vice President Steve Durbin, who says the vast majority of us in the West, until recently, believed that our own governments acted in the best interest of its citizens. That, of course, wasn't true. "What became clear last year was a whole variety of states are now capable of funding espionage activity," Durbin says. "It's no longer limited to the old favorites like China, Iran and North Korea and so on, but it did include the democratic states such as the United States, U.K., France, Japan and others."
And it's not just governments that shake our trust. Corporate institutions - whether unwittingly, with premeditated intent or through incompetence - cannot be trusted to protect our privacy and security. Just look at the retailer Target. According to published reports, a Target security team received an alert about malware that likely caused a breach that compromised up to 40 million customers' credit and debit cards, but the team didn't act on it (see Did Target Ignore Security Warnings?).
"Organizations hold huge amounts of customer information, and they're going to play a key role, unfortunately, in espionage activities," Durbin says. "I'm not suggesting that they're going out there and willfully sharing information. Whether they're being coerced through legislative or regulatory obligations, or whether cybercriminals or nation-state backed espionage authority is using ulterior methods to gain access to that information, these organizations are being targeted, and from an individual perspective, that's something new."
The Threat Horizon report points out that confidence in accepted solutions has crumbled. Take, for example, encryption, a tool enterprises have trusted to protect stakeholders privacy and keep their secrets secret. That's not the case anymore, with the news about the Heartbleed vulnerability, plus the reports about the National Security Agency (and likely others) creating backdoors to bypass encryption (see NSA-RSA Ties Raise New Concerns).
At a time when a number of accepted solutions to defend against cyberthreats are no longer viable, Durbin says organizations must build resiliency. To do that, he says, CISOs must expand their skill sets to ensure that they can anticipate their CEOs' needs and deliver on an increasing demanding digital agenda. If not, they'll fail.
Seeking Worthy Protection
The need for CISOs to understand the needs of CEOs - and vice versa - is a hot topic these days. The management consultancy Booz Allen Hamilton now has its CISO, not chief information officer, reporting directly to top management (see Role Reversal: CIO Reports to CISO). "It has to do with access, to articulate the threat and deal with senior managers on a more frequent basis," says Thad Allen, a Booz Allen executive vice president. "Basically, bring the operational threat environment out of the server room in the backroom into the visibility of senior managers."
Since the Target breach, a growing number of enterprise leaders are beginning to understand that information is a critical asset worthy of protection.
"What they're trying to do now is really understand what are those assets, interpreted not as bytes, but in terms of the value to the business," says IT security adviser Val Rahmani (see Getting Executives, Technologists to Speak the Same Lingo). "Then, I can start thinking about who might want those assets and how they would try to go after them. And, until you've done that, you haven't even got the capability to start thinking how might I protect them."
Yet, aligning an enterprise's top executives with senior security managers doesn't directly address the problem of the lack of trust in cyberspace.
What should organizations do to rebuild trust in cyberspace? The best way to battle the lack of trust, Durbin says, is by collaborating with other organizations to share threat intelligence.
"Now, this is a little bit ironic because we're probably reaching a point where the need for collaboration and sharing in order to fend back cybercrime and nation-state backed espionage has never been more important at the time trust has really been broken and shaken," Durbin says.
Playing Catch Up
Still, Durbin didn't diminish the challenges ahead. "The world has changed. We used to be able to nice and neatly put walls around our data. We put it in our own data centers. We knew where they were. ... That doesn't exist anymore; it's all up in the cloud, and we're accessing it using mobile devices. We don't know who listening in and accessing that information, either through a man in the middle or quite legitimately.
"The world has moved on. The security space has changed so rapidly over the past few years, and I think we are, to a certain extent, still in a game of catch up. The world doesn't stop turning, and we have to figure out ways to address these challenges and address them as quickly as we see them emerge."
The situation isn't going to get better. ISF in the report lists 10 threats organizations will face over the next two years. Reading the report, and listening to Durbin, I felt more pessimistic about the state of cybersecurity in the coming years. When I made that point with Durbin, he wasn't as gloomy:
"What we need to be doing is taking a much more practical approach to some of these things. We can't make assumptions anymore. We have to plan for worst, hope for the best. It is about our organization's becoming very much more resilient. It's that understanding some of the threats that are out there.
"Not all these threats impact everything in an organization. What they do, though, is encourage the conversation within the enterprise on just how we are dealing with some of these things. How can we legitimately stand up and say to our stakeholders that we do have best in class security for our business needs at the moment?"