Shifting Tides of Cyber
Industry officials foresee changes in network security.
Cyber industry experts predict a number of coming developments in the cyber realm, driven in part by government strategy and funding uncertainties. The future may include a greater reliance on law enforcement to solve state-sponsored hacks, increased automation and more outsourcing.
Earlier this year, the White House released the Administration’s Strategy on Mitigating the Theft of U.S. Trade Secrets. It calls for an increase in diplomatic engagement; makes investigation and prosecution of trade secret thievery a top priority; and promises a review of legislation regarding trade secret theft to determine what changes may be necessary. The strategy contains “lots of hints” the administration will rely on law enforcement in addition to national security channels in some cases involving nation-state-sponsored hacks, says Kimberly Peretti, a former senior litigator for the Justice Department Computer Crime and Intellectual Property Section.
“The big gorilla in the room is what we do with state-sponsored attacks. One of the priorities of the strategy itself is having the Justice Department continue to make investigations and prosecutions of trade secrets a priority. So, if we see a lot of these trade secret thefts happening by Chinese hackers or state-sponsored attackers, that could be incorporated into the strategy—to start looking at pursuing avenues criminally as well as on the national security side,” says Peretti, who is now a partner in the White Collar Group and co-chair of the Security Incident Management and Response Team, Alston and Bird Limited Liability Partnership, a law firm headquartered in Atlanta.
While not a radically new direction for the United States, the strategy does clarify the government’s approach to trade secret theft. “It’s clarifying and refining different avenues and approaches. It brings together different avenues to attack the problem and prioritizes them,” Peretti says. And if the government relies more on law enforcement, that will mean a greater dependence on industry. “If that’s the way the strategy is pursued, then we really are going to be more dependent on security researchers and private sector entities and their ability to pull information together,” she states.
The Justice Department and the FBI mostly use private-sector cyber forensics experts to gather evidence in computer-related crimes. “The FBI does not come running in and take out 300 servers and go look at them. There’s no way. They cannot do that. They’ve never done that. That’s not the way law enforcement works,” Peretti explains. Private sector forensics investigators start the investigation and transfer some aspects of it over to the FBI, she adds.
Involving law enforcement in cyber attacks sponsored by another nation presents some challenges. It requires the ability to catch perpetrators or accomplices in the United States or in other countries willing to extradite suspects. Additionally, it is more difficult to protect classified information in open court, and foreign law enforcement agencies may use tactics, techniques and procedures for gathering evidence that will not hold up in a U.S. court. “We have a high-level standard of proof at trial under the federal rules of evidence. Initially when [foreign law enforcement agencies] are collecting your evidence, you don’t necessarily control that process. You can request that they follow certain procedures, but it becomes more and more challenging and difficult the more parties outside the United States you have to rely on,” Peretti points out. She also notes that in some cases, the actual perpetrators may be in one country with accomplices, witnesses or evidence in a number of other countries, adding to the challenge.
Peretti stresses that companies that are victims of cyber intrusions—whether by other nations or criminal groups—need to hire qualified professionals to stop the attack, investigate and gather evidence. Otherwise, the attack could be repeated. She cites an example of a Russian organized criminal group known for infiltrating networks in search of credit card or payment card data. “They will go back to the same systems if the back doors aren’t closed, if the malware is not removed. They really have developed very similar tactics to what we’re seeing from state-sponsored attacks in that they get deep and prolonged access into systems—hundreds of systems—and if the company doesn’t fully remediate the breach, then they have a couple of systems with back doors, and the criminal group can easily come back in a year later, two years later,” Peretti says.
Furthermore, a company reeling from the effects of having its systems breached also can become the subject of investigations by multiple government agencies. It is imperative, therefore, to hire an investigator with multiple forensics skills—network, malware and memory forensics. “All of these are critical areas, and if the investigator doesn’t understand how to do any of those components, the company is not going to understand exactly what happened on their systems. And that happens time and time again,” she declares.
Other experts cite shrinking budgets as a major factor influencing the future of cyber. For example, Maria Horton, founder and chief executive officer of EmeSec Incorporated, Reston, Virginia, says new budget realities will lead to a greater focus on levels of service. “Because of budgets, austerity and even just competitive advantage, spending in all aspects of information technology and IT security has to be really smarter. We are living through what I would call a transformation from focusing on the technology to focusing not only on the data but also on value,” Horton offers.
Horton compares network and data security to the physical security provided for important people. Some get bigger and better bodyguards than others. The U.S. president or a member of the Senate, for example, will receive a higher quality of protection than a university president or talk show host. “We are seeing the transformation in the government and the military to where they have to look at the vendors and decide how much value they want, how much risk they are willing to accept and how quickly they can implement a solution. That is going to impact acquisition. It’s going to impact quality from the perspective of how we measure it and how we monitor it, and how we know that we’re getting those outcomes,” Horton says.
Horton cites the Federal Risk and Authorization Management Program (FedRAMP) as an example of where the cyber realm is headed. The multi-agency program calls for a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. “I’m a big fan of the FedRAMP program. I think it’s smart, and it’s the front end of how we get some cost savings in there,” Horton says. Her company is a third-party assessor for the program.
Tighter budgets also will require greater automation and will lead to increased use of artificial intelligence for cybersecurity, Horton theorizes. “We will see the best results as we begin to evaluate the initial cloud service providers for the government. As they get larger and get more services, they’re going to have to automate more and more to be able to maintain both the government requirements and the level of service—that value that I talked about—for their customers. It will allow the cloud service providers like the Amazons and Googles of the world that do their change management in an automated way to save dollars and offer up their services at a lower price. So, we’ll see those first,” Horton says.
Fewer resources also will lead to network security streamlining and less duplication, says Sanjay Castelino, vice president and market leader for networking business at SolarWinds, Austin, Texas. Castelino says he sees a lot of unnecessary overlap between system administrators and security teams in the military, government and commercial sectors.
He reports that all too often, the security team is “beating the administrators over the head” to convince them to use more security tools. Inevitably what happens, Castelino contends, is that additional information security tools slow down network operations, leading system administrators to stop using them in order to get things done.
And many times, additional tools are unnecessary and duplicative. “The tools the operations guys are using today are already collecting much of the data, if not all of the data, relevant to operations, relevant to security. The ops guys and the system administrators and network administrators are actually the people who can be on the frontline of security. They can be the folks carrying that flag forward if they’re using the tools in the right way,” Castelino proposes. “There are operations products being used every day that can add a tremendous amount of value to the security apparatus without trying to overlay it with another security product that the ops guys are being forced to use.”
Michael Markulec, president and chief technology officer, Lumeta Corporation, Somerset, New Jersey, offers some of the more dire predictions. He says that because of budget uncertainty, information security professionals will leave government service and make it that much harder for departments and agencies to hire and retain talent. He reports that his contacts at the Homeland Security Department already are evaluating how a smaller force of contractors will set up and manage an emergency network in the aftermath of a disaster such as Hurricane Sandy. His contacts at the Transportation Security Administration also are struggling with the effects of sequestration, he adds.
Markulec predicts that as people leave government, agencies likely will be forced to do more outsourcing toward the latter part of President Barack Obama’s term. Following the September 11, 2001, terrorist attacks, Markulec points out, government began doing more insourcing, and the Obama administration initially accelerated that trend. “That tide will turn again. With a lot of the cyber expertise on the outside, you’re going to see that tide shift, and we are going to be relying more on contractors to provide expertise that the government just doesn’t have,” Markulec concludes.